# Audit Log Format

P0 streams structured audit logs to your configured SIEM integration. This reference documents the log payload format, the complete action hierarchy, and example payloads for each action.

* [General fields](#general-fields)
* [Action hierarchy](#action-hierarchy)
* [Routing rule actions](#routing-rule-actions)
* [JIT configuration actions](#jit-configuration-actions)
* [Role management actions](#role-management-actions)
* [Integration install actions](#integration-install-actions)
* [API key actions](#api-key-actions)
* [Permission request actions](#permission-request-actions)
* [Permission request lifecycle](#permission-request-lifecycle)
* [Pre-approval lifecycle actions](#pre-approval-lifecycle-actions)
* [Authentication and authorization actions](#authentication-and-authorization-actions)

## General fields

Every audit log event contains the following fields:

| Field            | Type   | Description                                                            |
| ---------------- | ------ | ---------------------------------------------------------------------- |
| `vendor_account` | string | Your P0 organization (tenant) identifier                               |
| `data`           | object | Diff or data associated with the action                                |
| `user`           | object | The authenticated user who performed the action                        |
| `type`           | string | Event source: `api`, `permission-requests`, or `notifier`              |
| `timestamp`      | string | ISO 8601 formatted timestamp (for example, `2025-01-17T18:15:11.458Z`) |
| `action`         | string | The specific audit action identifier                                   |

The `user` object contains:

| Field         | Type      | Description                             |
| ------------- | --------- | --------------------------------------- |
| `isAnonymous` | boolean   | Whether the user is anonymous           |
| `email`       | string    | Email address of the authenticated user |
| `provider`    | string    | Authentication provider                 |
| `groups`      | string[]  | Groups the user belongs to              |
| `uid`         | string    | Unique user identifier                  |

### Example payload

```json
{
  "vendor_account": "your-org",
  "data": {},
  "user": {
    "isAnonymous": false,
    "email": "user@example.com",
    "provider": "google.com",
    "groups": ["engineering"],
    "uid": "abc123"
  },
  "type": "api",
  "timestamp": "2025-01-17T18:15:11.458Z",
  "action": "admin.roles.user.added"
}
```

## Action hierarchy

P0 audit actions follow a hierarchical naming convention. The top-level prefix indicates the category of the action.

```
admin
  .jit
    .approval-configuration.updated
    .expiry-option
      .created
      .deleted
      .reset
    .max-access-duration.set
  .roles
    .user
      .added
      .deleted
    .group
      .added
      .deleted
  .integration
    .installed
    .updated
    .removed
  .api-key
    .created
    .deleted
  .routing-rules.updated
api
  .jit
    .permission-requests
      .created
      .approved
      .denied
      .revoked
    .preapproval
      .created
      .revoked
auth
  .authentication.failed
  .authorization.failed
```

## Routing rule actions

These actions are logged when routing rules are created, updated, or deleted.

### `admin.routing-rules.created`

A new routing rule was created. The `data` field contains the diff between the old and new versions of the routing rules document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.created",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "action": "admin.routing-rules.created",
        "name": "Test",
        "diff": {
          "+": {
            "disabled": false,
            "resource": { "type": "any" },
            "requestor": { "type": "any" },
            "approval": [{ "type": "persistent" }],
            "name": "Test"
          }
        }
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

### `admin.routing-rules.updated`

A routing rule was updated. The `data` field contains the diff between the old and new versions of the routing rules document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.updated",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "action": "admin.routing-rules.updated",
        "name": "Test",
        "diff": {
          "approval": [
            {
              "type": {
                "-": "persistent",
                "+": "p0"
              },
              "options": {
                "+": { "allowOneParty": true }
              }
            }
          ]
        }
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

### `admin.routing-rules.deleted`

A routing rule was deleted. The `data` field contains the diff between the old and new versions of the routing rules document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.deleted",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "name": "Test",
        "diff": {
          "-": {
            "requestor": { "type": "any" },
            "name": "Test",
            "approval": [
              {
                "options": { "allowOneParty": true },
                "type": "p0"
              }
            ],
            "disabled": false,
            "resource": { "type": "any" }
          }
        },
        "action": "admin.routing-rules.deleted"
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

{% hint style="info" %}
In routing rule diff payloads, `"+"` indicates added values and `"-"` indicates removed values.
{% endhint %}
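
The `"+"`/`"-"` markers can sit at any depth of a rule's `diff`, so a SIEM pipeline usually flattens them into one record per changed field before alerting. The following is an added example, not code from P0; the function names and output field names are assumptions, and the sample is a copy of the `admin.routing-rules.updated` payload above.

```python
import json


def flatten_diff(node, path=""):
    """Yield (path, removed, added) for each "+"/"-" marker found under node."""
    if isinstance(node, dict):
        if "+" in node or "-" in node:
            # A marker dict is a leaf: "-" holds the removed value, "+" the added one.
            yield path, node.get("-"), node.get("+")
        else:
            for key, value in node.items():
                yield from flatten_diff(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from flatten_diff(item, f"{path}[{index}]")


def routing_rule_changes(event):
    """Return one record per changed field across all rules in a routing-rule event."""
    data = event.get("data", {})
    version = data.get("version", {})
    changes = []
    for rule in data.get("rules", []):
        for path, old, new in flatten_diff(rule.get("diff", {})):
            changes.append({
                "rule": rule.get("name"),
                "rule_action": rule.get("action"),
                # An empty path means the marker wraps the whole rule (create/delete).
                "field": path or "<whole rule>",
                "old": old,
                "new": new,
                "actor": event.get("user_id"),
                "from_version": version.get("-"),
                "to_version": version.get("+"),
            })
    return changes


# Sample input: the admin.routing-rules.updated example payload from this page.
SAMPLE_UPDATED = {
    "timestamp": "2025-08-11T15:29:16.802Z",
    "action": "admin.routing-rules.updated",
    "data": {
        "version": {"-": "<old version id>", "+": "<new version id>"},
        "rules": [{
            "action": "admin.routing-rules.updated",
            "name": "Test",
            "diff": {"approval": [{
                "type": {"-": "persistent", "+": "p0"},
                "options": {"+": {"allowOneParty": True}},
            }]},
        }],
    },
    "vendor_account": "your-org",
    "src_ip": "::1",
    "user_id": "user@example.com",
    "user_type": "USER",
}

if __name__ == "__main__":
    print(json.dumps(routing_rule_changes(SAMPLE_UPDATED), indent=2))
```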

## JIT configuration actions

These actions are logged when just-in-time access configuration settings are modified.

### Default approval configuration

#### `admin.jit.approval-configuration.updated`

Logged when the default approval settings are modified on the **Settings** page under the **Routing** section. This applies when no routing rules are configured.

```json
{
  "action": "admin.routing-rules.approval-configuration.updated",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:11:26.880Z",
  "data": {
    "requireReason": false
  },
  "type": "api"
}
```

### Expiry options

#### `admin.jit.expiry-option.created`

An expiry option has been created.

```json
{
  "action": "admin.routing-rules.expiry-option.created",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:12:43.766Z"
}
```

#### `admin.jit.expiry-option.deleted`

An expiry option has been deleted.

```json
{
  "action": "admin.routing-rules.expiry-option.deleted",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:12:43.766Z"
}
```

#### `admin.jit.expiry-option.reset`

Expiry options have been reset to defaults.

```json
{
  "action": "admin.routing-rules.expiry-option.reset",
  "timestamp": "2025-01-17T18:15:11.458Z",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Role management actions

The system logs these actions when roles are added to or removed from users or groups on the **Settings** page under the **Access Control** section.

P0 roles include: `owner`, `iamViewer`, and `manager` (approver). You can assign roles to individual users or to groups.

### `admin.roles.user.added`

An admin has assigned a role to a user.

```json
{
  "action": "admin.roles.user.added",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.user.deleted`

An admin removed a role from a user.

```json
{
  "action": "admin.roles.user.deleted",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.group.added`

The system assigned a role to a group.

```json
{
  "action": "admin.roles.group.added",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.group.deleted`

The system removed a role from a group.

```json
{
  "action": "admin.roles.group.deleted",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Integration install actions

These actions are logged when integrations are installed, updated, or removed.

**Terminology:**

| Term        | Definition                                                                                                                |
| ----------- | ------------------------------------------------------------------------------------------------------------------------- |
| Integration | A resource integration such as Google Cloud, AWS, Kubernetes, SSH, or Snowflake                                           |
| Component   | The type of integration capability (for example, IAM management, IAM assessment, Resource Explorer, HTTP Event Collector) |
| Item        | An individual installation identifier (for example, a Google Cloud project ID or an AWS account ID)                       |

### `admin.integration.installed`

A new installation entry was added to an integration component.

```json
{
  "action": "admin.integration.installed",
  "vendor_account": "your-org",
  "data": {
    "component": "iam-assessment",
    "id": "test-project",
    "delta": {
      "state": {
        "+": "installed",
        "-": "configure"
      }
    }
  },
  "type": "api"
}
```

AWS integration example with federated login configuration:

```json
{
  "action": "admin.integration.configured",
  "vendor_account": "your-org",
  "timestamp": "2025-01-16T22:05:23.273Z",
  "type": "api",
  "data": {
    "id": "123452051234",
    "delta": {
      "login": {
        "identity": {
          "-": { "type": "email" }
        },
        "provider": {
          "+": {
            "identityProvider": "test_okta",
            "appId": "appid1",
            "type": "okta",
            "method": {
              "type": "saml",
              "accountCount": { "type": "single" }
            }
          }
        },
        "type": {
          "-": "iam",
          "+": "federated"
        }
      },
      "state": {
        "+": "installed",
        "-": "configure"
      }
    },
    "component": "iam-write"
  }
}
```

### `admin.integration.removed`

The system removed an installation entry from an integration component. This can apply to an entire integration or a specific item.

Component deletion:

```json
{
  "type": "api",
  "data": { "key": "aws" },
  "action": "admin.integration.removed",
  "timestamp": "2025-01-16T21:46:36.144Z",
  "vendor_account": "your-org"
}
```

Item deletion:

```json
{
  "action": "admin.integration.removed",
  "data": {
    "id": "test-project",
    "component": "iam-assessment"
  },
  "vendor_account": "your-org",
  "type": "api",
  "timestamp": "2025-01-16T22:23:05.096Z"
}
```

### `admin.integration.updated`

An integration component was configured, for example by setting the account ID for an AWS integration before installing any of its components.

```json
{
  "action": "admin.integration.updated",
  "data": {
    "key": "aws",
    "config": {
      "iam-write": {},
      "base": {},
      "inventory": {},
      "iam-assessment": {}
    }
  },
  "timestamp": "2025-01-16T21:46:51.260Z",
  "type": "api",
  "vendor_account": "your-org"
}
```

## API key actions

These actions are logged when API keys for programmatic access to the P0 API are created or deleted.

### `admin.api-key.created`

An API key has been created.

```json
{
  "action": "admin.apiKey.created",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T00:48:09.227Z"
}
```

### `admin.api-key.deleted`

An API key has been deleted.

```json
{
  "action": "admin.apiKey.deleted",
  "timestamp": "2025-01-17T00:48:13.129Z",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Permission request actions

These actions are logged when users create, approve, revoke, or deny permission requests through the P0 web application, CLI, or notifier integrations (Slack, Microsoft Teams).

{% hint style="info" %}
For the approve, revoke, and deny events, the `type` field is `notifier` if the user takes the action via Slack or Microsoft Teams, or `api` if the user takes the action in the P0 web application.
{% endhint %}

### `api.jit.permission-requests.created`

The system has received a request to create a new permission request.

```json
{
  "action": "api.jit.permission-requests.created",
  "user_type": "USER",
  "src_ip": "<ip>",
  "timestamp": "2025-07-07T23:19:20.126Z",
  "user_id": "user@example.com",
  "user_agent": "P0 CLI/0.18.6",
  "vendor_account": "your-org",
  "data": [
    {
      "requestId": "9MMAsmlwAAnHjzNJkE5o",
      "message": "Access requested",
      "processingMillis": 1234,
      "scriptName": "p0",
      "command": [
        "request", "ssh", "session",
        "<instance name>",
        "--public-key", "<public key>"
      ]
    }
  ]
}
```

### `api.jit.permission-requests.approved`

The system has approved a permission request.

```json
{
  "action": "api.jit.permission-requests.approved",
  "vendor_account": "your-org",
  "timestamp": "2025-07-07T23:21:55.636Z",
  "src_ip": "<ip>",
  "params": {
    "requestId": "9MMAsmlwAAnHjzNJkE5o"
  },
  "user_id": "user@example.com",
  "user_agent": "Chrome/137.0.0.0",
  "user_type": "USER"
}
```

### `api.jit.permission-requests.denied`

The system has denied a permission request.

```json
{
  "action": "api.jit.permission-requests.denied",
  "src_ip": "<ip>",
  "params": {
    "requestId": "aeRv8bsBOBvYbMXsNjrI"
  },
  "user_type": "USER",
  "user_id": "user@example.com",
  "vendor_account": "your-org",
  "user_agent": "Chrome/137.0.0.0",
  "timestamp": "2025-07-07T23:30:48.275Z"
}
```

### `api.jit.permission-requests.revoked`

A permission request has been revoked.

```json
{
  "action": "api.jit.permission-requests.revoked",
  "params": {
    "requestId": "9MMAsmlwAAnHjzNJkE5o"
  },
  "user_agent": "Chrome/137.0.0.0",
  "user_id": "user@example.com",
  "user_type": "USER",
  "timestamp": "2025-07-07T23:26:00.701Z",
  "vendor_account": "your-org",
  "src_ip": "<ip>"
}
```

## Permission request lifecycle

The following audit events are logged as P0 processes a permission request through its lifecycle. These are system-generated events that track internal state transitions.

### `permission-requests.created`

A permission request has been created and is in the `NEW` state.

```json
{
  "action": "permission-requests.created",
  "timestamp": "2025-07-08T21:46:13.323Z",
  "request_id": "kYdqnPxnb7Gugp2iqKR5",
  "data": {
    "commandLine": "request ssh session <instance name> --sudo false",
    "requestor": "user@example.com",
    "approvedOnly": false,
    "access": "session",
    "permission": {
      "provider": "gcloud",
      "destination": "<instance name>",
      "sudo": false,
      "publicKey": "<public key>",
      "parent": "<project id>",
      "resource": {
        "zone": "<zone>",
        "projectId": "<project id>",
        "instanceName": "<instance name>",
        "fullName": "<resource id>"
      },
      "zone": "<zone>"
    },
    "lastUpdatedTimestamp": 1752011173323,
    "type": "ssh",
    "principal": "user@example.com",
    "status": "NEW",
    "requestedTimestamp": 1752011173323
  }
}
```

### `permission-requests.granted`

A permission request has been granted and access has been provisioned.

```json
{
  "action": "permission-requests.granted",
  "timestamp": "2025-07-07T23:22:05.166Z",
  "request_id": "9MMAsmlwAAnHjzNJkE5o",
  "data": {
    "access": "session",
    "approvalDetails": {
      "approvalSource": "webapp",
      "approvedTimestamp": 1751930515300,
      "id": "approver@example.com",
      "email": "approver@example.com",
      "name": "approver@example.com"
    },
    "principal": "user@example.com",
    "canEscalate": false,
    "requestedTimestamp": 1751930359906,
    "grantTimestamp": 1751930525165,
    "permission": {
      "zone": "<zone>",
      "parent": "<project id>",
      "provider": "gcloud",
      "resource": {
        "fullName": "<resource name>",
        "instanceName": "<instance name>",
        "zone": "<zone>",
        "projectId": "<project id>"
      },
      "destination": "<instance name>",
      "publicKey": "<public key>",
      "sudo": false
    },
    "type": "ssh",
    "requestor": "user@example.com",
    "lastUpdatedTimestamp": 1751930525166,
    "status": "DONE",
    "approvedOnly": false,
    "expiryTimestamp": 1751930815529,
    "isAwaitingExpiry": true,
    "commandLine": "request ssh session <instance name> --sudo false"
  }
}
```

### `permission-requests.denied`

The system has denied the permission request.

```json
{
  "action": "permission-requests.denied",
  "request_id": "Dc7PgjoZSYpG47wAi7H4",
  "data": {
    "approvalDetails.id": "approver@example.com",
    "approvalDetails.email": "approver@example.com",
    "approvalDetails.name": "approver@example.com",
    "approvalDetails.approvedTimestamp": 1751995305355,
    "approvalDetails.approvalSource": "webapp",
    "status": "DENIED"
  },
  "timestamp": "2025-07-08T17:21:45.497Z"
}
```

### `permission-requests.revoked`

A permission request has been revoked and access has been deprovisioned.

```json
{
  "action": "permission-requests.revoked",
  "request_id": "9MMAsmlwAAnHjzNJkE5o",
  "timestamp": "2025-07-07T23:26:03.241Z",
  "data": {
    "requestor": "user@example.com",
    "requestedTimestamp": 1751930359906,
    "isAwaitingExpiry": false,
    "approvalDetails": {
      "approvedTimestamp": 1751930515300,
      "id": "approver@example.com",
      "name": "approver@example.com",
      "email": "approver@example.com",
      "approvalSource": "webapp"
    },
    "grantTimestamp": 1751930525165,
    "principal": "user@example.com",
    "approvedOnly": false,
    "commandLine": "request ssh session <instance name> --sudo false",
    "type": "ssh",
    "expiryTimestamp": 1751930815529,
    "access": "session",
    "permission": {
      "destination": "<instance name>",
      "sudo": false,
      "parent": "<project id>",
      "zone": "<zone>",
      "resource": {
        "fullName": "<resource name>",
        "zone": "<zone>",
        "instanceName": "<instance name>",
        "projectId": "<project id>"
      },
      "publicKey": "<public key>",
      "provider": "gcloud"
    },
    "lastUpdatedTimestamp": 1751930763241,
    "status": "REVOKED",
    "canEscalate": false,
    "revokedTimestamp": 1751930763241
  }
}
```

### `permission-requests.expired`

A permission request has expired and access has been automatically deprovisioned.

```json
{
  "action": "permission-requests.expired",
  "timestamp": "2025-07-08T16:52:37.198Z",
  "request_id": "R4EuCBttAGQIPfreDfVC",
  "data": {
    "principal": "user@example.com",
    "approvalDetails": {
      "approvalSource": "webapp",
      "email": "approver@example.com",
      "name": "approver@example.com",
      "id": "approver@example.com",
      "approvedTimestamp": 1751993254002
    },
    "isAwaitingExpiry": false,
    "approvedOnly": false,
    "access": "session",
    "permission": {
      "provider": "gcloud",
      "parent": "<project id>",
      "publicKey": "<public key>",
      "zone": "<zone>",
      "resource": {
        "projectId": "<project id>",
        "zone": "<zone>",
        "instanceName": "<instance name>",
        "fullName": "<resource name>"
      },
      "sudo": false,
      "destination": "<instance name>"
    },
    "expiryTimestamp": 1751993554159,
    "revokedTimestamp": 1751993557198,
    "lastUpdatedTimestamp": 1751993557198,
    "type": "ssh",
    "requestor": "user@example.com",
    "commandLine": "request ssh session <instance name> --sudo false",
    "status": "EXPIRED",
    "grantTimestamp": 1751993258475,
    "requestedTimestamp": 1751993250693,
    "canEscalate": false
  }
}
```
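
Lifecycle events for one request share a `request_id`, so they can be folded into a single per-request record for review. The following is an added example, not code from P0: it groups lifecycle events, computes how long access was live, and flags requests whose approver email equals the requestor. The function names, output fields and the `constructed-request-1` event are assumptions; the other events are trimmed copies of the payloads above.

```python
from collections import defaultdict

PREFIX = "permission-requests."
TERMINAL = {"denied", "revoked", "expired"}


def approver_email(data):
    """Read the approver from nested approvalDetails or the dotted keys of the denied example."""
    nested = data.get("approvalDetails")
    if isinstance(nested, dict) and nested.get("email"):
        return nested["email"]
    return data.get("approvalDetails.email")


def summarize_requests(events):
    """Fold lifecycle events into one summary per request_id."""
    by_id = defaultdict(list)
    for ev in events:
        # Only system lifecycle events; api.jit.permission-requests.* do not match.
        if ev.get("action", "").startswith(PREFIX) and ev.get("request_id"):
            by_id[ev["request_id"]].append(ev)
    summaries = {}
    for rid, evs in by_id.items():
        # Assumes ISO 8601 UTC strings, as in the lifecycle examples; these sort chronologically.
        evs.sort(key=lambda e: e["timestamp"])
        state = {}
        for ev in evs:
            state.update(ev.get("data", {}))  # later events overwrite earlier fields
        states = [ev["action"][len(PREFIX):] for ev in evs]
        requestor, approver = state.get("requestor"), approver_email(state)
        granted, ended = state.get("grantTimestamp"), state.get("revokedTimestamp")
        summaries[rid] = {
            "states": states,
            "requestor": requestor,
            "approver": approver,
            "self_approved": approver is not None and approver == requestor,
            "access_millis": ended - granted if granted and ended else None,
            # Granted with no denied/revoked/expired event seen yet in this batch.
            "open": "granted" in states and not TERMINAL.intersection(states),
        }
    return summaries


# Constructed sample: trimmed page examples (deliberately out of order) plus one invented event.
EVENTS = [
    {"action": "permission-requests.revoked", "request_id": "9MMAsmlwAAnHjzNJkE5o",
     "timestamp": "2025-07-07T23:26:03.241Z",
     "data": {"requestor": "user@example.com", "status": "REVOKED",
              "approvalDetails": {"email": "approver@example.com"},
              "grantTimestamp": 1751930525165, "revokedTimestamp": 1751930763241}},
    {"action": "permission-requests.granted", "request_id": "9MMAsmlwAAnHjzNJkE5o",
     "timestamp": "2025-07-07T23:22:05.166Z",
     "data": {"requestor": "user@example.com", "status": "DONE",
              "approvalDetails": {"email": "approver@example.com"},
              "grantTimestamp": 1751930525165}},
    {"action": "permission-requests.denied", "request_id": "Dc7PgjoZSYpG47wAi7H4",
     "timestamp": "2025-07-08T17:21:45.497Z",
     "data": {"approvalDetails.email": "approver@example.com", "status": "DENIED"}},
    {"action": "permission-requests.granted", "request_id": "constructed-request-1",
     "timestamp": "2025-07-09T10:00:00.000Z",
     "data": {"requestor": "user@example.com", "status": "DONE",
              "approvalDetails": {"email": "user@example.com"},
              "grantTimestamp": 1752055200000}},
]

if __name__ == "__main__":
    for rid, summary in summarize_requests(EVENTS).items():
        print(rid, summary)
```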

## Pre-approval lifecycle actions

These actions are logged when pre-approvals are created or revoked.

### `api.jit.preapproval.created`

A new pre-approval was created.

```json
{
  "action": "api.jit.preapproval.created",
  "data": {
    "type": "ssh",
    "access": "group",
    "permission": {
      "provider": "aws",
      "name": "group-name",
      "key": "Developer",
      "sudo": false,
      "parent": "391052057035",
      "alias": "p0-dev",
      "resource": {}
    },
    "allowId": "32cdcab1-bae1-4a21-9fc3-a4234cac87f6",
    "source": "allow",
    "principal": "user@example.com",
    "isAwaitingExpirationReminder": true,
    "expirationReminderTimestamp": 1755302400000,
    "approver": {
      "approvalSource": "evidence",
      "approvedTimestamp": 1754330463656,
      "id": "user@example.com",
      "name": "user@example.com",
      "email": "user@example.com"
    },
    "startsAt": 1754330463656,
    "endsAt": 1756512000000,
    "createdAt": 1754330463723
  },
  "prior_approval_id": "PzCPjpJeYgAGw3koW6Tb",
  "status": "created",
  "timestamp": 1754330464112,
  "type": "prior-approval"
}
```

### `api.jit.preapproval.revoked`

An existing pre-approval has been manually revoked.

```json
{
  "action": "api.jit.preapproval.revoked",
  "data": {
    "evidenceId": "TX7lyLXt29zcGumgxWyW"
  },
  "params": {
    "evidenceId": "TX7lyLXt29zcGumgxWyW"
  },
  "status": "created",
  "timestamp": 1754331366618,
  "vendor_account": "your-org",
  "src_ip": "::1",
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>"
}
```

## Authentication and authorization actions

These actions are logged when P0 receives invalid authentication or authorization requests.

### `auth.authentication.failed`

A call to the API lacked a valid access token.

```json
{
  "action": "auth.authentication.failed",
  "src_ip": "209.169.98.86",
  "status": "CREATED",
  "timestamp": 1754006124918,
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "vendor_account": "your-org",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>"
}
```

### `auth.authorization.failed`

A call to the API had a valid access token but attempted an action the user lacked permissions for.

```json
{
  "action": "auth.authorization.failed",
  "src_ip": "209.169.98.86",
  "status": "CREATED",
  "timestamp": 1754006124918,
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "vendor_account": "your-org",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>",
  "data": {
    "permissions": ["integration.read", "catalog.view"],
    "roles": ["owner"]
  }
}
```
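
The example payloads on this page do not share one envelope: `timestamp` appears both as an ISO 8601 string and as epoch milliseconds, the actor appears as `user.email` or `user_id`, and a request ID can sit in `request_id`, `params.requestId` or a `data` list item. The following is an added example, not code from P0, that normalizes those variants before events are indexed; the function names and output fields are assumptions, and the alias table covers only the spellings where this page's example payloads differ from its headings (the page does not say which spelling live events carry).

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Spellings seen in this page's example payloads -> the names used in its headings.
ACTION_PREFIX_ALIASES = {
    "admin.routing-rules.approval-configuration.": "admin.jit.approval-configuration.",
    "admin.routing-rules.expiry-option.": "admin.jit.expiry-option.",
    "admin.apiKey.": "admin.api-key.",
}


def parse_timestamp(value):
    """Accept an ISO 8601 string or epoch milliseconds; return an aware UTC datetime."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return EPOCH + timedelta(milliseconds=value)
    # Replace the trailing "Z" so older Python versions of fromisoformat accept it.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def canonical_action(action):
    """Map a payload spelling to the heading spelling; unknown actions pass through."""
    for seen, documented in ACTION_PREFIX_ALIASES.items():
        if action.startswith(seen):
            return documented + action[len(seen):]
    return action


def request_ids(event):
    """Collect request IDs from every location the examples use."""
    ids = [event.get("request_id"), (event.get("params") or {}).get("requestId")]
    data = event.get("data")
    if isinstance(data, list):
        ids += [item.get("requestId") for item in data if isinstance(item, dict)]
    return sorted({i for i in ids if i})


def normalize(event):
    """Reduce any event on this page to a common set of fields for indexing."""
    user = event.get("user") or {}
    return {
        "time": parse_timestamp(event.get("timestamp")),
        "action": canonical_action(event.get("action", "")),
        "actor": user.get("email") or event.get("user_id"),
        "src_ip": event.get("src_ip"),
        "request_ids": request_ids(event),
    }


# Constructed sample: trimmed copies of example payloads from this page.
SAMPLES = [
    {"action": "admin.apiKey.created", "type": "api",
     "timestamp": "2025-01-17T00:48:09.227Z"},
    {"action": "auth.authentication.failed", "src_ip": "209.169.98.86",
     "timestamp": 1754006124918, "user_id": "user@example.com"},
    {"action": "api.jit.permission-requests.created", "user_id": "user@example.com",
     "timestamp": "2025-07-07T23:19:20.126Z",
     "data": [{"requestId": "9MMAsmlwAAnHjzNJkE5o"}]},
    {"action": "admin.roles.user.added", "user": {"email": "user@example.com"},
     "timestamp": "2025-01-17T18:15:11.458Z"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```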
