Action Audit
Action audit covers the audit events generated within a workspace by user actions. These events record, in real time, how projects in the workspace are used, what operations users perform, and which resources change. This includes but is not limited to:
- Workspace management events: such as modifications to basic settings, changes to member permissions, deletion of notification targets, License expiration, etc.;
- Events related to feature and service usage: such as creating/modifying/deleting views, creating application monitoring, disabling a specific detection library, setting HOST mute, generating Metrics, etc.;
- Billing item events: such as when project usage approaches the free quota, etc.;
- ...
Audit Event Scope
- User login access behavior records
- User operation behavior records
- OpenAPI operation behavior records
Audit Event Query
Within the workspace, you can retrieve audit events using DQL query statements:
Managing Audits
Go to Manage > Audit Events to view all user operation behavior events generated by the workspace.
- In the list, you can search for and perform group aggregation operations on events;
- Use the time component at the top of the page to view operation events within different time ranges;
- Click Settings to directly create a monitor for audit events or export the current audit event list as a CSV.
Group Aggregation
Grouping and aggregating by operator shows the total number of events each user triggered in the workspace within a given time range.
In group aggregation mode you can still open the aggregated events, and the details page lists all audit events triggered by a particular user (operator).
Audit Event Details
Clicking a single event in the operation event list opens the event's detail page, where you can view the trigger time, label attributes, operator, event content, etc.
You can also use the following fields for independent query analysis:
Field Name | Type | Required | Description |
---|---|---|---|
date | Integer | Required | Generation time, Unix timestamp, unit ms |
df_date_range | Integer | Required | Time range, unit s |
df_source | String | Required | Data source, operation event value audit |
df_status | String | Required | Status, default info for operation events |
df_origin | String | Required | Operation source, used to record the entry point of the current operation. Reference values include: |
df_menu | String | Required | Menu path accessed by the user, e.g., LOG - Explorer |
df_event_id | String | Required | Unique event ID |
df_title | String | Required | Title |
df_message | String | Required | Description |
df_user_id | String | Required | User ID |
df_user_name | String | Required | User name |
df_user_email | String | Required | User email, corresponding to [Member Management]'s id, name, email |
df_user_team | String | Required | Team the user currently belongs to |
df_role_scope | String | Required | Role scope the user currently possesses |
df_operation_id | Str | Required | Unique ID of the actual operation item corresponding to the current audit |
df_operation_name | Str | Required | The menu name corresponding to the operation item that generates the current audit. For example: the name of the current notification strategy if it corresponds to an audit event for a notification strategy operation |
df_query_type | String | Required | DQL query type |
df_query | String | Required | DQL query |
df_query_range | String | Required | DQL query duration, unit ms |
df_cost | String | Required | DQL query execution time |
df_hit_count | String | Required | Number of hits from the query |
df_workspace | String | Required | Workspace to which the audit event belongs |
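As an added example (not part of the original documentation or the product's own code), the following Python script reproduces the operator group aggregation offline over an exported audit event list, so a reviewer can see which operators were most active in a time window and which menus they touched. It assumes the CSV export uses the field names above as column headers; the sample rows, user names, menu paths and the threshold are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Assumption: the CSV export uses the documented
# field names as column headers; only a subset of the columns is shown here.
SAMPLE_CSV = """date,df_event_id,df_title,df_menu,df_user_id,df_user_name,df_user_email
1700000000000,evt-001,Modify member permissions,Manage - Member Management,u-1,alice,alice@example.com
1700000060000,evt-002,Delete notification target,Monitoring - Notification Targets,u-1,alice,alice@example.com
1700000120000,evt-003,Create view,Scenes - Views,u-2,bob,bob@example.com
1700003600000,evt-004,Delete view,Scenes - Views,u-1,alice,alice@example.com
1700007200000,evt-005,Create monitor,Monitoring - Monitors,u-2,bob,bob@example.com
"""

def load_events(text):
    """Parse CSV text into dicts, converting `date` (Unix timestamp, ms) to int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["date"] = int(row["date"])
        except (KeyError, TypeError, ValueError):
            continue  # skip rows without a usable timestamp
        events.append(row)
    return events

def aggregate_by_operator(events, start_ms, end_ms):
    """Group events with start_ms <= date < end_ms by df_user_id (the operator)."""
    groups = defaultdict(lambda: {"name": "", "count": 0, "menus": set(), "event_ids": []})
    for ev in sorted(events, key=lambda e: e["date"]):
        if not start_ms <= ev["date"] < end_ms:
            continue
        g = groups[ev.get("df_user_id") or "<unknown>"]
        g["name"] = ev.get("df_user_name", "")
        g["count"] += 1
        g["menus"].add(ev.get("df_menu", ""))
        g["event_ids"].append(ev.get("df_event_id", ""))
    return dict(groups)

def busiest_operators(groups, threshold):
    """Return (user_id, count) pairs at or above threshold, highest count first."""
    hits = [(uid, g["count"]) for uid, g in groups.items() if g["count"] >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    window = aggregate_by_operator(evs, 1700000000000, 1700000000000 + 3600 * 1000)
    for uid, count in busiest_operators(window, 2):
        print(uid, window[uid]["name"], count, sorted(window[uid]["menus"]))
```

The window bounds are in milliseconds to match the `date` field; the event IDs collected per operator can be used to look up the individual events in the detail page.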
Data Storage
Audit event data is stored independently, separate from the storage strategy for other events within the workspace. The default storage duration is 2 years. You can view and adjust the storage strategy through Manage > Settings > Change Data Storage Strategy.