Audit Event Catalog

This catalog lists all public-tier VaultPAM audit event names and their categories. It is intended for SIEM engineers building detection rules and compliance reviewers validating audit coverage — not for building client integrations against the full event schema. The full field schema (actor, target, metadata, retention) is available in the gated API reference; contact support to request access.

This catalog is auto-generated from source. Do not edit directly. To regenerate, run scripts/docs/generate_audit_event_catalog.sh.

Control-Plane Events

Constant	Wire String	Category
AGENT_PAIRING_INITIATED	Agent Pairing Initiated	Agent / Connectivity
AGENT_PAIRING_COMPLETED	Agent Pairing Completed	Agent / Connectivity
AGENT_PAIRING_FAILED	Agent Pairing Failed	Agent / Connectivity
AGENT_HEARTBEAT_RECEIVED	Agent Heartbeat Received	Agent / Connectivity
AGENT_CONNECTIVITY_CHECK	Agent Connectivity Check	Agent / Connectivity
CONNECTOR_REGISTRATION	Connector Registration	Agent / Connectivity
CONNECTOR_UPGRADE	Connector Upgrade	Agent / Connectivity
CONNECTOR_DECOMMISSIONED	Connector Decommissioned	Agent / Connectivity
USER_ACCESS_REQUEST_CREATED	User Access Request Created	Identity / Access / Sharing
ACCESS_REQUEST_APPROVED	Access Request Approved	Identity / Access / Sharing
ACCESS_REQUEST_REJECTED	Access Request Rejected	Identity / Access / Sharing
ACCESS_DELEGATION_GRANTED	Access Delegation Granted	Identity / Access / Sharing
ACCESS_DELEGATION_REVOKED	Access Delegation Revoked	Identity / Access / Sharing
ROLE_ASSIGNMENT_CHANGED	Role Assignment Changed	Identity / Access / Sharing
POLICY_ASSIGNMENT_CHANGED	Policy Assignment Changed	Identity / Access / Sharing
MFA_CHALLENGE_TRIGGERED	MFA Challenge Triggered	Identity / Access / Sharing
MFA_VERIFICATION_SUCCEEDED	MFA Verification Succeeded	Identity / Access / Sharing
MFA_VERIFICATION_FAILED	MFA Verification Failed	Identity / Access / Sharing
MFA_SESSIONS_INVALIDATED	MFA Sessions Invalidated	Identity / Access / Sharing
MFA_RECOVERY_REQUESTED	mfa.recovery.requested	Identity / Access / Sharing
MFA_RECOVERY_VERIFIED	mfa.recovery.verified	Identity / Access / Sharing
MFA_RECOVERY_PENDING_ADMIN_APPROVAL	mfa.recovery.pending_admin_approval	Identity / Access / Sharing
MFA_RECOVERY_APPROVED	mfa.recovery.approved	Identity / Access / Sharing
MFA_RECOVERY_DENIED	mfa.recovery.denied	Identity / Access / Sharing
MFA_RECOVERY_GRANT_ISSUED	mfa.recovery.grant_issued	Identity / Access / Sharing
MFA_RECOVERY_GRANT_CONSUMED	mfa.recovery.grant_consumed	Identity / Access / Sharing
MFA_RECOVERY_EXPIRED	mfa.recovery.expired	Identity / Access / Sharing
MFA_RECOVERY_COMPLETED	mfa.recovery.completed	Identity / Access / Sharing
MFA_BACKUP_CODES_GENERATED	mfa.backup_codes.generated	Identity / Access / Sharing
MFA_BACKUP_CODES_USED	mfa.backup_codes.used	Identity / Access / Sharing
MFA_BACKUP_CODES_REGENERATED	mfa.backup_codes.regenerated	Identity / Access / Sharing
PRIVILEGED_ACCOUNT_CREATED	Privileged Account Created	Accounts / Secrets / Credentials
PRIVILEGED_ACCOUNT_UPDATED	Privileged Account Updated	Accounts / Secrets / Credentials
PRIVILEGED_ACCOUNT_DISABLED	Privileged Account Disabled	Accounts / Secrets / Credentials
CREDENTIAL_CHECKOUT_STARTED	Credential Check-out Started	Accounts / Secrets / Credentials
CREDENTIAL_CHECKOUT_COMPLETED	Credential Check-out Completed	Accounts / Secrets / Credentials
CREDENTIAL_CHECKIN_COMPLETED	Credential Check-in Completed	Accounts / Secrets / Credentials
CREDENTIAL_ROTATION_STARTED	Credential Rotation Started	Accounts / Secrets / Credentials
