humio-audit Event types
The type field in each humio-audit event defines the type of operation recorded in the audit log. The list of possible types is provided below.
Table: humio-audit type Values
Field Value | Description | Functionality | Availability |
---|---|---|---|
action.delete | Action has been deleted | Deleting an Action | |
alert.clear-error | Alert error has been cleared | Editing Alerts | |
alert.create | Alert has been created | Creating Alerts | |
alert.delete | Alert has been deleted | Deleting Automated Alerts | |
alert.disable | Alert has been disabled | Disabling an Alert | |
alert.enable | Alert has been enabled | Disabling an Alert | |
alert.update | Alert has been updated | Editing Alerts | |
baseaudit | Generic auditing entry | The humio-audit Repository | |
bucket-storage.update | Bucket storage configuration has been updated | Data Storage, Buckets and Archiving | |
bucket.storage.target.delete | Bucket storage target has been deleted | Delete Bucket Storage Targets | |
cachepolicy.delete | Data caching policy has been deleted | removeRepoCachePolicy() | |
cachepolicy.update | Cache policy has been updated | setRepoCachePolicy() | |
config.settings | Configuration settings have been changed | Configuration Settings | |
dashboard.create | A dashboard has been created | Create Dashboards and Widgets | |
dashboard.delete | A dashboard has been deleted | Main Operations | |
dashboard.link.create | A shared dashboard link has been created | Sharing Dashboards | |
dashboard.link.delete | A shared dashboard link has been deleted | Disabling Access to Shared Dashboards | |
dashboard.link.update | A shared dashboard link has been updated | Disabling Access to Shared Dashboards | |
dashboard.update | A dashboard has been edited | Edit Dashboards | |
datasource.autoshard | Datasource autosharding has started | Configure Auto-Sharding for High-Volume Data Sources | |
datasource.delete | A datasource has been deleted | Delete Datasources, Data Sources | |
datasource.max-autoshard-count | The globally configured maximum number of autoshards (DATASOURCE_MAX_AUTOSHARD_COUNT) was overridden | Configure Auto-Sharding for High-Volume Data Sources, updateMaxAutoShardCount() | |
datasource.stop-autoshard | Autosharding for a datasource has stopped | Configure Auto-Sharding for High-Volume Data Sources | |
dataspace.block | Ingest has been paused | Disabling Ingestion | |
dataspace.datatype | Repository datatype has been updated | Repository and View Settings | |
dataspace.default-autoshard | Default autosharding rule applied | Configure Auto-Sharding for High-Volume Data Sources | |
dataspace.delete | A repository has been deleted | Delete a Repository or View | |
dataspace.kind | Dataspace kind has been updated | Repository and View Settings | |
dataspace.limit-id | Repository limit has been updated | Repository and View Settings | |
dataspace.max-ingest-request-size | Repository max ingest request size has been changed | Repository and View Settings | |
dataspace.query | Query has been executed | Writing Queries | |
dataspace.retention | Retention settings have been changed | Data Retention | |
dataspace.settings | Repository settings have been updated | Repository and View Settings | |
dataspace.taggroupingrules | Repository tag grouping rules have been updated | Tag Grouping | |
dataspace.unblock | The ingest pause has been cleared | Disabling Ingestion | |
delete.events | Events have been deleted | Redact Events API | |
dynamicconfig.set | A dynamic configuration value has been updated | Dynamic Configuration Parameters | |
email-action.create | An email action has been created | Action Type: Email | |
email-action.update | An email action has been updated | Action Type: Email | |
eventforwarder.delete | An event forwarder has been deleted | Event Forwarders | |
eventforwarder.disable | An event forwarder has been disabled | Event Forwarders | |
eventforwarder.enable | An event forwarder has been enabled | Event Forwarders | |
eventforwarder.kafka.create | An event forwarder has been created | Event Forwarders | |
eventforwarder.kafka.update | An event forwarder has been updated | Event Forwarders | |
eventforwardingrule.add | An event forwarding rule has been added | Event Forwarding Rules | |
eventforwardingrule.delete | An event forwarding rule has been deleted | Event Forwarding Rules | |
eventforwardingrule.update | An event forwarding rule has been updated | Event Forwarding Rules | |
fdrfeed-controls.update | Falcon Data Replicator feed controls have been created | Ingesting FDR Data into a Repository | |
fdrfeed.create | Falcon Data Replicator feed configurations have been created | Ingesting FDR Data into a Repository | |
fdrfeed.delete | Falcon Data Replicator feed configurations have been deleted | Ingesting FDR Data into a Repository | |
fdrfeed.update | Falcon Data Replicator feed configurations have been updated | Ingesting FDR Data into a Repository | |
