Audit User Activity

Required User Role: Administrator

In Tenable.io, the audit log records user events that take place in your organization's Tenable.io account. For each event, the log includes information about:

  • the action taken
  • the time at which the action was taken
  • the user ID
  • the target entity ID

The audit log provides visibility into the actions that users in your organization take in Tenable.io, and can be helpful for identifying security issues and other potential problems.

To view the audit log for your organization's Tenable.io account:

Logged Events

Note: If you configure SAML SSO authentication for your users, Tenable.io does not write activity for those users to the audit log.

Audit log events include the following:

Action                        Description
audit.log.view                The system received and processed an audit-log request.
session.create                The system created a session for the user. This event can be triggered by user login or authentication using an API key.
session.delete                The session expired, or the user ended a session.
session.impersonation.end     An administrator ended a session where they impersonated another user.
session.impersonation.start   An administrator started a session where they impersonated another user.
user.authenticate.mfa         Two-factor authentication was successful, and login was allowed.
user.authenticate.password    The user authenticated a session start using a password.
user.create                   An administrator created a new user account.
user.delete                   An administrator deleted a user account.
user.impersonation.end        An administrator stopped impersonating another user.
user.impersonation.start      An administrator started impersonating another user.
user.logout                   The user logged out of their session.
user.update                   Either an administrator or the user updated a user account.
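
One way to review exported audit events for impersonation windows and account changes, as an added example that is not Tenable's own code. The record layout (action, time, user_id, target_id) and the sample events are constructed assumptions based on the four items listed above; users who sign in through SAML SSO will not appear, per the note above.

```python
from datetime import datetime

# Constructed sample events, not real Tenable.io output. The key names are
# assumptions standing in for the four items the page says each event carries.
SAMPLE_EVENTS = [
    {"action": "session.create", "time": "2024-03-01T09:00:00Z", "user_id": "admin-1", "target_id": "admin-1"},
    {"action": "user.impersonation.start", "time": "2024-03-01T09:05:00Z", "user_id": "admin-1", "target_id": "user-7"},
    {"action": "user.update", "time": "2024-03-01T09:10:00Z", "user_id": "admin-1", "target_id": "user-7"},
    {"action": "user.impersonation.end", "time": "2024-03-01T09:20:00Z", "user_id": "admin-1", "target_id": "user-7"},
    {"action": "user.create", "time": "2024-03-01T10:00:00Z", "user_id": "admin-2", "target_id": "user-9"},
    {"action": "session.impersonation.start", "time": "2024-03-01T11:00:00Z", "user_id": "admin-2", "target_id": "user-3"},
]

IMPERSONATION = {"user.impersonation", "session.impersonation"}
ACCOUNT_CHANGES = {"user.create", "user.delete", "user.update"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review(events):
    """Return (impersonation_windows, account_changes) for analyst review."""
    open_windows = {}  # (family, admin, target) -> start time
    windows, changes = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        family, _, phase = ev["action"].rpartition(".")
        key = (family, ev["user_id"], ev["target_id"])
        if family in IMPERSONATION and phase == "start":
            open_windows[key] = when
        elif family in IMPERSONATION and phase == "end" and key in open_windows:
            seconds = (when - open_windows.pop(key)).total_seconds()
            windows.append({"family": family, "admin": key[1], "target": key[2],
                            "seconds": seconds, "closed": True})
        elif ev["action"] in ACCOUNT_CHANGES:
            # Heuristic: note changes made while any impersonation is open.
            changes.append({"action": ev["action"], "user_id": ev["user_id"],
                            "target_id": ev["target_id"],
                            "during_impersonation": bool(open_windows)})
    # Starts with no matching end: still active, or the end event is missing.
    for (family, admin, target), _start in open_windows.items():
        windows.append({"family": family, "admin": admin, "target": target,
                        "seconds": None, "closed": False})
    return windows, changes


if __name__ == "__main__":
    for row in sum(review(SAMPLE_EVENTS), []):
        print(row)
```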