Returns a list of events for all users in your organization's Tenable Vulnerability Management account.
You can see when each activity took place, the action, the actor, and other relevant information about the activity. You can specify various filters to limit the events that are returned, as well as the number of events. By default, a maximum of 50 events is returned.
Some common events include the following:
- audit.log.view—The system received and processed an audit-log request.
- session.create—The system created a session for the user. This event can be triggered by user login or authentication using an API key.
- session.delete—The session expired, or the user ended the session.
- session.impersonation.end—An administrator ended a session where they impersonated another user.
- session.impersonation.start—An administrator started a session where they impersonated another user.
- user.authenticate.mfa—The two-factor authentication challenge was successful, and login allowed.
- user.authenticate.password—The user authenticated a session start using a password.
- user.create—An administrator created a new user account.
- users.delete—An administrator deleted the user account.
- user.impersonation.end—An administrator stopped impersonating another user.
- user.impersonation.start—An administrator started impersonating another user.
- user.logout—The user logged out of the session.
- user.update—Either an administrator or the user updated the user account.
Note: Tenable retains activity log activity for 3 years, after which it is deleted from the Tenable database.
Note: If you configure SSO authentication, Tenable Vulnerability Management does not log user actions to the activity log. This information may be available from the identity services provider you use. For more information, see SSO Authentication.