featureflag.global.update | A feature flag has been updated at the cluster level | Enabling & Disabling Feature Flags, Syntax | |
featureflag.org.update | A feature flag has been updated at the organization level | Enabling & Disabling Feature Flags, Syntax | |
featureflag.user.update | A feature flag has been updated at the user level | Enabling & Disabling Feature Flags, Syntax | |
fieldaliasing.schema.create | A field aliasing schema has been created | Configuring Field Aliasing | |
fieldaliasing.schema.delete | A field aliasing schema has been deleted | Configuring Field Aliasing | |
fieldaliasing.schema.disable-org | A field aliasing schema in an organization has been disabled | Configuring Field Aliasing | |
fieldaliasing.schema.disable-view | Field aliasing on a view has been disabled | Configuring Field Aliasing | |
fieldaliasing.schema.enable-org | A field aliasing schema has been enabled on an organization | Configuring Field Aliasing | |
fieldaliasing.schema.enable-views | A field aliasing schema has been enabled on a view | Configuring Field Aliasing | |
fieldaliasing.schema.update | A field aliasing schema has been updated | Configuring Field Aliasing | |
filterAlert.clear-error | A filter alert error condition has been cleared | Monitoring Alerts | |
filterAlert.create | A filter alert has been created | Creating Alerts | |
filterAlert.delete | A filter alert has been deleted | Deleting an Alert | |
filterAlert.disable | A filter alert has been disabled | Disabling an Alert | |
filterAlert.enable | A filter alert has been enabled | Disabling an Alert | |
filterAlert.update | A filter alert has been updated | Editing Alerts | |
fleet.collectors.unenroll | Fleet collectors have been unenrolled | Manage Falcon Log Collector Instance Enrollment | |
flushingstate.org.clear | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
flushingstate.org.update | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
group.membership.change | A user has been added or removed in a group | Group Memberships | |
group.organizationrole.assigned | An organization role has been assigned to a group | Assign Roles to Groups | |
group.organizationrole.unassigned | An organization role has been unassigned from a group | Assign Roles to Groups | |
group.role.assigned | A role has been assigned to a group | Assign Roles to Groups | |
group.role.unassigned | A role has been removed from a group | Assign Roles to Groups | |
group.systemrole.assigned | The system role has been added to a group | Manage Groups | |
group.systemrole.unassigned | The system role has been removed from a group | Manage Groups | |
hashedtokens.change | An API token has been changed | API Tokens | |
hashedtokens.rotate | An API token has been rotated | API Tokens | |
humio-repo-action.create | A LogScale repo action has been created | Action Type: Falcon LogScale Repository | |
humio-repo-action.update | A LogScale repo action has been updated | Action Type: Falcon LogScale Repository | |
identityProvider | Identity providers have been changed | Authentication & Identity Providers | |
ingest.block | Event ingest was blocked | Blocking and Unblocking Ingestion, Disabling Ingestion | |
ingestconsumer.force-release | |||
ingestfeed.create | An ingest feed has been created | Set up a New Ingest Feed | |
ingestfeed.delete | An ingest feed has been deleted | Delete an Ingest Feed | |
ingestfeed.reset-quota | Quota/rate for ingest feed was set to a value or reset to defaults | ||
ingestfeed.update | An ingest feed has been updated | Edit Ingest Feed Configuration | |
ingestlistener.create | An ingest listener has been created | Ingest Listeners | |
ingestlistener.delete | Ingest listeners have been deleted | Ingest Listeners | |
ingestlistener.update | Ingest listeners have been updated | Ingest Listeners | |
iocaccess.update | IOC access was updated | IOC Configuration, enableOrganizationIocAccess(), disableOrganizationIocAccess() | |
ipfilters.change | An IP filter has been updated | Editing an IP Filter | |
login.bridge.allowed.users | Third-party authentication allowed users has been updated | addLoginBridgeAllowedUsers() | |
login.bridge.change | Third-party authentication method has been changed | updateLoginBridge() | |
login.bridge.delete | Third-party authentication method has been deleted | removeLoginBridge() | |
login.bridge.generate.login | Third-party authentication user login request has been generated | LoginBridgeRequest | |
login.bridge.terms.change | Third-party authentication has been updated | updateLoginBridge() | |
notifications.create | A notification has been created | ||
notifications.delete | A notification has been deleted | deleteNotification() | |
notifications.user.change | Notification user has been updated | ||
notifications.user.create | Notification user has been created | ||
notifications.user.delete | Notification user has been deleted | ||
ops-genie-action.create | OpsGenie action has been created | Action Type: OpsGenie | |
