# Audit log format

P0 streams structured audit logs to your configured SIEM integration. This reference documents the log payload format, the complete action hierarchy, and example payloads for each action.

* [General fields](#general-fields)
* [Action hierarchy](#action-hierarchy)
* [Access policy actions](#access-policy-actions)
* [JIT configuration actions](#jit-configuration-actions)
* [Role management actions](#role-management-actions)
* [Integration install actions](#integration-install-actions)
* [API key actions](#api-key-actions)
* [Permission request actions](#permission-request-actions)
* [Permission request lifecycle](#permission-request-lifecycle)
* [Pre-approval lifecycle actions](#pre-approval-lifecycle-actions)
* [Authentication and authorization actions](#authentication-and-authorization-actions)

## General fields

Every audit log event is built on the following base fields. The example payloads later in this reference also show request-scoped fields such as `user_id`, `src_ip`, `user_agent`, `token_id`, `user_type`, `params`, and `request_id` where the event source supplies them, so a SIEM parser should treat those as optional.

| Field            | Type   | Description                                                            |
| ---------------- | ------ | ---------------------------------------------------------------------- |
| `vendor_account` | string | Your P0 organization (tenant) identifier                               |
| `data`           | object | Diff or data associated with the action                                |
| `user`           | object | The authenticated user who performed the action                        |
| `type`           | string | Event source: `api`, `permission-requests`, or `notifier`              |
| `timestamp`      | string | ISO 8601 formatted timestamp (for example, `2025-01-17T18:15:11.458Z`) |
| `action`         | string | The specific audit action identifier                                   |

The `user` object contains:

| Field         | Type      | Description                             |
| ------------- | --------- | --------------------------------------- |
| `isAnonymous` | boolean   | Whether the user is anonymous           |
| `email`       | string    | Email address of the authenticated user |
| `provider`    | string    | Authentication provider                 |
| `groups`      | string[]  | Groups the user belongs to              |
| `uid`         | string    | Unique user identifier                  |

### Example payload

```json
{
  "vendor_account": "your-org",
  "data": {},
  "user": {
    "isAnonymous": false,
    "email": "user@example.com",
    "provider": "google.com",
    "groups": ["engineering"],
    "uid": "abc123"
  },
  "type": "api",
  "timestamp": "2025-01-17T18:15:11.458Z",
  "action": "admin.roles.user.added"
}
```

## Action hierarchy

P0 audit actions follow a hierarchical naming convention. The top-level prefix indicates the category of the action. Note that some example payloads in this reference carry an action string that differs from the heading they appear under (for example, `admin.apiKey.created` under `admin.api-key.created`, and `admin.routing-rules.expiry-option.created` under `admin.jit.expiry-option.created`); when you write SIEM parsers or detection rules, match on the action string observed in your own stream rather than on the heading alone.

```
admin
  .jit
    .approval-configuration.updated
    .approvable-duration.set
    .expiry-option
      .created
      .deleted
      .reset
    .max-access-duration.set
    .standing-access-duration.set
  .roles
    .user
      .added
      .deleted
    .group
      .added
      .deleted
  .integration
    .installed
    .updated
    .removed
  .api-key
    .created
    .deleted
  .routing-rules
    .created
    .updated
    .deleted
api
  .jit
    .permission-requests
      .created
      .approved
      .denied
      .revoked
    .preapproval
      .created
      .revoked
auth
  .authentication.failed
  .authorization.failed
permission-requests
  .created
  .granted
  .denied
  .revoked
  .expired
```

## Access policy actions

These actions are logged when access policies are created, updated, or deleted.

### `admin.routing-rules.created`

A new access policy has been created. The `data` field contains the diff between the old and new versions of the access policies document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.created",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "action": "admin.routing-rules.created",
        "name": "Test",
        "diff": {
          "+": {
            "disabled": false,
            "resource": { "type": "any" },
            "requestor": { "type": "any" },
            "approval": [{ "type": "persistent" }],
            "name": "Test"
          }
        }
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

### `admin.routing-rules.updated`

An access policy has been updated. The `data` field contains the diff between the old and new versions of the access policies document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.updated",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "action": "admin.routing-rules.updated",
        "name": "Test",
        "diff": {
          "approval": [
            {
              "type": {
                "-": "persistent",
                "+": "p0"
              },
              "options": {
                "+": { "allowOneParty": true }
              }
            }
          ]
        }
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

### `admin.routing-rules.deleted`

An access policy has been deleted. The `data` field contains the diff between the old and new versions of the access policies document.

```json
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.deleted",
  "user_agent": "Mozilla/5.0 ...",
  "data": {
    "version": {
      "-": "<old version id>",
      "+": "<new version id>"
    },
    "rules": [
      {
        "name": "Test",
        "diff": {
          "-": {
            "requestor": { "type": "any" },
            "name": "Test",
            "approval": [
              {
                "options": { "allowOneParty": true },
                "type": "p0"
              }
            ],
            "disabled": false,
            "resource": { "type": "any" }
          }
        },
        "action": "admin.routing-rules.deleted"
      }
    ]
  },
  "token_id": "<token id>",
  "vendor_account": "your-org",
  "src_ip": "::1",
  "user_id": "user@example.com",
  "user_type": "USER"
}
```

{% hint style="info" %}
In access policy diff payloads, `"+"` indicates added values and `"-"` indicates removed values.
{% endhint %}
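As an added example (not P0's own code), the following Python consumer walks the `"+"`/`"-"` diff structure shown in the three payloads above and reports the changes a reviewer would want to see. The sample event is constructed from the `admin.routing-rules.updated` payload; the weakening heuristics (one-party approval, any-requestor-on-any-resource) are our assumptions, not P0's semantics.

```python
import json
from typing import Any

# Constructed sample modelled on the admin.routing-rules.updated payload above:
# the rule "Test" switches its approval type and turns on allowOneParty.
SAMPLE_UPDATE = json.loads("""
{
  "timestamp": "2025-08-11T15:29:16.802Z",
  "action": "admin.routing-rules.updated",
  "vendor_account": "your-org",
  "user_id": "user@example.com",
  "data": {
    "version": {"-": "<old version id>", "+": "<new version id>"},
    "rules": [{
      "action": "admin.routing-rules.updated",
      "name": "Test",
      "diff": {"approval": [{"type": {"-": "persistent", "+": "p0"},
                             "options": {"+": {"allowOneParty": true}}}]}
    }]
  }
}
""")

def flatten_diff(node: Any, path: str = "") -> list[tuple[str, Any, Any]]:
    """Walk a P0 access-policy diff and return (path, old, new) triples.

    A dict whose keys are only "+" and/or "-" is a leaf change (old from "-",
    new from "+", a missing side is None); other dicts and lists are descended
    into, with list positions written as [i] in the path.
    """
    if isinstance(node, dict):
        if node and set(node) <= {"+", "-"}:
            return [(path, node.get("-"), node.get("+"))]
        children = [(f"{path}.{k}" if path else k, v) for k, v in node.items()]
    elif isinstance(node, list):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(node)]
    else:
        return []  # a bare scalar outside a +/- wrapper carries no change
    return [c for p, v in children for c in flatten_diff(v, p)]

def policy_findings(event: dict) -> list[str]:
    """Findings for changes that loosen a policy. The heuristics are ours, not
    P0's (assumption): allowOneParty is read as permitting self-approval, and a
    new rule matching any requestor on any resource is read as overly broad."""
    findings: list[str] = []
    for rule in event.get("data", {}).get("rules", []):
        name = rule.get("name", "<unnamed>")
        for path, old, new in flatten_diff(rule.get("diff", {})):
            if path == "" and isinstance(new, dict):  # whole rule added
                if new.get("requestor", {}).get("type") == "any" \
                        and new.get("resource", {}).get("type") == "any":
                    findings.append(f"{name}: new rule matches any requestor on any resource")
                if any(a.get("options", {}).get("allowOneParty") for a in new.get("approval", [])):
                    findings.append(f"{name}: new rule allows one-party approval")
            elif path == "" and isinstance(old, dict):  # whole rule removed
                findings.append(f"{name}: rule removed")
            elif path.startswith("approval[") and path.endswith(".type"):
                findings.append(f"{name}: approval type changed {old!r} -> {new!r}")
            elif path.endswith(".options") and isinstance(new, dict) and new.get("allowOneParty"):
                findings.append(f"{name}: one-party approval enabled")
    return findings
```

The same walker handles the `created` payload (a single `"+"` leaf holding the whole rule) and the `deleted` payload (a single `"-"` leaf), so one parser covers all three access policy actions.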

## JIT configuration actions

These actions are logged when just-in-time access configuration settings are modified.

### Default approval configuration

#### `admin.jit.approval-configuration.updated`

Logged when the default approval settings are modified on the **Settings** page under the **Routing** section. This applies when no access policies are configured.

```json
{
  "action": "admin.routing-rules.approval-configuration.updated",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:11:26.880Z",
  "data": {
    "requireReason": false
  },
  "type": "api"
}
```

### Approvable duration

#### `admin.jit.approvable-duration.set`

The approvable duration has been updated. This controls how long access requests remain open before being automatically denied.

```json
{
  "action": "admin.jit.approvable-duration.set",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:12:43.766Z"
}
```

### Expiry options

#### `admin.jit.expiry-option.created`

An expiry option has been created.

```json
{
  "action": "admin.routing-rules.expiry-option.created",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:12:43.766Z"
}
```

#### `admin.jit.expiry-option.deleted`

An expiry option has been deleted.

```json
{
  "action": "admin.routing-rules.expiry-option.deleted",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T18:12:43.766Z"
}
```

#### `admin.jit.expiry-option.reset`

Expiry options have been reset to defaults.

```json
{
  "action": "admin.routing-rules.expiry-option.reset",
  "timestamp": "2025-01-17T18:15:11.458Z",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Role management actions

These actions are logged when roles are added to or removed from users or groups on the **Settings** page under the **Access Control** section.

P0 roles include: `owner`, `iamViewer`, and `manager` (approver). You can assign roles to individual users or to groups.

### `admin.roles.user.added`

An admin has assigned a role to a user.

```json
{
  "action": "admin.roles.user.added",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.user.deleted`

An admin removed a role from a user.

```json
{
  "action": "admin.roles.user.deleted",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.group.added`

A role has been assigned to a group.

```json
{
  "action": "admin.roles.group.added",
  "vendor_account": "your-org",
  "type": "api"
}
```

### `admin.roles.group.deleted`

A role has been removed from a group.

```json
{
  "action": "admin.roles.group.deleted",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Integration install actions

These actions are logged when integrations are installed, updated, or removed.

**Terminology:**

| Term        | Definition                                                                                                                |
| ----------- | ------------------------------------------------------------------------------------------------------------------------- |
| Integration | A resource integration such as Google Cloud, AWS, Kubernetes, SSH, or Snowflake                                           |
| Component   | The type of integration capability (for example, IAM management, IAM assessment, Resource Explorer, HTTP Event Collector) |
| Item        | An individual installation identifier (for example, a Google Cloud project ID or an AWS account ID)                       |

### `admin.integration.installed`

An integration component has been installed. The `data` field identifies the component and item and carries the state delta.

```json
{
  "action": "admin.integration.installed",
  "vendor_account": "your-org",
  "data": {
    "component": "iam-assessment",
    "id": "test-project",
    "delta": {
      "state": {
        "+": "installed",
        "-": "configure"
      }
    }
  },
  "type": "api"
}
```

AWS integration example with federated login configuration:

```json
{
  "action": "admin.integration.configured",
  "vendor_account": "your-org",
  "timestamp": "2025-01-16T22:05:23.273Z",
  "type": "api",
  "data": {
    "id": "123452051234",
    "delta": {
      "login": {
        "identity": {
          "-": { "type": "email" }
        },
        "provider": {
          "+": {
            "identityProvider": "test_okta",
            "appId": "appid1",
            "type": "okta",
            "method": {
              "type": "saml",
              "accountCount": { "type": "single" }
            }
          }
        },
        "type": {
          "-": "iam",
          "+": "federated"
        }
      },
      "state": {
        "+": "installed",
        "-": "configure"
      }
    },
    "component": "iam-write"
  }
}
```

### `admin.integration.removed`

An installation entry has been removed from an integration component. This can apply to an entire integration or to a specific item.

Component deletion:

```json
{
  "type": "api",
  "data": { "key": "aws" },
  "action": "admin.integration.removed",
  "timestamp": "2025-01-16T21:46:36.144Z",
  "vendor_account": "your-org"
}
```

Item deletion:

```json
{
  "action": "admin.integration.removed",
  "data": {
    "id": "test-project",
    "component": "iam-assessment"
  },
  "vendor_account": "your-org",
  "type": "api",
  "timestamp": "2025-01-16T22:23:05.096Z"
}
```

### `admin.integration.updated`

An integration's configuration has been updated, for example setting the account ID for an AWS integration before any of its components are installed.

```json
{
  "action": "admin.integration.updated",
  "data": {
    "key": "aws",
    "config": {
      "iam-write": {},
      "base": {},
      "inventory": {},
      "iam-assessment": {}
    }
  },
  "timestamp": "2025-01-16T21:46:51.260Z",
  "type": "api",
  "vendor_account": "your-org"
}
```

## API key actions

These actions are logged when API keys for programmatic access to the P0 API are created or deleted.

### `admin.api-key.created`

An API key has been created.

```json
{
  "action": "admin.apiKey.created",
  "type": "api",
  "vendor_account": "your-org",
  "timestamp": "2025-01-17T00:48:09.227Z"
}
```

### `admin.api-key.deleted`

An API key has been deleted.

```json
{
  "action": "admin.apiKey.deleted",
  "timestamp": "2025-01-17T00:48:13.129Z",
  "vendor_account": "your-org",
  "type": "api"
}
```

## Permission request actions

These actions are logged when users create, approve, revoke, or deny permission requests through the P0 web application, CLI, or notifier integrations (Slack, Microsoft Teams).

{% hint style="info" %}
For the approve, revoke, and deny events, the `type` field is `notifier` if the user takes the action via Slack or Microsoft Teams, or `api` if the user takes the action in the P0 web application.
{% endhint %}

### `api.jit.permission-requests.created`

A user has submitted a new permission request (in this example, from the P0 CLI).

```json
{
  "action": "api.jit.permission-requests.created",
  "user_type": "USER",
  "src_ip": "<ip>",
  "timestamp": "2025-07-07T23:19:20.126Z",
  "user_id": "user@example.com",
  "user_agent": "P0 CLI/0.18.6",
  "vendor_account": "your-org",
  "data": [
    {
      "requestId": "9MMAsmlwAAnHjzNJkE5o",
      "message": "Access requested",
      "processingMillis": 1234,
      "scriptName": "p0",
      "command": [
        "request", "ssh", "session",
        "<instance name>",
        "--public-key", "<public key>"
      ]
    }
  ]
}
```

### `api.jit.permission-requests.approved`

An approver has approved a permission request.

```json
{
  "action": "api.jit.permission-requests.approved",
  "vendor_account": "your-org",
  "timestamp": "2025-07-07T23:21:55.636Z",
  "src_ip": "<ip>",
  "params": {
    "requestId": "9MMAsmlwAAnHjzNJkE5o"
  },
  "user_id": "user@example.com",
  "user_agent": "Chrome/137.0.0.0",
  "user_type": "USER"
}
```

### `api.jit.permission-requests.denied`

An approver has denied a permission request.

```json
{
  "action": "api.jit.permission-requests.denied",
  "src_ip": "<ip>",
  "params": {
    "requestId": "aeRv8bsBOBvYbMXsNjrI"
  },
  "user_type": "USER",
  "user_id": "user@example.com",
  "vendor_account": "your-org",
  "user_agent": "Chrome/137.0.0.0",
  "timestamp": "2025-07-07T23:30:48.275Z"
}
```

### `api.jit.permission-requests.revoked`

A permission request has been revoked.

```json
{
  "action": "api.jit.permission-requests.revoked",
  "params": {
    "requestId": "9MMAsmlwAAnHjzNJkE5o"
  },
  "user_agent": "Chrome/137.0.0.0",
  "user_id": "user@example.com",
  "user_type": "USER",
  "timestamp": "2025-07-07T23:26:00.701Z",
  "vendor_account": "your-org",
  "src_ip": "<ip>"
}
```

## Permission request lifecycle

The following audit events are logged as P0 processes a permission request through its lifecycle. These are system-generated events that track internal state transitions.

### `permission-requests.created`

A permission request has been created and is in the `NEW` state.

```json
{
  "action": "permission-requests.created",
  "timestamp": "2025-07-08T21:46:13.323Z",
  "request_id": "kYdqnPxnb7Gugp2iqKR5",
  "data": {
    "commandLine": "request ssh session <instance name> --sudo false",
    "requestor": "user@example.com",
    "approvedOnly": false,
    "access": "session",
    "permission": {
      "provider": "gcloud",
      "destination": "<instance name>",
      "sudo": false,
      "publicKey": "<public key>",
      "parent": "<project id>",
      "resource": {
        "zone": "<zone>",
        "projectId": "<project id>",
        "instanceName": "<instance name>",
        "fullName": "<resource id>"
      },
      "zone": "<zone>"
    },
    "lastUpdatedTimestamp": 1752011173323,
    "type": "ssh",
    "principal": "user@example.com",
    "status": "NEW",
    "requestedTimestamp": 1752011173323
  }
}
```

### `permission-requests.granted`

A permission request has been granted and access has been provisioned.

```json
{
  "action": "permission-requests.granted",
  "timestamp": "2025-07-07T23:22:05.166Z",
  "request_id": "9MMAsmlwAAnHjzNJkE5o",
  "data": {
    "access": "session",
    "approvalDetails": {
      "approvalSource": "webapp",
      "approvedTimestamp": 1751930515300,
      "id": "approver@example.com",
      "email": "approver@example.com",
      "name": "approver@example.com"
    },
    "principal": "user@example.com",
    "canEscalate": false,
    "requestedTimestamp": 1751930359906,
    "grantTimestamp": 1751930525165,
    "permission": {
      "zone": "<zone>",
      "parent": "<project id>",
      "provider": "gcloud",
      "resource": {
        "fullName": "<resource name>",
        "instanceName": "<instance name>",
        "zone": "<zone>",
        "projectId": "<project id>"
      },
      "destination": "<instance name>",
      "publicKey": "<public key>",
      "sudo": false
    },
    "type": "ssh",
    "requestor": "user@example.com",
    "lastUpdatedTimestamp": 1751930525166,
    "status": "DONE",
    "approvedOnly": false,
    "expiryTimestamp": 1751930815529,
    "isAwaitingExpiry": true,
    "commandLine": "request ssh session <instance name> --sudo false"
  }
}
```

### `permission-requests.denied`

A permission request has been denied. In this event the `data` field carries the approver details as flattened dotted keys (`approvalDetails.id`, and so on) rather than as a nested object.

```json
{
  "action": "permission-requests.denied",
  "request_id": "Dc7PgjoZSYpG47wAi7H4",
  "data": {
    "approvalDetails.id": "approver@example.com",
    "approvalDetails.email": "approver@example.com",
    "approvalDetails.name": "approver@example.com",
    "approvalDetails.approvedTimestamp": 1751995305355,
    "approvalDetails.approvalSource": "webapp",
    "status": "DENIED"
  },
  "timestamp": "2025-07-08T17:21:45.497Z"
}
```

### `permission-requests.revoked`

A permission request has been revoked and access has been deprovisioned.

```json
{
  "action": "permission-requests.revoked",
  "request_id": "9MMAsmlwAAnHjzNJkE5o",
  "timestamp": "2025-07-07T23:26:03.241Z",
  "data": {
    "requestor": "user@example.com",
    "requestedTimestamp": 1751930359906,
    "isAwaitingExpiry": false,
    "approvalDetails": {
      "approvedTimestamp": 1751930515300,
      "id": "approver@example.com",
      "name": "approver@example.com",
      "email": "approver@example.com",
      "approvalSource": "webapp"
    },
    "grantTimestamp": 1751930525165,
    "principal": "user@example.com",
    "approvedOnly": false,
    "commandLine": "request ssh session <instance name> --sudo false",
    "type": "ssh",
    "expiryTimestamp": 1751930815529,
    "access": "session",
    "permission": {
      "destination": "<instance name>",
      "sudo": false,
      "parent": "<project id>",
      "zone": "<zone>",
      "resource": {
        "fullName": "<resource name>",
        "zone": "<zone>",
        "instanceName": "<instance name>",
        "projectId": "<project id>"
      },
      "publicKey": "<public key>",
      "provider": "gcloud"
    },
    "lastUpdatedTimestamp": 1751930763241,
    "status": "REVOKED",
    "canEscalate": false,
    "revokedTimestamp": 1751930763241
  }
}
```

### `permission-requests.expired`

A permission request has expired and access has been automatically deprovisioned.

```json
{
  "action": "permission-requests.expired",
  "timestamp": "2025-07-08T16:52:37.198Z",
  "request_id": "R4EuCBttAGQIPfreDfVC",
  "data": {
    "principal": "user@example.com",
    "approvalDetails": {
      "approvalSource": "webapp",
      "email": "approver@example.com",
      "name": "approver@example.com",
      "id": "approver@example.com",
      "approvedTimestamp": 1751993254002
    },
    "isAwaitingExpiry": false,
    "approvedOnly": false,
    "access": "session",
    "permission": {
      "provider": "gcloud",
      "parent": "<project id>",
      "publicKey": "<public key>",
      "zone": "<zone>",
      "resource": {
        "projectId": "<project id>",
        "zone": "<zone>",
        "instanceName": "<instance name>",
        "fullName": "<resource name>"
      },
      "sudo": false,
      "destination": "<instance name>"
    },
    "expiryTimestamp": 1751993554159,
    "revokedTimestamp": 1751993557198,
    "lastUpdatedTimestamp": 1751993557198,
    "type": "ssh",
    "requestor": "user@example.com",
    "commandLine": "request ssh session <instance name> --sudo false",
    "status": "EXPIRED",
    "grantTimestamp": 1751993258475,
    "requestedTimestamp": 1751993250693,
    "canEscalate": false
  }
}
```
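As an added example (not P0's own code), the following Python correlates the lifecycle events above by `request_id`, orders them by timestamp, and summarises who requested, who approved, and how long access actually lasted. The sample events are trimmed, constructed copies of the payloads in this section; `get_field` reads both the nested `approvalDetails` object and the dotted `approvalDetails.*` keys seen in the denied payload, and `to_epoch_ms` accepts both the ISO 8601 and epoch-millisecond timestamp shapes that appear on this page.

```python
import json
from datetime import datetime
from typing import Any

# Constructed samples: trimmed copies of the created / granted / revoked payloads for
# request 9MMAsmlwAAnHjzNJkE5o (out of order) plus the denied payload with dotted keys.
SAMPLE_EVENTS = json.loads("""
[
  {"action": "permission-requests.revoked", "request_id": "9MMAsmlwAAnHjzNJkE5o",
   "timestamp": "2025-07-07T23:26:03.241Z",
   "data": {"status": "REVOKED", "requestor": "user@example.com",
            "approvalDetails": {"email": "approver@example.com", "approvalSource": "webapp"},
            "grantTimestamp": 1751930525165, "expiryTimestamp": 1751930815529,
            "revokedTimestamp": 1751930763241}},
  {"action": "permission-requests.created", "request_id": "9MMAsmlwAAnHjzNJkE5o",
   "timestamp": "2025-07-07T23:19:20.126Z",
   "data": {"status": "NEW", "requestor": "user@example.com", "requestedTimestamp": 1751930359906}},
  {"action": "permission-requests.granted", "request_id": "9MMAsmlwAAnHjzNJkE5o",
   "timestamp": "2025-07-07T23:22:05.166Z",
   "data": {"status": "DONE", "requestor": "user@example.com",
            "approvalDetails": {"email": "approver@example.com", "approvalSource": "webapp"},
            "grantTimestamp": 1751930525165, "expiryTimestamp": 1751930815529}},
  {"action": "permission-requests.denied", "request_id": "Dc7PgjoZSYpG47wAi7H4",
   "timestamp": "2025-07-08T17:21:45.497Z",
   "data": {"status": "DENIED", "approvalDetails.email": "approver@example.com"}}
]
""")

def to_epoch_ms(ts: Any) -> int:
    """Normalise the two timestamp shapes in P0 events: ISO 8601 string or epoch ms."""
    if isinstance(ts, (int, float)):
        return int(ts)
    return round(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)

def get_field(data: dict, dotted: str) -> Any:
    """Read data["a.b"] if present (flattened update), else data["a"]["b"] (nested)."""
    if dotted in data:
        return data[dotted]
    node: Any = data
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def correlate(events: list[dict]) -> dict[str, list[dict]]:
    """Group lifecycle events by request_id and order each group by timestamp."""
    by_id: dict[str, list[dict]] = {}
    for ev in events:
        if ev.get("action", "").startswith("permission-requests.") and "request_id" in ev:
            by_id.setdefault(ev["request_id"], []).append(ev)
    for evs in by_id.values():
        evs.sort(key=lambda e: to_epoch_ms(e["timestamp"]))
    return by_id

def first_value(evs: list[dict], dotted: str) -> Any:
    """First non-empty value of a (possibly dotted) data field across a request's events."""
    return next((v for e in evs if (v := get_field(e.get("data", {}), dotted))), None)

def summarize(evs: list[dict]) -> dict:
    """Status path, who approved whom, and how long access actually lasted
    (revoked/expired timestamp minus grant timestamp) for one request."""
    latest = evs[-1].get("data", {})
    requestor, approver = first_value(evs, "requestor"), first_value(evs, "approvalDetails.email")
    grant, ended, expiry = (latest.get(k) for k in ("grantTimestamp", "revokedTimestamp", "expiryTimestamp"))
    return {
        "statuses": [e.get("data", {}).get("status") for e in evs],
        "final_status": latest.get("status"),
        "requestor": requestor,
        "approver": approver,
        "self_approved": approver is not None and approver == requestor,  # one-party approval
        "access_ms": (ended - grant) if grant and ended else None,
        "ended_before_expiry": bool(grant and ended and expiry and ended < expiry),
    }
```

The `expired` payload carries the same `grantTimestamp` and `revokedTimestamp` fields as `revoked`, so `summarize` reports the real duration of automatically expired access as well.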

## Pre-approval lifecycle actions

These actions are logged when pre-approvals are created or revoked.

### `api.jit.preapproval.created`

A new pre-approval was created.

```json
{
  "action": "api.jit.preapproval.created",
  "data": {
    "type": "ssh",
    "access": "group",
    "permission": {
      "provider": "aws",
      "name": "group-name",
      "key": "Developer",
      "sudo": false,
      "parent": "391052057035",
      "alias": "p0-dev",
      "resource": {}
    },
    "allowId": "32cdcab1-bae1-4a21-9fc3-a4234cac87f6",
    "source": "allow",
    "principal": "user@example.com",
    "isAwaitingExpirationReminder": true,
    "expirationReminderTimestamp": 1755302400000,
    "approver": {
      "approvalSource": "evidence",
      "approvedTimestamp": 1754330463656,
      "id": "user@example.com",
      "name": "user@example.com",
      "email": "user@example.com"
    },
    "startsAt": 1754330463656,
    "endsAt": 1756512000000,
    "createdAt": 1754330463723
  },
  "prior_approval_id": "PzCPjpJeYgAGw3koW6Tb",
  "status": "created",
  "timestamp": 1754330464112,
  "type": "prior-approval"
}
```

### `api.jit.preapproval.revoked`

An existing pre-approval has been manually revoked.

```json
{
  "action": "api.jit.preapproval.revoked",
  "data": {
    "evidenceId": "TX7lyLXt29zcGumgxWyW"
  },
  "params": {
    "evidenceId": "TX7lyLXt29zcGumgxWyW"
  },
  "status": "created",
  "timestamp": 1754331366618,
  "vendor_account": "your-org",
  "src_ip": "::1",
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>"
}
```

## Authentication and authorization actions

These actions are logged when P0 rejects an API call because authentication or authorization failed.

### `auth.authentication.failed`

A call to the API lacked a valid access token.

```json
{
  "action": "auth.authentication.failed",
  "src_ip": "209.169.98.86",
  "status": "CREATED",
  "timestamp": 1754006124918,
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "vendor_account": "your-org",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>"
}
```

### `auth.authorization.failed`

A call to the API had a valid access token but attempted an action the user lacked permissions for.

```json
{
  "action": "auth.authorization.failed",
  "src_ip": "209.169.98.86",
  "status": "CREATED",
  "timestamp": 1754006124918,
  "type": "api",
  "user_agent": "Mozilla/5.0 ...",
  "vendor_account": "your-org",
  "user_type": "USER",
  "user_id": "user@example.com",
  "token_id": "<token id>",
  "data": {
    "permissions": ["integration.read", "catalog.view"],
    "roles": ["owner"]
  }
}
```
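As an added example (not P0's own code), the following Python runs two detections over a constructed stream modelled on the `auth.*` payloads above: a sliding-window count of `auth.authentication.failed` events per `src_ip`, and a one-line summary of each `auth.authorization.failed` event. The window size and threshold are our choices, and reading `data.permissions` as the permissions the call required and `data.roles` as the roles the caller held is our assumption about the payload.

```python
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Any

# Constructed sample stream modelled on the auth.* payloads above. Timestamps are
# epoch milliseconds as in those payloads, except one ISO 8601 string to show both
# shapes being normalised. Addresses are from documentation ranges.
SAMPLE_STREAM = json.loads("""
[
  {"action": "auth.authentication.failed", "src_ip": "198.51.100.7", "timestamp": 1754006124918,
   "user_id": "user@example.com", "token_id": "<token id>"},
  {"action": "auth.authentication.failed", "src_ip": "198.51.100.7", "timestamp": 1754006130000,
   "user_id": "user@example.com", "token_id": "<token id>"},
  {"action": "auth.authentication.failed", "src_ip": "203.0.113.9", "timestamp": 1754006131000,
   "user_id": "other@example.com", "token_id": "<token id>"},
  {"action": "auth.authentication.failed", "src_ip": "198.51.100.7", "timestamp": 1754006140000,
   "user_id": "user@example.com", "token_id": "<token id>"},
  {"action": "auth.authorization.failed", "src_ip": "198.51.100.7",
   "timestamp": "2025-07-31T23:55:45.000Z", "user_id": "user@example.com", "token_id": "<token id>",
   "data": {"permissions": ["integration.read", "catalog.view"], "roles": ["owner"]}},
  {"action": "auth.authentication.failed", "src_ip": "198.51.100.7", "timestamp": 1754006260000,
   "user_id": "user@example.com", "token_id": "<token id>"}
]
""")

WINDOW_MS = 60_000   # sliding window
THRESHOLD = 3        # failures per source address within the window

def to_epoch_ms(ts: Any) -> int:
    """Normalise epoch-ms ints and ISO 8601 strings (both shapes appear in P0 events)."""
    if isinstance(ts, (int, float)):
        return int(ts)
    return round(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)

def auth_failure_bursts(events: list[dict], window_ms: int = WINDOW_MS,
                        threshold: int = THRESHOLD) -> list[tuple[str, int, int]]:
    """Return (src_ip, epoch_ms, count) for every authentication failure at which
    its source address has reached `threshold` failures inside `window_ms`.
    Input order does not matter; events are sorted by normalised timestamp."""
    recent: dict[str, deque[int]] = defaultdict(deque)
    alerts: list[tuple[str, int, int]] = []
    failures = [e for e in events if e.get("action") == "auth.authentication.failed"]
    for ev in sorted(failures, key=lambda e: to_epoch_ms(e["timestamp"])):
        ip, now = ev.get("src_ip", "?"), to_epoch_ms(ev["timestamp"])
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window_ms:  # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, now, len(q)))
    return alerts

def describe_authz_failure(ev: dict) -> str:
    """One-line summary of an auth.authorization.failed event. data.permissions is
    read as the permissions the call needed and data.roles as the roles the caller
    held (our assumption about the payload's meaning)."""
    d = ev.get("data", {})
    roles = ", ".join(d.get("roles", [])) or "none"
    needed = ", ".join(d.get("permissions", [])) or "an unspecified action"
    return f"{ev.get('user_id', '?')} from {ev.get('src_ip', '?')} (roles: {roles}) was refused {needed}"
```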

