Audit User Activity
Required User Role: Administrator
In Tenable.io, the audit log records user events that take place in your organization's Tenable.io account. For each event, the log includes information about:
- the action taken
- the time at which the action was taken
- the user ID
- the target entity ID
The audit log provides visibility into the actions that users in your organization take in Tenable.io, and can be helpful for identifying security issues and other potential problems.
To view the audit log for your organization's Tenable.io account:
- Use the Audit Log endpoint as documented in the Tenable Developer Portal.
Note: If you configure SAML SSO authentication for your users, Tenable.io does not write activity for those users to the audit log.
Audit log events include the following:
| Action | Description |
|---|---|
| audit.log.view | The system received and processed an audit-log request. |
| session.create | The system created a session for the user. This event is triggered by user login. |
| session.delete | The session expired, or the user ended a session. |
| session.impersonation.end | An administrator ended a session where they impersonated another user. |
| session.impersonation.start | An administrator started a session where they impersonated another user. |
| user.authenticate.mfa | Two-factor authentication was successful, and login was allowed. |
| user.authenticate.password | The user authenticated a session start using a password. |
| user.create | An administrator created a new user account. |
| user.delete | An administrator deleted a user account. |
| user.impersonation.end | An administrator stopped impersonating another user. |
| user.impersonation.start | An administrator started impersonating another user. |
| user.logout | The user logged out of their session. |
| user.update | Either an administrator or the user updated a user account. |