humio-audit Event types

The type field in each humio-audit event defines the type of operation recorded in the audit log. The list of possible types is provided below.

Table: humio-audit type Values

| Field Value | Field actionName Value | Availability | Description | Functionality |
|---|---|---|---|---|
| $singularName.delete | | | Entity was deleted. | |
| action | | | Limit for organization added or updated | LimitV2 |
| action.delete | | | Action has been deleted | Delete an Action |
| aggregateAlert.add-label | | (added in 1.201) | | |
| aggregateAlert.remove-label | | (added in 1.201) | | |
| alert.clear-error | | | Alert error has been cleared | Edit triggers |
| alert.create | | | Alert has been created | Create triggers |
| alert.delete | | | Alert has been deleted | Deleting Automated Alerts |
| alert.disable | | | Alert has been disabled | Disabling an Alert |
| alert.enable | | | Alert has been enabled | automated-alerts-create-general-new-labels, enableAlert() |
| alert.update | | | Alert has been updated | Editing Alerts |
| baseaudit | | | Generic auditing entry | The humio-audit Repository |
| bucket-storage.update | | | Bucket storage configuration has been updated | Storage Architecture |
| bucket.storage.target.delete | | | Bucket storage target has been deleted | Delete Bucket Storage Targets |
| bucket.storage.target.update | | | Bucket storage target has been updated | Update Segments Storage Targets |
| cachepolicy.delete | | | Data caching policy has been deleted | removeRepoCachePolicy() |
| cachepolicy.update | | | Cache policy has been updated | setRepoCachePolicy() |
| cluster-management-stats.refresh | | (added in 1.172) | Forced refresh of cluster management stats was done | refreshClusterManagementStats() |
| cluster-management.update | | | A change was made to a setting involving digester replication factor, update of desired digesters, rebalance of existing segments, segment replication factor, or minimum host alive percentage. | setAllowUpdateDesiredDigesters(), setDigestReplicationFactor(), setMinHostAlivePercentageToEnableClusterRebalancing(), setSegmentReplicationFactor(), Rebalancing Segments |
| cluster.globalconsistencycheck.start | | (added in 1.168) | Global consistency check run on a cluster | runGlobalConsistencyCheck() |
| config.settings | | (removed in 1.171.0) | Configuration settings have been changed | Configuration Settings |
| dashboard.create | | | A dashboard has been created | Create Dashboards and Widgets |
| dashboard.delete | | | A dashboard has been deleted | Main Operations |
| dashboard.link.create | | | A shared dashboard link has been created | Sharing Dashboards |
| dashboard.link.delete | | | A shared dashboard link has been deleted | Disabling Access to Shared Dashboards |
| dashboard.link.update | | | A shared dashboard link has been updated | Disabling Access to Shared Dashboards |
| dashboard.update | | | A dashboard has been edited | Edit Dashboards |
| datasource.autoshard | | | Default autosharding rule applied | Configure Auto-Sharding for High-Volume Data Sources |
| datasource.autoshard | | | Datasource autosharding has started | Configure Auto-Sharding for High-Volume Data Sources |
| datasource.delete | | | A datasource has been deleted | Delete Datasources, Datasources |
| datasource.max-autoshard-count | | | The globally configured maximum number of autoshards in DATASOURCE_MAX_AUTOSHARD_COUNT was overridden. | Configure Auto-Sharding for High-Volume Data Sources, updateMaxAutoShardCount() |
| datasource.stop-autoshard | | | Autosharding for a datasource has stopped | Configure Auto-Sharding for High-Volume Data Sources |
| dataspace.block | | | Ingest has been paused | Disabling Ingestion |
| dataspace.datatype | | | Repository datatype has been updated | Repository and View Settings |
| dataspace.delete | | | A repository has been deleted | Delete a Repository or View |
| dataspace.kind | | | Dataspace kind has been updated | Repository and View Settings |
| dataspace.limit-id | | | Repository limit has been updated | Repository and View Settings |
| dataspace.max-ingest-request-size | | | Repository max ingest request size has been changed | Repository and View Settings |
| dataspace.query | | | Query has been executed | Write Queries |
| dataspace.retention | | | Retention settings have been changed | Data Retention |
| dataspace.settings | | | Repository settings have been updated | Repository and View Settings |
| dataspace.taggroupingrules | | | Repository tag grouping rules have been updated | Tag Grouping in AWS S3 |
| dataspace.unblock | | | The ingest pause has been cleared | Disabling Ingestion |
| delete.events | | | Events have been deleted | Redact Events API |
