Audit log
Overview
The audit log records every user action in your organization. You can trace who did what and when (creating or deleting resources, sign-in attempts, permission changes, etc.), which is useful for security audits and troubleshooting.
Prerequisites
User.UserAudit.READpermission
How to open it
In the left sidebar, click Audit Log (only visible to users with admin permission).
What's shown
| Column | Description |
|---|---|
| Time | When the activity occurred |
| Category | Kind of action (e.g. resource create, sign-in success, user role update) |
| Email of the user who performed the action (with user ID) | |
| IP address | Client IP that issued the request |
| User agent | Client browser / SDK info |
Expanding a row reveals the JSON detail for the action, including which resource was changed and how.
Filtering
Use the filters in the top-left to narrow the log:
- Period:
start dateandend date(date picker) - Email: a specific user (autocomplete, minimum 2 characters)
- Category: a specific action category
Categories
Recorded categories fall into roughly 5 groups (UserAuditCategoryEnum).
Resources
| Category | Meaning |
|---|---|
| Resource list / Resource read | GET on VMs, storage, etc. |
| Resource create / update / delete | Changes to VMs, storage, or network resources |
Users / permissions
| Category | Meaning |
|---|---|
| User create / update / delete | Organization-user changes |
| Profile update / password change | Changes to one's own account |
| User invite started / completed | Invitation sent and accepted |
| User role create / update / delete | Changes to RBAC roles |
Authentication
| Category | Meaning |
|---|---|
| Sign-in success / sign-out | Normal sign-in / sign-out |
| Password failure / OTP failure | Authentication failures: key security signal |
| Sign-in attempts exceeded | Lock-out threshold reached |
| OAuth sign-in success | Sign-in via SSO |
| Password reset started / completed | Reset flow |
| Session refresh | Token refresh |
Access tokens
| Category | Meaning |
|---|---|
| Access token create / read / delete | API-token lifecycle |
Notices
| Category | Meaning |
|---|---|
| Notice read / list read | History of viewing organization notices |
Use cases
Tracing an accidental VM deletion
- Filter by Category =
Resource delete - Narrow the time range to around when it happened
- Confirm the deleted resource ID and name in the JSON detail
Diagnosing a cost spike
- Filter by Category =
Resource create - Pick the time range covering the billing spike
- Identify who created the large instance
Monitoring suspicious sign-in attempts
- Filter by Category =
Password failureorOTP failure - Look for repeated occurrences from the same email or IP
- Force a password reset on the affected user if needed
Auditing API token usage
- Filter by Category =
Access token create / delete - Investigate any suspicious issuance → revoke immediately
Next steps
- Usage and billing: cross-reference cost changes with the audit log
- Role-based access control (RBAC): design permissions to prevent abnormal actions in the first place
- Access tokens: issue and revoke tokens