User login.
The system reports:
User logged in, id=user id, name=user name, session\_id=session id, ip={user\_ip\_address}
User logout (only manual logouts are audited)
The system reports: User logged out, id=user id, name=user name, session\_id=session id
User failed login attempt.
The system reports: User failed login attempt, id=user id, name=user name, error="Invalid username, password or MFA provided"
User is locked.
The system reports: User {0} is locked
User update.
The system reports: Updated user, id=user uid, name=user name, roles\_granted={list\_of\_roles}, roles\_revoked={list\_of\_roles}, \[previous\_name]
User creation.
The system reports: Created user, id=user uid, name=user name, roles\_granted={list\_of\_roles}
User deletion.
The system reports: Removed user, id=user uid, name=user name
Role update.
The system reports: Updated role, id={0}, name="{1}", permissions\_granted="{2}", permissions\_revoked="{3}", \[data\_privacy\_visibility], \[data\_model\_visibility], \[view\_domain]
Role creation.
The system reports:Added role, id={0}, name="{1}", permissions\_granted="{2}", \[data\_privacy\_visibility], \[data\_model\_visibility], \[view\_domain]
Role deletion.
The system reports: Removed role, id=role uid, name=role name
API credentials update.
The system reports: Updated API credentials, id=API credentials uid, name=API credentials name
API Credentials creation.
The system reports: Added API credentials, id=API credentials uid, name=API credentials name
API Credentials deletion.
The system reports: Removed API credentials, id=API credentials uid, name=API credentials name
Support access granted.
The system reports: Nexthink access granted, grantee="{0}", expiration="{1}", main\_role="{2}", additional\_roles="{3}"
Support access updated.
The system reports: Nexthink access updated, grantee="{0}", expiration="{1}", main\_role="{2}", additional\_roles="{3}"
Support access revoked.
The system reports: Nexthink access revoked, grantee="{0}"
SSO configuration update.
The system reports: SSO Configuration update
Updated account provisioning SSO group.
The system reports: Updated account provisioning SSO group, group\_”{0}”, roles\_assigned”{1}”, roles\_revoked”{2}”, rank\_change=”{3}”
Added account provisioning SSO group.
The system reports: Added account provisioning SSO group, group\_”{0}”, roles\_assigned=”{1}”, rank=”{3}”
Deleted account provisioning SSO group.
The system reports: Deleted account provisioning SSO group, group\_”{0}”
User email updated.
The system reports: Updated user email, id={0}, name="{user\_name}", old\_email="{previous\_user\_email}", new\_email="{new\_user\_email}"
Password reset requested.
The system reports: Password reset requested for user, name="{user\_name}"
Note that this event is recorded as anonymous, as no authenticated account context is established at the time of the request.
Password reset completed.
The system reports: Password reset completed for user, name="{user\_name}"
Note that this event is attributed to the affected account according to the authentication context available at the time of the action.
MFA reset requested.
The system reports: MFA reset requested for user, name="{user\_name}"
MFA reset completed.
The system reports: MFA reset completed for user, name="{user\_name}"Note that this event is attributed to the affected account according to the authentication context available at the time of the action.
Access granted.
The system reports: Granted access to content, ID=content uid, name=content name, role\_id=role uid, role\_name=role name, permission=type of permission granted
Access update.
The system reports: Updated access to content, ID=content uid, name=content name, role\_id=role uid, role\_name=role name, permission=type of permission updated
Access revoke.
The system reports: Revoked access to content, ID=content uid, name=content name, role\_id=role uid, role\_name=role name
Remote action update.
The system reports: Updated remote action, ID=remote action uid, name=remote action name
Remote action creation.
The system reports: Created remote action, ID=remote action uid, name=remote action name
Remote action deletion.
The system reports: Deleted remote action, ID=remote action uid, name=remote action name
Checklist update.
The system reports: Updated Checklist, ID=Checklist uid, name=Checklist name
Checklist creation.
The system reports: Created Checklist, ID=Checklist uid, name=Checklist name
Checklist deletion.
The system reports: Deleted ID=Checklist uid, name=Checklist name
Campaign update.
The system reports: Updated campaign, ID=campaign uid, name=campaign name
Campaign creation.
The system reports: Created campaign, ID=campaign uid, name=campaign name
Campaign deletion.
