API Reference

List Audits

Lists audit events for this organization.

Returns a paginated list of Audit Records.

Audit events cover user actions such as inviting someone to an organization (INVITE_USER), creating an application (APPLICATION_ADDED), or completing a scan (SCAN_COMPLETED).

Audit events can also cover organization-centric activity that is not tied to a user, such as scan data being shared with a third party (EXTERNAL_ALERTS_SENT).

Audit logs are only available for Enterprise tier plans, and only accessible by Owner and Admin roles.

Audit Records

Represents an auditable event from within the StackHawk platform.

| Parameter | Default | Description |
| --- | --- | --- |
| id | "" | UUID identifier of this audit. |
| userActivityType | "UNKNOWN" | User audit activity from use of StackHawk platform. |
| organizationActivityType | "UNKNOWN" | Organization audit activity for a StackHawk organization. |
| organizationId | "" | The organizationId associated with this audit. |
| userId | "" | The userId associated with this audit. |
| userName | "" | The userName associated with this audit. |
| userEmail | "" | The user email associated with this audit. |
| payload | "" | A JSON payload with specifics of the audit event. |
| timestamp | 0 | SecondsSinceEpoch timestamp of the event. |
| userIPAddr | "" | The IP address associated with this audit. |

  • Organization audit activity will have empty userId, userName and userEmail fields.
  • The timestamp is represented in milliseconds from unix epoch.
  • User audit activity will have the identifying userActivityType field. Organization audit activity has organizationActivityType.
  • The userIPAddr field is always empty.
  • The payload is a stringified JSON object with a variety of applicable fields for the audit event. Different audit types may have different payload fields.

```json
{
  "id": "6a1292de-2fae-4107-a5ec-2374d3b2ec3f",
  "organizationId": "a0e05070-e594-4e0d-b72d-6c0033dc8cce",
  "userId": "4302d7d2-2d58-4b38-8051-34f0d73b7d87",
  "userName": "Ron Swanson",
  "userEmail": "[email protected]",
  "payload": "{\"scanId\":\"c4e3884b-2e21-4b04-b892-9d7934b3980e\",\"appName\":\"Pawnee Park Service Admissions\",\"envName\":\"Preprod\",\"apiSource\":\"HAWKSCAN\"}",
  "userIPAddr": "",
  "timestamp": 1587289200000,
  "userActivityType": "SCAN_COMPLETED"
}
```

```javascript
const auditrecord = {
	id: "",
	userActivityType: "UNKNOWN",
	organizationActivityType: "UNKNOWN",
	organizationId: "",
	userId: "",
	userName: "",
	userEmail: "",
	payload: "",
	timestamp: 0,
	userIPAddr: "",
}
```

```typescript
interface AuditRecord {
	id: string
	userActivityType: AuditUserActivityType
	organizationActivityType: AuditOrganizationActivityType
	organizationId: string
	userId: string
	userName: string
	userEmail: string
	payload: string
	timestamp: number
	userIPAddr: string
}

const auditrecord: AuditRecord = {
	id: "",
	userActivityType: "UNKNOWN",
	organizationActivityType: "UNKNOWN",
	organizationId: "",
	userId: "",
	userName: "",
	userEmail: "",
	payload: "",
	timestamp: 0,
	userIPAddr: "",
}
```

```java
public class AuditRecord {

	public String id;
	public AuditUserActivityType userActivityType;
	public AuditOrganizationActivityType organizationActivityType;
	public String organizationId;
	public String userId;
	public String userName;
	public String userEmail;
	public String payload;
	public long timestamp;
	public String userIPAddr;

}
```

```kotlin
data class AuditRecord(
	var id: String,
	var userActivityType: AuditUserActivityType,
	var organizationActivityType: AuditOrganizationActivityType,
	var organizationId: String,
	var userId: String,
	var userName: String,
	var userEmail: String,
	var payload: String,
	var timestamp: Long,
	var userIPAddr: String
)
```

```python
class AuditRecord:
	id = ""
	userActivityType = "UNKNOWN"
	organizationActivityType = "UNKNOWN"
	organizationId = ""
	userId = ""
	userName = ""
	userEmail = ""
	payload = ""
	timestamp = 0
	userIPAddr = ""
```

```rust
// Borrowed string fields need an explicit lifetime to compile.
struct AuditRecord<'a> {
	id: &'a str,
	userActivityType: AuditUserActivityType,
	organizationActivityType: AuditOrganizationActivityType,
	organizationId: &'a str,
	userId: &'a str,
	userName: &'a str,
	userEmail: &'a str,
	payload: &'a str,
	timestamp: i64,
	userIPAddr: &'a str,
}
```

Audit Types

StackHawk collects and shares two kinds of audit information from the API:

  • User Audit Events (types): these typically stem from use of the StackHawk Platform, API or Scanner, and are logged as userActivityType in audit records.
  • Organization Events (orgTypes): these pertain to an organization, but may not specifically refer to a user, and are logged as organizationActivityType in audit records.

User Activity Types

| Parameter | Description |
| --- | --- |
| UNKNOWN | Unknown activity. |
| INVITE_USER | An invite to join the organization was sent. |
| USER_INVITE_REVOKED | An invite to join the organization was rescinded. |
| REMOVE_USER | A user was removed from the organization. |
| SCAN_STARTED | A scan was started. |
| SCAN_ERRORED | A running scan errored. |
| SCAN_COMPLETED | A running scan completed. |
| INTEGRATION_ADDED | An integration was added to the organization. |
| INTEGRATION_MODIFIED | An integration was changed. |
| INTEGRATION_REMOVED | An integration was removed from the organization. |
| TECH_FLAG_ADDED | A tech flag has been applied to an application. |
| TECH_FLAG_MODIFIED | A tech flag was modified. |
| TECH_FLAG_REMOVED | A tech flag was removed. |
| SCAN_CONFIG_MODIFIED | A scan configuration was modified. |
| APPLICATION_ADDED | An application was added to the organization. |
| APPLICATION_MODIFIED | An application was changed. |
| APPLICATION_REMOVED | An application was removed from the organization. |
| ENVIRONMENT_ADDED | An environment was added. |
| ENVIRONMENT_MODIFIED | An environment was changed. |
| ENVIRONMENT_REMOVED | An environment was removed. |
| ALERT_RULE_TRIAGED | An alert was triaged. |
| API_KEY_ADDED | An API key was added. |
| API_KEY_REMOVED | An API key was removed. |
| USER_JOINED_ORG | A new user joined the integration. |
| ALERT_RULE_REMOVED | A scan alert rule was removed. |
| USER_PASSWORD_MODIFIED | A user's password was changed. |
| USER_PREFERENCES_MODIFIED | A user's preferences were modified. |
| ORG_MODIFIED | An organization was modified. |
| SCAN_REMOVED | A scan was deleted. |
| SUBSCRIPTION_MODIFIED | A billing subscription was changed. |
| SUBSCRIPTION_ADDED | A billing subscription was added. |
| ORG_DOWNGRADED | The organization lost users, app, integrations or features forcefully. |
| DOWNLOAD_SCAN_ASSET | A scan asset was downloaded. |
| CUSTOM_TEST_SCRIPT_ADDED | A custom test script has been registered for the organization. |
| CUSTOM_TEST_SCRIPT_REMOVED | A custom test script has been removed from an organization. |
| APPLICATION_POLICY_ADDED | A scan policy has been added to an application. |
| APPLICATION_POLICY_MODIFIED | An application policy was changed. |
| APPLICATION_POLICY_REMOVED | A policy was removed from an application. |
| TEAM_ADDED | A team was added. |
| TEAM_UPDATED | A team was updated. |
| TEAM_DELETED | A team was deleted. |
| USER_MODIFIED | User preferences were changed. |
| USER_CONVERTED_TO_SAML_IDP | User converted to SAML-based SSO. |
| INTEGRATION_START_AUTHORIZATION | Authorize integration started. |
| APPLICATIONS_ADDED_FOR_REPOS | Applications were created & added to repos. |
| REPO_MODIFIED | A repo was updated. |
| REPO_REMOVED | A repo was deleted. |
| ORGANIZATION_POLICY_ADDED | A scan policy has been added to an organization. |
| ORGANIZATION_POLICY_MODIFIED | An organization policy was changed. |
| ORGANIZATION_POLICY_REMOVED | A policy was removed from an organization. |
| APPLICATION_CONFIGURATION_UPDATED | The hosted scan configuration has been updated for an application. |
| ORG_SETTINGS_MODIFIED | The organization settings were changed. |
| ORGANIZATION_CONFIGURATION_ADDED | A scan configuration has been added to an organization. |
| ORGANIZATION_CONFIGURATION_MODIFIED | An organization scan configuration was changed. |
| ORGANIZATION_CONFIGURATION_REMOVED | A scan configuration was removed from an organization. |

Organization Activity Types

| Parameter | Description |
| --- | --- |
| UNKNOWN | Unknown activity. |
| EXTERNAL_ALERTS_SENT | Scan result data for this organization was sent to a third party. |
| EXTERNAL_API_UNSUCCESSFUL_RESPONSE | A third party API responded with a non-2xx response when invoked on behalf of this organization. |
| ORG_USER_INVITE_REMINDER_SENT | A user invite reminder was sent out to invitees of this organization. |
| WEBHOOK_REQUEST_MADE | A webhook request was made for an organization event. |
| EXTERNAL_ALERTS_TRIAGED | Alerts were triaged by a third party. |

Audit Payload

The audit payload is a JSON string with contextual data added for this audit event.

There is no explicit schema for the payload object of each audit type, but field names are consistent and may include the following:

userId
appId
envId
userName
appName
envName
pathsCount
triageStatus
integration
scanId
orgId
provider
inviteEmail
apiSource
productName
assetType
customScriptId
customScriptName
teamName
teamId
previousTeamName
previousTeamAppList
previousTeamUserList
previousMemberRole
memberRole
memberEmail
rawMessage
rawStatusCode 

Audit type availability

StackHawk may add audit types that can be requested before the platform actually sends any audit events of that type.

Most audit event payload fields may change, and two audit events of the same type may have different payload fields. The overall structure of an audit event is stable.

We strive for accuracy with sent audit events, but please let us know of any deficiencies.
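An added example (not StackHawk's code) of normalizing audit records for a log pipeline under the rules above: the payload is decoded as its own JSON string with no assumed schema, the timestamp is read as milliseconds, and user and organization events are told apart by their type field. The sample records and the REVIEW_TYPES selection are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Assumption: the types a reviewer wants surfaced first. The names come from
# the tables on this page; the selection is illustrative.
REVIEW_TYPES = {"API_KEY_ADDED", "API_KEY_REMOVED", "REMOVE_USER",
                "USER_PASSWORD_MODIFIED", "ORG_SETTINGS_MODIFIED",
                "EXTERNAL_ALERTS_SENT", "WEBHOOK_REQUEST_MADE"}

def normalize(record):
    """Flatten one audit record into a dict for a log pipeline."""
    user_type = record.get("userActivityType") or "UNKNOWN"
    org_type = record.get("organizationActivityType") or "UNKNOWN"
    if user_type != "UNKNOWN":
        scope, activity = "user", user_type
    elif org_type != "UNKNOWN":
        scope, activity = "organization", org_type
    else:
        scope, activity = "unknown", "UNKNOWN"
    # payload is a JSON object serialized as a string and has no fixed schema:
    # decode it separately and keep whatever keys are present.
    raw = record.get("payload") or ""
    try:
        payload = json.loads(raw) if raw else {}
        payload_ok = isinstance(payload, dict)
    except (ValueError, TypeError):
        payload, payload_ok = None, False
    if not payload_ok:
        payload = {"unparsed": raw}  # keep the evidence instead of dropping it
    # timestamp is in milliseconds since the Unix epoch.
    when = datetime.fromtimestamp(record.get("timestamp", 0) / 1000, tz=timezone.utc)
    return {"id": record.get("id", ""), "time": when.isoformat(),
            "scope": scope, "activity": activity,
            # organization events arrive with empty user fields
            "actor": record.get("userEmail") or record.get("userName") or None,
            "payload": payload, "payload_ok": payload_ok,
            "review": activity in REVIEW_TYPES}

# Constructed sample records (ids, names and payload values are made up).
SAMPLES = [
    {"id": "00000000-0000-4000-8000-000000000001", "userActivityType": "API_KEY_ADDED",
     "userId": "u-1", "userName": "Example User", "userEmail": "user@example.com",
     "payload": "{\"userName\":\"Example User\"}", "timestamp": 1587289200000},
    {"id": "00000000-0000-4000-8000-000000000002",
     "organizationActivityType": "EXTERNAL_API_UNSUCCESSFUL_RESPONSE",
     "userId": "", "userName": "", "userEmail": "",
     "payload": "{\"rawStatusCode\":503,\"rawMessage\":\"unavailable\"", "timestamp": 1587289260000},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(json.dumps(normalize(rec)))
```

The second sample has a deliberately truncated payload, so it comes back with payload_ok set to False and the original string preserved under "unparsed".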

Restricted

This endpoint is NOT accessible to users with the Member role.

Authorization: Bearer JWT