| dynamicconfig.set | | | A dynamic configuration value has been updated | Dynamic Configuration Parameters |
| dynamicconfig.unset | | | A dynamic configuration value has been removed | Dynamic Configuration Parameters |
| email-action.create | | | An email action has been created | Action Type: Email |
| email-action.update | | | An email action has been updated | Action Type: Email |
| eventforwarder.delete | | | An event forwarder has been deleted | Event Forwarders |
| eventforwarder.disable | | | An event forwarder has been disabled | Event Forwarders |
| eventforwarder.enable | | | An event forwarder has been enabled | Event Forwarders |
| eventforwarder.kafka.create | | | An event forwarder has been created | Event Forwarders |
| eventforwarder.kafka.update | | | An event forwarder has been updated | Event Forwarders |
| eventforwardingrule.add | | | An event forwarding rule has been added | createEventForwardingRule(), Event Forwarding Rules |
| eventforwardingrule.delete | | | An event forwarding rule has been deleted | Event Forwarding Rules |
| eventforwardingrule.update | | | An event forwarding rule has been updated | Event Forwarding Rules |
| fdrfeed-controls.update | | | Falcon Data Replicator feed controls have been created | Ingesting FDR Data into a Repository |
| fdrfeed.create | | | Falcon Data Replicator feed configurations have been created | Ingesting FDR Data into a Repository |
| fdrfeed.delete | | | Falcon Data Replicator feed configurations have been deleted | Ingesting FDR Data into a Repository |
| fdrfeed.update | | | Falcon Data Replicator feed configurations have been updated | Ingesting FDR Data into a Repository |
| featureflag.global.update | | | A feature flag has been updated at the cluster level | Enabling & Disabling Feature Flags, Syntax |
| featureflag.org.update | | | A feature flag has been updated at the organization level | Enabling & Disabling Feature Flags, Syntax |
| featureflag.user.update | | | A feature flag has been updated at the user level | Enabling & Disabling Feature Flags, Syntax |
| fieldaliasing.schema.create | | | A field aliasing schema has been created | Configuring Field Aliasing |
| fieldaliasing.schema.delete | | | A field aliasing schema has been deleted | Configuring Field Aliasing |
| fieldaliasing.schema.disable-org | | | A field aliasing schema in an organization has been disabled | Configuring Field Aliasing |
| fieldaliasing.schema.disable-view | | | Field aliasing on a view has been disabled | Configuring Field Aliasing |
| fieldaliasing.schema.disable-views | | (added in 1.164) | Field aliasing on more than one view has been disabled | Configuring Field Aliasing |
| fieldaliasing.schema.enable-org | | | A field aliasing schema has been enabled on an organization | Configuring Field Aliasing |
| fieldaliasing.schema.enable-views | | | A field aliasing schema has been enabled on a view | Configuring Field Aliasing |
| fieldaliasing.schema.update | | | A field aliasing schema has been updated | Configuring Field Aliasing |
| filterAlert.add-label | | (added in 1.201) | | |
| filterAlert.clear-error | | | A filter alert error condition has been cleared | Monitor, diagnose, and troubleshoot triggers |
| filterAlert.create | | | A filter alert has been created | Create triggers |
| filterAlert.delete | | | A filter alert has been deleted | Deleting an Alert |
| filterAlert.disable | | | A filter alert has been disabled | Disabling an Alert |
| filterAlert.enable | | | A filter alert has been enabled | Disabling an Alert |
| filterAlert.remove-label | | (added in 1.201) | | |
| filterAlert.update | | | A filter alert has been updated | Editing Alerts |
| fleet.collectors.assignconfig | | | Log Collector(s) assigned to a configuration | assignLogCollectorConfiguration(), assignLogCollectorsToConfiguration() |
| fleet.collectors.disabledebuglogging | | | Debug for a Log Collector instance was disabled | disableLogCollectorInstanceDebugLogging() |
| fleet.collectors.enabledebugloggingstatic | | | Debug logging enabled for a Log Collector instance | enableLogCollectorInstanceDebugLogging() |
| fleet.collectors.enroll | | | Log Collector enrolled in fleet management | EnrolledCollector, Enrollment Command Options |
| fleet.collectors.unenroll | | | Log collectors have been unenrolled | unenrollLogCollectors(), Enroll Instances |
| fleet.collectors.wantedVersion | | | Wanted version of Log Collector set | setWantedLogCollectorVersion() |
| fleet.configuration.create | | | Log Collector configuration created | createLogCollectorConfiguration() |
| fleet.configuration.delete | | | Log Collector configuration deleted | deleteLogCollectorConfiguration() |
| fleet.configuration.publish | | | Updated Log Collector configuration published | publishLogCollectorConfiguration() |