CREDENTIAL_ROTATION_COMPLETED	Credential Rotation Completed	Accounts / Secrets / Credentials
CREDENTIAL_ROTATION_FAILED	Credential Rotation Failed	Accounts / Secrets / Credentials
SECRET_ACCESSED	Secret Accessed (Metadata-only)	Accounts / Secrets / Credentials
CONNECTION_DEFINITION_CREATED	Connection Definition Created	Connections / Sessions
CONNECTION_DEFINITION_UPDATED	Connection Definition Updated	Connections / Sessions
CONNECTION_DEFINITION_DELETED	Connection Definition Deleted	Connections / Sessions
SESSION_START_REQUESTED	Session Start Requested	Connections / Sessions
SESSION_ESTABLISHED	Session Established	Connections / Sessions
SESSION_RECORDING_STARTED	Session Recording Started	Connections / Sessions
SESSION_POLICY_ENFORCED	Session Policy Enforced	Connections / Sessions
SESSION_SUSPENDED	Session Suspended	Connections / Sessions
SESSION_TERMINATED_BY_USER	Session Terminated by User	Connections / Sessions
SESSION_TERMINATED_BY_ADMIN	Session Terminated by Admin	Connections / Sessions
SESSION_TERMINATED_BY_SYSTEM	Session Terminated by System	Connections / Sessions
SESSION_RECORDING_FINALIZED	Session Recording Finalized	Connections / Sessions
SESSION_PLAYBACK_ACCESSED	Session Playback Accessed	Connections / Sessions
HTTP_SESSION_STARTED	HTTP_SESSION_STARTED	Connections / Sessions
HTTP_SESSION_ENDED	HTTP_SESSION_ENDED	Connections / Sessions
HTTP_URL_DENIED	HTTP_URL_DENIED	Connections / Sessions
HTTP_CREDENTIAL_INJECTED	HTTP_CREDENTIAL_INJECTED	Connections / Sessions
AUDIT_LOG_VIEWED	Audit Log Viewed	Admin / Platform / Audit
AUDIT_LOG_EXPORT_REQUESTED	Audit Log Export Requested	Admin / Platform / Audit
AUDIT_LOG_EXPORT_COMPLETED	Audit Log Export Completed	Admin / Platform / Audit
RETENTION_POLICY_CHANGED	Retention Policy Changed	Admin / Platform / Audit
TENANT_SETTINGS_UPDATED	Tenant Settings Updated	Admin / Platform / Audit
API_TOKEN_CREATED	API Token Created	Admin / Platform / Audit
API_TOKEN_REVOKED	API Token Revoked	Admin / Platform / Audit
SECURITY_INCIDENT_FLAGGED	Security Incident Flagged	Admin / Platform / Audit
SYSTEM_ERROR_LOGGED	System Error Logged	Admin / Platform / Audit
INVITATION_SENT	Invitation Sent	Invitation Lifecycle
INVITATION_ACCEPTED	Invitation Accepted	Invitation Lifecycle
INVITATION_REVOKED	Invitation Revoked	Invitation Lifecycle
INVITATION_RESENT	Invitation Resent	Invitation Lifecycle
INVITATION_EXPIRED	Invitation Expired	Invitation Lifecycle
INVITATION_ACCEPT_BLOCKED	Invitation Accept Blocked	Invitation Lifecycle
INVITE_ACCEPT_STARTED	invite_accept_started	Invitation Lifecycle
INVITE_TOKEN_INVALID_OR_EXPIRED	invite_token_invalid_or_expired	Invitation Lifecycle
INVITE_EMAIL_MISMATCH_BLOCKED	invite_email_mismatch_blocked	Invitation Lifecycle
INVITE_ACCEPTED	invite_accepted	Invitation Lifecycle
ORG_SUBMISSION_STARTED	org_submission_started	Invitation Lifecycle
ORG_SUBMISSION_SUBMITTED	org_submission_submitted	Invitation Lifecycle
ORG_SUBMISSION_APPROVED	org_submission_approved	Invitation Lifecycle
ORG_SUBMISSION_REJECTED	org_submission_rejected	Invitation Lifecycle
PROVIDER_FLOW_FAILED	provider_flow_failed	Invitation Lifecycle
PENDING_STATE_VIEWED	pending_state_viewed	Invitation Lifecycle
PLATFORM_USER_INVITED	Platform User Invited	Platform Users Management
PLATFORM_USER_REMOVED	Platform User Removed	Platform Users Management
PLATFORM_USER_ROLE_CHANGED	Platform User Role Changed	Platform Users Management
PLATFORM_USER_MFA_RESET	Platform User MFA Reset	Platform Users Management
