Audit event fields

Best practices

To ensure your reports include the top actors, actions, and countries you must include information about each in audit events you send to Cased.

Those three fields are:

  • actor
  • action
  • location

Actor

Information about the actor must be included in the top level actor field. Cased recommends including an email addresses or username for the actor.

{
  "action": "user.login",
  "actor": "[email protected]"
}

📘

Including sensitive data inside actor?

If you include sensitive information in actor we recommend you protect your sensitive data.

Action

Every audit event you want to be reportable must have a unique action included in the top level action field:

{
  "action": "user.login",
  "actor": "[email protected]"
}

Location

Cased automatically geolocates any IPV4 or IPV6 provided in the top level location field which powers the Countries column in your reports:

{
  "action": "user.login",
  "actor": "[email protected]",
  "location": "116.100.170.108"
}

Questions? Contact us.
FAQ


Did this page help you?