| fleet.group.delete | | | Log Collector group deleted | deleteLogCollectorGroup() |
| fleet.group.setconfigids | | | Log Collector group configuration IDs updated | updateLogCollectorGroupConfigIds() |
| fleet.group.setfilter | | | Log Collector group filter updated | updateLogCollectorGroupFilter() |
| fleet.group.setwantedversion | | | Wanted Log Collector version set | setWantedLogCollectorVersion() |
| fleet.installtokens.create | | | Fleet installation token created | createFleetInstallToken() |
| fleet.installtokens.delete | | | Fleet installation token deleted | deleteToken() |
| fleet.installtokens.updateconfigid | | | Configuration ID updated | updateLogCollectorGroupConfigIds() |
| fleet.settings.disabledebuglogging | | | Debug for Log Collector was disabled | disableLogCollectorDebugLogging() |
| fleet.settings.enabledebugloggingstatic | | | Debug enabled for all Log Collector instances | enableLogCollectorDebugLogging() |
| fleet.settings.setlostcollectordays | | | Lost Log Collector days set | setLostCollectorDays() |
| flight-recorder-settings.update | | | FlightRecorder settings updated | flightRecorderSettings() |
| flushingstate.org.clear | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| flushingstate.org.update | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| global.patch | | | Global patch event | Patch global |
| group.create | | | New group created | addGroup(), Manage Groups |
| group.delete | | | Group was deleted | removeGroup(), Manage Groups |
| group.membership.change | removeUsers, addUsers | | A user has been added or removed in a group | Group Memberships |
| group.organizationmanagementrole.assigned | | | An organization management role has been assigned to a group | assignOrganizationManagementRoleToGroup(), Assign Roles to Groups |
| group.organizationmanagementrole.unassigned | | | An organization management role has been unassigned from a group | unassignOrganizationRoleFromGroup(), Assign Roles to Groups |
| group.organizationrole.assigned | | | An organization role has been assigned to a group | Assign Roles to Groups |
| group.organizationrole.unassigned | | | An organization role has been unassigned from a group | Assign Roles to Groups |
| group.role.assigned | | | A role has been assigned to a group | Assign Roles to Groups |
| group.role.unassigned | | | A role has been removed from a group | Assign Roles to Groups |
| group.systemrole.assigned | | | The system role has been added to a group | Manage Groups |
| group.systemrole.unassigned | | | The system role has been removed from a group | Manage Groups |
| group.update | | | Group was updated | updateGroup(), Manage Groups |
| group.update.defaultQueryPrefix | | | Default query prefix for group was updated | updateDefaultQueryPrefix(), Manage Groups |
| group.update.defaultRole | | | Default role of group was updated | updateDefaultRole(), Add or change roles |
| group.update.queryPrefix | | | Query prefix updated for group | updateQueryPrefix(), Manage Groups |
| hashedtokens.change | | (available 1.170 to 1.176.0) | Permissions for an API token have been changed | API Tokens |
| hashedtokens.change | | | An API token has been changed | API Tokens |
| hashedtokens.change | updateViewPermissionsTokenAssetPermissions | (added in 1.177) | Permissions for an API token have been changed | API Tokens |
| hashedtokens.change | | (added in 1.170) | Permissions for an API token have been created | API Tokens |
| hashedtokens.rotate | | | An API token has been rotated | API Tokens |
| host-management.update | | | Host management settings updated | |
| humio-repo-action.create | | | A LogScale repo action has been created | Action Type: Falcon LogScale Repository |
| humio-repo-action.update | | | A LogScale repo action has been updated | Action Type: Falcon LogScale Repository |
| identityProvider | | | Identity providers have been changed | Authentication and Identity Providers |
| ingest.block | | | Event ingest was blocked | Disabling Ingestion, Blocking and Unblocking Ingestion |
| ingestconsumer.force-release | | | Forced release of ingest consumer | |
| ingestfeed.create | | (removed in 1.163.0) | An ingest feed has been created | Set up a New AWS Ingest Feed |
| ingestfeed.delete | | (removed in 1.163.0) | An ingest feed has been deleted | Delete an Ingest Feed |
| ingestfeed.reset-quota | | (removed in 1.163.0) | Quota/rate for ingest feed was set to a value or reset to defaults | |
| ingestfeed.update | | (removed in 1.163.0) | An ingest feed has been updated | Edit Ingest Feed Configuration |
| ingestlistener.create | | | An ingest listener has been created | Ingest Listeners |
| ingestlistener.delete | | | Ingest listeners have been deleted | Ingest Listeners |
