Activity Log
In Tenable Vulnerability Management, all user events for your organization are recorded in the activity log. This log provides a comprehensive list of events, including when each activity occurred, the action taken, the actor, and other relevant details. To programmatically retrieve these events, use the View activity log endpoint. For more information, see Activity Logs in the Tenable Vulnerability Management User Guide.
Note
Tenable retains activity log data for three years, after which it is permanently deleted from the database.
Example Activity Log
The following is an example of an activity log event entry. Each entry includes the action that triggered the event, the actor, and relevant metadata. The description property specifies the API endpoint that initiated the event.
{
"id": "fcce3e2fbbe04019a07da098b13e1ad5",
"action": "audit.log.view",
"crud": "r",
"actor": {
"id": "e63d99b9-e5ae-459e-a8e1-3971bb5e8e40",
"name": "[email protected]"
},
"target": {
"id": null,
"name": null,
"type": null
},
"description": "GET /audit-log/v1/events",
"is_anonymous": null,
"is_failure": null,
"fields": null,
"received": "2025-07-09T16:43:46.904Z"
}
How Actions Are Generated
Understanding how activity log event actions are constructed can help you interpret log entries more effectively. Actions are typically generated based on the API endpoint called and the HTTP method used. For example, if you send a POST request to the /scans endpoint to create a new scan, the activity log records the action as scans.create.
In general, the action follows the format {resource}.{operation}, where the operation corresponds to the HTTP method:
POST→createPUT→updateDELETE→delete
Common Event Actions and Descriptions
The following tables highlight common activity log events, along with descriptions to help you understand what each event represents.
User and Session Events
Activity log events related to user administration and authentication:
| Event Action | Description |
|---|---|
| audit.log.view | A user requested and viewed the audit log. |
| user.create | An administrator created a new user account. |
| user.update | A user or administrator updated the user account. |
| users.delete | An administrator deleted the user account. |
| user.authenticate.mfa | The user successfully completed multi-factor authentication. |
| user.authenticate.password | The user authenticated using a password. |
| user.logout | The user logged out of the system. |
| session.create | A new session was created, either by user login or API key authentication. |
| session.delete | The session ended, either due to expiration or user logout. |
| session.impersonation.start | An administrator began a session impersonating another user. |
| session.impersonation.end | An administrator ended an impersonation session. |
| user.impersonation.start | An administrator began impersonating another user. |
| user.impersonation.end | An administrator stopped impersonating another user. |
Export Events
Activity log events related to data export actions:
| Event Action | Description |
|---|---|
| api-exports.vulns-host.create | A user initiated a vulnerabilities export using the Export vulnerabilities endpoint. |
| api-exports.vulns-host.cancel | A user canceled a vulnerabilities export using the Cancel vuln export endpoint. |
| api-exports.assets.create | A user initiated an asset export using either the Export assets v1 or Export assets v2 endpoint. |
| api-exports.assets.cancel | A user canceled an asset export using the Cancel asset export endpoint. |
| api-exports.compliance.create | A user initiated a compliance export using the Export compliance data endpoint. |
| api-exports.compliance.cancel | A user canceled a compliance export using the Cancel compliance export endpoint. |
| api-exports.vulns-was.create | A user initiated a Web App Scanning findings export using the WAS Export findings endpoint. |
| api-exports.vulns-was.cancel | A user canceled a Web App Scanning findings export using the WAS Cancel findings export endpoint. |
Updated about 4 hours ago