Audit trail codes
This document lists all audit trail codes necessary for writing audit-related queries and, subsequently, exporting audit log results through third-party integrations.
Using audit trail codes in Infinity NQL queries
The procedure in this section applies to Nexthink Infinity.
Refer to the Audit Trail API (classic) documentation for auditing user actions in Nexthink Experience.
To query audit logs, follow these steps:
1. Identify the required fields from the Audit logs table by accessing the NQL data model documentation.
2. Determine the required audit trail codes to audit the actions of Nexthink users.
3. Run the NQL query in any of the query-based features from Nexthink Infinity.
The NQL query example below uses the `platform.audit_logs` field and the `94011` audit trail code to retrieve all manual executions of remote actions taken by Nexthink users in the UI.
In this case, the example simulates running the query in the NQL editor of an investigation.
After running the NQL query example, the investigation results report the following information under the Message column:
Web request manual execution of remote action
source=source where remote action is triggered
ID=remote action uid
name=remote action on n devices with uids devices uids
Refer to the Roles documentation to grant the View audit logs in NQL permission required for querying audit logs.
Exporting audit logs by third-party integrations
To export audit logs to a third-party system, you have the following integration options:
Data exporter for Azure Data Lake - recommended option
Handle up to 1 million records per request.
Handle up to 1 million records per request.
Avoid consuming more than 24 API calls per day to prevent the system from exhausting the maximum daily limit of 50 requests.
Infinity audit trail codes
The audit trail codes in this section apply to Nexthink Infinity.
Refer to the following documentation specific to Audit trail codes Engine (classic) and Audit trail codes Portal (classic).
Below are all audit trail codes necessary for writing audit-related queries and subsequently exporting audit log results through third-party integrations.
Audit code | Audited user activity |
---|---|
90211 | User login. |
90212 | User logout. The system reports: |
90213 | User failed login attempt. The system reports: |
90214 | User is locked. The system reports: |
90215 | User is granted access. The system reports: |
91011 | User update. The system reports: |
91012 | User creation. The system reports: |
91013 | User deletion. The system reports: |
91014 | User update. The system reports: |
91021 | Role update. The system reports: |
91022 | Role creation. The system reports: |
91023 | Role deletion. The system reports: |
91031 | API Credentials creation. The system reports: |
91032 | API Credentials creation. The system reports: |
91033 | API Credentials deletion. The system reports: |
91181 | Access granted. The system reports: |
91182 | Access update. The system reports: |
91183 | Access revoke. The system reports: |
92011 | Remote action update. The system reports: |
92012 | Remote action creation. The system reports: |
92013 | Remote action deletion. The system reports: |
92021 | Checklist update. The system reports: |
92022 | Checklist creation. The system reports: |
92023 | Checklist deletion. The system reports: |
92031 | Campaign update. The system reports: |
92032 | Campaign creation. The system reports: |
92033 | Campaign deletion. The system reports: |
92041 | Dashboard update. The system reports: |
92042 | Dashboard creation. The system reports: |
92043 | Dashboard deletion. The system reports: |
92051 | Monitor update. The system reports: |
92052 | Monitor creation. The system reports: |
92053 | Monitor deletion. The system reports: |
92061 | Application update. The system reports: |
92062 | Application creation. The system reports: |
92063 | Application deletion. The system reports: |
92071 | Bulk export update. The system reports: |
92072 | Bulk export creation. The system reports: |
92073 | Bulk export deletion. The system reports: |
92081 | Webhook update. The system reports: |
92082 | Webhook creation. The system reports: |
92083 | Webhook deletion. The system reports: |
92091 | Dex Score definition update. The system reports: |
92092 | Dex Score definition creation. The system reports: |
92093 | Dex Score definition deletion. The system reports: |
92111 | Azure connector update. The system reports: |
92112 | Azure connector creation. The system reports: |
92113 | Azure connector deletion. The system reports: |
92121 | Teams connector update. The system reports: |
92122 | Teams connector creation. The system reports: |
92123 | Teams connector deletion. The system reports: |
92141 | Zoom connector update. The system reports: |
92142 | Zoom connector creation. The system reports: |
92143 | Zoom connector deletion. The system reports: |
92151 | Saved investigation update. The system reports: |
92152 | Saved investigation creation. The system reports: |
92153 | Saved investigation deletion. The system reports: |
92171 | Connector credentials update. The system reports: |
92172 | Connector credentials creation. The system reports: |
92173 | Connector credentials deletion. The system reports: |
92191 | Amplify configuration update. The system reports: |
92192 | Amplify configuration creation. The system reports: |
92193 | Amplify configuration deletion. The system reports: |
92201 | Ms Avd connector update. The system reports: |
92202 | Ms Avd connector creation. The system reports: |
92203 | Ms Avd connector deletion. The system reports: |
92221 | Location type update. The system reports: |
92222 | Location type creation. The system reports: |
92231 | NQL API update. The system reports: |
92232 | NQL API creation. The system reports: |
92233 | NQL API deletion. The system reports: |
92241 | Product configuration update. The system reports: |
92242 | Product configuration creation. The system reports: |
92243 | Product configuration deletion. The system reports: |
92251 | Organization update. The system reports: |
92252 | Organization creation. The system reports: |
92261 | Custom field update. The system reports: |
92262 | Custom field creation. The system reports: |
92263 | Custom field deletion. The system reports: |
92271 | Collector update. The system reports: |
92272 | Collector creation. The system reports: |
92273 | Collector deletion. The system reports: |
92311 | Custom trend update. The system reports: |
92312 | Custom trend creation. The system reports: |
92313 | Custom trend deletion. The system reports: |
93011 | External execution of a remote action through the API. The system reports: |
93262 | User API key value update. The system reports: |
94011 | Manual execution of a remote action through the Web. The system reports: |
94162 | GDPR Data Retrieval on Infinity Platform. The system reports: |
94163 | GDPR Anonymize Data for users/devices. The system reports: |
94262 | User ID value update via API. The system reports: |
94301 | Device deletion scheduled by device name. The system reports: |
94303 | Device deletion scheduled by device SID. The system reports: |
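
A triage pass over exported audit records using the login codes from the table, as an added example that is not part of the Nexthink documentation: it flags a burst of failed logins (90213) that ends in a lockout (90214) or a successful login (90211). The record field names (`time`, `code`, `user`), the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit trail codes taken from the table above.
LOGIN, FAILED_LOGIN, USER_LOCKED = 90211, 90213, 90214

def find_suspicious_logins(records, threshold=3, window=timedelta(minutes=10)):
    """Flag failed-login bursts that end in a lockout or a successful login.

    Each record is a dict with 'time' (ISO 8601), 'code' (int) and 'user'.
    These field names are assumed for the export, not Nexthink's schema.
    """
    events = sorted((datetime.fromisoformat(r["time"]), r["code"], r["user"])
                    for r in records)
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    findings = []
    for ts, code, user in events:
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if code == FAILED_LOGIN:
            recent.append(ts)
        elif code in (LOGIN, USER_LOCKED) and len(recent) >= threshold:
            kind = "login_after_failures" if code == LOGIN else "lockout_after_failures"
            findings.append({"user": user, "kind": kind,
                             "time": ts.isoformat(), "failures": len(recent)})
            recent.clear()
        elif code == LOGIN:
            recent.clear()  # an ordinary login resets the counter
    return findings

def _rec(clock, code, user):
    # Helper for the constructed sample below (date and names are made up).
    return {"time": f"2024-05-01T{clock}+00:00", "code": code, "user": user}

SAMPLE = [  # constructed records, not real Nexthink output
    _rec("09:00:05", 90213, "alice"), _rec("09:00:40", 90213, "alice"),
    _rec("09:01:10", 90213, "alice"), _rec("09:01:30", 90213, "alice"),
    _rec("09:02:00", 90211, "alice"), _rec("09:05:00", 94011, "alice"),
    _rec("08:00:00", 90213, "bob"), _rec("08:30:00", 90213, "bob"),
    _rec("09:05:00", 90213, "bob"), _rec("09:06:00", 90211, "bob"),
    _rec("10:00:10", 90213, "carol"), _rec("10:00:30", 90213, "carol"),
    _rec("10:00:50", 90213, "carol"), _rec("10:01:00", 90214, "carol"),
]

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE):
        print(finding)
```
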