| ingestlistener.update | | | Ingest listeners have been updated | Ingest Listeners |
| iocaccess.update | | | IOC access was updated | IOC Configuration, disableOrganizationIocAccess(), enableOrganizationIocAccess() |
| ipfilters.change | | | An IP filter has been updated | Edit an IP Filter |
| limit.delete | | | Limit removed from organization | removeLimitWithId() |
| limit.mark.deleted | | | Limit mark was deleted. | Query Quotas, markLimitDeleted(), Limits & Standards |
| login.bridge.allowed.users | | | Third-party authentication allowed users has been updated | addLoginBridgeAllowedUsers() |
| login.bridge.change | | | Third-party authentication method has been changed | updateLoginBridge() |
| login.bridge.delete | | | Third-party authentication method has been deleted | removeLoginBridge() |
| login.bridge.generate.login | | | Third-party authentication user login request has been generated | LoginBridgeRequest |
| login.bridge.terms.change | | | Third-party authentication has been updated | updateLoginBridge() |
| no-op-action.create | | | Action created as a product of alerts during unit tests where the alert must register an action but it is not necessary for an email, etc. to be sent. The action does nothing, hence the name no op. | |
| no-op-action.update | | | Action updated as a product of alerts during unit tests where the alert must register an action but it is not necessary for an email, etc. to be sent. The action does nothing, hence the name no op. | |
| notifications.create | | | A notification has been created | |
| notifications.delete | | | A notification has been deleted | deleteNotification() |
| notifications.user.change | | | Notification user has been updated | |
| notifications.user.create | | | Notification user has been created | |
| notifications.user.delete | | | Notification user has been deleted | |
| ops-genie-action.create | | | OpsGenie action has been created | Action Type: OpsGenie |
| ops-genie-action.update | | | OpsGenie action has been updated | Action Type: OpsGenie |
| org.datasources.import | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| org.metadata.import | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| org.metadata.import.rollback | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| org.segments.import | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| organization.inconsistencyjob.start | | | An organization cleanup job was started | |
| organization.userdefaults.update | | | User defaults for organization updated | |
| organizations | | | Organization settings have been changed | Organization Settings |
| organizations.batch | | | Organization inconsistency cleanup job run. | |
| organizations.buckets.readonly | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| organizations.cid.set | | | A CrowdStrike CID (customer ID) was associated with an organization | |
| organizations.cross-org-view.add-connections | | (added in 1.165) | A cross organization view connection was added | addCrossOrgViewConnections() |
| organizations.cross-org-view.create | | (added in 1.165) | A cross-organization view was created | createCrossOrgView() |
| organizations.cross-org-view.remove-connections | | (added in 1.165) | Remove connections for cross-organization view | |
| organizations.cross-org-view.update-filters | | (added in 1.165) | View connection filters for a cross-organization view have been updated | updateCrossOrgViewConnectionFilters() |
| organizations.cross.change | | | A cross organization view was created or updated. | Repository and View Settings |
| organizations.link.create | | | A link between an organization and a "child" organization was created. | |
| organizations.link.unlink | | | All links for the organization were removed. | |
| organizations.link.unlink.child | | | Link to a child organization was removed. | |
| organizations.queryhandles.ownership-batch.update | | | Query ownership handles have been batch updated | Updating Organization Ownership for Existing Queries |
| organizations.securitypolicies.actions.update | | | The security policy for Actions has been updated | Change actions security policies |
| organizations.securitypolicies.shared-dashboards.update | | | Shared dashboard security policies have been updated | Dashboard security policies |
| organizations.securitypolicies.tokens.update | | | Security policy for API tokens has been updated | API token security policies |
| organizations.selected.batch | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| organizations.subscription.change | | | Subscription changed for an organization | updateOrganizationSubscription() |
| organizations.transfer.user | | | A user has been invited to join and joined another organization | addUserV2() |
