Audit events catalogue
The full catalogue of audit actions the platform emits — namespaces, resource types, payload shape, and the compliance controls each one satisfies.
The platform emits a fixed, enumerated set of audit actions. Free-form action strings are not permitted — every action your SIEM receives is from this catalogue. This guarantees the events are machine-parseable and that the same action means the same thing across customers.
For the audit log's storage model, retention, and forwarding, see Audit logging. For the SIEM wire format, see SIEM forwarding.
Actions by namespace
Secrets
| Action | Description |
|---|---|
| SECRET_CREATE | A secret was created. |
| SECRET_UPDATE | A secret was updated. |
| SECRET_DELETE | A secret was deleted. |
| SECRET_ACCESS | A secret value was read (decrypted). |
Secret providers
| Action | Description |
|---|---|
| PROVIDER_CREATE | A secret provider configuration was created. |
| PROVIDER_UPDATE | A secret provider configuration was updated. |
| PROVIDER_DELETE | A secret provider configuration was deleted. |
| PROVIDER_TEST | A secret provider was test-connected. |
Generic resources
For resources without a dedicated namespace (workflows, knowledge-base documents, managed tables, etc.):
| Action | Description |
|---|---|
| RESOURCE_CREATE | A resource was created. |
| RESOURCE_UPDATE | A resource was updated. |
| RESOURCE_DELETE | A resource was deleted. |
| RESOURCE_ACCESS | A resource was read. |
Authorization decisions
These events record denied and granted authorisation decisions for sensitive operations:
| Action | Description |
|---|---|
| AUTH_READ_DENIED | Read access denied. |
| AUTH_WRITE_DENIED | Write access denied. |
| AUTH_DELETE_DENIED | Delete access denied. |
| AUTH_EXECUTE_DENIED | Execute access denied (e.g. workflow run). |
| AUTH_ADMIN_DENIED | Admin-level access denied. |
| AUTH_DELETE_GRANTED | Destructive delete granted. |
| AUTH_EXECUTE_GRANTED | Execute access granted. |
| AUTH_ADMIN_GRANTED | Admin-level access granted. |
Only denied decisions and granted decisions for destructive / privileged operations are logged. Routine "this user can read their own workflows" decisions are not — that would drown the log.
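Because only denials and privileged grants reach the log, two checks cover most of what a SOC wants from this namespace: an actor who keeps collecting `*_DENIED` decisions in a short window (probing for access they do not hold), and every `AUTH_ADMIN_GRANTED` / `AUTH_DELETE_GRANTED` event, which is rare enough to review individually. The following is an added example of that detection logic written for the SIEM side, not platform code; the threshold, window and sample events are constructed, and only the payload fields documented on this page are read.

```python
"""Detection over AUTH_* audit events: an added example, not platform code.

Flags (1) actors who accumulate repeated *_DENIED decisions inside a short
window and (2) every privileged grant, so each can be reviewed.
DENIED_THRESHOLD and DENIED_WINDOW are constructed policy values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DENIED_THRESHOLD = 3                   # denials per actor ...
DENIED_WINDOW = timedelta(minutes=5)   # ... within this window
REVIEW_GRANTS = {"AUTH_ADMIN_GRANTED", "AUTH_DELETE_GRANTED"}


def _ts(event):
    # createdAt is ISO 8601 with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(event["createdAt"].replace("Z", "+00:00"))


def analyse(events):
    """Return findings for a batch of events (any order; sorted by createdAt here)."""
    findings = []
    recent = defaultdict(deque)        # actorId -> timestamps of recent denials
    for ev in sorted(events, key=_ts):
        action = ev["action"]
        if not action.startswith("AUTH_"):
            continue                    # other namespaces are out of scope here
        now = _ts(ev)
        if action.endswith("_DENIED"):
            window = recent[ev["actorId"]]
            window.append(now)
            while now - window[0] > DENIED_WINDOW:
                window.popleft()        # drop denials older than the window
            if len(window) == DENIED_THRESHOLD:   # fire once when the line is crossed
                findings.append({
                    "kind": "repeated_denials",
                    "actorId": ev["actorId"],
                    "count": len(window),
                    "lastAction": action,
                    "lastResource": ev["resourceId"],
                    "ipAddress": ev.get("ipAddress"),
                })
        elif action in REVIEW_GRANTS:
            findings.append({
                "kind": "privileged_grant",
                "action": action,
                "actorId": ev["actorId"],
                "resourceType": ev["resourceType"],
                "resourceId": ev["resourceId"],
            })
    return findings


def _ev(created_at, action, actor, rtype, rid, ip="10.0.1.99"):
    # Constructed sample event using only the fields documented on this page.
    return {"id": f"aud_{rid}_{created_at[11:19].replace(':', '')}", "action": action,
            "resourceType": rtype, "resourceId": rid, "actorId": actor,
            "organizationId": "org_001", "metadata": {}, "ipAddress": ip,
            "userAgent": "PostmanRuntime/7.32.0", "createdAt": created_at}


SAMPLE_EVENTS = [   # constructed, deliberately out of order
    _ev("2026-03-16T10:31:15Z", "AUTH_EXECUTE_DENIED", "usr_789", "workflow", "wf_q3report"),
    _ev("2026-03-16T10:30:00Z", "AUTH_ADMIN_GRANTED", "usr_456", "organization", "org_001", "10.0.1.42"),
    _ev("2026-03-16T10:31:40Z", "AUTH_EXECUTE_DENIED", "usr_789", "workflow", "wf_q3report"),
    _ev("2026-03-16T10:32:05Z", "AUTH_READ_DENIED", "usr_222", "document", "doc_17", "10.0.2.7"),
    _ev("2026-03-16T10:32:20Z", "SECRET_ACCESS", "usr_456", "secret", "sec_xyz789", "10.0.1.42"),
    _ev("2026-03-16T10:32:30Z", "AUTH_WRITE_DENIED", "usr_789", "workflow", "wf_q3report"),
    _ev("2026-03-16T10:33:00Z", "AUTH_EXECUTE_DENIED", "usr_789", "workflow", "wf_q3report"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The window is keyed on `actorId` rather than `ipAddress` because IP capture is configurable and may be null for service actors; the finding carries the IP only as context. The rule fires exactly once when the count reaches the threshold, so a long burst produces one alert instead of one per event.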
Execution grants
Workflow execution grants — the short-lived server-issued tokens that authorise a workflow run. See Authorization.
| Action | Description |
|---|---|
| EXECUTION_GRANT_CREATE | A workflow execution grant was issued. |
| EXECUTION_GRANT_BIND | A grant was bound to a workflow instance. |
| EXECUTION_GRANT_REJECT | A grant was presented but rejected (expired / revoked / instance mismatch). |
| EXECUTION_GRANT_EXPIRE | A grant expired without being used. |
| EXECUTION_GRANT_REVOKE | A grant was explicitly revoked (e.g. workflow cancellation). |
SCIM provisioning
| Action | Description |
|---|---|
| scim.token.created | A SCIM API token was generated. |
| scim.token.revoked | A SCIM API token was revoked. |
| scim.user.provisioned | A user was created or linked via SCIM. |
| scim.user.updated | A user was updated via SCIM. |
| scim.user.deactivated | A user was deactivated via SCIM. |
| scim.user.reactivated | A previously deactivated user was re-activated via SCIM. |
| scim.group.created | A SCIM group was mapped to a team. |
| scim.group.updated | A SCIM group was updated. |
| scim.group.deleted | A SCIM group was unmapped (team is preserved). |
| scim.group.member.added | A user was added to a SCIM-mapped team. |
| scim.group.member.removed | A user was removed from a SCIM-mapped team. |
| scim.error.invalid_token | A SCIM call was rejected for an invalid token. |
| scim.error.scale_cap_hit | A SCIM call hit an organisation cap. |
| scim.error.email_conflict | A SCIM call was rejected due to an email collision. |
Integration entitlements
For installed integrations and the hard-fencing setup:
| Action | Description |
|---|---|
| INTEGRATION_ENTITLEMENT_GRANT | An integration entitlement was granted to a workspace. |
| INTEGRATION_ENTITLEMENT_REVOKE | An integration entitlement was revoked. |
| INTEGRATION_ENTITLEMENT_SYNC | A hard-fence sync ran (the platform pushed the delta to the IdP). |
| INTEGRATION_ENTITLEMENT_DISABLED | Hard fencing was disabled for a credential. |
| INTEGRATION_INSTALL | A vendor integration was installed. |
| INTEGRATION_UNINSTALL | A vendor integration was uninstalled. |
SIEM / audit-log self-events
| Action | Description |
|---|---|
| SUBSCRIPTION_CREATE | An audit-log webhook subscription was created. |
| audit.test | A synthetic test event (emitted from the audit-log admin UI). |
| audit.export | An audit-log export was requested. |
| audit.retention.updated | The audit-log retention policy was changed. |
| AUDIT_FORWARDING_DEGRADED | The forwarder buffer is near full / backpressuring (operational event). |
License
| Action | Description |
|---|---|
| LICENSE_APPLIED | A new license JWT was applied to the cluster. |
| LICENSE_VALIDATED | The daily heartbeat to license.scrydon.com succeeded. |
| LICENSE_VALIDATION_FAILED | The daily heartbeat failed (network or invalid license). |
| LICENSE_EXPIRED | The license exp timestamp has passed. |
Resource types
The resourceType field on each event identifies what was acted on:
| Type | Description |
|---|---|
| secret | A secrets-vault entry. |
| secretProvider | A secret provider configuration. |
| user | A user account. |
| organization | An organisation. |
| workspace | A workspace. |
| file | A file in storage. |
| workflow | A workflow definition or run. |
| knowledgeBase | A knowledge base. |
| document | A knowledge-base document. |
| folder | A folder in storage. |
| template | A workflow template. |
| processTemplate | A process flow. |
| schedule | A scheduled trigger. |
| memory | An agent memory store. |
| chat | A chat session. |
| webhook | A webhook subscription. |
| copilotTool | A Copilot tool. |
| auditLogSubscription | An audit-log forwarder subscription. |
| auditLog | A self-reference (e.g. for retention changes). |
| auditLogRetentionConfig | The audit-log retention configuration. |
| executionGrant | A workflow execution grant. |
| integration | An installed vendor integration. |
| integrationEntitlement | A workspace's entitlement to use an integration. |
| scimToken | A SCIM API token. |
| license | The license JWT. |
Event payload
Every event carries:
| Field | Description |
|---|---|
| id | Stable event ID. |
| action | One of the actions above. |
| resourceType | One of the types above. |
| resourceId | The specific resource ID. |
| actorId | The user or service that performed the action. |
| organizationId | The organisation scope. |
| metadata | A structured payload, action-specific. Never contains secret values or document content. |
| ipAddress | Caller IP (configurable, captured by default). |
| userAgent | Caller user-agent (configurable, captured by default). |
| createdAt | ISO 8601 timestamp. |
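Since the action and resource-type vocabularies are closed, a receiving SIEM can reject anything outside them instead of indexing it blindly; a forwarder misconfiguration or a tampered event then surfaces as a validation failure rather than as a silent gap in an audit query. The following validator is an added example, not platform or SIEM-vendor code; it encodes the catalogue from this page, reads only the fields listed above, and the `BAD_EVENT` sample is constructed.

```python
"""Shape check for catalogue events on the SIEM side: an added example, not platform code."""
from datetime import datetime

# Every action in the catalogue on this page, all namespaces.
ACTIONS = frozenset(
    [f"SECRET_{s}" for s in ("CREATE", "UPDATE", "DELETE", "ACCESS")]
    + [f"PROVIDER_{s}" for s in ("CREATE", "UPDATE", "DELETE", "TEST")]
    + [f"RESOURCE_{s}" for s in ("CREATE", "UPDATE", "DELETE", "ACCESS")]
    + [f"AUTH_{s}_DENIED" for s in ("READ", "WRITE", "DELETE", "EXECUTE", "ADMIN")]
    + [f"AUTH_{s}_GRANTED" for s in ("DELETE", "EXECUTE", "ADMIN")]
    + [f"EXECUTION_GRANT_{s}" for s in ("CREATE", "BIND", "REJECT", "EXPIRE", "REVOKE")]
    + ["scim.token.created", "scim.token.revoked", "scim.user.provisioned",
       "scim.user.updated", "scim.user.deactivated", "scim.user.reactivated",
       "scim.group.created", "scim.group.updated", "scim.group.deleted",
       "scim.group.member.added", "scim.group.member.removed",
       "scim.error.invalid_token", "scim.error.scale_cap_hit", "scim.error.email_conflict"]
    + [f"INTEGRATION_ENTITLEMENT_{s}" for s in ("GRANT", "REVOKE", "SYNC", "DISABLED")]
    + ["INTEGRATION_INSTALL", "INTEGRATION_UNINSTALL", "SUBSCRIPTION_CREATE",
       "audit.test", "audit.export", "audit.retention.updated", "AUDIT_FORWARDING_DEGRADED"]
    + [f"LICENSE_{s}" for s in ("APPLIED", "VALIDATED", "VALIDATION_FAILED", "EXPIRED")]
)

# Every resourceType in the catalogue on this page.
RESOURCE_TYPES = frozenset("""
secret secretProvider user organization workspace file workflow knowledgeBase
document folder template processTemplate schedule memory chat webhook copilotTool
auditLogSubscription auditLog auditLogRetentionConfig executionGrant integration
integrationEntitlement scimToken license
""".split())

REQUIRED_STR = ("id", "action", "resourceType", "resourceId", "actorId", "organizationId", "createdAt")
NULLABLE_STR = ("ipAddress", "userAgent")   # captured by default; null for system actors


def validate(event):
    """Return a list of problems; an empty list means the event matches the documented shape."""
    problems = []
    for field in REQUIRED_STR:
        if not isinstance(event.get(field), str) or not event[field]:
            problems.append(f"missing or non-string field: {field}")
    for field in NULLABLE_STR:
        if field in event and event[field] is not None and not isinstance(event[field], str):
            problems.append(f"field must be a string or null: {field}")
    if not isinstance(event.get("metadata"), dict):
        problems.append("metadata must be an object")
    if event.get("action") not in ACTIONS:
        problems.append(f"action not in catalogue: {event.get('action')!r}")
    if event.get("resourceType") not in RESOURCE_TYPES:
        problems.append(f"resourceType not in catalogue: {event.get('resourceType')!r}")
    ts = event.get("createdAt")
    if isinstance(ts, str):
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"createdAt is not ISO 8601: {ts!r}")
    return problems


# The two example payloads from this page, plus one constructed bad event.
SECRET_ACCESS_EVENT = {
    "id": "aud_abc123", "action": "SECRET_ACCESS", "resourceType": "secret",
    "resourceId": "sec_xyz789", "actorId": "usr_456", "organizationId": "org_001",
    "metadata": {"secretName": "OPENAI_API_KEY", "strategy": "LOCAL"},
    "ipAddress": "10.0.1.42", "userAgent": "Mozilla/5.0...", "createdAt": "2026-03-16T10:30:00Z",
}
SYNC_EVENT = {
    "id": "aud_ghi789", "action": "INTEGRATION_ENTITLEMENT_SYNC",
    "resourceType": "integrationEntitlement", "resourceId": "ent_m365_alpha",
    "actorId": "system", "organizationId": "org_001",
    "metadata": {"provider": "microsoft", "added": 3, "removed": 1, "unchanged": 12, "unmappable": 0},
    "ipAddress": None, "userAgent": None, "createdAt": "2026-03-16T11:00:00Z",
}
BAD_EVENT = dict(SECRET_ACCESS_EVENT, action="secret.read", createdAt="16/03/2026 10:30")  # constructed
del BAD_EVENT["actorId"]

if __name__ == "__main__":
    for name, ev in (("SECRET_ACCESS", SECRET_ACCESS_EVENT), ("SYNC", SYNC_EVENT), ("BAD", BAD_EVENT)):
        print(name, validate(ev) or "ok")
```

Because `actorId` may be the literal `system` and the IP and user-agent may be null (as in the sync example), the check treats those fields as nullable strings rather than requiring a user ID or a network address. Keeping the two sets in one place also makes it obvious when a platform upgrade adds an action: the validator starts rejecting it, which is the prompt to update the catalogue copy and the detection rules at the same time.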
Example payloads
SECRET_ACCESS
```json
{
  "id": "aud_abc123",
  "action": "SECRET_ACCESS",
  "resourceType": "secret",
  "resourceId": "sec_xyz789",
  "actorId": "usr_456",
  "organizationId": "org_001",
  "metadata": { "secretName": "OPENAI_API_KEY", "strategy": "LOCAL" },
  "ipAddress": "10.0.1.42",
  "userAgent": "Mozilla/5.0...",
  "createdAt": "2026-03-16T10:30:00Z"
}
```
AUTH_EXECUTE_DENIED
```json
{
  "id": "aud_def456",
  "action": "AUTH_EXECUTE_DENIED",
  "resourceType": "workflow",
  "resourceId": "wf_q3report",
  "actorId": "usr_789",
  "organizationId": "org_001",
  "metadata": {
    "policy": "workflow.execute",
    "reason": "actor not a workspace member"
  },
  "ipAddress": "10.0.1.99",
  "userAgent": "PostmanRuntime/7.32.0",
  "createdAt": "2026-03-16T10:31:15Z"
}
```
INTEGRATION_ENTITLEMENT_SYNC
```json
{
  "id": "aud_ghi789",
  "action": "INTEGRATION_ENTITLEMENT_SYNC",
  "resourceType": "integrationEntitlement",
  "resourceId": "ent_m365_alpha",
  "actorId": "system",
  "organizationId": "org_001",
  "metadata": {
    "provider": "microsoft",
    "scopeId": "<entra-security-group-object-id>",
    "added": 3,
    "removed": 1,
    "unchanged": 12,
    "unmappable": 0
  },
  "ipAddress": null,
  "userAgent": null,
  "createdAt": "2026-03-16T11:00:00Z"
}
```
What's deliberately not in the log
The catalogue records that something happened, not the data it operated on:
- Secret values are never logged. Secret names and IDs are.
- Knowledge-base document content is never logged. Document IDs and classifications are.
- Workflow input and output payloads are never logged. Workflow IDs, durations, and outcomes are.
- LLM prompt content is never logged. Token counts, model IDs, cost, and the integration source are.
- User passwords are never logged. Sign-in events are.
This separation is what lets the audit log be exposed to auditors without also exposing the underlying data.
Compliance mapping
| Control | Actions that satisfy it |
|---|---|
| ISO 27001 A.5.16 (Identity management) | scim.*, INTEGRATION_ENTITLEMENT_* |
| ISO 27001 A.5.17 (Authentication information) | SECRET_*, PROVIDER_* |
| ISO 27001 A.8.5 (Secure authentication) | scim.*, sign-in events (when extended — see roadmap) |
| ISO 27001 A.8.15 (Logging) | Every event |
| ISO 27001 A.8.16 (Monitoring activities) | All AUTH_*, INTEGRATION_*, scim.* |
| SOC 2 CC6.1 / CC6.6 (Logical access) | All AUTH_*, RESOURCE_ACCESS |
| SOC 2 CC7 (System operations) | LICENSE_*, AUDIT_FORWARDING_DEGRADED |
| SOC 2 CC8 (Change management) | RESOURCE_CREATE / _UPDATE / _DELETE on workflow, template, processTemplate |
| GDPR Article 32 (Security of processing) | AUTH_*, SECRET_* |
| EU AI Act Article 12 (Record-keeping) | Workflow run events via RESOURCE_* |
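The mapping above is wildcard-based, and two rows also depend on the resource type (SOC 2 CC8 only counts changes to workflow, template and processTemplate; EU AI Act Article 12 is about workflow run events). An evidence index that applies those rules to a batch of events tells you, per control, how much evidence a period produced and which controls produced none, which is the gap to close before an audit. The following is an added example, not the platform's or Vanta's evidence collector; the open row for sign-in events is left out, the resource-type sets for CC8 and Article 12 are this example's reading of the table, and the sample events are constructed and reduced to the two fields the mapping reads.

```python
"""Evidence index for the compliance mapping: an added example, not platform code."""
from collections import Counter
from fnmatch import fnmatchcase

# (control, action glob patterns from the table, allowed resourceTypes or None for any)
CONTROLS = [
    ("ISO 27001 A.5.16", ("scim.*", "INTEGRATION_ENTITLEMENT_*"), None),
    ("ISO 27001 A.5.17", ("SECRET_*", "PROVIDER_*"), None),
    ("ISO 27001 A.8.5", ("scim.*",), None),          # sign-in events not yet in the catalogue
    ("ISO 27001 A.8.15", ("*",), None),              # every event
    ("ISO 27001 A.8.16", ("AUTH_*", "INTEGRATION_*", "scim.*"), None),
    ("SOC 2 CC6.1/CC6.6", ("AUTH_*", "RESOURCE_ACCESS"), None),
    ("SOC 2 CC7", ("LICENSE_*", "AUDIT_FORWARDING_DEGRADED"), None),
    ("SOC 2 CC8", ("RESOURCE_CREATE", "RESOURCE_UPDATE", "RESOURCE_DELETE"),
     {"workflow", "template", "processTemplate"}),
    ("GDPR Art. 32", ("AUTH_*", "SECRET_*"), None),
    ("EU AI Act Art. 12", ("RESOURCE_*",), {"workflow"}),   # this example's reading of "workflow run events"
]


def controls_for(event):
    """Controls (in table order) that one event is evidence for."""
    matched = []
    for name, patterns, types in CONTROLS:
        if types is not None and event["resourceType"] not in types:
            continue
        if any(fnmatchcase(event["action"], p) for p in patterns):
            matched.append(name)
    return matched


def coverage_report(events):
    """Return (evidence count per control, controls with no evidence in this batch)."""
    counts = Counter()
    for ev in events:
        counts.update(controls_for(ev))
    gaps = [name for name, _, _ in CONTROLS if counts[name] == 0]
    return counts, gaps


SAMPLE_EVENTS = [   # constructed; only the fields the mapping reads
    {"action": "SECRET_ACCESS", "resourceType": "secret"},
    {"action": "AUTH_EXECUTE_DENIED", "resourceType": "workflow"},
    {"action": "RESOURCE_UPDATE", "resourceType": "workflow"},
    {"action": "RESOURCE_UPDATE", "resourceType": "document"},
    {"action": "scim.user.deactivated", "resourceType": "user"},
    {"action": "INTEGRATION_ENTITLEMENT_SYNC", "resourceType": "integrationEntitlement"},
]

if __name__ == "__main__":
    counts, gaps = coverage_report(SAMPLE_EVENTS)
    for name, _, _ in CONTROLS:
        print(f"{name:22s} {counts[name]}")
    print("no evidence:", gaps)
```

`fnmatchcase` is used instead of `fnmatch` so that matching is case-sensitive on every platform; otherwise `SCIM_*` and `scim.*` style mistakes would silently match. On the sample batch every control except SOC 2 CC7 has evidence, which is expected for a quiet day with no license heartbeat or forwarder event, and is exactly the kind of row to explain rather than discover during the audit.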
Vanta automation
Many compliance frameworks ask the same questions ("show me failed logins", "show me access reviews"). The audit-event catalogue is wired into Vanta's evidence collection — see Compliance for which Vanta slots each event family fills.
Related
- Audit logging — storage, retention, query.
- SIEM forwarding — push events to your SIEM in near real-time.
- Compliance — framework mappings.
- Permission model — what generates AUTH_* events.