Audit trail codes

This document lists all audit trail codes necessary for writing audit-related queries and subsequently, exporting audit log results by third-party integrations.

Using audit trail codes in Infinity NQL queries

The procedure in this section applies to Nexthink Infinity.

Refer to the Audit Trail API (classic) documentation for auditing user actions in Nexthink Experience.

To query audit logs follow these steps:

Identify the required fields from the Audit logs table by accessing the NQL data model documentation.
Determine the required audit trail codes to audit the actions of Nexthink users.
Run the NQL query in any of the query-based features from Nexthink Infinity.

The NQL query example below uses the platform.audit_logs field and the 94011 audit trail code to retrieve all manual executions of remote actions taken by Nexthink users in the UI.

In this case, the example simulates running the query in the NQL editor of an investigation.

Code

platform.audit_logs during past 30d
| where code == 94011

After running the NQL query example, the investigation results report the following information under the Message column:

Web request manual execution of remote action
source= source where remote action is triggered
ID=remote action uid
name=remote action on n devices with uids devices uids

Refer to the Roles documentation to grant the View audit logs in NQL permission required for querying audit logs

Exporting audit logs by third-party integrations

To export audit logs to a third-party system, you have the following integration options:

Data exporter for Azure Data Lake - recommended option
- Handle up to 1 million records per request.
NQL API export
- Handle up to 1 million records per request.
- Avoid consuming more than 24 API calls per day to prevent the system from exhausting the maximum daily limit of 50 requests.

Infinity audit trail codes

The audit trail codes in this section apply to Nexthink Infinity.

Refer to the following documentation specific to Audit trail codes Engine (classic) and Audit trail codes Portal (classic).

Below are all audit trail codes necessary for writing audit-related queries and subsequently exporting audit log results through third-party integrations.

