The audit-log endpoint supports server-side filters for action, target type, and target ID. Use pagination for complete investigations. Filtering by actor, success, IP address, or date is not currently supported by the endpoint and must be applied to retrieved pages on the client.
Common Use Cases
Security Investigation
Scenario: Investigate suspicious activity after detecting an anomaly.
# 1. Find all actions by a specific user
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
-H "Authorization: Bearer ..." | jq '.logs[] | select(.actor.email == "suspect@acme.com")'
# 2. Check for service deletions
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?action=service.deleted" \
-H "Authorization: Bearer ..."
# 3. Review failed actions
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
-H "Authorization: Bearer ..." | jq '.logs[] | select(.success == false)'
# 4. Check actions from unusual IP
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
-H "Authorization: Bearer ..." | jq '.logs[] | select(.ip_address == "suspicious.ip.address")'
Configuration Change Tracking
Scenario: Track changes to a specific service.
# Get all events for a specific service
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?target_type=service&target_id=service-uuid" \
-H "Authorization: Bearer ..."
# Example response shows:
# - When service was created
# - All configuration updates
# - OAuth credential changes
# - API key creations/deletions
# - Plan additions
User Activity Report
Scenario: Review all actions performed by a team member before offboarding.
# 1. Get all audit logs
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=1000" \
-H "Authorization: Bearer ..."
# 2. Filter by actor email on client
jq '.logs[] | select(.actor.email == "leaving-employee@acme.com")' audit_logs.json
# 3. Group by action type
jq 'group_by(.action) | map({action: .[0].action, count: length})' filtered_logs.json
Query strategy
- Start with a narrow server-side action or target filter when possible.
- Request at most 100 records per page and follow pagination metadata.
- Apply unsupported actor, success, address, or date filters locally.
- Preserve the raw export before transforming evidence.
- Record query parameters, collection time, and page coverage with the result.