ops-genie-action.update | OpsGenie action has been updated | Action Type: OpsGenie | |
org.datasources.import | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
org.metadata.import | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
org.metadata.import.rollback | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
org.segments.import | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
organization.inconsistencyjob.start | An organization cleanup job was started | ||
organizations | Organization settings have been changed | Organization Settings | |
organizations.batch | Organization inconsistency cleanup job run. | ||
organizations.buckets.readonly | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
organizations.cid.set | A CrowdStrike CID (customer ID) was associated with an organization | | |
organizations.cross.change | A cross organization view was created or updated. | Repository and View Settings | |
organizations.link.create | A link between an organization and a "child" organization was created. | ||
organizations.link.unlink | All links for the organization were removed. | ||
organizations.link.unlink.child | Link to a child organization was removed. | ||
organizations.queryhandles.ownership-batch.update | Query ownership handles have been batch updated | Updating Organization Ownership for Existing Queries | |
organizations.securitypolicies.actions.update | The security policy for Actions has been updated | Changing Actions Security Policies | |
organizations.securitypolicies.shared-dashboards.update | Shared dashboard security policies have been updated | Dashboard Security Policies | |
organizations.securitypolicies.tokens.update | Security policy for API tokens has been updated | API Token Security Policies | |
organizations.selected.batch | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
organizations.subscription.change | Subscription changed for an organization | updateOrganizationSubscription() | |
organizations.transfer.user | A user has been invited to join and joined another organization | addUserV2() | |
organizations.update.foreignkey | Bad reference fixed in organization settings | updateOrganizationForeignKey() | |
organizations.users | Organization users have been updated | ||
organizations.users.batch | Certain users within an organization have been fixed or removed. | ||
orgtransfer-job-status.create | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
orgtransfer-job-status.delete | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
package.entity.create | An item (query, dashboard, widget) within a package has been changed | Packages | |
package.entity.delete | An item (query, dashboard, widget) within a package has been deleted | Packages | |
package.error | A package error has been triggered | Packages | |
package.install | A package has been installed | Installing & Updating Packages | |
package.uninstall | A package has been uninstalled | Installing & Updating Packages | |
package.update | A package has been updated | Installing & Updating Packages | |
pager-duty-action.create | A PagerDuty action has been created | Action Type: PagerDuty | |
pager-duty-action.update | A PagerDuty action has been updated | Action Type: PagerDuty | |
parser.create | A parser has been created | Creating a Parser | |
parser.delete | A parser has been deleted | Creating a Parser | |
parser.update | A parser has been updated | updateParserV2() | |
query-blocklist.add | Query blocklist has been created | Blocking Queries | |
query-blocklist.remove | Query blocklist has been removed | Blocking Queries | |
query-quota.set | Query quota setting has been updated | Query Quotas | |
query.stop-all-queries | All queries have been stopped | stopAllQueries() | |
query.stop-exporting-queries | All streaming (live) queries have been stopped | stopStreamingQueries() | |
query.stop-static-queries | All historical queries have been stopped | stopHistoricalQueries() | |
readonly.dashboard.accessed | A read-only dashboard has been accessed | Sharing Dashboards, Dashboard Security Policies | |
readonly.dashboard.update | A read-only dashboard has been updated | Dashboard Security Policies | |
redirectingest.org.clear | Redirect of ingest to target cluster has been cleared; event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
redirectingest.org.update | Redirect of ingest to target cluster was set; event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
repo.users | User access to a repo or view has been changed | Repository & View Permissions, Manage Roles | |
repository.create | A repository has been created | Creating a Repository or View | |
role.objectaction.change | Role has been changed | Manage Roles, updateRole() | |
role.organizationpermissions.change | Role organization permissions have been changed | Organization Administration Permissions, Manage Roles | |
role.systempermissions.change | Role system permissions have been changed | Cluster Management Permissions, Manage Roles | |
