The audit log allows administrators to review important actions that have
occurred within Kolide.
You can view entries from the Audit Log both in the Kolide admin UI and
programmatically via Kolide’s REST API.
Note: Only admins with “Full Access” can access the Audit Log in the Kolide UI.

1. Click your user avatar in the upper-right corner of the Kolide UI.
2. In the dropdown menu, click Settings.
3. In the menu on the left, click Audit Log.

If you haven’t already, create an API Key.
There are no special permissions required to access audit log entries programmatically.

Refer to Kolide’s API Reference for documentation on how to programmatically access audit logs.
```shell
curl --request GET \
  --url https://api.kolide.com/audit_logs \
  --header 'accept: application/json' \
  --header 'authorization: Bearer <TOKEN>' \
  --header 'x-kolide-api-version: 2023-05-26'
```
```json
{
  "data": [
    {
      "id": "256",
      "timestamp": "2019-10-25T13:25:46.213Z",
      "actor_name": "Jason Meller",
      "description": "user 'jason@kolide.co' accepted invitation to Kolide"
    },
    // SNIP
    {
      "id": "578",
      "timestamp": "2019-11-18T21:24:40.204Z",
      "actor_name": "Fritz Ifert-Miller",
      "description": "Published Live Query Campaign ID 2: AirDrop Discoverability"
    }
  ],
  "pagination": {
    "next": "https://api.kolide.com/audit_logs?cursor=NTg1LDU4NQ==",
    "next_cursor": "NTg1LDU4NQ==",
    "current_cursor": "",
    "count": 25
  }
}
```
The following is a complete list of audit log events for Kolide Device Trust,
including the name of the event, the description used in the audit log, and
when Kolide began collecting audit log events of that type.

| Name | Description | Collected Since |
| --- | --- | --- |
| check deleted | Deleted Check “{custom_check.name}” | Sep-27-2022 |
| check configuration changed | Changed Fix Instructions Template Text for Check ‘{name}’ | Oct-6-2021 |
| check configuration changed | Changed Fix Instructions Template Strategy for Check ‘{name}’ from ‘{original}’ to ‘{new}’ | Oct-6-2021 |
| check configuration changed | Changed Rationale Template Text for Check ‘{name}’ | Oct-6-2021 |
| check configuration changed | Changed Rationale Template Strategy for Check ‘{name}’ from ‘{original}’ to ‘{new}’ | Oct-6-2021 |
| check configuration changed | Reverted Check “{name}” fix instructions custom template to a prior version | Oct-6-2021 |
| check configuration changed | Reverted Check “{name}” fix instructions template supplement to a prior version | Oct-6-2021 |
| check configuration changed | Reverted Check “{name}” rationale custom template to a prior version | Oct-6-2021 |
| check configuration changed | Reverted Check “{name}” rationale template supplement to a prior version | Oct-6-2021 |
| check reverted | Reverted Check “{name}” to a prior version | Sep-27-2022 |
| check updated | Updated existing Check “{name}” | Sep-27-2022 |
| check published | Published new Check “{name}” | Sep-27-2022 |
| check configuration options changed | Check Configuration options were changed | Oct-20-2022 |
| updated check device trust settings | Updated device trust settings for ‘{name}’ from: {old_settings} to: {new_settings} | Nov-7-2022 |
| updated check device trust settings | Updated run targets for ‘{name}’ from: {old_targets} to: {new_targets} | Aug-25-2023 |
| Check marked as out of scope | Exempted all future issues for “{check}” for device: “{name}”. | Feb-9-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| device display name changed | Changed device name from ‘{original}’ to ‘{new}’ | Nov-20-2022 |
| canceled device removal | Cancelled pending deletion for ‘{device}’ | Apr-16-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| device registration approved | Approved pending device registration for “{email}” and device “{device_name}”. Reason: “{reason}” | Jan-22-2023 |
| device registration denied | Denied pending device registration for “{email}” and device “{device_name}”. Reason: “{reason}” | Jan-22-2023 |
| device registration reopened | Reopened previously {prev_status} device registration for “{email}” and device “{device_name}”. | Jan-22-2023 |
| device registration removed | Removed device registration for “{device_name}” that was registered to {email} | Mar-20-2023 |
| tofu device registration re-enabled | TOFU device registration re-enabled for ‘{name}’ | Jun-6-2023 |
| device registration configuration changed | Changed ‘Allows {platform} device registration’ from {old} to {new} | Jun-6-2023 |
| device registration configuration changed | Changed ‘Allows {platform} device registration’ from {old} to {new} | May-22-2023 |
| device registration configuration changed | Set ‘Required {platform} checks’ to {check_names} | May-22-2023 |
| device registration auth_mode changed | Updated device registration for “{device} changed auth mode from ”{prev_auth_mode}“ to ”{new_auth_mode} and changed allowed groups from {prev_groups} to {new_groups}“ | Aug-16-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| exemption request approved | Approved exemption request for “{email}” for check: “{check}”. Reason: “{reason}” | Jan-22-2023 |
| exemption request denied | Denied exemption request for “{email}” for check: “{check}”. Reason: “{reason}” | Jan-22-2023 |
| exemption request reopened | Reopened previously {prev_status} exemption for “{check}”. | Jan-22-2023 |
| exemption request withdrawn | {email} withdrew exemption request for check: “{check}” | Jan-22-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| factor enrollment reset | Reset factor enrollment for ‘{username}’ | Aug-7-2023 |
| factor enrollment verified | Verified factor enrollment for ‘{username}’ | Aug-7-2023 |
| A person record was merged | Merged the person, {old}, with {new} | Jul-12-2023 |
| A person record was unmerged | Restored the person, {name}, to it’s original state | Jul-12-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| managed app created | Created managed app “{name}” | Oct-6-2024 |
| managed app deleted | Deleted managed app “{name}” with #{count} people | Oct-6-2024 |
| managed app updated | Updated managed app “{name}” from: {old_settings} to: {new_settings} | Oct-6-2024 |
| managed app sign on settings updated | Sign on settings were updated for “{name}” from: {old_settings} to: {new_settings} | Oct-6-2024 |
| managed app direct assigned people membership changed | Updated managed app “#{name}” directly assigned people membership from {old} to {new} | Oct-6-2024 |
| managed app person groups membership changed | Updated managed app “#{name}” directly assigned person groups membership from {old} to {new} | Oct-6-2024 |

| Name | Description | Collected Since |
| --- | --- | --- |
| device group memberships removed | Mass-Removed members from device group: “{name}”. Device ID(s) removed: {ids} | Aug-30-2023 |
| device group memberships removed | Mass-Removed members from device group: “{name}”. Device ID(s) removed: {ids} | Aug-30-2023 |
| device group created | Created device group “{name}” | Aug-30-2023 |
| device group deleted | Deleted device group “{name}” with {count} members | Aug-30-2023 |
| device group deleted | Deleted device group “{name}” with {count} members | Aug-30-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| logging pipeline enabled | Enabled the logging pipeline | Jan-1-2020 |
| logging pipeline disabled | Disabled the logging pipeline | Jan-1-2020 |
| device property logger added | Added device property logger ‘{name}’ | Jan-1-2020 |
| device property logger removed | Removed device property logger ‘{name}’ | Jan-1-2020 |
| enabled log pipeline destination | Enabled the log pipeline destination ‘{name}’ | Jan-1-2020 |
| disabled log pipeline destination | Disabled the log pipeline destination ‘{name}’ | Jan-1-2020 |
| deleted log pipeline destination | Deleted the log pipeline destination ‘{name}’ | Jan-1-2020 |
| updated osquery decorator | Updated the osquery decorator ‘{name}’ | Jan-1-2020 |
| added osquery decorator | Added an osquery decorator ‘{name}’ | Jan-1-2020 |
| enabled osquery decorator | Enabled osquery decorator ‘{name}’ | Jan-1-2020 |
| deleted osquery decorator | Deleted osquery decorator ‘{name}’ | Jan-1-2020 |
| updated osquery fim category | Updated the osquery FIM category ‘{name}’ | Jan-1-2020 |
| created osquery fim category | Created osquery FIM category ‘{name}’ | Jan-1-2020 |
| enabled osquery fim category | Enabled osquery FIM category ‘{name}’ | Jan-1-2020 |
| disabled osquery fim category | Disabled osquery FIM category ‘{name}’ | Jan-1-2020 |
| deleted osquery fim category | Deleted the osquery FIM category ‘{name}’ | Jan-1-2020 |
| updated osquery options | Updated osquery options | Jan-1-2020 |
| reset osquery options | Reset all osquery options to their default value | Jan-1-2020 |
| created discovery query | Created discovery query ‘{name}’ | Jan-1-2020 |
| updated discovery query | Updated the osquery discovery query ‘{name}’ | Jan-1-2020 |
| deleted discovery query | Deleted discovery query ‘{name}’ | Jan-1-2020 |
| created osquery pack query | Created osquery pack query ‘{name}’ | Jan-1-2020 |
| updated osquery pack query | Updated the osquery query ‘{name}’ | Jan-1-2020 |
| updated osquery pack query | Deleted osquery pack query ‘{name}’ | Jan-1-2020 |
| created osquery pack | Created osquery pack ‘{name}’ | Jan-1-2020 |
| updated osquery pack | Updated the osquery pack ‘{name}’ | Jan-1-2020 |
| enabled osquery pack | Enabled osquery pack ‘{name}’ | Jan-1-2020 |
| disabled osquery pack | Disabled osquery pack ‘{name}’ | Jan-1-2020 |
| deleted osquery pack | Deleted the osquery pack ‘{name}’ | Jan-1-2020 |
| updated log pipeline destination | Updated the {type} log destination ‘{name}’ | Jan-1-2020 |
| created log pipeline destination | Created a {type} log pipeline destination named ‘{name}’ | Jan-1-2020 |

| Name | Description | Collected Since |
| --- | --- | --- |
| live query created and run | Created and ran Live Query Campaign ID {id} that targets {counts} that uses table(s): {tables} | Nov-18-2019 |
| live query updated and run | Updated and ran Live Query Campaign ID {id} that targets {counts} that uses table(s): {tables} | Nov-18-2019 |
| live query deleted | Deleted Live Query Campaign ID {id} : {name} | Nov-18-2019 |
| live query single result csv exported | CSV Downloaded For Device {name} - Live Query Campaign ID {id} | Nov-18-2019 |
| live query unpublished | Unpublished Live Query Campaign ID {id} | Nov-18-2019 |
| live query csv exported | CSV Downloaded For Live Query Campaign ID {id} | Nov-20-2020 |
| live query published | Published Live Query Campaign ID {id} | Nov-20-2020 |

| Name | Description | Collected Since |
| --- | --- | --- |
| saml_idp_factor_removed | Okta event hook received for ‘saml_idp_factor_removed’ | Oct-18-2023 |
| saml_idp_factor_setup | Okta event hook received for ‘saml_idp_factor_setup’ | Oct-18-2023 |
| saml_webhook_verification | Okta event hooks verified | Oct-18-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| billing email updated | Updated billing email to ‘{email}’ from ‘{original_email}’ | Jul-30-2021 |

| Name | Description | Collected Since |
| --- | --- | --- |
| privacy center configuration changed | Changed ‘Privacy Center Access Restriction Settings’ from ‘{old}’ to ‘{new}’ | Sep-1-2021 |
| privacy center configuration changed | Changed Privacy Center Custom Resource Section visibility from {old} to {new} | Sep-1-2021 |
| privacy center configuration changed | Changed Privacy Center Custom Resource Section text | Sep-1-2021 |
| privacy center configuration changed | Reverted Privacy Center Custom Resource Section to a prior version | Sep-1-2021 |

| Name | Description | Collected Since |
| --- | --- | --- |
| device deletion requested | triggered device deletion for inactive device named ‘{name}’ | Jun-9-2021 |
| device removed | Device ‘{name}’ removed | Dec-2-2024 |

| Name | Description | Collected Since |
| --- | --- | --- |
| osquery blocklist updated | Osquery Blocklist Updated From: “{old_tables}” To: “{new_tables}” | Oct-23-2019 |
| feature restriction changed | Changed ‘{feature}’ from ‘{old}’ to {new} | Nov-19-2019 |

| Name | Description | Collected Since |
| --- | --- | --- |
| kolide team member created | user ‘{email}’ accepted invitation to Kolide | Oct-23-2019 |
| kolide team member invited | Invited ‘{email}’ to access kolide | Oct-23-2019 |
| kolide team member deleted | Removed access for Kolide user ‘{name}’ | Oct-23-2019 |
| user feature restriction changed | Updated {feature} restriction on {name} from ‘{old}’ to ‘{new}’ | Nov-19-2019 |
| user access changed | Updated access for user ‘{email}’ from ‘{old}’ to ‘{new}’ | Aug-3-2023 |
| invitations revoked because inviter access changed | Revoked invitations created by ‘{email}’ because admin access was removed. Revoked invitations with email address(es): {emails} | Aug-3-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| idp settings changed | Kolide IdP settings were updated from: {previous_values} to: {new_values} | Jun-29-2023 |
| webhook token generated | IdP Proxy webhook token generated for ‘{organization}’ | Apr-24-2023 |
| factor sequencing enabled | Kolide IdP: Additional Factor Sequencing was ‘disabled’ | Aug-10-2023 |
| factor sequencing disabled | Kolide IdP: Additional Factor Sequencing was ‘enabled’ | Aug-10-2023 |
| updated saml configuration | Updated SAML configuration | Jan-21-2023 |

| Name | Description | Collected Since |
| --- | --- | --- |
| vanta integration created | created a Vanta integration | Aug-12-2022 |
| vanta integration deleted | removed vanta integration | Aug-12-2022 |

| Name | Description | Collected Since |
| --- | --- | --- |
| end user remediation configuration changed | modified the organization’s end user remediation configuration | Apr-19-2024 |

| Name | Description | Collected Since |
| --- | --- | --- |
| device management provider added | Added a Device Management Provider {name} | Jun-3-2024 |
| device management provider updated | Updated Device Management Provider: {name} from: {old_settings} to: {new_settings} | Jun-3-2024 |
| device management provider deleted | Removed Device Management Provider: {name} | Jun-3-2024 |

| Name | Description | Collected Since |
| --- | --- | --- |
| api key created | Created an API key | Nov-18-2019 |
| api key secret viewed | Revealed full API Key token {name} | Nov-18-2019 |
| api key deleted | Removed an API key | Nov-18-2019 |
| api key secret rotated | Rotated API key | Nov-24-2021 |
| updated api key | API Key {name} from: {previous_permissions} to: {new_permissions} | Dec-2-2021 |
| webhook created | Created webhook with url ‘{url}’ | Dec-31-2019 |
| webhook created | Created webhook with url ‘{url}’ | Dec-31-2019 |
| webhook deleted | Deleted webhook with url ‘{url}’ | Dec-31-2019 |
| webhook enabled | Enabled webhook with url ‘{url}’ | Dec-31-2019 |
| webhook disabled | Disabled webhook with url ‘{url}’ | Dec-31-2019 |
| webhook signing secret viewed | Revealed full webhook signing secret {url} | Jan-27-2022 |
| webhook url changed | Updated webhook url from ‘{old}’ to ‘{new}’ | Oct-25-2023 |
| webhook event subscriptions changed | Updated event subscriptions for webhook ‘{url}’ from ‘{previous_subscriptions}’ to ‘{new_subscriptions}’ | Oct-25-2023 |
| webhook signing secret rolled | Rolled signing secret for webhook with url ‘{url}’ | Nov-12-2021 |
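
The API access and the event descriptions above can be combined into a small monitor that pages through `/audit_logs` and flags sensitive actions. This is an added example, not Kolide's own code. It assumes that an empty or absent `next_cursor` marks the last page, that the four watched events are the ones worth alerting on, and it uses constructed sample pages in place of live data.

```python
import json, re, urllib.parse, urllib.request

API = "https://api.kolide.com/audit_logs"  # endpoint from the curl call on this page

# Description prefixes copied from this page's event tables. Treating these
# four events as alert-worthy is this example's assumption, not Kolide guidance.
WATCH = {
    "api key secret viewed": r"Revealed full API Key token ",
    "webhook signing secret viewed": r"Revealed full webhook signing secret ",
    "logging pipeline disabled": r"Disabled the logging pipeline$",
    "user access changed": r"Updated access for user ",
}

def http_fetch(cursor, token):
    """Fetch one page, sending the same headers as the curl example."""
    url = API + ("?" + urllib.parse.urlencode({"cursor": cursor}) if cursor else "")
    req = urllib.request.Request(url, headers={
        "accept": "application/json",
        "authorization": "Bearer " + token,
        "x-kolide-api-version": "2023-05-26"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_entries(fetch):
    """Yield all entries; assumes an empty or absent next_cursor ends the list."""
    cursor, seen = "", set()
    while cursor is not None and cursor not in seen:  # also stop on a repeated cursor
        seen.add(cursor)
        page = fetch(cursor)
        yield from page.get("data", [])
        cursor = page.get("pagination", {}).get("next_cursor") or None

def flag(entries):
    """Return (event name, entry) pairs whose description matches WATCH."""
    return [(name, e) for e in entries for name, pat in WATCH.items()
            if re.match(pat, e.get("description", ""))]

# Constructed sample pages keyed by cursor (not real Kolide data).
SAMPLE = {
    "": {"data": [{"id": "1", "description": "Created an API key"},
                  {"id": "2", "description": "Revealed full API Key token ci-export"}],
         "pagination": {"next_cursor": "cGFnZTI=", "count": 2}},
    "cGFnZTI=": {"data": [{"id": "3", "description": "Disabled the logging pipeline"}],
                 "pagination": {"next_cursor": "", "count": 1}},
}

if __name__ == "__main__":
    for name, e in flag(iter_entries(SAMPLE.__getitem__)):
        print(e["id"], name, "|", e["description"])
```

Against the live API, pass `lambda c: http_fetch(c, token)` as the `fetch` argument instead of the sample lookup.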