Account Management audit log examples

  • Explanation
  • 5-min read
  • Published Nov 11, 2025

This page provides JSON examples of different types of audit events. Administrators can view these audit logs as described in Account Management audit logs.

The contents of the JSON schema may be extended in the future to accommodate additional information, but nothing will be removed.

Group permission changes



{
    "event.provider": "IAM",
    "event.type": "UPDATE_ROLES",/ UPDATE_POLICIES / UPDATE


    "resource.type": "GROUP",
    "resource.id": "<group-id>",


    "account.uuid": "<account-uuid>",


    "event.source": "UI",
    // other common fields
    "event.id": "2f02f2fc-3c37-4bd0-9e3e-2ea9df9c6e37",
    "event.version": "1.0.0",
    "event.kind": "AUDIT_EVENT",
    "dt.security_context": "AUDIT_EVENT",
    "timestamp": 1674149215539703700,
    "event.outcome": "success",
    "user.id": "ff5dbf61-fa17-4394-848b-f9c45a45268d", // this is the user that performed the action (in that case its same "resource")
    "user.organization": "CUSTOMER",
    "origin.type": "REST",
    "origin.address": "10.11.12.13",
    "origin.x_forwarded_for": "1.2.3.4",
    "origin.session": "node0hfznc",
    "authentication.type": "OAUTH2",
    "authentication.grant.type": "AUTHORIZATION_CODE",
    "authentication.client.id": "clientId",


    "details.json_before": "<plain JSON>",
    "details.json_after": "<plain JSON>",
    "details.json_patch": "<JSON Diff>"


    "details.link-to-resource": "link to the group"
    "details.resource.name"
}
group-roles:
{
    "roles": [
        {my-role1, environment: environment1}
    ]
}
group-policies:
{
    "policy-bindings": [
        {policy1,level1,parameters1,boundary1},
        {policy2,level2,parameters2,boundary2},
    ]
}

User to group membership changes



{
    "event.provider": "IAM",
    "event.type": "UPDATE_MEMBERS"


    "resource.type": "GROUP",
    "resource.id": "<group-id>",


    "account.uuid": "<account-uuid>",


    "event.source": "UI",
    // other common fields
    "event.id": "2f02f2fc-3c37-4bd0-9e3e-2ea9df9c6e37",
    "event.version": "1.0.0",
    "event.kind": "AUDIT_EVENT",
    "dt.security_context": "AUDIT_EVENT",
    "timestamp": 1674149215539703700,
    "event.outcome": "success",
    "user.id": "ff5dbf61-fa17-4394-848b-f9c45a45268d", // this is the user that performed the action (in that case its same "resource")
    "user.organization": "CUSTOMER",
    "origin.type": "REST",
    "origin.address": "10.11.12.13",
    "origin.x_forwarded_for": "1.2.3.4",
    "origin.session": "node0hfznc",
    "authentication.type": "OAUTH2",
    "authentication.grant.type": "AUTHORIZATION_CODE",
    "authentication.client.id": "clientId",


    "details.json_before": "<plain JSON>",
    "details.json_after": "<plain JSON>",
    "details.json_patch": "<JSON Diff>"


    "details.user-added": [{"<uuid-of-user added>"}]
    "details.user-removed": [{"<uuid-of-user added>"}]


    "details.link-to-resource": "link to the group"
    "details.resource.name"
}
group-users:
{
    "user-ids": [
        user1,
        user2,
        user3,
        ...
        user4
    ]
}

Changes to custom policies



{
    "event.provider": "IAM",
    "event.type": "UPDATE" / "CREATE" / "DELETE"


    "resource.type": "POLICY",
    "resource.id": "<policy-id>",


    "account.uuid": "<account-uuid>",


    "event.source": "UI",
    // other common fields
    "event.id": "2f02f2fc-3c37-4bd0-9e3e-2ea9df9c6e37",
    "event.version": "1.0.0",
    "event.kind": "AUDIT_EVENT",
    "dt.security_context": "AUDIT_EVENT",
    "timestamp": 1674149215539703700,
    "event.outcome": "success",
    "user.id": "ff5dbf61-fa17-4394-848b-f9c45a45268d", // this is the user that performed the action (in that case its same "resource")
    "user.organization": "CUSTOMER",
    "origin.type": "REST",
    "origin.address": "10.11.12.13",
    "origin.x_forwarded_for": "1.2.3.4",
    "origin.session": "node0hfznc",
    "authentication.type": "OAUTH2",
    "authentication.grant.type": "AUTHORIZATION_CODE",
    "authentication.client.id": "clientId",


    "details.json_before": "<plain JSON>",
    "details.json_after": "<plain JSON>",
    "details.json_patch": "<JSON Diff>"


    "details.link-to-resource": "link to the policy"
    "details.resource.name"
}
policy:
{
    ...
}

Changes to boundaries



{
    "event.provider": "IAM",
    "event.type": "UPDATE" / "CREATE" / "DELETE"


    "resource.type": "BOUNDARY",
    "resource.id": "<boundary-id>",


    "account.uuid": "<account-uuid>",


    "event.source": "UI",
    // other common fields
    "event.id": "2f02f2fc-3c37-4bd0-9e3e-2ea9df9c6e37",
    "event.version": "1.0.0",
    "event.kind": "AUDIT_EVENT",
    "dt.security_context": "AUDIT_EVENT",
    "timestamp": 1674149215539703700,
    "event.outcome": "success",
    "user.id": "ff5dbf61-fa17-4394-848b-f9c45a45268d", /system // this is the user that performed the action (in that case its same "resource")
    "user.organization": "CUSTOMER", / DYNATRACE /SYSTEM
    "origin.type": "REST",
    "origin.address": "10.11.12.13",
    "origin.x_forwarded_for": "1.2.3.4",
    "origin.session": "node0hfznc",
    "authentication.type": "OAUTH2",
    "authentication.grant.type": "AUTHORIZATION_CODE",
    "authentication.client.id": "clientId",


    "details.json_before": "<plain JSON>",
    "details.json_after": "<plain JSON>",
    "details.json_patch": "<JSON Diff>"


    "details.link-to-resource": "link to the boundary"
    "details.resource.name"
}
policy:
{
    ...
}
Related tags
Dynatrace Platform