PLATFORM_INVITATION_ACCEPTED	Platform Invitation Accepted	Platform Users Management
PLATFORM_USER_INVITE_REJECTED	Platform User Invite Rejected	Platform Users Management
PLATFORM_SELF_REMOVAL_BLOCKED	Platform Self Removal Blocked	Platform Users Management
PLATFORM_LAST_ADMIN_REMOVAL_BLOCKED	Platform Last Admin Removal Blocked	Platform Users Management
PLATFORM_LAST_ADMIN_MFA_RESET_BLOCKED	Platform Last Admin MFA Reset Blocked	Platform Users Management
PLATFORM_USERS_LISTED	Platform Users Listed	Platform Users Management
PLATFORM_INVITATIONS_LISTED	Platform Invitations Listed	Platform Users Management
GROUP_CREATED	group.created	Groups / Safe Access
GROUP_UPDATED	group.updated	Groups / Safe Access
GROUP_DELETED	group.deleted	Groups / Safe Access
GROUP_MEMBER_ADDED	group.member.added	Groups / Safe Access
GROUP_MEMBER_REMOVED	group.member.removed	Groups / Safe Access
SAFE_GROUP_ASSIGNMENT_CREATED	safe.group_assignment.created	Groups / Safe Access
SAFE_GROUP_ASSIGNMENT_UPDATED	safe.group_assignment.updated	Groups / Safe Access
SAFE_GROUP_ASSIGNMENT_REMOVED	safe.group_assignment.removed	Groups / Safe Access
SAFE_MEMBER_ADDED	safe.member.added	Groups / Safe Access
SAFE_MEMBER_ROLE_UPDATED	safe.member.role_updated	Groups / Safe Access
SAFE_MEMBER_REMOVED	safe.member.removed	Groups / Safe Access
SAFE_DERIVED_ACCESS_GRANTED	safe.derived_access.granted	Groups / Safe Access
SAFE_DERIVED_ACCESS_REVOKED	safe.derived_access.revoked	Groups / Safe Access
SAFE_DERIVED_ACCESS_ROLE_CHANGED	safe.derived_access.role_changed	Groups / Safe Access
GROUP_MUTATION_DENIED	group.mutation.denied	Groups / Safe Access
ORG_GOVERNANCE_ACTION_REQUESTED	org_governance.action_requested	Org-Scoped Governance Actions
ORG_GOVERNANCE_ACTION_APPROVED	org_governance.action_approved	Org-Scoped Governance Actions
ORG_GOVERNANCE_ACTION_REJECTED	org_governance.action_rejected	Org-Scoped Governance Actions
PLATFORM_CROSS_ORG_GOVERNANCE_VIEWED	platform.cross_org_governance_viewed	Cross-Org Governance
ORG_GOVERNANCE_QUEUE_EXPORTED	org_governance.queue_exported	Cross-Org Governance
ORG_GOVERNANCE_SELF_APPROVAL_BLOCKED	org_governance.self_approval_blocked	Cross-Org Governance
PHONE_VERIFICATION_CODE_SENT	phone_verification_code_sent	Phone / SMS Verification
PHONE_VERIFICATION_SUCCEEDED	phone_verification_succeeded	Phone / SMS Verification
PHONE_VERIFICATION_FAILED	phone_verification_failed	Phone / SMS Verification
PHONE_VERIFICATION_EXPIRED	phone_verification_expired	Phone / SMS Verification
PHONE_CHANGE_REQUESTED	phone_change_requested	Phone / SMS Verification
PHONE_CHANGE_COMMITTED	phone_change_committed	Phone / SMS Verification
PHONE_CHANGE_ABANDONED	phone_change_abandoned	Phone / SMS Verification
AUDIT_PHONE_DIGEST_KEY_ROTATED	audit_phone_digest_key_rotated	Phone / SMS Verification
PHONE_VERIFICATION_CODE_SEND_BLOCKED_PROVIDER_UNAVAILABLE	phone_verification_code_send_blocked_provider_unavailable	Phone / SMS Verification
PHONE_VERIFICATION_BOOT_PROVIDER_GATE_PASSED	phone_verification_boot_provider_gate_passed	Phone / SMS Verification
PHONE_VERIFICATION_CODE_SEND_BLOCKED_RATE_LIMIT	phone_verification_code_send_blocked_rate_limit	Phone / SMS Verification
PHONE_CHANGE_CONCURRENT_MODIFICATION	phone_change_concurrent_modification	Phone / SMS Verification
PHONE_CHANGE_CANCEL	phone_change_cancel	Phone / SMS Verification
USERS_PHONE_PROPAGATED_FROM_REGISTRATION	users_phone_propagated_from_registration	Phone / SMS Verification
USERS_PHONE_PROPAGATION_SKIPPED_CONFLICT	users_phone_propagation_skipped_conflict	Phone / SMS Verification

