Admin Audit Log Fields

The descriptions and names of available log fields in a SaaS Security API administration activity log.
The admin audit log is generated when a SaaS Security API administrator performs an action such as remediating an incident, creating a new policy rule, or adding internal or external collaborators. The log includes the following fields, which are available for ingestion by your security information and event management (SIEM) system.
Fields are listed in the order that they are needed for push mode.
| Field Name | Description |
| --- | --- |
| timestamp | Time the incident was discovered in `YYYY-MM-DD HH:MM:SS` format with Augmented Backus-Naur Form (ABNF) to indicate the timezone. |
| serial | Serial number of the organization using the service (tenant). |
| log_type | Type of log. In this case, `admin_audit`. |
| admin_id | Email account associated with the SaaS Security API administrator. |
| admin_role | Role assigned to the administrator: `super_admin`, `admin`, `limited_admin`, or `read_only`. |
| ip | IP address of the administrator who performed the action. |
| event_type | Type of configuration change: `settings`, `policy`, `remediation`, or `login`. |
| item_name | Name of the item that changed in the configuration. |
| item_type | Type of item in the configuration that changed: `user`, `apps`, `settings`, `content_policy`, `file`, `risk`, or `general_settings`. |
| field | Name of the field associated with the configuration change. |
| action | Configuration change activity that occurred: `create`, `edit`, `delete`, `login`, or `logout`. |
| resource_value_old | Value before the configuration change occurred. |
| resource_value_new | Value after the configuration change occurred. |
| future_use | Not currently implemented. |
| future_use2 | Not currently implemented. |
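The following is an added example, not code from the product or its documentation: a parser that maps a push-mode record to the field names above, in the listed order, and reports values outside the documented enumerations. It assumes records are comma-separated with CSV quoting, which this page does not state; the sample records are constructed (timezone suffix omitted), and `is_change_by_read_only` is a hypothetical check shown as one use of the parsed fields.

```python
import csv
import io

# Field order as listed on this page (the order used for push mode).
FIELDS = ["timestamp", "serial", "log_type", "admin_id", "admin_role", "ip",
          "event_type", "item_name", "item_type", "field", "action",
          "resource_value_old", "resource_value_new", "future_use", "future_use2"]

# Enumerated values documented on this page.
ALLOWED = {
    "log_type": {"admin_audit"},
    "admin_role": {"super_admin", "admin", "limited_admin", "read_only"},
    "event_type": {"settings", "policy", "remediation", "login"},
    "item_type": {"user", "apps", "settings", "content_policy", "file",
                  "risk", "general_settings"},
    "action": {"create", "edit", "delete", "login", "logout"},
}

def parse_record(line):
    """Return (record, problems); assumes comma-separated CSV (the page
    gives the field order, not the delimiter)."""
    values = next(csv.reader(io.StringIO(line)), [])
    if len(values) != len(FIELDS):
        return None, [f"expected {len(FIELDS)} fields, got {len(values)}"]
    record = dict(zip(FIELDS, values))
    problems = [f"{name}: undocumented value {record[name]!r}"
                for name, allowed in ALLOWED.items()
                if record[name] not in allowed]
    return record, problems

def is_change_by_read_only(record):
    """Flag a create/edit/delete attributed to a read_only administrator."""
    return (record["admin_role"] == "read_only"
            and record["action"] in {"create", "edit", "delete"})

# Constructed sample records (not real log output).
SAMPLES = [
    '2024-01-15 09:30:00,0000000000,admin_audit,alice@example.com,super_admin,'
    '192.0.2.10,policy,"Block PII, external",content_policy,status,edit,disabled,enabled,,',
    '2024-01-15 09:31:12,0000000000,admin_audit,bob@example.com,read_only,'
    '192.0.2.11,settings,Session timeout,general_settings,timeout,edit,30,600,,',
    '2024-01-15 09:32:40,0000000000,admin_audit,carol@example.com,owner,'
    '192.0.2.12,login,carol@example.com,user,session,login,,,,',
]

for rec, problems in map(parse_record, SAMPLES):
    print(rec["admin_id"], problems, is_change_by_read_only(rec))
```

Records that fail the field count or carry an undocumented enumeration value are worth routing to a separate queue in the SIEM rather than dropping, since they indicate either a format change or a parsing mismatch.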