The system reports: Deleted campaign, ID=campaign uid, name=campaign name
Dashboard update.
The system reports: Updated dashboard, ID=dashboard uid, name=dashboard name
Dashboard creation.
The system reports: Created dashboard, ID=dashboard uid, name=dashboard name
Dashboard deletion.
The system reports: Deleted dashboard, ID=dashboard uid, name=dashboard name
Monitor update.
The system reports: Updated monitor, ID=monitor uid, name=monitor name
Monitor creation.
The system reports: Created monitor, ID=monitor uid, name=monitor name
Monitor deletion.
The system reports: Deleted monitor, ID=monitor uid, name=monitor name
Application update.
The system reports: Updated appex, ID=application uid, name=application name
Application creation.
The system reports: Created appex, ID=application uid, name=application name
Application deletion.
The system reports: Deleted appex, ID=application uid, name=application name
Bulk export update.
The system reports: Updated bulk export, ID=bulk export uid, name=bulk export name
Bulk export creation.
The system reports: Created bulk export, ID=bulk export uid, name=bulk export name
Bulk export deletion.
The system reports: Deleted bulk export, ID=bulk export uid, name=bulk export name
Webhook update.
The system reports: Updated webhook, ID=webhook uid, name=webhook name
Webhook creation.
The system reports: Created webhook, ID=webhook uid, name=webhook name
Webhook deletion.
The system reports: Deleted webhook, ID=webhook uid, name=webhook name
Dex Score definition creation.
The system reports: Created dex, ID=dex uid, name=dex name
Dex Score definition deletion.
The system reports: Deleted dex, ID=dex uid, name=dex name
Dex Score definition update.
The system reports: Updated dex, ID=dex uid, name=dex name
Azure connector update.
The system reports: Updated azure connector, ID=connector uid, name=connector name
Azure connector creation.
The system reports: Created azure connector, ID=connector uid, name=connector name
Azure connector deletion.
The system reports: Deleted azure connector, ID=connector uid, name=connector name
Teams connector update.
The system reports: Updated teams connector, ID=connector uid, name=connector name
Teams connector creation.
The system reports: Created teams connector, ID=connector uid, name=connector name
Teams connector deletion.
The system reports: Deleted teams connector, ID=connector uid, name=connector name
Workflow update.
The system reports: Updated workflow, ID=#workflow\_name, name=Workflow\_name
Workflow creation.
The system reports: Created workflow, ID=#workflow\_name, name=Workflow\_name
Workflow deletion.
The system reports: Deleted workflow, ID=#workflow\_name, name=Workflow\_name
Zoom connector update.
The system reports: Updated zoom connector, ID=connector uid, name=connector name
Zoom connector creation.
The system reports: Created zoom connector, ID=connector uid, name=connector name
Zoom connector deletion.
The system reports: Deleted zoom connector, ID=connector uid, name=connector name
Saved investigation update.
The system reports: Updated save investigation, ID=investigation uid, name=investigation name
Saved investigation creation.
The system reports: Created save investigation, ID=investigation uid, name=investigation name
Saved investigation deletion.
The system reports: Deleted save investigation, ID=investigation uid, name=investigation name
Connector credentials update.
The system reports: Updated connector credentials, ID=connector uid, name=connector name
Connector credentials creation.
The system reports: Created connector credentials, ID=connector uid, name=connector name
Connector credentials deletion.
The system reports: Deleted connector credentials, ID=connector uid, name=connector name
Amplify configuration update.
The system reports: Updated amplify configuration, ID=configuration uid, name=configuration name
Amplify configuration creation.
The system reports: Created amplify configuration, ID=configuration uid, name=configuration name
Amplify configuration deletion.
The system reports: Deleted amplify configuration, ID=configuration uid, name=configuration name
Ms Avd connector update.
The system reports: Updated ms avd connector, ID=ms avd connector uid, name=ms avd connector name
Ms Avd connector creation.
The system reports: Created ms avd connector, ID=ms avd connector uid, name=ms avd connector name
Ms Avd connector deletion.
The system reports: Deleted ms avd connector, ID=ms avd connector uid, name=ms avd connector name
Location type update.
The system reports: Updated location type, ID=location type uid, name=location type name
Location type creation.
The system reports: Created location type, ID=location type uid, name=location type name
NQL API update.
The system reports: Updated nql api, ID=nql api uid, name=nql api name
NQL API creation.