Proxy-Shared SSH Events

Re-exported by the control-plane as PROXY_SSH_* event types.

Constant	Wire String	Description
PROXY_SSH_SESSION_OPENED	proxy.ssh.session.opened	SSH session successfully opened — post-grant verify, upstream connect, channel ready.
PROXY_SSH_SESSION_CLOSED	proxy.ssh.session.closed	SSH session closed — channel close, upstream EOF, or client disconnect.
PROXY_SSH_AUTH_REJECTED	proxy.ssh.auth.rejected	SSH authentication rejected at the proxy — invalid grant, expired grant, replay, or unauthorized key.
PROXY_SSH_RECORDING_WRITTEN	proxy.ssh.recording.written	SSH recording artifact finalized and persisted to the recordings store.

Severity Levels

Value	Meaning
DEBUG	Low-level diagnostic; not forwarded to SIEM by default.
INFO	Normal operation record.
WARN	Recoverable condition that may need attention.
ERROR	Operation failed; may require investigation.
CRITICAL	Security-significant failure; always forwarded to SIEM.

Actor Types

Value	Description
User	End-user acting on their own behalf.
TenantAdmin	Org-level administrator.
System	Automated system action with no direct user trigger.
ServiceAccount	API token or machine account.
PlatformAdmin	Cross-org platform operator.
OrgAdmin	Organization-scoped admin role.
Connector	Connector agent acting autonomously.

Target Types

Value	Description
Account	Privileged account or credential object.
Connection	Connection definition.
Session	Active or completed session.
Agent	Connector or proxy agent.
Policy	Access or session policy.
Secret	Secret or credential payload.
Tenant	Tenant/org entity.
API Token	API token object.
Invitation	Invitation record.
AuditLog	Audit log query or export.
GovernanceAction	Governance approval request.
Safe	Safe container.