
Audit log categories

Audit log categories simplify security monitoring by allowing you to identify events of interest based on what happened rather than needing to enumerate every possible event name across all Foundry services. Instead of tracking hundreds of service-specific event names, categories let you focus on high-level actions like data loading, data exporting, or authentication attempts, regardless of which product or feature generated the log.

Why categories matter

In traditional audit logging systems, security analysts must understand the implementation details of every service to write effective queries. When investigating potential data exfiltration, for example, you might need to know that the relevant event names are EXPORT_DATASET, DOWNLOAD_FILE, CREATE_EXTERNAL_CONNECTION, and dozens of others, while also maintaining this list as new features are added.

Audit log categories solve this problem through abstraction. In the audit.3 schema, every event must be logged under one or more standardized categories that provide consistent request and result parameters. This means the following:

  • Service-agnostic queries: Filter for dataExport to find all data export events, regardless of which Foundry product performed the export.
  • Future-proof monitoring: New export capabilities will log with the dataExport category; you do not need to update your queries.
  • Faster investigations: Spend less time understanding system internals and more time analyzing user behavior.
  • Predictable structure: Each category defines exactly which request and result fields will be present, making automated analysis more reliable.

Audit.2 vs audit.3 schemas

While audit.2 logs may contain category information, their usage is optional and not enforced. This means categories might be missing entirely, or the associated request and result parameters may not follow a consistent structure.

In contrast, the audit.3 schema enforces category usage with the following guarantees:

  • Every audit log must specify at least one category.
  • Every category explicitly defines the request and result fields that will be present.
  • Standard parameters enable analysis without service-specific knowledge.

Field naming: Note that audit.3 uses requestFields and resultFields for parameter information, while audit.2 uses request_params and result_params.

Refer to our audit logging overview documentation for comprehensive information about schema differences and migration guidance.

Example workflow

A typical security monitoring workflow using categories looks like this:

1. Identify categories of interest

Based on your security requirements, determine which categories are relevant. For example:

  • Investigating potential data access: dataLoad
  • Monitoring exports: dataExport
  • Reviewing logins: userLogin

2. Query logs by category

Use an external SIEM or a Foundry audit log export dataset with Pipeline Builder to filter logs. In pseudo-code this would look like:

allLogs.filter { log -> interestingCategories.any { log.categories.contains(it) } }

Performance note: Audit log datasets can contain very high volumes of data. Always filter using the time column before performing aggregations or visualizations to ensure performant queries.

3. Analyze structured parameters

For each matching log, examine the requestFields and resultFields. These contain the specific information submitted by the user and returned by the system, separated to help you differentiate between:

  • Request fields (requestFields): What the user provided (for example, which resources they requested).
  • Result fields (resultFields): What the system returned (for example, which resources were actually loaded).

For example, a log with the dataLoad category will contain a list of all resources loaded during that interaction in either requestFields or resultFields, allowing you to immediately understand data access patterns without knowing which specific Foundry service handled the request.

4. Cross-reference categories

Many events generate logs with multiple categories. When investigating a potential incident, you can verify that while a user loaded many datasets (dataLoad), no actual exports occurred by confirming the absence of the dataExport category in their activity.
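The four steps above carried out in code, as an added example that is not part of the original documentation: it filters constructed audit.3-style records on time and then on category, reads the structured result fields per category, and cross-references dataLoad against dataExport per user. The category names and field names follow this page's table; the envelope keys `time`, `userId` and `traceId` and the record shape are assumptions.

```python
"""Category-based triage over audit.3-style records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real Foundry output. Category names and the
# requestFields/resultFields containers and per-category field names
# (loadedResources, downloadedResources, downloadedSize) follow the table on
# this page; the envelope keys time, userId and traceId are assumptions.
SAMPLE_LOGS = [
    {"time": "2024-05-01T09:00:00Z", "userId": "u-alice", "traceId": "t-1",
     "categories": ["dataLoad"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.ds.a", "ri.ds.b"]}},
    {"time": "2024-05-01T09:05:00Z", "userId": "u-alice", "traceId": "t-2",
     "categories": ["dataLoad"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.ds.c"]}},
    # One interaction logged under two categories: a load that was exported.
    {"time": "2024-05-01T09:10:00Z", "userId": "u-bob", "traceId": "t-3",
     "categories": ["dataLoad", "dataExport"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.ds.a"],
                      "downloadedResources": ["ri.ds.a"],
                      "downloadedSize": 4096}},
    # Low-signal internal event: dropped by the category filter.
    {"time": "2024-05-01T09:11:00Z", "userId": "u-bob", "traceId": "t-4",
     "categories": ["internal"], "requestFields": {}, "resultFields": {}},
    # Outside the investigation window: dropped by the time filter.
    {"time": "2024-05-02T12:00:00Z", "userId": "u-carol", "traceId": "t-5",
     "categories": ["dataExport"], "requestFields": {},
     "resultFields": {"downloadedResources": ["ri.ds.z"], "downloadedSize": 10}},
]


def parse_time(value):
    """Parse the RFC 3339 timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_logs(logs, start, end, interesting_categories):
    """Step 2: narrow on the time column first (cheap on large datasets),
    then keep records carrying at least one category of interest,
    regardless of which service emitted them."""
    start_dt, end_dt = parse_time(start), parse_time(end)
    interesting = set(interesting_categories)
    window = [log for log in logs if start_dt <= parse_time(log["time"]) < end_dt]
    return [log for log in window if interesting.intersection(log["categories"])]


def summarize_by_user(logs):
    """Step 3: read the category-defined result fields and roll them up per
    user. Result fields are used because they record what the system actually
    returned, not merely what the user asked for."""
    summary = defaultdict(lambda: {"loaded": set(), "exported": set(), "exportedBytes": 0})
    for log in logs:
        user = summary[log["userId"]]
        result = log.get("resultFields", {})
        if "dataLoad" in log["categories"]:
            user["loaded"].update(result.get("loadedResources", []))
        if "dataExport" in log["categories"]:
            user["exported"].update(result.get("downloadedResources", []))
            user["exportedBytes"] += result.get("downloadedSize", 0)
    return dict(summary)


def loaded_without_export(summary):
    """Step 4: users who loaded data but have no dataExport in the window,
    so their activity stayed inside the platform."""
    return sorted(u for u, s in summary.items() if s["loaded"] and not s["exported"])


def exported_loaded_data(summary):
    """Users whose exported resources overlap what they loaded: the records
    to review first when following up on a possible exfiltration."""
    return sorted(u for u, s in summary.items() if s["loaded"] & s["exported"])


if __name__ == "__main__":
    hits = filter_logs(SAMPLE_LOGS, "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z",
                       ["dataLoad", "dataExport"])
    summary = summarize_by_user(hits)
    print("matching records:", len(hits))
    print("loaded but never exported:", loaded_without_export(summary))
    print("exported what they loaded:", exported_loaded_data(summary))
```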

Available categories

Below are the available audit log categories.

Audit log category Category description Request fields Result fields
apiGatewayRequest A request to an API gateway.

User actions may result in requests that are fulfilled by an API gateway. Use this audit log to view the name or origin of the request. To get more information about this user action, find other audit logs associated with this request by filtering to logs with the same traceId field. To find audit logs for requests made by the API gateway when fulfilling the user-initiated request, further filter to logs that have a userAgent field starting with the service name in this audit log.
operationNames
docs: The name of the request. If a batch request, this may include multiple names.
type: optional
appConfigAccess Load application-specific configuration. These may be tied to a user or resource. accessedAppConfigIds
docs: The application resources that were accessed in this event.
type: required

accessAppConfigDescription
docs: A description of the configuration access.
type: required
appConfigCreate Create application-specific configuration. These may be tied to a user or resource. createAppConfigDescription
docs: A description of the configuration creation.
type: required
createdAppConfigIds
docs: The application resources that were created in this event.
type: required
appConfigDelete Delete application-specific configuration. These may be tied to a user or resource. deletedAppConfigIds
docs: The ApplicationResources that were deleted in this event.
type: required

deleteAppConfigDescription
docs: A description of the configuration deletion.
type: required
appConfigSearch Search for application-specific configuration. These may be tied to a user or resource. appConfigSearch should be used when the exact result values of a request are unknown, or variable. appConfigSearchQuery
docs: The search-query that this event is running.
type: required
appConfigSearchResults
docs: The search-results that are returned to the user in this event.
type: required
appConfigUpdate Update application-specific configuration. These may be tied to a user or resource. updatedAppConfigIds
docs: The application resources that were updated in this event.
type: required

updateAppConfigDescription
docs: A description of the configuration update.
type: required
assetFileLoad Deprecated; use AssetFileLoadV2. Loads a file's full coordinate, such as group, artifact, and version, from a static asset. requestMavenCoordinate
docs: Maven coordinate for the asset requested. Might not include groupId or version.
type: required
responseMavenCoordinate
docs: The full Maven coordinate for the returned asset.
type: required
assetFileLoadV2 Loads a file either from the asset coordinate or through the content addressable storage. fileIdentifier
type: required
fileLoadResponse
type: required
auditDataRedact Redaction of audit data as part of remediation of a data spill. requestedAuditEventIds
docs: The identifiers for the audit events which were believed to be impacted by the spill.
type: required

organizationRid
docs: The organization to which the suspected audit events were attributed.
type: required

startDate
docs: The beginning of the window of time in which the suspected audit events occurred.
type: required

endDate
docs: The end of the window of time in which the suspected audit events occurred.
type: required

redactionReason
docs: The reason for the redaction; must be non-empty.
type: required
redactionRequestId
docs: The UUID associated with this request.
type: required

redactedAuditEventIds
docs: The identifiers which were actually redacted in the specified organization.
type: required

redactedServiceUserAttributedAuditEventIds
docs: The service user-attributed audit event identifiers which were actually redacted.
type: required

missingAuditEventIds
docs: The identifiers for suspected audit events which were found in neither the specified organization nor among service user-attributed audit events in the specified window.
type: required

redactedLineCount
docs: The number of physical lines which were actually redacted as part of the completion of this request.
type: required

modifiedFiles
docs: A mapping from the original filename to a new filename for all modified files.
type: required
auditDataShareCreate Creation of shares of audit data. For example, signed URLs that can be used to retrieve audit logs. No data is returned in this request; instead, this endpoint returns pointers that can be used to retrieve audit log data without further auth checks. shareTargets
docs: The identifiers for the audit data being shared.
type: required
shareIds
docs: Map from share targets to created data shares.
type: required
auditDataTransform Transform exactly one DataResource which contains audit data in some way. transformTarget
docs: The resource that was transformed.
type: required

transformDescriptions
docs: Descriptions of the transformations that were performed.
type: required
transformDestination
docs: The destination to which the output of the transformations on the input were written. If absent, then the transformations are assumed to have been performed in-memory only (the output may or may not have been shown to the user, but it was not persisted). To indicate an in-place transformation, the transformTarget and transformDestination fields should contain the same DataResource.
type: optional
authenticationCheck Checks authentication status via a programmatic or manual authentication event, such as token validation. authenticationCheckTargets
docs: The identifiers against which that auth is being checked.
type: optional
authenticationCheckResult
docs: Whether this authentication check succeeded or not.
type: required

authenticationCheckResultMessage
docs: Further details on this authentication check result.
type: optional
authorizationCheck Checks authorization status via a programmatic or manual authorization event, like checking permissions. authorizationCheckTargets
docs: The identifiers that auth is being checked against.
type: optional

authorizationCheckOperations
docs: The values within the authorization attempt, such as the permission being checked for.
type: required
authorizationCheckSucceededTargets
docs: Targets that passed authorization.
type: required

authorizationCheckFailedTargets
docs: Targets that failed authorization.
type: required

authorizationCheckResultMessage
docs: Further details on this authorization check result.
type: optional
bulkDataImport Bulk imports to the platform. Differs from dataImport in that the direct relationship between destinations and origins may not be known. bulkImportedFiles
docs: The files that were imported.
type: required
bulkImportDestinations
docs: The destination for the bulk imports.
type: required
cancelCodeExecution Cancellation of an existing code execution. cancelledExecutedResources
docs: The specific resources that were being executed before cancellation. For example, this could be a modelUUID or a buildRID.
type: required

cancelledExecutedResourceEnvironment
docs: The encompassing environment for the resources that were being executed before cancellation. For example, this could be a liveRID or a workbookRID.
type: required
codeExecution Occurrence of code execution, which might not write results to a dataResource. executedResourceEnvironment
docs: The encompassing environment for the resources that were executed. For example, this could be a liveRID or a workbookRID.
type: required
executedResources
docs: The specific resources that were executed. For example, this could be a modelUUID or a buildRID or if run on a container, pass in the identifier of the container.
type: required
configureInfra A user configures some infrastructure like a node or a service. configureInfraTargets
docs: The SystemResources that are being configured.
type: required
configureInfraRequestId
docs: The request-id of this configuration event.
type: required
containerLaunch Registers the preparation of a compute environment. This should be emitted when, for example, a Spark module is launched. If possible, pass in a location identifier of the compute environment like a host name. requestedContainerIdsToLaunch
docs: The IDs of the resources that were requested to be launched.
type: optional
launchedContainerIds
docs: The IDs of the resources that were launched.
type: required
containerLoad Registers the load of a compute environment. This should be emitted when, for example, a Spark module is read. If possible, pass in a location identifier of the compute environment like a host name. requestedContainerLoadIds
docs: The IDs of the resources that were requested.
type: required
loadedContainerLoadIds
docs: The IDs of the resources that were loaded.
type: required
containerSearch Registers the search of compute environments. This should be emitted when, for example, a Spark module list is read. containerSearchQuery
docs: The search-query that this event is running.
type: optional
containerSearchResults
docs: The search-results that are returned to the user in this event.
type: required
containerStop Registers the shutdown of a compute environment. If possible, pass in a human readable reason for the shutdown, for example "failure" or "user request". stoppedContainerIds
docs: The IDs of the resources that were stopped.
type: required

containerStopReason
docs: The reason why the resource was stopped.
type: optional
createInfra A user creates some infrastructure like a node or a service. createInfraTargets
docs: The SystemResources that are being created.
type: required
createdInfraResources
docs: The SystemResources that were created. This should have a more explicit identifier.
type: required
dataCreate Indicates the addition of some new entry of data into the platform where it did not exist prior. This event may be reflected as a dataPromote in a separate service if it is logged in the landing service. createdResources
docs: The DataResources that were created in this event.
type: required
dataDelete Related to the deletion of data, independent of the granularity of that deletion. deletedResources
docs: The DataResources that were deleted in this event.
type: required
dataExport Export of data from the platform. Use for things like downloading data from the platform to a system external to Palantir, to a CSV file, and more. If data was exported to another Palantir system, use the dataPromote category. downloadedResources
docs: All resources that were downloaded in this event.
type: required
downloadedSize
docs: The size, in bytes, of the downloaded data.
type: required
dataImport Imports to the platform. Unlike dataPromote, dataImport refers only to data being ingested from outside the platform. This means that a dataImport in Palantir Gotham could show up as a dataPromote in a separate service. importedFilename
docs: The filename of the imported data.
type: required

importedFileType
docs: The filetype of the imported data.
type: required

importParentResourceId
docs: The parent of the destination resource.
type: optional
importResourceId
docs: The destination resource for the imported data.
type: required

importedSize
docs: The total size, in bytes, of the imported data.
type: optional
dataLoad Refers to the loading of data to be returned to a user. For purely back-end loads, use internal. loadedResources
docs: The DataResources that were loaded in this event.
type: required
dataMerge Refers to the combination of two datasources into one. This would be triggered by a JOIN in Contour or a Resolution event in Palantir Gotham. resourcesToMerge
docs: The resources that were merged in this event.
type: required
mergedResult
docs: The resultant DataResource from the merging of the resources.
type: required
dataPromote Indicates that a user promoted data to an external Palantir system, Gotham or otherwise. promotionDestinations
docs: The destinations to which the DataResources were promoted.
type: required

promotionDescription
docs: A description of this promotion event.
type: required

promotedResources
docs: The resources that were promoted to another system.
type: required
dataSearch Searches of datasets, objects, or other searches for data within the system. dataSearchQuery
docs: The query that this search is executing.
type: required

dataSearchContext
docs: Further information to contextualize the current query. This information is unstructured and should not be relied upon beyond informing auditors.
type: list
dataSearchResults
docs: All resources that were presented to the user by this search result.
type: required
dataShareCreate Creation of a share of data. For example, when creating a link that grants access to resources on visit. dataShareCreateId
docs: An optional identifier for this share, if available.
type: optional

dataShareCreateTargets
type: required
dataShareDisable Deactivation of a mechanism to share data. For example, the disabling of a link that grants access to resources on visit. dataShareDisableId
docs: An optional identifier for this share, if available.
type: optional

dataShareDisableTargets
type: required
dataShare Discretionary share of data. dataShareId
docs: An optional identifier for this share, if available.
type: optional

dataShareTargets
type: required

dataShareReason
docs: A human-readable reason this data was shared (for example, "visited a share link").
type: required
dataTransform Transform one or more DataResources in some way. transformTargets
docs: The resources that were transformed.
type: required

transformDescription
docs: A description of the transformation that was performed.
type: required
dataUpdate Updates or attempted updates of data. This is a catch-all category; we recommend using dataTransform or dataMerge instead.
inApplicationContext The request was initiated from a third-party application. applicationRid
docs: The application from which the request was initiated.
type: required
inEnrollmentContext The request was made in the context of one or more enrollments. enrollmentRids
docs: The enrollments that were associated with the request.
type: required
infraLogsAccess User requests logs from an infrastructure resource like a node or a service. infraLogsAccessTarget
docs: The SystemResource from which logs are being requested.
type: required
infraLogsAccessRequestId
docs: The request ID of this access request event.
type: required
inHubContext The request was made in a hub-spoke environment context where services may query about configurations for different stacks/spokes than their own. targetEnvironment
docs: The target environment being queried about.
type: required

targetSpokeEnvironment
docs: If present, the target spoke environment being queried about.
type: optional
targetEnrollment
docs: If present, the target enrollment being queried about.
type: optional

targetDomain
docs: If present, the target domain being queried about.
type: optional
internal Catch-all for all internal events. These typically are low signal for audit users.
llmInference Runs a prompt through a Generative AI model (a Large Language Model or LLM) that outputs a response. llmInferenceContext
docs: Further context to identify this inference request, such as the model ID, or resources in Foundry attributed to the request.
type: required

llmInferenceInputs
docs: The inputs that were used to generate the responses.
type: required
llmInferenceResponses
docs: The responses that were generated by the model.
type: required

llmInferenceResponseContext
docs: Further context to identify this inference request, such as the model ID. This must include any LLM inference context that is only available at response time.
type: required
llmRoute Represents the forwarding of an LLM prompt to an appropriate backend. This audit category is intended for LLM proxies or load balancers (for example, llm-portal). llmRouteRequest
type: required
llmRouteResponse
type: required
logicAccess Access of logic. For example, viewing a Contour analysis. accessedLogicResources
docs: All LogicResources accessed in this event.
type: required
logicCreate Creation of new logic. For example, when a new Contour board is created. createdLogicResources
docs: All LogicResources created in this event.
type: required
logicDelete Deletion of logic. For example, deleting a Contour board. deletedLogicResources
docs: All LogicResources deleted in this event.
type: required
logicSearch Search of some logic. For example, searching for a Contour analysis. logicSearchQuery
docs: The query that this search is executing.
type: required
logicSearchResults
docs: All underlying LogicResources returned by this search request.
type: required
logicUpdate An update to existing logic. For example, when a user saves a file, a push to a stemma repo occurs, or the logic of an existing Contour board is updated. updatedLogicResources
docs: All LogicResources updated in this event.
type: required
managementGroups Changes to group membership should always go through here. groupPatches
type: required
managementPermissions Anything that changes permissions on the platform. These logs should use the result_params changes field to enumerate the precise change that occurred. Examples include sharing a resource or changing a resource's provenance. resourcesWithPermissionsChanges
docs: The resources affected by the change in permissions.
type: required

permissionChangeContext
docs: Further information to contextualize the changed resources.
type: optional
managementUsers Changes and modifications to what users exist or their personal information. For events related to user permissions, use managementPermissions. For events where a user is added or removed from a group, use managementGroups. managedUserIds
type: required
managementTokens Specific action related to token management, such as enabling, disabling, or revoking tokens. managedTokens
docs: All tokens affected by the change.
type: required
managementMarkings Anything that modifies access to mandatory controls. markingPatches
type: required
mandatoryControlManagement Privileged action affecting mandatory controls in the system. Replaced by managementMarkings in audit.3.
mandatoryControlApplication Privileged action affecting mandatory controls in the system. Replaced by managementPermissions in audit.3.
metaDataAccess Refers to the loading of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. As such, metadata may not have its own identifier but instead will be related to the data that it describes. accessedMetaDataResources
docs: The underlying DataResources that the accessed metadata describes.
type: required

accessedMetaDataDescription
docs: A description of the metadata access.
type: required
metaDataCreate The creation of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. createdMetaDataDescription
docs: A description of the metadata creation.
type: required
createdMetaDataResources
docs: The underlying DataResources that the created metadata describes.
type: required
metaDataDelete The deletion of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. deletedMetaDataResources
docs: The underlying DataResources that the deleted metadata describes.
type: required

deletedMetaDataDescription
docs: A description of the metadata deletion.
type: required
metaDataSearch Search of metadata associated with a dataset, objects, or other searches for metadata within the system. metaDataSearchQuery
docs: The query that this search is executing.
type: required
metaDataSearchResults
docs: All underlying resources that had metadata presented to the user by this search result.
type: required
metaDataUpdate The updating of metadata. MetaData is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. updatedMetaDataResources
docs: The underlying DataResources that the updated metadata describes.
type: required

updatedMetaDataDescription
docs: A description of the metadata update.
type: required
monitorAccess Access of a monitor, for example viewing details about how it works. accessedMonitorResources
docs: The MonitorResources that were accessed in this event.
type: required

accessedMonitorDescription
docs: A description of the monitor access.
type: optional
monitorCreate Creation of a monitor. createdMonitorDescription
docs: A description of the monitor creation.
type: optional
createdMonitorResources
docs: The MonitorResources that were created in this event.
type: required
monitorDelete Deletion of a monitor. deletedMonitorResources
docs: The MonitorResources that were deleted in this event.
type: required

deletedMonitorDescription
docs: A description of the monitor deletion.
type: optional
monitorRun Execution of a particular monitor, potentially triggering actions or notifications. runMonitorTargets
docs: The MonitorResources that were run in this event.
type: required
monitorSearch Searching for a monitor. monitorSearchQuery
docs: The search-query that this event is running.
type: required
monitorSearchResults
docs: The search-results that are returned to the user in this event.
type: required
monitorUpdate Update a monitor, potentially changing how it behaves. updatedMonitorResources
docs: The MonitorResources that were updated in this event.
type: required

updatedMonitorDescription
docs: A description of the monitor update.
type: optional
oauth2InitiateAuthFlow Start the OAuth 2.0 Authorization Code flow with the external OAuth 2.0 server. oauth2InitiateAuthFlowUser
docs: The user for whom this oauth2 flow is being started.
type: required

oauth2InitiateAuthClientId
docs: The client-id the oauth2 flow is being performed for.
type: required
onBehalfOf The request was made on behalf of other users, usually by a service user. onBehalfOfUserIds
docs: The upstream users. The first user ID is the most upstream user.
type: required
ontologyDataLoad The loading of ontology data to be returned to a user. ontologyDataLoadContext
docs: Further context to identify this load request, such as the owning RID.
type: optional

requestedOntologyDataResources
docs: The OntologyDataResources that were requested in this event.
type: required
loadedOntologyDataResources
docs: The OntologyDataResources that were loaded in this event.
type: required
ontologyDataTransform The modification of ontology data via patches or edits. ontologyDataTransformTargets
docs: The OntologyDataResources that the user intends to transform.
type: optional

ontologyDataTransformContext
docs: Further context to identify this transform request.
type: optional

ontologyDataTransformDescription
docs: A description of the transformation that was performed.
type: optional
transformedOntologyDataResources
docs: The OntologyDataResources that were transformed by the request.
type: optional
ontologyDataSearch Search of ontology data within the system. ontologyDataSearchContext
docs: Further context to identify this load request, such as the owning RID.
type: optional

searchedOntologyLogicResources
docs: The logical selections included in this search.
type: required
ontologyDataSearchResults
docs: All resources that were presented to the user by this search result.
type: required
ontologyLogicAccess Access of ontology logic. For example, viewing an object set or sets. requestedOntologyLogicResources
docs: The OntologyLogicResources that were requested.
type: required
loadedOntologyLogicResources
docs: The OntologyLogicResources that were present in the response.
type: required
ontologyLogicCreate Creation of new ontology logic. For example, when a new object set is created. createOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
createdOntologyLogicResources
docs: All LogicResources created in this event.
type: required
ontologyLogicDelete Deletion of ontology logic, for example an object set. deleteOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
deletedOntologyLogicResources
docs: All LogicResources deleted in this event.
type: required
ontologyLogicUpdate Update ontology logic, for example saving a new version of an object set. updateOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
updatedOntologyLogicResources
docs: All LogicResources updated in this event.
type: required
ontologyMetaDataCreate The creation of OntologyMetaDataResources. createdOntologyMetaDataResources
docs: All OntologyMetaDataResources created in this event.
type: required
ontologyMetaDataDelete The deletion of OntologyMetaDataResources. deletedOntologyMetaDataResources
docs: All OntologyMetaDataResources deleted in this event.
type: required
ontologyMetaDataLoad The loading of Ontology MetaData to be returned to a user. requestedOntologyMetaDataResources
docs: The OntologyMetadataResources that were requested.
type: required
loadedOntologyMetaDataResources
docs: The OntologyMetaDataResources that were present in the response.
type: required
ontologyMetaDataSearch Search for OntologyMetaDataResources that meet criteria. ontologyMetaDataSearchedResources
docs: The OntologyMetaDataResources included in the search query.
type: required

ontologyMetaDataSearchContext
docs: Further context to the search query, such as DatasourceType.
type: optional
ontologyMetaDataSearchResults
docs: All OntologyMetaDataResources that were returned to the user.
type: required
ontologyMetaDataUpdate The modification of OntologyMetaDataResources. updatedOntologyMetaDataResources
docs: All OntologyMetaDataResources updated in this event.
type: required
passThrough A category where the set of auditable parameters is determined at runtime, typically by an external system. passThroughRequestParams
type: required
passThroughResponseParams
type: required
requestAccess The loading of a request. accessedRequestIds
docs: The requests that were accessed in this request.
type: required

accessedRequestDescription
docs: A description of the request access.
type: optional
requestApprove Approving a request, or part of a request. A request may require multiple approvals before it can be performed. approvedRequestIds
docs: The requests that are being approved.
type: required

approveRequestUserId
docs: The user that approved the request.
type: optional
requestCancel Canceling the request so that it will no longer be performed, such as closing a pull request. canceledRequestIds
docs: The requests that are being canceled.
type: required
requestCreate The creation of a request. Requests represent an action that has not yet been taken and may require approval, such as a pull request, access request, or checkpoint. createdRequestAffectedResources
docs: The resources that are directly affected by the request. For example, for an update request this would be the updated resource, and for a create request this could be the parent resource.
type: required

createdRequestDescription
docs: A description of the request creation.
type: optional
createdRequestIds
docs: The requests that were created in this request.
type: required
requestDisapprove Disapproving a request. disapprovedRequestIds
docs: The requests that are being disapproved.
type: required

disapproveRequestUserId
docs: The user that disapproved the request.
type: optional
requestExecute Executing the action associated with a request, such as merging a pull request or applying an access request. executedRequestIds
docs: The requests that are being executed.
type: required
executeRequestAffectedResources
docs: The resources that were affected by this request. This may not include all the resources that were provided when creating the request.
type: optional
requestSearch Searching for requests. requestSearchQuery
docs: The search query that this event is running.
type: required
requestSearchResults
docs: The search results that are returned to the user in this event.
type: required
requestUpdate The update of an existing request. updatedRequestIds
docs: The requests that were updated in this request.
type: required

updatedRequestDescription
docs: A description of the request update.
type: optional
restartInfra Restarts some infrastructure like a node or a service. restartedResources
docs: All SystemResources that were restarted in this event.
type: required
reviewInfraAction A user approves or denies an action within the infrastructure space, such as configuring a node or a service. reviewInfraActionRequestId
docs: The request-id of this review.
type: required

reviewInfraActionUser
docs: The user who reviewed this action.
type: required
reviewInfraActionWasApproved
docs: Whether the review was approved.
type: required
secretCreate Create a secret string. createdSecretType
docs: The kind of secrets that were created.
type: required
createdSecretIdentifiers
docs: The identifiers of the secrets that were created.
type: required
secretDeprecate Mark a secret as deprecated. deprecatedSecretIdentifier
docs: The identifier of the secret that was deprecated.
type: required
secretLoad Retrieve a secret from the backing store. loadedSecretIdentifiers
docs: The identifiers of the secrets that were loaded.
type: required
secretUse Use a secret via a backend endpoint. usedSecretOperation
docs: The operation used for the secret.
type: required

usedSecretIdentifiers
docs: The identifiers of the secrets that were used.
type: required
systemManagement Modification of or access to metadata that determines the layout and configuration of applications on the environment. Replaced by appConfigCreate/Access/Update/Delete/Search in audit.3.
tokenAccess Accessing a previously generated token. accessedTokens
docs: A description of how these tokens were accessed, for auditor-context.
type: required
tokenGeneration Action that leads to generation of a new token. generateTokensDescription
docs: A description of how these tokens were generated, for auditor-context.
type: optional
generatedTokens
docs: All tokens that were generated.
type: optional
tokenRevoke Action that leads to the deletion of tokens. revokeTokensDescription
docs: A description of how these tokens were generated, for auditor-context.
type: optional
revokedTokens
docs: All tokens that were revoked.
type: required
upgradeInfra Some infrastructure was upgraded, including downgrades. upgradedResources
docs: All SystemResources that were upgraded in this event.
type: required
userJustify Event when a user specifies a purpose justification for taking an action. userJustifyId
docs: The user justifying the action.
type: required

userJustification
docs: The user's justification for taking the action. Multiple justifications can be provided.
type: required
userLogin Login events of users. loginUserId
type: optional
userLogout Logout events of users. logoutUserId
type: optional
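The table above lists, per category, which request and result fields an audit.3 event must carry. As an added example (not code from the Palantir documentation), the following checks constructed events against those definitions for a handful of categories and walks the filter and cross-reference steps of the monitoring workflow; the top-level `userId` key and the `ri.foundry.main.dataset.*` values are assumed placeholders, not real Foundry output.

```python
# Added example, not code from the Palantir documentation: a minimal audit.3
# category checker built from the required/optional field definitions in the
# table above (dataLoad/dataExport come from earlier rows of the same table).
from collections import defaultdict

# category -> {field name: required?}. Field names are the documented ones;
# request and result fields are merged here because a consumer only needs to
# know that a required field is present somewhere in the event.
CATEGORY_FIELDS = {
    "dataLoad": {"loadedResources": True},
    "dataExport": {"downloadedResources": True, "downloadedSize": True},
    "secretUse": {"usedSecretOperation": True, "usedSecretIdentifiers": True},
    "tokenRevoke": {"revokeTokensDescription": False, "revokedTokens": True},
    "userJustify": {"userJustifyId": True, "userJustification": True},
    "userLogin": {"loginUserId": False},
}


def validate_event(event):
    """Return a list of problems; an empty list means the event satisfies the
    audit.3 guarantees covered here (>= 1 category, required fields present)."""
    problems = []
    categories = event.get("categories") or []
    if not categories:
        problems.append("event has no categories (audit.3 requires at least one)")
    present = {**event.get("requestFields", {}), **event.get("resultFields", {})}
    for cat in categories:
        spec = CATEGORY_FIELDS.get(cat)
        if spec is None:
            problems.append(f"category {cat!r} not in local definitions")
            continue
        for name, required in spec.items():
            if required and name not in present:
                problems.append(f"{cat}: missing required field {name!r}")
    return problems


def filter_by_category(events, interesting):
    """Workflow step 2: keep events carrying any category of interest."""
    wanted = set(interesting)
    return [e for e in events if wanted.intersection(e.get("categories", []))]


def loads_without_export(events):
    """Workflow step 4: per user, resources loaded (dataLoad) by users who
    produced no dataExport event anywhere in the same set of logs."""
    loaded = defaultdict(set)
    exporters = set()
    for e in events:
        cats = e.get("categories", [])
        user = e.get("userId")  # assumed top-level key, see lead-in
        if "dataExport" in cats:
            exporters.add(user)
        if "dataLoad" in cats:
            loaded[user].update(e.get("resultFields", {}).get("loadedResources", []))
    return {u: sorted(r) for u, r in loaded.items() if u not in exporters}


# Constructed sample events (not real Foundry output); RIDs are placeholders.
SAMPLE_EVENTS = [
    {"userId": "alice", "categories": ["dataLoad"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.foundry.main.dataset.AAA"]}},
    {"userId": "alice", "categories": ["dataLoad"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.foundry.main.dataset.BBB"]}},
    {"userId": "bob", "categories": ["dataLoad", "dataExport"], "requestFields": {},
     "resultFields": {"loadedResources": ["ri.foundry.main.dataset.CCC"],
                      "downloadedResources": ["ri.foundry.main.dataset.CCC"],
                      "downloadedSize": 4096}},
    # tokenRevoke event that violates the table: revokedTokens is required but absent.
    {"userId": "carol", "categories": ["tokenRevoke"],
     "requestFields": {"revokeTokensDescription": "user-initiated"}, "resultFields": {}},
    # audit.3 requires at least one category; this event has none.
    {"userId": "dave", "categories": [], "requestFields": {}, "resultFields": {}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["userId"], validate_event(ev))
    print(loads_without_export(SAMPLE_EVENTS))
```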