The system reports: Created nql api, ID=nql api uid, name=nql api name
NQL API deletion.
The system reports: Deleted nql api, ID=nql api uid, name=nql api name
Product configuration update.
The system reports: Updated product configuration, ID=configuration uid, name=configuration name
Product configuration creation.
The system reports: Created product configuration, ID=configuration uid, name=configuration name
Product configuration deletion.
The system reports: Deleted product configuration, ID=configuration uid, name=configuration name
Organization update.
The system reports: Updated organization, ID=organization uid, name=organization name
Organization creation.
The system reports: Created organization, ID=organization uid, name=organization name
Custom field update.
The system reports: Updated custom field, ID=custom field uid, name=custom field name (TYPE)
Custom field creation.
The system reports: Created custom field, ID=custom field uid, name=custom field name (TYPE)
Custom field deletion.
The system reports: Deleted custom field, ID=custom field uid, name=custom field name (TYPE)
Collector update.
The system reports: Updated collector updater configuration, ID=collector uid, name=collector name
Collector creation.
The system reports: Created collector updater configuration, ID=collector uid, name=collector name
Collector deletion.
The system reports: Deleted collector updater configuration, ID=collector uid, name=collector name
Custom trend update.
The system reports: Updated custom trend, ID=d627929d-f70f-4b01-8319-e8b21df6e88c, name=trend-name
Custom trend creation.
The system reports: Created custom trend, ID=fc52162c-228d-47a4-ba39-c2ca3e395160, name=trends-snapshot-definition
Custom trend deletion.
The system reports: Deleted custom trend, ID=e583df14-f05f-4dd2-a389-24a9491547f0, name=trends-snapshot-definition
Rating update.
The system reports: Updated rating, ID=rating uid, name=field name
Rating creation.
The system reports: Created rating, ID=rating uid, name=field name
Rating deletion.
The system reports: Deleted rating, ID=rating uid, name=field name
Guide update.
The system reports: Updated guide, ID=guide uid, name=guide name
Guide creation.
The system reports: Created guide, ID=guide uid, name=guide name
Guide deletion.
The system reports: Deleted guide, ID=guide uid, name=guide name
External execution of a remote action through the API.
The system reports: API request manual execution of remote action, source= source where remote action is triggered, ID=remote action uid, name=remote action on n devices with uids devices uids
External triggering of a campaign through the API.
The system reports: API request manual triggering of campaign, ID=nql\_id\_of\_campaign, name=Campaign Name on n users with SIDs
External execution of a workflow through the API.
The system reports: ID=, devices=\[\
Manual custom field update via API.
The system reports: Value of {object\_type}/{object\_type}/#custom\_field\_name updated at timestamp with request\_id request ID by API user ID for 1 {object\_type} via API.
Manual execution of a remote action through the Web.
The system reports: Web request manual execution of remote action, source= source where remote action is triggered, ID=remote action uid, name=remote action on n devices with uids devices uids
Manual triggering of a campaign through the Web.
The system reports: Manual triggering of a campaign through the Web, ID=nql\_id\_of\_campaign, name=Campaign Name on n users with SIDs or on all users from an investigation
Manual execution of a workflow through the Web.
The system reports: ID=, devices=\[\ID=, on \
Data Management, data retrieval.
The system reports: Data retrieval request for user 'username', Data={TYPE OF DATA}
Manual custom field update via UI.
The system reports: Value of {object\_type}/{object\_type}/#custom\_field\_name updated at timestamp by user ID for 1 {object\_type} via UI.
Device deletion scheduled.
The system reports: 2 device(s) scheduled successfully for deletion with the following device name(s): ABC-XYZ123456, XYZ-ABC123456
User deletion scheduled (by user SID).
The system reports: 1 user(s) scheduled for deletion with the following SID(s): S-1-12-1-123456789
Data retention update.
The system reports: Data retention updated: inventory retention to {number of days} days, operational retention to {dumber of days} days.
Spark executes remote actions with user confirmation.
The system reports: remote action ID, id=user id, name=user name, requestId (including device uid).
Spark executes agent actions with user confirmation.
The system reports: agent action ID, id=user id, name=user name, requestId (including device uid).
Spark executes agent actions autonomously.
The system reports: agent action ID, id=user id, name=user name, requestId (including device uid).