Audit Log Format

Reference for P0 audit log fields, actions, and payload formats streamed to SIEM integrations.

P0 streams structured audit logs to your configured SIEM integration. This reference documents the log payload format, the complete action hierarchy, and example payloads for each action.

General fields

Every audit log event contains the following fields:

| Field | Type | Description |
|---|---|---|
| vendor_account | string | Your P0 organization (tenant) identifier |
| data | object | Diff or data associated with the action |
| user | object | The authenticated user who performed the action |
| type | string | Event source: api, permission-requests, or notifier |
| timestamp | string | ISO 8601 formatted timestamp (for example, 2025-01-17T18:15:11.458Z) |
| action | string | The specific audit action identifier |

The user object contains:

| Field | Type | Description |
|---|---|---|
| isAnonymous | boolean | Whether the user is anonymous |
| email | string | Email address of the authenticated user |
| provider | string | Authentication provider |
| groups | string[] | Groups the user belongs to |
| uid | string | Unique user identifier |

Example payload

Action hierarchy

P0 audit actions follow a hierarchical naming convention. The top-level prefix indicates the category of the action.

Routing rule actions

These actions are logged when routing rules are created, updated, or deleted.

admin.routing-rules.created

A new routing rule was created. The data field contains the diff between the previous and new versions of the routing rules document.

admin.routing-rules.updated

A routing rule was updated. The data field contains the diff between the previous and new versions of the routing rules document.

admin.routing-rules.deleted

A routing rule was deleted. The data field contains the diff between the previous and new versions of the routing rules document.

In routing rule diff payloads, "+" indicates added values and "-" indicates removed values.

JIT configuration actions

These actions are logged when just-in-time access configuration settings are modified.

Default approval configuration

admin.jit.approval-configuration.updated

Logged when the default approval settings are modified on the Settings page under the Routing section. This applies when no routing rules are configured.

Expiry options

admin.jit.expiry-option.created

An expiry option has been created.

admin.jit.expiry-option.deleted

An expiry option has been deleted.

admin.jit.expiry-option.reset

Expiry options have been reset to defaults.

Role management actions

The system logs these actions when roles are added or removed from users or groups on the Settings page under the Access Control section.

P0 roles include: owner, iamViewer, and manager (approver). You can assign roles to individual users or to groups.

admin.roles.user.added

An admin has assigned a role to a user.

admin.roles.user.deleted

An admin removed a role from a user.

admin.roles.group.added

The system assigned a role to a group.

admin.roles.group.deleted

The system removed a role from a group.

Integration install actions

These actions are logged when integrations are installed, updated, or removed.

Terminology:

| Term | Definition |
|---|---|
| Integration | A resource integration such as Google Cloud, AWS, Kubernetes, SSH, or Snowflake |
| Component | The type of integration capability (for example, IAM management, IAM assessment, Resource Explorer, HTTP Event Collector) |
| Item | An individual installation identifier (for example, a Google Cloud project ID or an AWS account ID) |

admin.integration.installed

A new installation entry was added to an integration component.

AWS integration example with federated login configuration:

admin.integration.removed

The system removed an installation entry from an integration component. This can apply to an entire integration or a specific item.

Component deletion:

Item deletion:

admin.integration.updated

An integration component was configured, for example setting the account ID for an AWS integration before installing any of its components.

API key actions

These actions are logged when API keys for programmatic access to the P0 API are created or deleted.

admin.api-key.created

An API key has been created.

admin.api-key.deleted

An API key has been deleted.

Permission request actions

These actions are logged when users create, approve, revoke, or deny permission requests through the P0 web application, CLI, or notifier integrations (Slack, Microsoft Teams).

For the approve, revoke, and deny events, the type field is notifier if the user takes the action via Slack or Microsoft Teams, or api if the user takes the action in the P0 web application.

api.jit.permission-requests.created

A request to create a new permission request was received.

api.jit.permission-requests.approved

The system has approved a permission request.

api.jit.permission-requests.denied

The system has denied a permission request.

api.jit.permission-requests.revoked

A permission request has been revoked.
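The following is an added example, not code from P0's documentation or product: a small validator for an ingested audit event that checks the general fields and user object described above, confirms the timestamp is ISO 8601, derives the category from the action's top-level prefix, and enforces the note that approve, deny, and revoke events carry type notifier or api. The sample event and its values are constructed for illustration.

```python
import json
from datetime import datetime

# Allowed event sources from the general fields table.
EVENT_SOURCES = {"api", "permission-requests", "notifier"}
# Approve/deny/revoke actions whose source must be notifier or api.
NOTIFIER_OR_API = {
    "api.jit.permission-requests.approved",
    "api.jit.permission-requests.denied",
    "api.jit.permission-requests.revoked",
}
# Expected top-level fields and user object fields, with their JSON types.
REQUIRED = {"vendor_account": str, "data": dict, "user": dict,
            "type": str, "timestamp": str, "action": str}
USER_FIELDS = {"isAnonymous": bool, "email": str, "provider": str,
               "groups": list, "uid": str}

def validate_event(event: dict) -> list:
    """Return a list of problems; an empty list means the event matches the reference."""
    problems = []
    for name, typ in REQUIRED.items():
        if name not in event:
            problems.append(f"missing field {name}")
        elif not isinstance(event[name], typ):
            problems.append(f"{name} should be {typ.__name__}")
    user = event.get("user")
    if isinstance(user, dict):
        for name, typ in USER_FIELDS.items():
            if not isinstance(user.get(name), typ):
                problems.append(f"user.{name} should be {typ.__name__}")
    if isinstance(event.get("type"), str) and event["type"] not in EVENT_SOURCES:
        problems.append(f"unknown type {event['type']}")
    ts = event.get("timestamp")
    if isinstance(ts, str):
        try:  # accept a trailing Z on older Python versions
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    if event.get("action") in NOTIFIER_OR_API and event.get("type") not in {"notifier", "api"}:
        problems.append("approve/deny/revoke type must be notifier or api")
    return problems

def action_category(action: str) -> str:
    """Top-level prefix of the hierarchical action name (admin, api, permission-requests, auth)."""
    return action.split(".", 1)[0]

# Constructed sample event; the tenant, user, and provider values are illustrative only.
SAMPLE = json.loads("""{
  "vendor_account": "example-tenant", "data": {},
  "user": {"isAnonymous": false, "email": "alice@example.com", "provider": "example-idp",
           "groups": ["engineering"], "uid": "u-123"},
  "type": "notifier", "timestamp": "2025-01-17T18:15:11.458Z",
  "action": "api.jit.permission-requests.approved"
}""")
```

Events that fail validation are candidates for a parsing alert in the SIEM rather than silent drops, since a malformed approve or revoke event is exactly the one you do not want to lose.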

Permission request lifecycle

The following audit events are logged as P0 processes a permission request through its lifecycle. These are system-generated events that track internal state transitions.

permission-requests.created

A permission request has been created and is in the NEW state.

permission-requests.granted

A permission request has been granted and access has been provisioned.

permission-requests.denied

The system has denied the permission request.

permission-requests.revoked

A permission request has been revoked and access has been deprovisioned.

permission-requests.expired

A permission request has expired and access has been automatically deprovisioned.

Pre-approval lifecycle actions

These actions are logged when pre-approvals are created or revoked.

api.jit.preapproval.created

A new pre-approval was created.

api.jit.preapproval.revoked

An existing pre-approval has been manually revoked.

Authentication and authorization actions

These actions are logged when P0 receives invalid authentication or authorization requests.

auth.authentication.failed

A call to the API lacked a valid access token.

auth.authorization.failed

A call to the API had a valid access token but attempted an action the user lacked permissions for.