| organizations.update.foreignkey | | | Bad reference fixed in organization settings | updateOrganizationForeignKey() |
| organizations.users | | | Organization users have been updated | |
| organizations.users.batch | | | Certain users within an organization have been fixed or removed. | |
| orgtransfer-job-status.create | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| orgtransfer-job-status.delete | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| package.entity.create | | | An item (query, dashboard, widget) within a package has been changed | Package Management |
| package.entity.delete | | | An item (query, dashboard, widget) within a package has been deleted | Package Management |
| package.error | | | A package error has been triggered | Package Management |
| package.install | | | A package has been installed | Installing & Updating Packages |
| package.uninstall | | | A package has been uninstalled | Installing & Updating Packages |
| package.update | | | A package has been updated | Installing & Updating Packages |
| pager-duty-action.create | | | A PagerDuty action has been created | Action Type: PagerDuty |
| pager-duty-action.update | | | A PagerDuty action has been updated | Action Type: PagerDuty |
| parser.create | | | A parser has been created | Create a Parser |
| parser.delete | | | A parser has been deleted | Create a Parser |
| parser.update | | | A parser has been updated | updateParserV2() |
| partition.offset.set | | | Offset for an ingest partition was set | setOffsetForDatasourcesOnPartition() |
| permission.assignment.create | | | Permission granted | Asset permissions |
| permission.assignment.create | | (available 1.161 to 1.167.0) | Permission granted | Asset permissions |
| permission.assignment.delete | | (available 1.161 to 1.167.0) | Permission removed. | Asset permissions |
| permission.assignment.delete | | (added in 1.160) | Permission removed. For more information, see Asset permissions. | |
| permission.assignment.update | | (added in 1.160) | Permission updated. | Asset permissions |
| query-blocklist.add | | | Query blocklist has been created | Blocking Queries, addToBlocklist(), addToBlocklistById() |
| query-blocklist.remove | | | Query blocklist has been removed | Blocking Queries |
| query-quota.set | | | Query quota setting has been updated | Query Quotas |
| query.stop-all-queries | | | All queries have been stopped | stopAllQueries() |
| query.stop-exporting-queries | | | All Streaming (live) queries have been stopped | stopStreamingQueries() |
| query.stop-static-queries | | | All historical queries have been stopped | stopHistoricalQueries() |
| readonly.dashboard.accessed | | | A read-only dashboard has been accessed | Sharing Dashboards, Dashboard security policies |
| readonly.dashboard.update | | | A read-only dashboard has been updated | Dashboard security policies |
| redirectingest.org.clear | | | Redirect of ingest to target cluster has been cleared; event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| redirectingest.org.update | | | Redirect of ingest to target cluster was set; event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| repo.users | | | User access to a repo or view has been changed | Repository & View permissions, Manage Roles |
| repository.create | | | A repository has been created | Creating a Repository or View |
| role.create | | | New role created | createRole(), Manage Roles |
| role.delete | | | Role was deleted | removeRole(), Manage Roles |
| role.description.change | | | Role description was changed | |
| role.name.change | | | Name change of role | updateRole(), Manage Roles |
| role.objectaction.change | | | Role has been changed | updateRole(), Manage Roles |
| role.organizationmanagementpermissions.change | | | Organization management permissions for role changed | Organization Administration Permissions, Manage Roles |
| role.organizationpermissions.change | | | Role organization permissions have been changed | Organization Administration Permissions, Manage Roles |
| role.systempermissions.change | | | Role system permissions have been changed | Cluster Management Permissions, Manage Roles |
| role.viewpermissions.change | | | Role view or repository permissions have been changed | Repository & View permissions, Manage Roles |
| s3-archiving.configure | | | S3 archiving settings were changed | S3 Archiving |
| s3-archiving.disable | | | S3 archiving was disabled | S3 Archiving |
| s3-archiving.enable | | | S3 archiving was enabled | S3 Archiving |
| s3-archiving.restart | | | S3 archiving was restarted | S3 Archiving |
| saved-query.create | | | A saved query has been created | User Functions (Saved Searches) |
| saved-query.delete | | | A saved query has been deleted | User Functions (Saved Searches) |
