Understand tamper protection, categories, and common event types.
Audit logs are tamper-evident. Each entry includes a content hash and the previous entry hash.
Any change to history breaks the chain.
Events are grouped into these categories:
Authentication: logins, logouts, password changes, 2FA, session actions
Authorization: access denied attempts
Data access: recording views, downloads, exports
Data changes: create, edit, delete recordings, captures, folders, labels
Admin actions: SSO/SCIM changes, integrations, automation and triage rules
Security: suspicious activity, rate limiting, invalid tokens
user.login (Low)
user.login
user.login_failed (Medium)
user.login_failed
user.password_changed (Medium)
user.password_changed
user.two_factor_enabled (Medium)
user.two_factor_enabled
user.two_factor_disabled (High)
user.two_factor_disabled
user.saml_login (Low)
user.saml_login
user.api_token_created (Medium)
user.api_token_created
user.api_token_deleted (Medium)
user.api_token_deleted
user.mcp_token_created (Medium)
user.mcp_token_created
user.mcp_token_deleted (Medium)
user.mcp_token_deleted
recording.created (Low)
recording.created
recording.updated (Low)
recording.updated
recording.deleted (Medium)
recording.deleted
recording.bulk_deleted (High)
recording.bulk_deleted
capture.created (Low)
capture.created
capture.updated (Low)
capture.updated
capture.deleted (Medium)
capture.deleted
capture.bulk_deleted (High)
capture.bulk_deleted
folder.created (Low)
folder.created
folder.updated (Low)
folder.updated
folder.deleted (Medium)
folder.deleted
label.created (Low)
label.created
label.updated (Low)
label.updated
label.deleted (Low)
label.deleted
access.denied (Medium)
access.denied
Last updated 21 days ago
Was this helpful?
