Audit log categories
Audit log categories simplify security monitoring by allowing you to identify events of interest based on what happened rather than needing to enumerate every possible event name across all Foundry services. Instead of tracking hundreds of service-specific event names, categories let you focus on high-level actions like data loading, data exporting, or authentication attempts, regardless of which product or feature generated the log.
Why categories matter
In traditional audit logging systems, security analysts must understand the implementation details of every service to write effective queries. When investigating potential data exfiltration, for example, you might need to know that the relevant event names are EXPORT_DATASET, DOWNLOAD_FILE, CREATE_EXTERNAL_CONNECTION, and dozens of others, while also maintaining this list as new features are added.
Audit log categories solve this problem through abstraction. In the audit.3 schema, every event must be logged under one or more standardized categories that provide consistent request and result parameters. This means the following:
- Service-agnostic queries: Filter for `dataExport` to find all data export events, regardless of which Foundry product performed the export.
- Future-proof monitoring: New export capabilities will log with the `dataExport` category; you do not need to update your queries.
- Faster investigations: Spend less time understanding system internals and more time analyzing user behavior.
- Predictable structure: Each category defines exactly which request and result fields will be present, making automated analysis more reliable.
Audit.2 vs audit.3 schemas
While audit.2 logs may contain category information, their usage is optional and not enforced. This means categories might be missing entirely, or the associated request and result parameters may not follow a consistent structure.
In contrast, the audit.3 schema enforces category usage with the following guarantees:
- Every audit log must specify at least one category.
- Every category explicitly defines the request and result fields that will be present.
- Standard parameters enable analysis without service-specific knowledge.
:::callout{theme="neutral"}
Field naming: Note that audit.3 uses `requestFields` and `resultFields` for parameter information, while audit.2 uses `request_params` and `result_params`.
:::
Refer to our audit logging overview documentation for comprehensive information about schema differences and migration guidance.
Example workflow
A typical security monitoring workflow using categories looks like this:
1. Identify categories of interest
Based on your security requirements, determine which categories are relevant. For example:
- Investigating potential data access: `dataLoad`
- Monitoring exports: `dataExport`
- Reviewing logins: `userLogin`
2. Query logs by category
Use an external SIEM or a Foundry audit log export dataset with Pipeline Builder to filter logs. In pseudo-code this would look like:

```kotlin
allLogs.filter { log -> interestingCategories.any { log.categories.contains(it) } }
```
Performance note: Audit log datasets can contain very high volumes of data. Always filter using the time column before performing aggregations or visualizations to ensure performant queries.
3. Analyze structured parameters
For each matching log, examine the `requestFields` and `resultFields`. These contain the specific information submitted by the user and returned by the system, separated to help you differentiate between:
- Request fields (`requestFields`): What the user provided (for example, which resources they requested).
- Result fields (`resultFields`): What the system returned (for example, which resources were actually loaded).

For example, a log with the `dataLoad` category will contain a list of all resources loaded during that interaction in either `requestFields` or `resultFields`, allowing you to immediately understand data access patterns without knowing which specific Foundry service handled the request.
4. Cross-reference categories
Many events generate logs with multiple categories. When investigating a potential incident, you can verify that while a user loaded many datasets (`dataLoad`), no actual exports occurred by confirming the absence of the `dataExport` category in their activity.
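The four steps above carried through end to end, as an added Python example (this is illustrative code, not Foundry or Pipeline Builder code). It runs over constructed records in both audit.3 and audit.2 shape, applies the time filter before the category filter, reads `loadedResources` and `downloadedResources` from `requestFields` / `resultFields` (falling back to the audit.2 `request_params` / `result_params` names), and cross-references `dataLoad` against `dataExport` per user. The record layout (a dict with `time`, `userId` and `categories` keys) and the sample values are assumptions; only the category and field names come from this page.

```python
"""Category-based audit log triage (added example, not Foundry code).

Assumed record shape: a dict with "time" (ISO 8601), "userId", "categories"
and either audit.3 "requestFields"/"resultFields" or audit.2
"request_params"/"result_params". Only the category and field names
(dataLoad, dataExport, loadedResources, downloadedResources, downloadedSize)
are taken from the documentation; everything else here is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records; they are not real Foundry output.
SAMPLE_LOGS = [
    {"time": "2024-05-01T09:00:00Z", "userId": "alice", "categories": ["dataLoad"],
     "requestFields": {"loadedResources": ["dataset-A"]}, "resultFields": {}},
    {"time": "2024-05-01T09:05:00Z", "userId": "alice", "categories": ["dataLoad"],
     "requestFields": {"loadedResources": ["dataset-B", "dataset-C"]}, "resultFields": {}},
    # one interaction logged under two categories: a download is also a load
    {"time": "2024-05-01T09:10:00Z", "userId": "bob", "categories": ["dataLoad", "dataExport"],
     "requestFields": {"loadedResources": ["dataset-A"], "downloadedResources": ["dataset-A"]},
     "resultFields": {"downloadedSize": 1048576}},
    # audit.2-style record: legacy parameter names, category present
    {"time": "2024-05-01T09:20:00Z", "userId": "carol", "categories": ["userLogin"],
     "request_params": {}, "result_params": {}},
    # audit.2-style record with no categories at all: cannot be triaged by category
    {"time": "2024-05-01T09:30:00Z", "userId": "dave",
     "request_params": {"something": 1}, "result_params": {}},
    # outside the investigation window: must be dropped before any aggregation
    {"time": "2024-04-30T23:59:00Z", "userId": "bob", "categories": ["dataExport"],
     "requestFields": {"downloadedResources": ["dataset-Z"]}, "resultFields": {"downloadedSize": 10}},
]

WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 2, tzinfo=timezone.utc)
INTERESTING = {"dataLoad", "dataExport"}  # step 1: categories of interest


def parse_time(value):
    """Parse an ISO 8601 timestamp; fromisoformat rejects a trailing 'Z' before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def categories(log):
    """Categories as a set. audit.2 records may carry none, giving an empty set."""
    return set(log.get("categories") or [])


def request_fields(log):
    """Request parameters under the audit.3 key, falling back to the audit.2 key."""
    return log.get("requestFields") or log.get("request_params") or {}


def result_fields(log):
    """Result parameters under the audit.3 key, falling back to the audit.2 key."""
    return log.get("resultFields") or log.get("result_params") or {}


def filter_logs(logs, start, end, interesting):
    """Step 2: time filter first (it prunes the bulk), then the category filter."""
    selected = []
    for log in logs:
        if not (start <= parse_time(log["time"]) < end):
            continue
        if categories(log) & interesting:
            selected.append(log)
    return selected


def loaded_resources(log):
    """Step 3: dataLoad lists loadedResources in the request or the result fields."""
    return list(request_fields(log).get("loadedResources", [])) + \
        list(result_fields(log).get("loadedResources", []))


def summarize_by_user(logs):
    """Steps 3 and 4: per user, what was loaded, what was exported, and how many bytes."""
    summary = defaultdict(lambda: {"loaded": set(), "exported": set(), "exported_bytes": 0})
    for log in logs:
        cats = categories(log)
        entry = summary[log["userId"]]
        if "dataLoad" in cats:
            entry["loaded"].update(loaded_resources(log))
        if "dataExport" in cats:
            entry["exported"].update(request_fields(log).get("downloadedResources", []))
            entry["exported_bytes"] += int(result_fields(log).get("downloadedSize", 0))
    return dict(summary)


def users_loaded_without_export(summary):
    """Step 4: users with dataLoad activity but no dataExport activity in the window."""
    return sorted(user for user, entry in summary.items()
                  if entry["loaded"] and not entry["exported"])


if __name__ == "__main__":
    per_user = summarize_by_user(filter_logs(SAMPLE_LOGS, WINDOW_START, WINDOW_END, INTERESTING))
    for user, entry in sorted(per_user.items()):
        print(user, sorted(entry["loaded"]), sorted(entry["exported"]), entry["exported_bytes"])
    print("loaded but never exported:", users_loaded_without_export(per_user))
```

The audit.2 record without categories is silently dropped by the category filter, which is exactly the gap the audit.3 guarantees close; if you triage a mixed-schema export, count such records separately so they do not vanish from the investigation.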
Available categories
Below are the available audit log categories.
| Audit log category | Category description | Request fields | Result fields |
|---|---|---|---|
| `apiGatewayRequest` | A request to an API gateway. User actions may result in requests that are fulfilled by an API gateway. Use this audit log to view the name or origin of the request. To get more information about this user action, find other audit logs associated with this request by filtering to logs with the same `traceId` field. To find audit logs for requests made by the API gateway when fulfilling the user-initiated request, further filter to logs that have a `userAgent` field starting with the service name in this audit log. | `operationNames` (optional): The name of the request. If a batch request, this may include multiple names. | |
| `appConfigAccess` | Load application-specific configuration. These may be tied to a user or resource. | `accessedAppConfigIds` (required): The application resources that were accessed in this event. `accessAppConfigDescription` (required): A description of the configuration access. | |
| `appConfigCreate` | Create application-specific configuration. These may be tied to a user or resource. | `createAppConfigDescription` (required): A description of the configuration creation. | `createdAppConfigIds` (required): The application resources that were created in this event. |
| `appConfigDelete` | Delete application-specific configuration. These may be tied to a user or resource. | `deletedAppConfigIds` (required): The application resources that were deleted in this event. `deleteAppConfigDescription` (required): A description of the configuration deletion. | |
| `appConfigSearch` | Search for application-specific configuration. These may be tied to a user or resource. `appConfigSearch` should be used when the exact result values of a request are unknown or variable. | `appConfigSearchQuery` (required): The search query that this event is running. | `appConfigSearchResults` (required): The search results that are returned to the user in this event. |
| `appConfigUpdate` | Update application-specific configuration. These may be tied to a user or resource. | `updatedAppConfigIds` (required): The application resources that were updated in this event. `updateAppConfigDescription` (required): A description of the configuration update. | |
| `assetFileLoad` | Deprecated; use `assetFileLoadV2`. Loads a file's full coordinate, such as group, artifact, and version, from a static asset. | `requestMavenCoordinate` (required): Maven coordinate for the asset requested. Might not include groupId or version. | `responseMavenCoordinate` (required): The full Maven coordinate for the returned asset. |
| `assetFileLoadV2` | Loads a file either from the asset coordinate or through the content addressable storage. | `fileIdentifier` (required) | `fileLoadResponse` (required) |
| `auditDataRedact` | Redaction of audit data as part of remediation of a data spill. | `requestedAuditEventIds` (required): The identifiers for the audit events which were believed to be impacted by the spill. `organizationRid` (required): The organization to which the suspected audit events were attributed. `startDate` (required): The beginning of the window of time in which the suspected audit events occurred. `endDate` (required): The end of the window of time in which the suspected audit events occurred. `redactionReason` (required): The reason for the redaction; must be non-empty. | `redactionRequestId` (required): The UUID associated with this request. `redactedAuditEventIds` (required): The identifiers which were actually redacted in the specified organization. `redactedServiceUserAttributedAuditEventIds` (required): The service user-attributed audit event identifiers which were actually redacted. `missingAuditEventIds` (required): The identifiers for suspected audit events which were found in neither the specified organization nor among service user-attributed audit events in the specified window. `redactedLineCount` (required): The number of physical lines which were actually redacted as part of the completion of this request. `modifiedFiles` (required): A mapping from the original filename to a new filename for all modified files. |
| `auditDataShareCreate` | Creation of shares of audit data, for example signed URLs that can be used to retrieve audit logs. No data is returned in this request; instead, this endpoint returns pointers that can be used to retrieve audit log data without further auth checks. | `shareTargets` (required): The identifiers for the audit data being shared. | `shareIds` (required): Map from share targets to created data shares. |
| `auditDataTransform` | Transform exactly one DataResource which contains audit data in some way. | `transformTarget` (required): The resource that was transformed. `transformDescriptions` (required): Descriptions of the transformations that were performed. | `transformDestination` (optional): The destination to which the output of the transformations on the input was written. If absent, the transformations are assumed to have been performed in-memory only (the output may or may not have been shown to the user, but it was not persisted). To indicate an in-place transformation, the `transformTarget` and `transformDestination` fields should contain the same DataResource. |
| `authenticationCheck` | Checks authentication status via a programmatic or manual authentication event, such as token validation. | `authenticationCheckTargets` (optional): The identifiers against which authentication is being checked. | `authenticationCheckResult` (required): Whether this authentication check succeeded or not. `authenticationCheckResultMessage` (optional): Further details on this authentication check result. |
| `authorizationCheck` | Checks authorization status via a programmatic or manual authorization event, like checking permissions. | `authorizationCheckTargets` (optional): The identifiers that authorization is being checked against. `authorizationCheckOperations` (required): The values within the authorization attempt, such as the permission being checked for. | `authorizationCheckSucceededTargets` (required): Targets that passed authorization. `authorizationCheckFailedTargets` (required): Targets that failed authorization. `authorizationCheckResultMessage` (optional): Further details on this authorization check result. |
| `bulkDataImport` | Bulk imports to the platform. Differs from `dataImport` in that the direct relationship between destinations and origins may not be known. | `bulkImportedFiles` (required): The files that were imported. | `bulkImportDestinations` (required): The destinations for the bulk imports. |
| `cancelCodeExecution` | Cancellation of an existing code execution. | `cancelledExecutedResources` (required): The specific resources that were being executed before cancellation. For example, this could be a model UUID or a build RID. `cancelledExecutedResourceEnvironment` (required): The encompassing environment for the resources that were being executed before cancellation. For example, this could be a live RID or a workbook RID. | |
| `codeExecution` | Occurrence of code execution, which might not write results to a DataResource. | `executedResourceEnvironment` (required): The encompassing environment for the resources that were executed. For example, this could be a live RID or a workbook RID. | `executedResources` (required): The specific resources that were executed. For example, this could be a model UUID or a build RID, or, if run in a container, the identifier of the container. |
| `configureInfra` | A user configures some infrastructure like a node or a service. | `configureInfraTargets` (required): The SystemResources that are being configured. | `configureInfraRequestId` (required): The request ID of this configuration event. |
| `containerLaunch` | Registers the preparation of a compute environment. This should be emitted when, for example, a Spark module is launched. If possible, pass in a location identifier of the compute environment like a host name. | `requestedContainerIdsToLaunch` (optional): The IDs of the resources that were requested to be launched. | `launchedContainerIds` (required): The IDs of the resources that were launched. |
| `containerLoad` | Registers the load of a compute environment. This should be emitted when, for example, a Spark module is read. If possible, pass in a location identifier of the compute environment like a host name. | `requestedContainerLoadIds` (required): The IDs of the resources that were requested. | `loadedContainerLoadIds` (required): The IDs of the resources that were loaded. |
| `containerSearch` | Registers the search of compute environments. This should be emitted when, for example, a Spark module list is read. | `containerSearchQuery` (optional): The search query that this event is running. | `containerSearchResults` (required): The search results that are returned to the user in this event. |
| `containerStop` | Registers the shutdown of a compute environment. If possible, pass in a human-readable reason for the shutdown, for example "failure" or "user request". | `stoppedContainerIds` (required): The IDs of the resources that were stopped. `containerStopReason` (optional): The reason why the resource was stopped. | |
| `createInfra` | A user creates some infrastructure like a node or a service. | `createInfraTargets` (required): The SystemResources that are being created. | `createdInfraResources` (required): The SystemResources that were created. This should have a more explicit identifier. |
| `dataCreate` | Indicates the addition of some new entry of data into the platform where it did not exist prior. This event may be reflected as a `dataPromote` in a separate service if it is logged in the landing service. | `createdResources` (required): The DataResources that were created in this event. | |
| `dataDelete` | Related to the deletion of data, independent of the granularity of that deletion. | `deletedResources` (required): The DataResources that were deleted in this event. | |
| `dataExport` | Export of data from the platform. Use for downloads of data out of the platform, for example to a system external to Palantir or to a CSV file. If data was exported to another Palantir system, use the `dataPromote` category. | `downloadedResources` (required): All resources that were downloaded in this event. | `downloadedSize` (required): The size, in bytes, of the downloaded data. |
| `dataImport` | Imports to the platform. Unlike `dataPromote`, `dataImport` refers only to data being ingested from outside the platform. This means that a `dataImport` in Palantir Gotham could show up as a `dataPromote` in a separate service. | `importedFilename` (required): The filename of the imported data. `importedFileType` (required): The file type of the imported data. `importParentResourceId` (optional): The parent of the destination resource. | `importResourceId` (required): The destination resource for the imported data. `importedSize` (optional): The total size, in bytes, of the imported data. |
| `dataLoad` | Refers to the loading of data to be returned to a user. For purely back-end loads, use `internal`. | `loadedResources` (required): The DataResources that were loaded in this event. | |
| `dataMerge` | Refers to the combination of two data sources into one. This would be triggered by a JOIN in Contour or a Resolution event in Palantir Gotham. | `resourcesToMerge` (required): The resources that were merged in this event. | `mergedResult` (required): The resultant DataResource from the merging of the resources. |
| `dataPromote` | Indicates that a user promoted data to an external Palantir system, Gotham or otherwise. | `promotionDestinations` (required): The destinations to which the DataResources were promoted. `promotionDescription` (required): A description of this promotion event. `promotedResources` (required): The resources that were promoted to another system. | |
| `dataSearch` | Searches of datasets, objects, or other searches for data within the system. | `dataSearchQuery` (required): The query that this search is executing. `dataSearchContext` (list): Further information to contextualize the current query. This information is unstructured and should not be relied upon beyond informing auditors. | `dataSearchResults` (required): All resources that were presented to the user by this search result. |
| `dataShareCreate` | Creation of a share of data. For example, when creating a link that grants access to resources on visit. | `dataShareCreateId` (optional): An identifier for this share, if available. `dataShareCreateTargets` (required) | |
| `dataShareDisable` | Deactivation of a mechanism to share data. For example, the disabling of a link that grants access to resources on visit. | `dataShareDisableId` (optional): An identifier for this share, if available. `dataShareDisableTargets` (required) | |
| `dataShare` | Discretionary share of data. | `dataShareId` (optional): An identifier for this share, if available. `dataShareTargets` (required) `dataShareReason` (required): A human-readable reason this data was shared (for example, "visited a share link"). | |
| `dataTransform` | Transform one or more DataResources in some way. | `transformTargets` (required): The resources that were transformed. `transformDescription` (required): A description of the transformation that was performed. | |
| `dataUpdate` | Updates or attempted updates of data. This is a catch-all category; we recommend using `dataTransform` or `dataMerge` instead. | | |
| `inApplicationContext` | The request was initiated from a third-party application. | `applicationRid` (required): The application from which the request was initiated. | |
| `inEnrollmentContext` | The request was made in the context of one or more enrollments. | `enrollmentRids` (required): The enrollments that were associated with the request. | |
| `infraLogsAccess` | User requests logs from an infrastructure resource like a node or a service. | `infraLogsAccessTarget` (required): The SystemResource from which logs are being requested. | `infraLogsAccessRequestId` (required): The request ID of this access request event. |
| `inHubContext` | The request was made in a hub-spoke environment context where services may query about configurations for different stacks/spokes than their own. | `targetEnvironment` (required): The target environment being queried about. `targetSpokeEnvironment` (optional): If present, the target spoke environment being queried about. | `targetEnrollment` (optional): If present, the target enrollment being queried about. `targetDomain` (optional): If present, the target domain being queried about. |
| `internal` | Catch-all for all internal events. These are typically low signal for audit users. | | |
| `llmInference` | Runs a prompt through a generative AI model (a large language model, or LLM) that outputs a response. | `llmInferenceContext` (required): Further context to identify this inference request, such as the model ID, or resources in Foundry attributed to the request. `llmInferenceInputs` (required): The inputs that were used to generate the responses. | `llmInferenceResponses` (required): The responses that were generated by the model. `llmInferenceResponseContext` (required): Further context to identify this inference request, such as the model ID. This must include any LLM inference context that is only available at response time. |
| `llmRoute` | Represents the forwarding of an LLM prompt to an appropriate backend. This audit category is intended for LLM proxies or load balancers (for example, llm-portal). | `llmRouteRequest` (required) | `llmRouteResponse` (required) |
| `logicAccess` | Access of logic. For example, viewing a Contour analysis. | `accessedLogicResources` (required): All LogicResources accessed in this event. | |
| `logicCreate` | Creation of new logic. For example, when a new Contour board is created. | `createdLogicResources` (required): All LogicResources created in this event. | |
| `logicDelete` | Deletion of logic. For example, deleting a Contour board. | `deletedLogicResources` (required): All LogicResources deleted in this event. | |
| `logicSearch` | Search of some logic. For example, searching for a Contour analysis. | `logicSearchQuery` (required): The query that this search is executing. | `logicSearchResults` (required): All underlying LogicResources returned by this search request. |
| `logicUpdate` | An update to existing logic. For example, when a user saves a file, a push to a stemma repo occurs, or the logic of an existing Contour board is updated. | `updatedLogicResources` (required): All LogicResources updated in this event. | |
| `managementGroups` | Changes to group membership should always go through here. | `groupPatches` (required) | |
| `managementPermissions` | Anything that changes permissions on the platform. These logs should use the `changes` field in the result parameters (`result_params` in audit.2, `resultFields` in audit.3) to enumerate the precise change that occurred. Examples include sharing a resource or changing a resource's provenance. | `resourcesWithPermissionsChanges` (required): The resources affected by the change in permissions. `permissionChangeContext` (optional): Further information to contextualize the changed resources. | |
| `managementUsers` | Changes and modifications to what users exist or their personal information. For events related to user permissions, use `managementPermissions`. For events where a user is added to or removed from a group, use `managementGroups`. | `managedUserIds` (required) | |
| `managementTokens` | Specific actions related to token management, such as enabling, disabling, or revoking tokens. | `managedTokens` (required): All tokens affected by the change. | |
| `managementMarkings` | Anything that modifies access to mandatory controls. | `markingPatches` (required) | |
| `mandatoryControlManagement` | Privileged action affecting mandatory controls in the system. Replaced by `managementMarkings` in audit.3. | | |
| `mandatoryControlApplication` | Privileged action affecting mandatory controls in the system. Replaced by `managementPermissions` in audit.3. | | |
| `metaDataAccess` | Refers to the loading of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. As such, metadata may not have its own identifier but instead will be related to the data that it describes. | `accessedMetaDataResources` (required): The underlying DataResources that the accessed metadata describes. `accessedMetaDataDescription` (required): A description of the metadata access. | |
| `metaDataCreate` | The creation of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | `createdMetaDataDescription` (required): A description of the metadata creation. | `createdMetaDataResources` (required): The underlying DataResources that the created metadata describes. |
| `metaDataDelete` | The deletion of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | `deletedMetaDataResources` (required): The underlying DataResources that the deleted metadata describes. `deletedMetaDataDescription` (required): A description of the metadata deletion. | |
| `metaDataSearch` | Search of metadata associated with a dataset, objects, or other searches for metadata within the system. | `metaDataSearchQuery` (required): The query that this search is executing. | `metaDataSearchResults` (required): All underlying resources that had metadata presented to the user by this search result. |
| `metaDataUpdate` | The updating of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. | `updatedMetaDataResources` (required): The underlying DataResources that the updated metadata describes. `updatedMetaDataDescription` (required): A description of the metadata update. | |
| `monitorAccess` | Access of a monitor, for example viewing details about how it works. | `accessedMonitorResources` (required): The MonitorResources that were accessed in this event. `accessedMonitorDescription` (optional): A description of the monitor access. | |
| `monitorCreate` | Creation of a monitor. | `createdMonitorDescription` (optional): A description of the monitor creation. | `createdMonitorResources` (required): The MonitorResources that were created in this event. |
| `monitorDelete` | Deletion of a monitor. | `deletedMonitorResources` (required): The MonitorResources that were deleted in this event. `deletedMonitorDescription` (optional): A description of the monitor deletion. | |
| `monitorRun` | Execution of a particular monitor, potentially triggering actions or notifications. | `runMonitorTargets` (required): The MonitorResources that were run in this event. | |
| `monitorSearch` | Searching for a monitor. | `monitorSearchQuery` (required): The search query that this event is running. | `monitorSearchResults` (required): The search results that are returned to the user in this event. |
| `monitorUpdate` | Update a monitor, potentially changing how it behaves. | `updatedMonitorResources` (required): The MonitorResources that were updated in this event. `updatedMonitorDescription` (optional): A description of the monitor update. | |
| `oauth2InitiateAuthFlow` | Start the OAuth 2.0 Authorization Code flow with the external OAuth 2.0 server. | `oauth2InitiateAuthFlowUser` (required): The user for whom this OAuth 2.0 flow is being started. `oauth2InitiateAuthClientId` (required): The client ID the OAuth 2.0 flow is being performed for. | |
| `onBehalfOf` | The request was made on behalf of other users, usually by a service user. | `onBehalfOfUserIds` (required): The upstream users. The first user ID is the most upstream user. | |
| `ontologyDataLoad` | The loading of ontology data to be returned to a user. | `ontologyDataLoadContext` (optional): Further context to identify this load request, such as the owning RID. `requestedOntologyDataResources` (required): The OntologyDataResources that were requested in this event. | `loadedOntologyDataResources` (required): The OntologyDataResources that were loaded in this event. |
| `ontologyDataTransform` | The modification of ontology data via patches or edits. | `ontologyDataTransformTargets` (optional): The OntologyDataResources that the user intends to transform. `ontologyDataTransformContext` (optional): Further context to identify this transform request. `ontologyDataTransformDescription` (optional): A description of the transformation that was performed. | `transformedOntologyDataResources` (optional): The OntologyDataResources that were transformed by the request. |
| `ontologyDataSearch` | Search of ontology data within the system. | `ontologyDataSearchContext` (optional): Further context to identify this search request, such as the owning RID. `searchedOntologyLogicResources` (required): The logical selections included in this search. | `ontologyDataSearchResults` (required): All resources that were presented to the user by this search result. |
| `ontologyLogicAccess` | Access of ontology logic. For example, viewing an object set or sets. | `requestedOntologyLogicResources` (required): The OntologyLogicResources that were requested. | `loadedOntologyLogicResources` (required): The OntologyLogicResources that were present in the response. |
| `ontologyLogicCreate` | Creation of new ontology logic. For example, when a new object set is created. | `createOntologyLogicContext` (optional): Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example temporary object set, permanent object set, versioned object set, and more. | `createdOntologyLogicResources` (required): All LogicResources created in this event. |
| `ontologyLogicDelete` | Deletion of ontology logic. For example, deleting an object set. | `deleteOntologyLogicContext` (optional): Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example temporary object set, permanent object set, versioned object set, and more. | `deletedOntologyLogicResources` (required): All LogicResources deleted in this event. |
| `ontologyLogicUpdate` | Update ontology logic. For example, saving a new version of an object set. | `updateOntologyLogicContext` (optional): Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example temporary object set, permanent object set, versioned object set, and more. | `updatedOntologyLogicResources` (required): All LogicResources updated in this event. |
| `ontologyMetaDataCreate` | The creation of OntologyMetaDataResources. | `createdOntologyMetaDataResources` (required): All OntologyMetaDataResources created in this event. | |
| `ontologyMetaDataDelete` | The deletion of OntologyMetaDataResources. | `deletedOntologyMetaDataResources` (required): All OntologyMetaDataResources deleted in this event. | |
| `ontologyMetaDataLoad` | The loading of ontology metadata to be returned to a user. | `requestedOntologyMetaDataResources` (required): The OntologyMetaDataResources that were requested. | `loadedOntologyMetaDataResources` (required): The OntologyMetaDataResources that were present in the response. |
| `ontologyMetaDataSearch` | Search for OntologyMetaDataResources that meet criteria. | `ontologyMetaDataSearchedResources` (required): The OntologyMetaDataResources included in the search query. `ontologyMetaDataSearchContext` (optional): Further context to the search query, such as DatasourceType. | `ontologyMetaDataSearchResults` (required): All OntologyMetaDataResources that were returned to the user. |
| `ontologyMetaDataUpdate` | The modification of OntologyMetaDataResources. | `updatedOntologyMetaDataResources` (required): All OntologyMetaDataResources updated in this event. | |
| `passThrough` | A category where the set of auditable parameters is determined at runtime, typically by an external system. | `passThroughRequestParams` (required) | `passThroughResponseParams` (required) |
| `requestAccess` | The loading of a request. | `accessedRequestIds` (required): The requests that were accessed in this request. `accessedRequestDescription` (optional): A description of the request access. | |
| `requestApprove` | Approving a request, or part of a request. A request may require multiple approvals before it can be performed. | `approvedRequestIds` (required): The requests that are being approved. `approveRequestUserId` (optional): The user that approved the request. | |
| `requestCancel` | Canceling the request so that it will no longer be performed, such as closing a pull request. | `canceledRequestIds` (required): The requests that are being canceled. | |
| `requestCreate` | The creation of a request. Requests represent an action that has not yet been taken and may require approval, such as a pull request, access request, or checkpoint. | `createdRequestAffectedResources` (required): The resources that are directly affected by the request. For example, for an update request this would be the updated resource, and for a create request this could be the parent resource. `createdRequestDescription` (optional): A description of the request creation. | `createdRequestIds` (required): The requests that were created in this request. |
| `requestDisapprove` | Disapproving a request. | `disapprovedRequestIds` (required): The requests that are being disapproved. `disapproveRequestUserId` (optional): The user that disapproved the request. | |
| `requestExecute` | Executing the action associated with a request, such as merging a pull request or applying an access request. | `executedRequestIds` (required): The requests that are being executed. | `executeRequestAffectedResources` (optional): The resources that were affected by this request. This may not include all the resources that were provided when creating the request. |
| `requestSearch` | Searching for requests. | `requestSearchQuery` (required): The search query that this event is running. | `requestSearchResults` (required): The search results that are returned to the user in this event. |
| `requestUpdate` | The update of an existing request. | `updatedRequestIds` (required): The requests that were updated in this request. `updatedRequestDescription` (optional): A description of the request update. | |
|
restartInfra |
Restarts some infrastructure like a node or a service. | restartedResources docs: All SystemResources that were restarted in this event. type: required |
|
reviewInfraAction |
A user approves or denies an action within the infrastructure space, such as configuring a node, a service and more. | reviewInfraActionRequestId docs: The request-id of this review. type: required reviewInfraActionUser docs: The user who reviewed this action. type: required |
reviewInfraActionWasApproved docs: Whether the review was approved. type: required |
secretCreate |
Create a secret string. | createdSecretType docs: The kind of secrets that were created type: required |
createdSecretIdentifiers docs: The identifiers of the secrets that were created. type: required |
secretDeprecate |
Mark a secret as deprecated. | deprecatedSecretIdentifier docs: The identifier of the secret that was deprecated. type: required |
|
secretLoad |
Retrieve a secret from the backing store. | loadedSecretIdentifiers docs: The identifiers of the secrets that were loaded. type: required |
|
secretUse |
Use a secret via a backend endpoint. | usedSecretOperation docs: The operation used for the secret. type: required usedSecretIdentifiers docs: The identifiers of the secrets that were used. type: required |
|
systemManagement |
Modification of or access to metadata that determines the layout and configuration of applications on the environment. Replaced by appConfigCreate/Access/Update/Delete/Search in audit.3. |
||
tokenAccess |
Accessing a previously generated token. | accessedTokens docs: A description of how these tokens were accessed, for auditor-context. type: required |
|
tokenGeneration |
Action that leads to generation of a new token. | generateTokensDescription docs: A description of how these tokens were generated, for auditor-context. type: optional |
generatedTokens docs: All tokens that were generated type: optional |
tokenRevoke |
Action that leads to the deletion of tokens. | revokeTokensDescription docs: A description of how these tokens were generated, for auditor-context. type: optional |
revokedTokens docs: All tokens that were revoked. type: required |
upgradeInfra |
Some infrastructure was upgraded, including downgrades. | upgradedResources docs: All SystemResources that were upgraded in this event. type: required |
|
userJustify |
Event when a user specifies a purpose justification for taking an action. | userJustifyId docs: The user justifying the action. type: required userJustification docs: The user's justification for taking the action. Multiple justifications can be provided. type: required |
|
userLogin |
Login events of users. | loginUserId type: optional |
|
userLogout |
Logout events of users. | logoutUserId type: optional |
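The fixed request and result fields above are what make category-driven analysis automatable. The following Python is an added example, not Foundry code: it transcribes the field contracts of a few categories from the table into a small schema, validates constructed audit.3 events against it, flags the audit.2 `systemManagement` category the table marks as replaced, and runs a stateful detection that only needs the `secret*` categories (a `secretLoad` or `secretUse` of an identifier at or after its `secretDeprecate`). The page names the `categories`, `requestFields`, `resultFields`, `time` and `traceId` fields; treating them as top-level keys of one JSON object per line is an assumption, and every identifier, timestamp and trace ID in the sample is constructed.

```python
"""Category-driven triage of audit.3 events.

Added example, not Foundry's own code. Assumed envelope: one JSON object per
line with "time", "traceId", "categories", "requestFields" and "resultFields".
"""
import json

# Required (True) / optional (False) fields per category, transcribed from the
# category table for the categories this example exercises.
CATEGORY_SCHEMA = {
    "secretCreate":    {"requestFields": {"createdSecretType": True},
                        "resultFields":  {"createdSecretIdentifiers": True}},
    "secretDeprecate": {"requestFields": {"deprecatedSecretIdentifier": True},
                        "resultFields":  {}},
    "secretLoad":      {"requestFields": {"loadedSecretIdentifiers": True},
                        "resultFields":  {}},
    "secretUse":       {"requestFields": {"usedSecretOperation": True,
                                          "usedSecretIdentifiers": True},
                        "resultFields":  {}},
    "tokenRevoke":     {"requestFields": {"revokeTokensDescription": False},
                        "resultFields":  {"revokedTokens": True}},
    "userJustify":     {"requestFields": {"userJustifyId": True,
                                          "userJustification": True},
                        "resultFields":  {}},
    "userLogin":       {"requestFields": {"loginUserId": False},
                        "resultFields":  {}},
}

# audit.2 categories the table marks as replaced in audit.3.
LEGACY_CATEGORIES = {
    "systemManagement": "appConfigCreate/Access/Update/Delete/Search",
}


def validate(event):
    """Return problems with one event: legacy categories or missing required fields.

    Categories not in CATEGORY_SCHEMA are skipped, so [] means "nothing wrong
    that this excerpt of the schema can see", not "fully valid".
    """
    problems = []
    for cat in event.get("categories", []):
        if cat in LEGACY_CATEGORIES:
            problems.append(f"{cat}: audit.2 category, replaced by {LEGACY_CATEGORIES[cat]}")
            continue
        schema = CATEGORY_SCHEMA.get(cat)
        if schema is None:
            continue
        for side, fields in schema.items():
            present = event.get(side) or {}
            for name, required in fields.items():
                if required and name not in present:
                    problems.append(f"{cat}: missing required {side}.{name}")
    return problems


def find_deprecated_secret_use(events):
    """Flag secretLoad/secretUse of a secret at or after its secretDeprecate event.

    Uses only category fields: deprecatedSecretIdentifier on the request side of
    secretDeprecate versus loadedSecretIdentifiers / usedSecretIdentifiers.
    Timestamps are compared as strings, which is valid for same-format UTC "Z"
    ISO-8601 values like the sample below. Returns (time, secret id, traceId).
    """
    deprecated_at = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        cats = set(ev.get("categories", []))
        req = ev.get("requestFields") or {}
        if "secretDeprecate" in cats:
            deprecated_at.setdefault(req["deprecatedSecretIdentifier"], ev["time"])
        touched = []
        if "secretLoad" in cats:
            touched += req.get("loadedSecretIdentifiers", [])
        if "secretUse" in cats:
            touched += req.get("usedSecretIdentifiers", [])
        for sid in touched:
            if sid in deprecated_at and deprecated_at[sid] <= ev["time"]:
                findings.append((ev["time"], sid, ev.get("traceId")))
    return findings


# Constructed sample events (ids, times and trace ids are made up). t4 carries
# two categories, as one user action often does; t5 lacks a required result
# field; t6 still uses the audit.2 category.
SAMPLE_LOG = """\
{"time":"2024-05-01T09:00:00Z","traceId":"t1","categories":["secretCreate"],"requestFields":{"createdSecretType":"apiKey"},"resultFields":{"createdSecretIdentifiers":["secret-a","secret-b"]}}
{"time":"2024-05-01T09:05:00Z","traceId":"t2","categories":["secretDeprecate"],"requestFields":{"deprecatedSecretIdentifier":"secret-b"},"resultFields":{}}
{"time":"2024-05-01T09:06:00Z","traceId":"t3","categories":["secretUse"],"requestFields":{"usedSecretOperation":"decrypt","usedSecretIdentifiers":["secret-a"]},"resultFields":{}}
{"time":"2024-05-01T09:10:00Z","traceId":"t4","categories":["secretLoad","userJustify"],"requestFields":{"loadedSecretIdentifiers":["secret-b"],"userJustifyId":"user-1","userJustification":["rotation check"]},"resultFields":{}}
{"time":"2024-05-01T09:11:00Z","traceId":"t5","categories":["tokenRevoke"],"requestFields":{"revokeTokensDescription":"user-initiated"},"resultFields":{}}
{"time":"2024-05-01T09:12:00Z","traceId":"t6","categories":["systemManagement"],"requestFields":{},"resultFields":{}}
"""


def load_events(text=SAMPLE_LOG):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events=None):
    """Run both checks. Returns ({traceId: problems}, deprecated-secret findings)."""
    events = load_events() if events is None else events
    problems = {}
    for ev in events:
        found = validate(ev)
        if found:
            problems[ev["traceId"]] = found
    return problems, find_deprecated_secret_use(events)


if __name__ == "__main__":
    problems, findings = triage()
    for trace, issues in problems.items():
        print(trace, issues)
    for when, sid, trace in findings:
        print(f"{when} deprecated secret {sid} touched in trace {trace}")
```

The schema check is deliberately conservative: a category this excerpt does not cover produces no finding rather than a false "valid". In a real pipeline the schema dictionary would be generated from the full table, and the detection would run over the audit log export dataset after filtering on `time`, as the workflow section recommends.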