role.viewpermissions.change | Role view or repository permissions have been changed | Repository & View Permissions, Manage Roles | |
s3-archiving.configure | S3 archiving settings were changed | S3 Archiving for LogScale Cloud, S3 Archiving (Self-Install) | |
s3-archiving.disable | S3 archiving was disabled | S3 Archiving for LogScale Cloud, S3 Archiving (Self-Install) | |
s3-archiving.enable | S3 archiving was enabled | S3 Archiving for LogScale Cloud, S3 Archiving (Self-Install) | |
s3-archiving.restart | S3 archiving was restarted | S3 Archiving for LogScale Cloud, S3 Archiving (Self-Install) | |
saved-query.create | A saved query has been created | User Functions (Saved Searches) | |
saved-query.delete | A saved query has been deleted | User Functions (Saved Searches) | |
saved-query.update | A saved query has been updated | User Functions (Saved Searches) | |
scheduled-search.clear-error | A scheduled search error condition has been cleared | Scheduled Searches | |
scheduled-search.create | A scheduled search has been created | Creating a Scheduled Search | |
scheduled-search.delete | A scheduled search has been deleted | Scheduled Searches | |
scheduled-search.update | A scheduled search has been updated | Scheduled Searches | |
segment.delete | A segment has been deleted | Mark Segment for Deletion | |
sessions.revoke | A user session has been revoked | revokeSession(), Managing Sessions within an Organization | |
slack-action.create | Slack action has been created | Action Type: Slack | |
slack-action.update | Slack action has been updated | Action Type: Slack | |
slack-post-message-action.create | Slack message action has been created | Action Type: Slack | |
slack-post-message-action.update | Slack message action has been updated | Action Type: Slack | |
subdomain.remove | Subdomain settings for an organization have been removed | Authentication & Adding Collaborators, SubdomainConfig | |
subdomain.set | Subdomain settings for an organization have been updated | Authentication & Adding Collaborators, SubdomainConfig | |
system-repository.create | LogScale system repository has been created | ||
tokens | API or security tokens have been updated | API Tokens | |
transfer.ingest-redirection | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transfer.metadata | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transfer.segment | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transfer.snapshot | TRANSFER_SNAPSHOT; event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transfercheckmark.org.update | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transfercheckmarks.org.update | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
transferjob.added | A transfer job between clusters was added | ||
transferjob.cancelled | A transfer job was canceled | ||
transferstate.org.update | Event triggered by Falcon LogScale support performing an organization transfer to a new cluster. | | |
upload-file-action.create | Upload file action has been created | Action Type: Upload File | |
upload-file-action.update | Upload file action has been updated | Action Type: Upload File | |
uploaded-file.create | A lookup file has been created | Creating a File, UploadFileAction | |
uploaded-file.delete | An uploaded file has been deleted | Exporting or Deleting a File | |
uploaded-file.update | An uploaded file has been updated | UploadFileAction, Lookup Files | |
user.accept-standard-mandatory-dod-notice-and-consent | User has accepted the usage notice | ||
user.accept-terms | User has accepted the terms | acceptTermsAndConditions() | |
user.invite-accepted | User has accepted an invite | Manage Users | |
user.invited | A user has been invited to access the cluster | Manage Users | |
user.profile | User settings have been changed | Manage Users | |
user.roles.change | The roles assigned to a user have been changed | Manage Users | |
user.signin | User has signed in | Manage Users | |
user.signout | User has signed out (manually or automatically) | Manage Users | |
victor-ops-action.create | A VictorOps action has been created | Action Type: VictorOps (Splunk On-Call) | |
victor-ops-action.update | A VictorOps action has been updated | Action Type: VictorOps (Splunk On-Call) | |
view.delete | A repository or view has been deleted | Delete a Repository or View | |
view.rename | A repository or view has been renamed | Repository and View Settings | |
view.restore | A previously deleted view was restored | Delete a Repository or View | |
viewinteraction.create | A view interaction was created | Event List Interactions | |
viewinteraction.delete | A view interaction was deleted | Event List Interactions | |
viewinteraction.update | A view interaction was updated | Event List Interactions | |
webhook-action.create | A webhook action has been created | Action Type: Webhooks | |
webhook-action.update | A webhook action has been updated | Action Type: Webhooks |