Audit log events and metadata (Beta)
This information is part of a premium beta feature thatβs subject to quick, iterative changes. As a result, the latest product version may differ from the contents of this document.
The Sigma Audit Log is a connection that provides metadata related to user-initiated events that occur within your Sigma organization.
This document details audit log event categories, event types, and entry metadata. For more information about audit logging with Sigma, see the following:
- Enable audit logging
- Access and explore audit logs
- Create an audit logs storage integration
- Export audit log data to cloud storage
Documentation memo
This document references the audit log with its default column settings and connection configurations. If settings and configurations were customized by an Admin user, column visibility and naming in your audit log may differ.
To confirm column visibility and identify the default columns defined in this document, refer to the Column tab in your audit log. If necessary, you can cross-reference your audit log's custom βfriendly namesβ with cloud data warehouse (CDW) or database management system (DBMS) column IDs provided in the event metadata tables throughout this document.
Event categories
The audit log records user events in the following categories:
- ACCESS_SIGMA
- User access and interactions with passwords
- USER_ACCOUNT
- Admin interactions with member accounts and user invitations in the Administration > People page and Administration > Account Types page
- ACCOUNT_TYPE
- Admin interactions with account type configurations and member assignments in the Administration > Account Types page
- TEAM
- Admin interactions with team settings and member assignments in the Administration > Teams page
- CONNECTION
- Admin interactions with database connection configurations in the Administration > Connections page
- OBJECT_INTERACTION
- User interactions with workbooks, datasets, and workspaces
Event types and metadata
Base entry metadata (all entries)
All audit entriesβregardless of event category or typeβinclude the following base metadata:
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Organization Id | ORGANIZATION_ID | UUID associated with your Sigma instance |
Sigma Url | SIGMA_URL | URL of the application page where the event request occurred |
Request time | REQUEST_TIME | Date and time of the event request in UTC |
Request Id | REQUEST_ID | UUID associated with the event request |
Schema Version | SCHEMA_VERSION | Database schema model version |
Cloud Provider | CLOUD_PROVIDER | Cloud service provider for your Sigma instance |
User Id | USER_ID | System-generated ID associated with the user account responsible for the event request |
User Id | USER_EMAIL | Email assigned to the user account responsible for the event request |
User Ip | USER_IP | IP address associated with the device on which the event request occurred |
User Agent | USER_AGENT | Software and browser details associated with the event request |
Event Category | EVENT_CATEGORY | Event request category (primary event classification) |
Event Type | EVENT_TYPE | Event request type (secondary event classification) |
Event Status | EVENT_STATUS | Event response status |
Event Status Reason Code | EVENT_STATUS_REASON_CODE | Reason code for the event response Provided for select events when Event Status = SUCCESS, and provided for all events when Event Status = FAILURE |
User access entries
User access entries (Event Category column = ACCESS_SIGMA) record events related to user access and interactions with passwords. An entryβs Event Type and Auth Type depend on the authentication method and 2-factor authentication (2FA) requirement configured in the Admin > Authentication page.
User access events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
NEW_USER_SIGNUP |
| Auth Type = PasswordLogin SamlLogin OAuthLogin |
LOGIN |
| Auth Type = PasswordLogin |
LOGIN |
| Auth Type = PasswordLoginMfaTriggered |
LOGIN |
| Auth Type = PasswordLoginMfaVerify |
LOGIN |
| Auth Type = SamlLogin OAuthLogin |
LOGOUT |
| Auth Type = Logout |
PASSWORD_RESET |
| Auth Type = PasswordResetRequest |
PASSWORD_RESET |
| Auth Type = PasswordReset |
PASSWORD_UPDATE |
| Auth Type = PasswordUpdate |
User access metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Auth Type | AUTH_TYPE | Type of authentication or authorization request associated with the event |
User account entries
User account entries (Event Category column = USER_ACCOUNTS) record events related to admin interactions with member accounts and user invitations in the Administration > People and Administration > Account Types page.
User account events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
USER_INVITE_SENT |
| Target User Emails Account Type ID User Kind |
USER_INVITE_RESENT |
| Target User Emails |
USER_INVITE_REVOKED |
| Target User Emails |
USER_UPDATED |
| Target User Ids Account Type ID User Kind |
USER_ARCHIVED |
| Target User Ids |
USER_UNARCHIVED |
| Target User Ids |
User account metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Target User Ids | TARGET_USER_IDS | System-generated IDs associated with affected user accounts |
Target User Emails | TARGET_USER_EMAILS | Email address associated with user invite |
Account Type Id | ACCOUNT_TYPE_ID | UUID associated with the account type affected by or related to the event |
User Kind | USER_KIND | Member type assigned to affected user accounts |
Account type entries
Account type entries (Event Category column = ACCOUNT_TYPES) record events related to admin interactions with account type configurations and member assignments in the Administration > Account Types page.