Audit code	Audited user activity
90211	User login. `User logged in, id=user id, name=user name, session_id=session id`
90212	User logout. The system reports: `User logged out, id=user id, name=user name, session_id=session id`
90213	User failed login attempt. The system reports: `User failed login attempt, id=47b2e0e7-e778-47ef-8a27-e54ccf5ccaae, name=vishvesh.yadav@nexthink.com, error="Invalid username, password or MFA provided"`
90214	User is locked. The system reports: `User {0} is locked`
90215	User is granted access. The system reports: `User access granted, id=47b2e0e7-e778-47ef-8a27-e54ccf5ccaae, name=vishvesh.yadav@nexthink.com, session_id=idxH9IVaxhRRg-nFoCPHLBpdw, application_name="Nexthink Amplify"`
91011	User update. The system reports: `Updated user, id=user uid, name=user name`
91012	User creation. The system reports: `Created user, id=user uid, name=user name`
91013	User deletion. The system reports: `Removed user, id=user uid, name=user name`
91014	User update. The system reports: `Updated user, id=1f5d09b9-ab78-409e-b2d0-fe221e681f3d, name="test to delete"`
91021	Role update. The system reports: `Updated role, id=role uid, name=role name`
91022	Role creation. The system reports: `Added role, id=role uid, name=role name`
91023	Role deletion. The system reports: `Removed role, id=role uid, name=role name`
91031	API Credentials creation. The system reports: `Updated API credentials, id=API credentials uid, name=API credentials name`
91032	API Credentials creation. The system reports: `Added API credentials, id=API credentials uid, name=API credentials name`
91033	API Credentials deletion. The system reports: `Removed API credentials, id=API credentials uid, name=API credentials name`
91181	Access granted. The system reports: `Granted access to content, ID=content uid, name=content name, role_id=role uid, role_name=role name, permission=type of permission granted`
91182	Access update. The system reports: `Updated access to content, ID=content uid, name=content name, role_id=role uid, role_name=role name, permission=type of permission updated`
91183	Access revoke. The system reports: `Revoked access to content, ID=content uid, name=content name, role_id=role uid, role_name=role name`
92011	Remote action update. The system reports: `Updated remote action, ID=remote action uid, name=remote action name`
92012	Remote action creation. The system reports: `Created remote action, ID=remote action uid, name=remote action name`
92013	Remote action deletion. The system reports: `Deleted remote action, ID=remote action uid, name=remote action name`
92021	Checklist update. The system reports: `Updated Checklist, ID=Checklist uid, name=Checklist name`
92022	Checklist creation. The system reports: `Created Checklist, ID=Checklist uid, name=Checklist name`
92023	Checklist deletion. The system reports: `Deleted ID=Checklist uid, name=Checklist name`
92031	Campaign update. The system reports: `Updated campaign, ID=campaign uid, name=campaign name`
92032	Campaign creation. The system reports: `Created campaign, ID=campaign uid, name=campaign name`
92033	Campaign deletion. The system reports: `Deleted campaign, ID=campaign uid, name=campaign name`
92041	Dashboard update. The system reports: `Updated dashboard, ID=dashboard uid, name=dashboard name`
92042	Dashboard creation. The system reports: `Created dashboard, ID=dashboard uid, name=dashboard name`
92043	Dashboard deletion. The system reports: `Deleted dashboard, ID=dashboard uid, name=dashboard name`
92051	Monitor update. The system reports: `Updated monitor, ID=monitor uid, name=monitor name`
92052	Monitor creation. The system reports: `Created monitor, ID=monitor uid, name=monitor name`
92053	Monitor deletion. The system reports: `Deleted monitor, ID=monitor uid, name=monitor name`
92061	Application update. The system reports: `Updated appex, ID=application uid, name=application name`
92062	Application creation. The system reports: `Created appex, ID=application uid, name=application name`
92063	Application deletion. The system reports: `Deleted appex, ID=application uid, name=application name`
92071	Bulk export update. The system reports: `Updated bulk export, ID=bulk export uid, name=bulk export name`
92072	Bulk export creation. The system reports: `Created bulk export, ID=bulk export uid, name=bulk export name`
92073	Bulk export deletion. The system reports: `Deleted bulk export, ID=bulk export uid, name=bulk export name`
92081	Webhook update. The system reports: `Updated webhook, ID=webhook uid, name=webhook name`
92082	Webhook creation. The system reports: `Created webhook, ID=webhook uid, name=webhook name`
92083	Webhook deletion. The system reports: `Deleted webhook, ID=webhook uid, name=webhook name`
92091	Dex Score definition update. The system reports: `Updated dex, ID=dex uid, name=dex name`
92092	Dex Score definition creation. The system reports: `Created dex, ID=dex uid, name=dex name`
92093	Dex Score definition deletion. The system reports: `Deleted dex, ID=dex uid, name=dex name`
92111	Azure connector update. The system reports: `Updated azure connector, ID=connector uid, name=connector name`
92112	Azure connector creation. The system reports: `Created azure connector, ID=connector uid, name=connector name`
92113	Azure connector deletion. The system reports: `Deleted azure connector, ID=connector uid, name=connector name`
92121	Teams connector update. The system reports: `Updated teams connector, ID=connector uid, name=connector name`
92122	Teams connector creation. The system reports: `Created teams connector, ID=connector uid, name=connector name`
92123	Teams connector deletion. The system reports: `Deleted teams connector, ID=connector uid, name=connector name`
92141	Zoom connector update. The system reports: `Updated zoom connector, ID=connector uid, name=connector name`