| saved-query.update | | | A saved query has been updated | User Functions (Saved Searches) |
| scheduled-search.clear-error | | | A scheduled search error condition has been cleared | Scheduled searches |
| scheduled-search.create | | | A scheduled search has been created | Create triggers |
| scheduled-search.delete | | | A scheduled search has been deleted | Scheduled searches |
| scheduled-search.update | | | A scheduled search has been updated | Scheduled searches |
| segment.delete | | | A segment has been deleted | Mark Segment for Deletion |
| sessions.change.config | | | Session settings for organization updated. | updateSessionSettings(), Session management |
| sessions.create | | | A user session has been created | Manage sessions within an organization |
| sessions.revoke | | | A user session has been revoked | revokeSession(), Manage sessions within an organization |
| slack-action.create | | | Slack action has been created | Action Type: Slack |
| slack-action.update | | | Slack action has been updated | Action Type: Slack |
| slack-post-message-action.create | | | Slack message action has been created | Action Type: Slack |
| slack-post-message-action.update | | | Slack message action has been updated | Action Type: Slack |
| sociallogin.settings.update | | | Social login options for an organization were updated | updateSocialLoginSettings() |
| subdomain.remove | | | Subdomain settings for an organization have been removed | SubdomainConfig, Authentication & Adding Collaborators |
| subdomain.set | | | Subdomain settings for an organization have been updated | SubdomainConfig, Authentication & Adding Collaborators |
| system-repository.create | create | | LogScale system repository has been created | |
| tokens | | | API or security tokens have been updated | API Tokens |
| transfer.ingest-redirection | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transfer.metadata | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transfer.segment | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transfer.snapshot | | | TRANSFER_SNAPSHOT; event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transfercheckmark.org.update | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transfercheckmarks.org.update | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| transferjob.added | | | A transfer job between clusters was added | |
| transferjob.cancelled | | | A transfer job was canceled | |
| transferstate.org.update | | | Event triggered by Falcon LogScale support performing an organization transfer to new cluster. | |
| upload-file-action.create | | | Update file action has been created | Action Type: Upload File |
| upload-file-action.update | | | Update file action has been updated | Action Type: Upload File |
| uploaded-file.create | | | A lookup file has been created | UploadFileAction, Create a lookup file |
| uploaded-file.delete | | | An uploaded file has been deleted | Delete a lookup file |
| uploaded-file.update | | | An uploaded file has been updated | UploadFileAction, Lookup Files |
| user.accept-standard-mandatory-dod-notice-and-consent | | | User has accepted the usage notice | |
| user.accept-terms | | | User has accepted the terms | acceptTermsAndConditions() |
| user.invite-accepted | | | User has accepted an invite | Manage Users |
| user.invited | | | A user has been invited to access the cluster | Manage Users |
| user.profile | create, delete, update | | User settings have been changed | Manage Users |
| user.roles.change | | | The roles assigned to a user have been changed | Manage Users |
| user.signin | | | User has signed in | Manage Users |
| user.signout | | | User has signed out (manually or automatically) | Manage Users |
| victor-ops-action.create | | | A VictorOps action has been created | Action Type: VictorOps (Splunk On-Call) |
| victor-ops-action.update | | | A VictorOps action has been updated | Action Type: VictorOps (Splunk On-Call) |
| view.delete | | | A repository or view has been deleted | Delete a Repository or View |
| view.rename | | | A repository or view has been renamed | Repository and View Settings |
| view.restore | | | A previously deleted view was restored | Delete a Repository or View |
| view.storage | create, update | | A view has been created, or the description, search limit, or automatic searching has been updated. | |
| viewinteraction.create | | | A view interaction was created | Event List Interactions |
| viewinteraction.delete | | | A view interaction was deleted | Event List Interactions |
| viewinteraction.update | | | A view interaction was updated | Event List Interactions |
| webhook-action.create | | | A webhook action has been created | Action Type: Webhooks |
| webhook-action.update | | | A webhook action has been updated | Action Type: Webhooks |