Account type events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
ACCOUNT_TYPE_CREATED |
| Features Added Features Removed |
ACCOUNT_TYPE_UPDATED |
| AccountType ID Features Added Features Removed |
ACCOUNT_TYPE_DELETED |
| AccountType Id Delegate AccountType Id |
Account type metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Account Type Id | ACCOUNT_TYPE_ID | UUID associated with the account type |
Delegate Account Type Id | DELEGATE_ACCOUNT_TYPE_ID | New UUID associated with the account type |
Features Added | FEATURES_ADDED | Permissions included in the account type |
Features Removed | FEATURES_REMOVED | Permissions excluded from the account type |
Team entries
Team entries (Event Category column = TEAMS) record events related to admin interactions with team settings and member assignments in the Administration > Teams page.
Team events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
TEAM_CREATED |
| Target User Ids Change Type Team Name Team Kind Create Team Folder Is Team Admin |
TEAM_UPDATED |
| Target User Ids Change Type Team Id Is Team Admin |
TEAM_DELETED |
| Team Id |
Team metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Target User Ids | TARGET_USER_IDS | System-generated IDs associated with affected user accounts |
Change Type | CHANGE_TYPE | Type of membership change |
Team Id | TEAM_ID | UUID associated with the team |
Team Name | TEAM_NAME | Team name assigned to the team |
Team Kind | TEAM_KIND | Team type associated with the team |
Create Team Folder | CREATE_TEAM_FOLDER | Team workspace added during team creation (true/false) |
Create Team Folder | IS_TEAM_ADMIN | Team admin role reassigned to user account responsible for the event (true/false) |
Connection entries
Connection entries (Event Category column = CONNECTIONS) record events related to admin interactions with the CDW or DBMS connection configurations in the Administration > Connections page.
Connection events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
CONNECTION_CREATED |
| Connection Type Connection Name Connection Details Connection Description Connection Timeoutsecs Default Connection Use Oauth Cron Spec Timezone |
CONNECTION_UPDATED |
| Connection Id Connection Type Connection Name Connection Details Connection Description Connection Timeoutsecs Default Connection Use Oauth Cron Spec Timezone |
CONNECTION_ARCHIVED |
| Connection Id |
Connection metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Connection Id | CONNECTION_ID | UUID associated with the connection |
Connection Type | CONNECTION_TYPE | CDW or DBMS provider associated with the connection |
Connection Name | CONNECTION_NAME | Connection name assigned to the connection |
Connection Details | CONNECTION_DETAILS | Connection credentials (host, account, warehouse, user, role) |
Connection Timeoutsecs Default | CONNECTION_TIMEOUTSECS_DEFAULT | Connection timeout duration assigned to the connection |
Connection Use Oauth | CONNECTION_USE_OAUTH | OAuth access configuration |
Cron Spec | CRON_SPEC | Auto indexing schedule for the connection |
Timezone | TIMEZONE | Auto indexing schedule's time zone |
Object interaction entries
Object interaction entries (Event Category = OBJECT_INTERACTION) record events related to user interactions with workbooks, datasets, and workspaces.
Object interaction events
Event type | Event status and entry triggers | Additional metadata columns |
---|---|---|
OBJECT_CREATED (exploration/workbook) |
| Inode Id Parent Inode Id Object Type Object Name Object Description Source Inode Id Source Version Is Reusable |
OBJECT_CREATED (dataset) |
| Connection Id Inode Id Parent Inode Id Object Type Object Name Source Inode Id Source Version |
OBJECT_CREATED (workspace) |
| Inode Id Object Type Object Name |
OBJECT_UPDATED |
| Inode Id Object Name Object Description Is Run As Service Account (workbook only) |
OBJECT_ARCHIVED |
| Inode Id |
OBJECT_UNARCHIVED |
| Inode Id Object Type Object Name |
OBJECT_OPENED |
| Inode Id Object TypeObject Name |
OBJECT_UPLOADED |
| Object Type Object Name |
Object interaction metadata
Column name (default "friendly name") | Column ID (CDW/DBMS column ID) | Description |
---|---|---|
Connection Id | CONNECTION_ID | UUID associated with the connection |
Inode Id | INODE_ID | UUID associated with the inode containing the object's metadata |
Parent Inode id | PARENT_INODE_ID | UUID associated with the parent inode referencing the object's inode |
Object Type | OBJECT_TYPE | Type of object created |
Object Name | OBJECT_NAME | System- or user-generated name associated with the object |
Source Inode Id | SOURCE_INODE_ID | Inode ID of the object's source (if created from an existing object) |
Source Version | SOURCE_VERSION | Source code version of the object's source (if created from an existing object) |
Is Reusable | IS_REUSABLE | Workbook saved as a reusable dataset (true/false) |
Is Run as Service Account | IS_RUN_AS_SERVICE_ACCOUNT | Workbook configured to execute queries using a service account (true/false) |
Updated 2 months ago