Audit log categories

Audit log categories help to identify events of interest without enumerating every event. In audit.3, events must be logged under one of the categories in the table below. audit.2 logs may use the same categories but they are not enforced and usage is considered best effort. Refer to Audit logging overview for more information about the differences between the audit.2 and audit.3 schema.

An example auditing workflow using categories could be:

  1. Identify the audit categories of interest, such as dataLoad.
  2. Use Foundry pipelines or a SIEM to search all audit logs that contain any of these events. In pseudo-code:
     allLogs.filter { log -> interestingCategories.any { category -> log.categories.contains(category) } }
  3. For each of these logs, the request_params and result_params reflect the specific information submitted and viewed by a user. The request and response params are split so that the consumer can differentiate between parameters provided in the request and those that are part of the response resulting from the interaction.

For example, if your log contains the dataLoad category, then the request_params and/or the result_params will contain a list of all the resources loaded by the user during this interaction.
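The workflow above as an added example (not code from the Foundry documentation): it filters constructed audit records by category, reads each category's required fields from either request_params or result_params, and reports records where a required field is absent. The JSON-lines layout, the uid and time fields, and the resource identifiers are assumptions made for the illustration.

```python
import json
from collections import defaultdict

# Required fields per category, copied from the category table on this page.
REQUIRED_FIELDS = {
    "dataLoad": ["loadedResources"],
    "dataExport": ["downloadedResources", "downloadedSize"],
}

# Constructed sample records, one JSON object per line. Only categories,
# request_params and result_params are named on the page; "uid", "time" and
# the resource identifiers are assumptions made for this example.
SAMPLE_LOGS = """\
{"time": "2024-01-01T10:00:00Z", "uid": "user-a", "categories": ["dataLoad"], "request_params": {}, "result_params": {"loadedResources": ["ri.example.dataset.1"]}}
{"time": "2024-01-01T10:01:00Z", "uid": "user-a", "categories": ["dataExport"], "request_params": {}, "result_params": {"downloadedResources": ["ri.example.dataset.1"], "downloadedSize": 2048}}
{"time": "2024-01-01T10:02:00Z", "uid": "user-b", "categories": ["internal"], "request_params": {}, "result_params": {}}
{"time": "2024-01-01T10:03:00Z", "uid": "user-b", "categories": ["dataExport"], "request_params": {"downloadedResources": ["ri.example.dataset.2"]}, "result_params": {}}
{"time": "2024-01-01T10:04:00Z", "uid": "user-b", "categories": ["dataLoad", "metaDataAccess"], "request_params": {"loadedResources": ["ri.example.dataset.2", "ri.example.dataset.3"]}, "result_params": {}}
"""

_MISSING = object()  # distinguishes "field absent" from an empty value


def parse_logs(text):
    """Parse JSON-lines text into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_by_categories(logs, interesting):
    """Step 2 of the workflow: keep logs carrying any category of interest."""
    wanted = set(interesting)
    return [log for log in logs if wanted & set(log.get("categories", []))]


def find_field(log, name):
    """Step 3: a field may sit in request_params and/or result_params."""
    for side in ("request_params", "result_params"):
        params = log.get(side) or {}
        if name in params:
            return params[name]
    return _MISSING


def summarize(logs, interesting):
    """Return (per-user resources and exported bytes, missing-field findings)."""
    per_user = defaultdict(lambda: {"resources": set(), "exported_bytes": 0})
    missing = []
    for log in filter_by_categories(logs, interesting):
        user = per_user[log.get("uid", "unknown")]
        for category in sorted(set(interesting) & set(log["categories"])):
            for field in REQUIRED_FIELDS.get(category, []):
                value = find_field(log, field)
                if value is _MISSING:
                    # A required field is absent: surface it for follow-up
                    # instead of silently counting nothing.
                    missing.append((log.get("time"), category, field))
                elif field == "downloadedSize":
                    user["exported_bytes"] += int(value)
                else:
                    user["resources"].update(value)
    return dict(per_user), missing


if __name__ == "__main__":
    users, gaps = summarize(parse_logs(SAMPLE_LOGS), ["dataLoad", "dataExport"])
    for uid, info in sorted(users.items()):
        print(uid, sorted(info["resources"]), info["exported_bytes"])
    for when, category, field in gaps:
        print(f"missing {field} on {category} log at {when}")
```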

Below are the available audit log categories.

Audit Log Category | Category Description | Request Fields | Response Fields
appConfigAccess
Load application-specific configuration. These may be tied to a user or resource.
accessedAppConfigIds
docs: The application resources that were accessed in this event.
type: required

accessAppConfigDescription
docs: A description of the configuration access.
type: required
appConfigCreate
Create application-specific configuration. These may be tied to a user or resource.
createAppConfigDescription
docs: A description of the configuration creation.
type: required
createdAppConfigIds
docs: The application resources that were created in this event.
type: required
appConfigDelete
Delete application-specific configuration. These may be tied to a user or resource.
deletedAppConfigIds
docs: The ApplicationResources that were deleted in this event.
type: required

deleteAppConfigDescription
docs: A description of the configuration deletion.
type: required
appConfigSearch
Search for application-specific configuration. These may be tied to a user or resource. appConfigSearch should be used when the exact result values of a request are unknown, or variable.
appConfigSearchQuery
docs: The search-query that this event is running.
type: required
appConfigSearchResults
docs: The search-results that are returned to the user in this event.
type: required
appConfigUpdate
Update application-specific configuration. These may be tied to a user or resource.
updatedAppConfigIds
docs: The application resources that were updated in this event.
type: required

updateAppConfigDescription
docs: A description of the configuration update.
type: required
assetFileLoad
Loads a file from a static asset by its full coordinate, such as group, artifact, and version.
requestMavenCoordinate
docs: Maven coordinate for the asset requested. Might not include groupId or version.
type: required
responseMavenCoordinate
docs: The full maven coordinate for the returned asset.
type: required
authenticationCheck
Checks authentication status via a programmatic or manual authentication event, such as token validation.
authenticationCheckTargets
docs: The identifiers that auth is being checked against.
type: optional
authenticationCheckResult
docs: Whether this authentication check succeeded or not.
type: required

authenticationCheckResultMessage
docs: Further details on this authentication check result.
type: optional
authorizationCheck
Checks authorization status via a programmatic or manual authorization event, like checking permissions.
authorizationCheckTargets
docs: The identifiers that auth is being checked against.
type: optional

authorizationCheckOperations
docs: The values within the authorization attempt, such as the permission being checked for.
type: required
authorizationCheckSucceededTargets
docs: Targets that passed authorization.
type: required

authorizationCheckFailedTargets
docs: Targets that failed authorization.
type: required

authorizationCheckResultMessage
docs: Further details on this authorization check result.
type: optional
bulkDataImport
Bulk imports to the platform. Differs from dataImport in that the direct relationship between destinations and origins may not be known.
bulkImportedFiles
docs: The files that were imported.
type: required
bulkImportDestinations
docs: The destination for the bulk imports.
type: required
cancelCodeExecution
Cancellation of an existing code execution.
cancelledExecutedResources
docs: The specific resources that were being executed before cancellation. For example, this could be a modelUUID or a buildRID.
type: required

cancelledExecutedResourceEnvironment
docs: The encompassing environment for the resources that were being executed before cancellation. For example, this could be a liveRID or a workbookRID.
type: required
codeExecution
Occurrence of code execution, which might not write results to a dataResource.
executedResourceEnvironment
docs: The encompassing environment for the resources that were executed. For example, this could be a liveRID or a workbookRID.
type: required
executedResources
docs: The specific resources that were executed. For example, this could be a modelUUID or a buildRID or if run on a container, pass in the identifier of the container.
type: required
configureInfra
A user configures some infrastructure like a node or a service.
configureInfraTargets
docs: The SystemResources that are being configured.
type: required
configureInfraRequestId
docs: The request-id of this configuration event.
type: required
containerLaunch
Registers the preparation of a compute environment. This should be emitted when, for example, a Spark module is launched. If possible, pass in a location identifier of the compute environment like a host name.
requestedContainerIdsToLaunch
docs: The IDs of the resources that were requested to be launched.
type: optional
launchedContainerIds
docs: The IDs of the resources that were launched.
type: required
containerLoad
Registers the load of a compute environment. This should be emitted when, for example, a Spark module is read. If possible, pass in a location identifier of the compute environment like a host name.
requestedContainerLoadIds
docs: The IDs of the resources that were requested.
type: required
loadedContainerLoadIds
docs: The IDs of the resources that were loaded.
type: required
containerSearch
Registers the search of compute environments. This should be emitted when, for example, a Spark module list is read.
containerSearchQuery
docs: The search-query that this event is running.
type: optional
containerSearchResults
docs: The search-results that are returned to the user in this event.
type: required
containerStop
Registers the shutdown of a compute environment. If possible, pass in a human readable reason for the shutdown, for example "failure" or "user request".
stoppedContainerIds
docs: The IDs of the resources that were stopped.
type: required

containerStopReason
docs: The reason why the resource was stopped.
type: optional
createInfra
A user creates some infrastructure like a node or a service.
createInfraTargets
docs: The SystemResources that are being created.
type: required
createdInfraResources
docs: The SystemResources that were created. This should have a more explicit identifier.
type: required
dataCreate
Indicates the addition of some new entry of data into the platform where it did not exist prior. This event may be reflected as a dataPromote in a separate service if it is logged in the landing service.
createdResources
docs: The DataResources that were created in this event.
type: required
dataDelete
Related to the deletion of data, independent of the granularity of that deletion.
deletedResources
docs: The DataResources that were deleted in this event.
type: required
dataExport
Export of data from the platform. Use for actions such as downloading data from the platform to a system external to Palantir, a CSV file, and more. If data was exported to another Palantir system, use the dataPromote category.
downloadedResources
docs: All resources that were downloaded in this event.
type: required
downloadedSize
docs: The size, in bytes, of the downloaded data.
type: required
dataImport
Imports to the platform. Unlike dataPromote, dataImport refers only to data being ingested from outside the platform. This means that a dataImport in Palantir Gotham could show up as a dataPromote in a separate service.
importedFilename
docs: The filename of the imported data.
type: required

importedFileType
docs: The filetype of the imported data.
type: required

importParentResourceId
docs: The parent of the destination resource.
type: optional
importResourceId
docs: The destination resource for the imported data.
type: required

importedSize
docs: The total size, in bytes, of the imported data.
type: optional
dataLoad
Refers to the loading of data to be returned to a user. For purely back-end loads, use internal.
loadedResources
docs: The DataResources that were loaded in this event.
type: required
dataMerge
Refers to the combination of two datasources into one. This would be triggered by a JOIN in Contour or a Resolution event in Palantir Gotham.
resourcesToMerge
docs: The resources that were merged in this event.
type: required
mergedResult
docs: The resultant DataResource from the merging of the resources.
type: required
dataPromote
Indicates that a user promoted data to an external Palantir system, Gotham or otherwise.
promotionDestinations
docs: The destinations to which the DataResources were promoted.
type: required

promotionDescription
docs: A description of this promotion event.
type: required

promotedResources
docs: The resources that were promoted to another system.
type: required
dataSearch
Searches of datasets, objects, or other searches for data within the system.
dataSearchQuery
docs: The query that this search is executing.
type: required

dataSearchContext
docs: Further information to contextualize the current query. This information is unstructured and should not be relied upon beyond informing auditors.
type<common.ResourceContext>
dataSearchResults
docs: All resources that were presented to the user by this search result.
type: required
dataShareCreate
Creation of a share of data. For example, when creating a link that grants access to resources on visit.
dataShareCreateId
docs: An optional identifier for this share, if available.
type: optional

dataShareCreateTargets
type: required
dataShareDisable
Deactivation of a mechanism to share data. For example, the disabling of a link that grants access to resources on visit.
dataShareDisableId
docs: An optional identifier for this share, if available.
type: optional

dataShareDisableTargets
type: required
dataShare
Discretionary share of data.
dataShareId
docs: An optional identifier for this share, if available.
type: optional

dataShareTargets
type: required

dataShareReason
docs: A human-readable reason this data was shared (e.g. "visited a share link").
type: required
dataTransform
Transform one or more DataResources in some way.
transformTargets
docs: The resources that were transformed.
type: required

transformDescription
docs: A description of the transformation that was performed.
type: required
dataUpdate
Updates or attempted updates of data. This is a catch-all field and we recommend using dataTransform or dataMerge instead.
apiGatewayRequest
A request to an API gateway.

User actions may result in requests that are fulfilled by an API gateway. Use this audit log to view the name or origin of the request. To get more information about this user action, find other audit logs associated with this request by filtering to logs with the same traceId field. To find audit logs for requests made by the API gateway when fulfilling the user-initiated request, further filter to logs that have a userAgent field starting with the service name in this audit log.
operationNames
docs: The name of the request. If a batch request, this may include multiple names.
type: optional
infraLogsAccess
User requests logs from an infrastructure resource like a node or a service.
infraLogsAccessTarget
docs: The SystemResource from which logs are being requested.
type: required
infraLogsAccessRequestId
docs: The request-id of this access request event.
type: required
internal
Catch-all for all internal events. These typically are low signal for audit users.
logicAccess
Access of logic. For example, viewing a Contour analysis.
accessedLogicResources
docs: All LogicResources accessed in this event.
type: required
logicCreate
Creation of new logic. For example, when a new Contour board is created.
createdLogicResources
docs: All LogicResources created in this event.
type: required
logicDelete
Deletion of logic. For example, deleting a Contour board.
deletedLogicResources
docs: All LogicResources deleted in this event.
type: required
logicSearch
Search of some logic. For example, searching for a Contour analysis.
logicSearchQuery
docs: The query that this search is executing.
type: required
logicSearchResults
docs: All underlying LogicResources returned by this search request.
type: required
logicUpdate
An update to existing logic. For example, when a user saves a file, a push to a stemma repo occurs, or the logic of an existing Contour board is updated.
updatedLogicResources
docs: All LogicResources updated in this event.
type: required
managementGroups
Changes to group membership should always go through here.
groupPatches
type: required
managementPermissions
Anything that changes permissions on the platform. These logs should use the result_params changes field to enumerate the precise change that occurred. Examples include sharing a resource or changing a resource's provenance.
resourcesWithPermissionsChanges
docs: The resources affected by the change in permissions.
type: required

permissionChangeContext
docs: Further information to contextualise changed resources
type: optional
managementUsers
Changes and modifications to what users exist or their personal information. For events related to user permissions, use managementPermissions. For events where a user is added or removed from a group, use managementGroups.
managedUserIds
type: required
managementTokens
Specific action related to token management, such as enabling, disabling, or revoking tokens.
managedTokens
docs: All tokens affected by the change.
type: required
managementMarkings
Anything that modifies access to mandatory controls.
markingPatches
type: required
mandatoryControlManagement
Privileged action affecting mandatory controls in the system. Replaced by managementMarkings in audit.3.
mandatoryControlApplication
Privileged action affecting mandatory controls in the system. Replaced by managementPermissions in audit.3.
metaDataAccess
Refers to the loading of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more. As such, metadata may not have its own identifier but instead will be related to the data that it describes.
accessedMetaDataResources
docs: The underlying DataResources that the accessed metadata describes.
type: required

accessedMetaDataDescription
docs: A description of the metadata access.
type: required
metaDataCreate
The creation of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more.
createdMetaDataDescription
docs: A description of the metadata creation.
type: required
createdMetaDataResources
docs: The underlying DataResources that the created metadata describes.
type: required
metaDataDelete
The deletion of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more.
deletedMetaDataResources
docs: The underlying DataResources that the deleted metadata describes.
type: required

deletedMetaDataDescription
docs: A description of the metadata deletion.
type: required
metaDataSearch
Search of metadata associated with a dataset, objects, or other searches for metadata within the system.
metaDataSearchQuery
docs: The query that this search is executing.
type: required
metaDataSearchResults
docs: All underlying resources that had metadata presented to the user by this search result.
type: required
metaDataUpdate
The updating of metadata. Metadata is data about data; for example, various API-accessible metrics that describe data within a pipeline, like counts, dataset names, transaction IDs and more.
updatedMetaDataResources
docs: The underlying DataResources that the updated metadata describes.
type: required

updatedMetaDataDescription
docs: A description of the metadata update.
type: required
monitorAccess
Access of a monitor, for example viewing details about how it works.
accessedMonitorResources
docs: The MonitorResources that were accessed in this event.
type: required

accessedMonitorDescription
docs: A description of the monitor access.
type: optional
monitorCreate
Creation of a monitor.
createdMonitorDescription
docs: A description of the monitor creation.
type: optional
createdMonitorResources
docs: The MonitorResources that were created in this event.
type: required
monitorDelete
Deletion of a monitor.
deletedMonitorResources
docs: The MonitorResources that were deleted in this event.
type: required

deletedMonitorDescription
docs: A description of the monitor deletion.
type: optional
monitorRun
Execution of a particular monitor, potentially triggering actions or notifications.
runMonitorTargets
docs: The MonitorResources that were run in this event.
type: required
monitorSearch
Searching for a monitor.
monitorSearchQuery
docs: The search-query that this event is running.
type: required
monitorSearchResults
docs: The search-results that are returned to the user in this event.
type: required
monitorUpdate
Update a monitor, potentially changing how it behaves.
updatedMonitorResources
docs: The MonitorResources that were updated in this event.
type: required

updatedMonitorDescription
docs: A description of the monitor update.
type: optional
oauth2InitiateAuthFlow
Start the OAuth 2.0 Authorization Code flow with the external OAuth 2.0 server.
oauth2InitiateAuthFlowUser
docs: The user for whom this oauth2 flow is being started.
type: required

oauth2InitiateAuthClientId
docs: The client-id the oauth2 flow is being performed for.
type: required
onBehalfOf
The request was made on behalf of other users, usually by a service user.
onBehalfOfUserIds
docs: The upstream users. The first user ID is the most upstream user.
type: required
ontologyDataLoad
The loading of ontology data to be returned to a user.
ontologyDataLoadContext
docs: Further context to identify this load request, such as the owning RID.
type: optional

requestedOntologyDataResources
docs: The OntologyDataResources that were requested in this event.
type: required
loadedOntologyDataResources
docs: The OntologyDataResources that were loaded in this event.
type: required
ontologyDataTransform
The modification of ontology data via patches or edits.
ontologyDataTransformTargets
docs: The OntologyDataResources that the user intends to transform.
type: optional

ontologyDataTransformContext
docs: Further context to identify this transform request.
type: optional

ontologyDataTransformDescription
docs: A description of the transformation that was performed.
type: optional
transformedOntologyDataResources
docs: The OntologyDataResources that were transformed by the request.
type: optional
ontologyDataSearch
Search of ontology data within the system.
ontologyDataSearchContext
docs: Further context to identify this load request, such as the owning RID.
type: optional

searchedOntologyLogicResources
docs: The logical selections included in this search.
type: required
ontologyDataSearchResults
docs: All resources that were presented to the user by this search result.
type: required
ontologyLogicAccess
Access of ontology logic. For example, viewing an object set or sets.
requestedOntologyLogicResources
docs: The OntologyLogicResources that were requested.
type: required
loadedOntologyLogicResources
docs: The OntologyLogicResources that were present in the response.
type: required
ontologyLogicCreate
Creation of new ontology logic. For example, when a new object set is created.
createOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
createdOntologyLogicResources
docs: All LogicResources created in this event.
type: required
ontologyLogicDelete
Deletion of ontology logic, for example a new object set.
deleteOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
deletedOntologyLogicResources
docs: All LogicResources deleted in this event.
type: required
ontologyLogicUpdate
Update ontology logic, for example saving a new version of an object set.
updateOntologyLogicContext
docs: Further context to narrow down an identifier, or further identify this request. For example, owning RID, or parent Compass RID. This includes a "type" context identifying the type represented by this request, for example, temporary object set, permanent object set, versioned object set, and more.
type: optional
updatedOntologyLogicResources
docs: All LogicResources updated in this event.
type: required
ontologyMetaDataCreate
The creation of OntologyMetaDataResources.
createdOntologyMetaDataResources
docs: All OntologyMetaDataResources created in this event.
type: required
ontologyMetaDataDelete
The deletion of OntologyMetaDataResources.
deletedOntologyMetaDataResources
docs: All OntologyMetaDataResources deleted in this event.
type: required
ontologyMetaDataLoad
The loading of Ontology MetaData to be returned to a user.
requestedOntologyMetaDataResources
docs: The OntologyMetadataResources that were requested.
type: required
loadedOntologyMetaDataResources
docs: The OntologyMetaDataResources that were present in the response.
type: required
ontologyMetaDataSearch
Search for OntologyMetaDataResources that meet criteria.
ontologyMetaDataSearchedResources
docs: The OntologyMetaDataResources included in the search query.
type: required

ontologyMetaDataSearchContext
docs: Further context to the search query - such as DatasourceType.
type: optional
ontologyMetaDataSearchResults
docs: All OntologyMetaDataResources that were returned to the user.
type: required
ontologyMetaDataUpdate
The modification of OntologyMetaDataResources.
updatedOntologyMetaDataResources
docs: All OntologyMetaDataResources updated in this event.
type: required
passThrough
A category where the set of auditable parameters is determined at runtime, typically by an external system.
passThroughRequestParams
type: required
passThroughResponseParams
type: required
requestAccess
The loading of a request.
accessedRequestIds
docs: The requests that were accessed in this request.
type: required

accessedRequestDescription
docs: A description of the request access.
type: optional
requestApprove
Approving a request, or part of a request. A request may require multiple approvals before it can be performed.
approvedRequestIds
docs: The requests that are being approved.
type: required

approveRequestUserId
docs: The user that approved the request
type: optional
requestCancel
Canceling the request so that it will no longer be performed, such as closing a pull request.
canceledRequestIds
docs: The requests that are being canceled.
type: required
requestCreate
The creation of a request. Requests represent an action that has not yet been taken and may require approval, such as a pull request, access request, or checkpoint.
createdRequestAffectedResources
docs: The resources that are directly affected by the request. For example, for an update request this would be the updated resource, and for a create request this could be the parent resource.
type: required

createdRequestDescription
docs: A description of the request creation.
type: optional
createdRequestIds
docs: The requests that were created in this request
type: required
requestDisapprove
Disapproving a request.
disapprovedRequestIds
docs: The requests that are being disapproved.
type: required

disapproveRequestUserId
docs: The user that disapproved the request.
type: optional
requestExecute
Executing the action associated with a request, such as merging a pull request or applying an access request.
executedRequestIds
docs: The requests that are being executed.
type: required
executeRequestAffectedResources
docs: The resources that were affected by this request. This may not include all of the resources that were provided when creating the request.
type: optional
requestSearch
Searching for requests.
requestSearchQuery
docs: The search-query that this event is running.
type: required
requestSearchResults
docs: The search-results that are returned to the user in this event.
type
requestUpdate
The update of an existing request.
updatedRequestIds
docs: The requests that were updated in this request.
type: required

updatedRequestDescription
docs: A description of the request update.
type: optional
restartInfra
Restarts some infrastructure like a node or a service.
restartedResources
docs: All SystemResources that were restarted in this event.
type: required
reviewInfraAction
A user approves or denies an action within the infrastructure space, such as configuring a node, a service and more.
reviewInfraActionRequestId
docs: The request-id of this review.
type: required

reviewInfraActionUser
docs: The user who reviewed this action.
type: required
reviewInfraActionWasApproved
docs: Whether the review was approved.
type: required
secretCreate
Create a secret string.
createdSecretType
docs: The kind of secrets that were created.
type: required
createdSecretIdentifiers
docs: The identifiers of the secrets that were created.
type: required
secretDeprecate
Mark a secret as deprecated.
deprecatedSecretIdentifier
docs: The identifier of the secret that was deprecated.
type: required
secretLoad
Retrieve a secret from the backing store.
loadedSecretIdentifiers
docs: The identifiers of the secrets that were loaded.
type: required
secretUse
Use a secret via a backend endpoint.
usedSecretOperation
docs: The operation used for the secret.
type: required

usedSecretIdentifiers
docs: The identifiers of the secrets that were used.
type: required
systemManagement
Modification of or access to metadata that determines the layout and configuration of applications on the environment. Replaced by appConfigCreate/Access/Update/Delete/Search in audit.3.
tokenAccess
Accessing a previously generated token.
accessedTokens
docs: A description of how these tokens were accessed, for auditor-context.
type: required
tokenGeneration
Action that leads to generation of a new token.
generateTokensDescription
docs: A description of how these tokens were generated, for auditor-context.
type: optional
generatedTokens
docs: All tokens that were generated
type: optional
tokenRevoke
Action that leads to the deletion of tokens.
revokeTokensDescription
docs: A description of how these tokens were generated, for auditor-context.
type: optional
revokedTokens
docs: All tokens that were revoked.
type: required
upgradeInfra
Some infrastructure was upgraded, including downgrades.
upgradedResources
docs: All SystemResources that were upgraded in this event.
type: required
userJustify
Event when a user specifies a purpose justification for taking an action.
userJustifyId
docs: The user justifying the action.
type: required

userJustification
docs: The user's justification for taking the action. Multiple justifications can be provided.
type: required
userLogin
Login events of users.
loginUserId
type: optional
userLogout
Logout events of users.
logoutUserId
type: optional