The descriptions and names of available log fields in a Data Security administration activity log.

The admin audit log is generated when a Data Security administrator performs an action such as remediating an incident, creating a new policy rule, or adding internal or external collaborators. The log includes the following fields, which are available for ingestion by your security information and event management (SIEM) system.

Fields are listed in the order that they are needed for push mode.

| Field Name | Description |
|---|---|
| timestamp | Time the incident was discovered in YYYY-MM-DD HH:MM:SS format with Augmented Backus-Naur Form (ABNF) to indicate the timezone. |
| serial | Serial number of the organization using the service (tenant). |
| log_type | Type of log. In this case, admin_audit. |
| admin_id | Email account associated with the Data Security administrator. |
| admin_role | Role assigned to the administrator: super_admin, admin, limited_admin, or read_only. |
| ip | IP address of the administrator who performed the action. |
| event_type | Type of configuration change: settings, policy, remediation, or login. |
| item_name | Name of the item that changed in the configuration. |
| item_type | Type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, or general_settings. |
| field | Name of the field associated with the configuration change. |
| action | Configuration change activity that occurred: create, edit, delete, login, or logout. |
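
The following is an added example, not vendor code: a small ingestion check that maps a push-mode record onto the field names above, in the listed order, and reports any value that falls outside the documented enumerations. The page does not state the wire format, so the comma-delimited layout, the `parse_record` name, and the sample records (including the timezone notation) are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Field order as listed in the table above (the order used for push mode).
FIELDS = ["timestamp", "serial", "log_type", "admin_id", "admin_role", "ip",
          "event_type", "item_name", "item_type", "field", "action"]

# Enumerated values documented in the table above.
ALLOWED = {
    "log_type": {"admin_audit"},
    "admin_role": {"super_admin", "admin", "limited_admin", "read_only"},
    "event_type": {"settings", "policy", "remediation", "login"},
    "item_type": {"user", "apps", "settings", "content_policy", "file",
                  "risk", "general_settings"},
    "action": {"create", "edit", "delete", "login", "logout"},
}

def parse_record(line):
    """Return (event, problems) for one record; the delimiter is an assumption.
    problems lists every mismatch so the SIEM can quarantine the record."""
    values = next(csv.reader(io.StringIO(line)), [])
    if len(values) != len(FIELDS):
        return None, [f"expected {len(FIELDS)} fields, got {len(values)}"]
    event = dict(zip(FIELDS, (v.strip() for v in values)))
    problems = [f"{name}: undocumented value {event[name]!r}"
                for name, allowed in ALLOWED.items()
                if event[name] not in allowed]
    try:
        ipaddress.ip_address(event["ip"])
    except ValueError:
        problems.append(f"ip: not an IP address: {event['ip']!r}")
    return event, problems

# Constructed sample records (not real log output).
SAMPLES = [
    "2024-01-15 10:22:31 +00:00,0000000000,admin_audit,alice@example.com,"
    "super_admin,192.0.2.10,policy,Block PII,content_policy,severity,edit",
    "2024-01-15 10:25:02 +00:00,0000000000,admin_audit,bob@example.com,"
    "root,not-an-ip,policy,Block PII,content_policy,severity,drop",
]

if __name__ == "__main__":
    for line in SAMPLES:
        event, problems = parse_record(line)
        print(event["admin_id"], event["action"], problems or "ok")
```

Records that return a non-empty problem list are worth routing to a review queue rather than dropping, since an unexpected role or action value can indicate schema drift or a malformed feed.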