Working with audit activities and events

Audit activities and events

The audit reporting service caches incoming audit messages and provides endpoints to request audit events for a specified date range. The following events and actors are tracked:

  • Actions

    Logs any action or activity against a defined PingOne resource. Sample actions include, created, deleted, updated, and authenticated. The audit message includes the ID for the resource affected by the event.

  • Actors

    Tracks the actor or agent who initiated the action. The audit message includes the unique identifier and the friendly name of the actor (end user) responsible for the event and the client used by the actor to perform the action on the resource.

  • Date and time

    The date and time the audit activity was recorded.

  • Status

    Tracks and caches the resulting status of the action. The audit message specifies the success or failure of the event, and if a failure occurred, it provides the reason for the failure.

Filtering result data

GET requests for audit activities require a SCIM filter to specify start and end dates for the result data. For large collections, additional filtering expressions can be added to the request URL to focus on particular event types. For example, this SCIM filter returns audit events from the start date of “2018-01-01” and an end date of “2018-03-31”:{id}/activities?filter=recordedat gt "2018-01-01T00:00:00Z" AND recordedat lt "2018-03-31T23:59:00Z"

These SCIM operators can be applied to the following attributes:

  • eq (equals)

    Supported attributes: correlationid,,,, action.type,, resources.type,,,

  • gt (greater than)

    Supported attributes: recordedat

  • lt (less than)

    Supported attributes: recordedat

  • ge (greater than or equal to)

    Supported attributes: recordedat

  • le (less than or equal to)

    Supported attributes: recordedat

  • in (includes)

    Supported attributes: action.type,

  • and (logical AND)

    Logical AND for building compound expressions where both expressions are true.

  • or (logical OR)

    Logical OR for building compound expressions if either expression is true.

Note: These SCIM operators are not supported: ne (not equal), co (contains), ew (ends with), pr (present, is a non-empty or non-null value), sw (starts with), not (logical NOT).

For more information about SCIM syntax and operators, see Conventions.

Get audit activities for an environment

You can get all audit activity events for a selected environment. The GET /environments/{id}/activities request must specify a SCIM filtering expression that designates a time range for the result data.

Note: For more information about supported filtering expressions for the GET operation, see Audit Reporting.

The following sample shows the GET /environments/{id}/activities?filter=recordedat gt "2018-01-01T00:00:00Z" AND recordedat lt "2018-03-31T23:59:00Z" operation to return all audit-activity events for the specified environment. The filtering expression designates a time period between 01/01/2018 and 03/31/2018.

curl -vX GET "" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken"

The response data for the audit-activities event list looks like this:

    "_links": {
        "self": {
            "href": ""
    "_embedded": {
        "activities": [
                "id": "cf4465f2-d75e-4fd5-9fe9-d9280c72086d",
                "recordedAt": "2018-03-09T00:09:34.421Z",
                "correlationId": "ea10fe7e-e341-45f5-b5de-38b821b1f8cd",
                "actors": {
                    "client": {
                        "id": "identity-directory-synthetic-testing",
                        "name": "identity-directory-synthetic-testing",
                        "type": "CLIENT"
                "action": {
                    "type": "PASSWORD.CHECKED",
                    "description": "Password Checked"
                "resources": [
                        "type": "USER",
                        "id": "2c820676-3f02-49fe-b3c6-0fd854e53d4e",
                        "name": "2c820676-3f02-49fe-b3c6-0fd854e53d4e",
                        "environment": {
                            "id": "58f92121-b753-4e7e-8d82-23b5bf80efe5"
                        "href": ""
                "result": {
                    "status": "SUCCESS",
                    "description": "Checked Password 2c820676-3f02-49fe-b3c6-0fd854e53d4e"