Audit log data reference
HelloID uses the following indexes when storing audit log data in Elasticsearch, which you can use to Explore available audit log data.
Service Automation
Index | Description |
|---|---|
sa-* | All Service Automation events and log messages. |
sa-audit* | Log messages written from custom PowerShell code in Tasks and actions. |
sa-approval-* | Actions taken in Approval workflows (approve, deny). |
sa-data* | Actions taken on Data sources: create, update, delete |
sa-delegated-form-* | Delegated forms administration events: create, update, delete. |
sa-dynamic-form-* | Actions taken on Dynamic forms (graphical form definitions). |
sa-form* | Events related to the use of Delegated forms (service desk tiles): open, submit. |
sa-product* | Products administration events: create, clone, update, delete. |
sa-recertification-campaign-crud* | Recertification campaigns administration events: create, update, delete. |
sa-recertification-campaign-iteration* | Events related to the use of Recertification campaigns: start iteration, create recertification request. |
sa-recertification-recertify-request* | Actions and events related to Recertification requests. |
sa-request* | Product requests events: request, approve, deny, return. |
sa-variable* | Events related to Custom variables: create, update, delete. |
Provisioning
Indexes
Index | Description |
|---|---|
provisioning-* | All Service Provisioning events and log messages. |
provisioning-audit* | Log messages written from target systems and notification systems. |
provisioning-source-import* | Source imports starts, including details, such as whether they were scheduled or started by a user. |
provisioning-source-snapshot* | Source snapshots events, including details, such as the number of persons imported or deleted. |
provisioning-system-action* | Automatic merges of persons. |
provisioning-user-action* | All user actions in Provisioning. |
provisioning-user-action-aggregation* | Actions taken by users in Person aggregation: who merged which persons, either manually or following up on merge suggestions. |
provisioning-user-action-business-rules* | Business rules publications, including details such as differences between entitlements, conditions, and persons in scope, and whether entitlements were unmanaged or revoked. |
provisioning-user-action-entitlement* | Actions taken by users to manage or unmanage Entitlements. |
provisioning-user-action-evaluation* | Scheduled or user-initiated Evaluation and Enforcement actions, including who started them and whether Resources were included. |
provisioning-user-action-reconciliation* | Actions taken by users to resolve Reconciliation issues, such as excluding or deleting accounts. |
provisioning-user-action-source-system* | Actions taken by users on Source systems: running imports or snapshots, or updating a source system's configuration (e.g., scripting, mapping, custom configuration in JSON). |
provisioning-user-action-target-system* | Actions taken by users on Target systems: running imports or snapshots, or updating a target system's configuration (e.g., mapping, resources, or thresholds). |
provisioning-user-action-thresholds* | User approvals for provisioning actions paused by Thresholds, allowing blocked actions (e.g., account access grant or revoke) to proceed. |
Fields
These are some useful fields to filter user actions on when you Explore available audit log data for Provisioning.
Field | Possible values |
|---|---|
context | BusinessRules, Entitlements, Evaluation, PersonAggregationManual, PersonAggregationSuggestion, Reconciliation, SourceSystem, TargetSystem, Thresholds |
action | Approve, Cancel, Create, Delete, Disable, EntitlementImport, Exclude, Import, ManualUpdate, Merge |
area | Account, Administration Configuration, Agent Selection, Contract Mapping, Correlation, Custom Configuration, Custom Configuration - Form, Depends on system Configuration, Directory Configuration, Exchange |
Access Management
Index | Description |
|---|---|
authentication-* | All Access Management events and log messages. |
authentication-admin-* | HelloID portal configuration updates, including applications, Identity Providers, and access rules. |
authentication-application* | Applications start events, including who started the app, device, IP, browser, and whether it succeeded or failed. |
authentication-group-* | Groups settings updates (excluding memberships). |
authentication-login-* | Portal login events, including user, Identity Provider, IP address, browser, device, and success or failure details. |
authentication-mfa* | Login events with multi-factor authentication (2FA), including relevant details. |
authentication-user-* | All changes to Users, such as password, name, or manager updates. |