92142	Zoom connector creation. The system reports: `Created zoom connector, ID=connector uid, name=connector name`
92143	Zoom connector deletion. The system reports: `Deleted zoom connector, ID=connector uid, name=connector name`
92151	Saved investigation update. The system reports: `Updated save investigation, ID=investigation uid, name=investigation name`
92152	Saved investigation creation. The system reports: `Created save investigation, ID=investigation uid, name=investigation name`
92153	Saved investigation deletion. The system reports: `Deleted save investigation, ID=investigation uid, name=investigation name`
92171	Connector credentials update. The system reports: `Updated connector credentials, ID=connector uid, name=connector name`
92172	Connector credentials creation. The system reports: `Created connector credentials, ID=connector uid, name=connector name`
92173	Connector credentials deletion. The system reports: `Deleted connector credentials, ID=connector uid, name=connector name`
92191	Amplify configuration update. The system reports: `Updated amplify configuration, ID=configuration uid, name=configuration name`
92192	Amplify configuration creation. The system reports: `Created amplify configuration, ID=configuration uid, name=configuration name`
92193	Amplify configuration deletion. The system reports: `Deleted camplify configuration, ID=configuration uid, name=configuration name`
92201	Ms Avd connector update. The system reports: `Updated ms avd connector, ID=ms avd connector uid, name=ms avd connector name`
92202	Ms Avd connector creation. The system reports: `Created ms avd connector, ID=ms avd connector uid, name=ms avd connector name`
92203	Ms Avd connector deletion. The system reports: `Deleted ms avd connector, ID=ms avd connector uid, name=ms avd connector name`
92221	Location type update. The system reports: `Updated location type, ID=location type uid, name=location type name`
92222	Location type creation. The system reports: `Created location type, ID=location type uid, name=location type name`
92231	NQL API update. The system reports: `Updated nql api, ID=nql api uid, name=nql api name`
92232	NQL API creation. The system reports: `Created nql api, ID=nql api uid, name=nql api name`
92233	NQL API deletion. The system reports: `Deleted nql api, ID=nql api uid, name=nql api name`
92241	Product configuration update. The system reports: `Updated product configuration, ID=configuration uid, name=configuration name`
92242	Product configuration creation. The system reports: `Created product configuration, ID=configuration uid, name=configuration name`
92243	Product configuration deletion. The system reports: `Deleted product configuration, ID=configuration uid, name=configuration name`
92251	Organization update. The system reports: `Updated organization, ID=organization uid, name=organization name`
92252	Organization creation. The system reports: `Created organization, ID=organization uid, name=organization name`
92261	Custom field update. The system reports: `Updated custom field, ID=custom field uid, name=custom field name (TYPE)`
92262	Custom field creation. The system reports: `Created custom field, ID=custom field uid, name=custom field name (TYPE)`
92263	Custom field deletion. The system reports: `Deleted custom field, ID=custom field uid, name=custom field name (TYPE)`
92271	Collector update. The system reports: `Updated collector updater configuration, ID=collector uid, name=collector name`
92272	Collector creation. The system reports: `Created collector updater configuration, ID=collector uid, name=collector name`
92273	Collector deletion. The system reports: `Deleted collector updater configuration, ID=collector uid, name=collector name`
92311	Custom trend update. The system reports: `Updated custom trend, ID=d627929d-f70f-4b01-8319-e8b21df6e88c, name=trends-snapshot-definition`
92312	Custom trend creation. The system reports: `Created custom trend, ID=fc52162c-228d-47a4-ba39-c2ca3e395160, name=trends-snapshot-definition`
92313	Custom trend deletion. The system reports: `Deleted custom trend, ID=e583df14-f05f-4dd2-a389-24a9491547f0, name=trends-snapshot-definition`
93011	External execution of a remote action through the API. The system reports: `API request manual execution of remote action, source= source where remote action is triggered, ID=remote action uid, name=remote action on n devices with uids devices uids`
93262	User API key value update. The system reports: `Value of user/user/#kerberos_id updated at 2024-05-27T10:17:04.308013353Z with request_id de77401d-696b-4c7d-b518-087b9a168426 by ffc4a21a5e0b457b9cd953455aea1877 for 1 user via API.`
94011	Manual execution of a remote action through the Web. The system reports: `Web request manual execution of remote action, source= source where remote action is triggered, ID=remote action uid, name=remote action on n devices with uids devices uids`
94162	GDPR Data Retrieval on Infinity Platform. The system reports: `Data retrieval request for user 'username', Data={TYPE OF DATA}`
94163	GDPR Anonymize Data for users/devices. The system reports: `Anonymized user 'username' / [Portal\|UI\|94163\|account] Anonymized device 'device name'`
94262	User ID value update via API. The system reports: `Value of user/user/#kerberos_id updated at 2024-05-27T10:17:04.308013353Z with request_id de77401d-696b-4c7d-b518-087b9a168426 by ffc4a21a5e0b457b9cd953455aea1877 for 1 user via API.`
94301	Device deletion scheduled by device name. The system reports: `2 device(s) scheduled successfully for deletion with the following device name(s): NXT-P67H45C6XR, NXT-C02FR5PSMD6R`
94303	Device deletion scheduled by device SID. The system reports: `1 user(s) scheduled for deletion with the following SID(s): lenovo_tmp_svwsPAWF@NXT-PF3KYF2V`

Last updated 32 minutes ago