Every row below carries a unique codestring, a severity (the value the security console uses for ranking), and a one-line description aimed at compliance and security teams. Use your browser's find shortcut (Cmd / Ctrl + F) to jump to any code, or follow the table-of-contents links on the right rail to walk a single domain end-to-end.
Account
Profile, preferences, personal-access tokens.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_PROFILE_UPDATE | User-editable profile fields changed (display name, time-zone, locale). | Info |
| ACCOUNT_AVATAR_UPDATE | User uploaded or removed their profile picture. | Info |
| ACCOUNT_PREFERENCES_UPDATE | Theme, notification, or accessibility preferences changed. | Info |
| ACCOUNT_NOTIF_PREFERENCE_UPDATE | Per-channel notification preference (email, in-app) toggled. | Info |
| ACCOUNT_PAT_CREATED | A personal-access token was issued. | Notice |
| ACCOUNT_PAT_REVOKED | A personal-access token was revoked. | Notice |
| ACCOUNT_LOGIN_ALERT_PREF_UPDATE | Sign-in alert preferences changed. | Notice |
| ACCOUNT_NOTIF_INBOX_READ | Daily aggregate of inbox-read activity (not per-row). | Info |
| ACCOUNT_NOTIF_INBOX_MARKED_READ | Bulk mark-as-read action against the inbox. | Info |
| ACCOUNT_AUDIT_LOG_EXPORTED | A workspace administrator exported the audit log. | Warning |
| ACCOUNT_SECURITY_ALERT_ACKNOWLEDGED | A workspace administrator acknowledged a security alert. | Info |
Sessions
Per-session lifecycle + revocation.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_SESSION_REVOKED | An individual session was revoked. | Warning |
| ACCOUNT_SESSIONS_REVOKED_ALL | All sessions for the user were revoked. | Warning |
Multi-factor authentication
Authenticator app, hardware key, recovery codes.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_MFA_ENROLLED | User enrolled a multi-factor method (legacy code; new flows emit ACCOUNT_MFA_DEVICE_ENROLLED). | Notice |
| ACCOUNT_MFA_DEVICE_ENROLLED | A new authenticator app or hardware key was registered. | Notice |
| ACCOUNT_MFA_DEVICE_VERIFIED | An enrolled device successfully completed a challenge. | Info |
| ACCOUNT_MFA_DEVICE_RENAMED | User renamed an enrolled device. | Info |
| ACCOUNT_MFA_DEVICE_REVOKED | An enrolled device was revoked. | Warning |
| ACCOUNT_MFA_DEVICE_REVOKE_BLOCKED | A revoke attempt was blocked by the last-factor guard. | Warning |
| ACCOUNT_MFA_RECOVERY_CODES_GENERATED | A new batch of recovery codes was generated. | Notice |
| ACCOUNT_MFA_RECOVERY_CODE_USED | A recovery code was redeemed for sign-in. | Warning |
| ACCOUNT_MFA_DISABLED | All MFA was disabled on the account. | Critical |
| ACCOUNT_MFA_DISABLE_BLOCKED | Disabling MFA was blocked by tenant policy. | Warning |
| ACCOUNT_MFA_LEGACY_MIGRATED | A legacy single-device enrollment was promoted to the multi-device model. | Notice |
| TENANT_MFA_POLICY_UPDATED | Workspace MFA policy was updated by an administrator. | Notice |
| TENANT_MFA_REQUIREMENT_ENFORCED | MFA-required signal applied during sign-in. | Notice |
| TENANT_MFA_GRACE_GRANTED | A grace period was granted to enroll MFA. | Notice |
| TENANT_MFA_GRACE_EXPIRED | An MFA grace period elapsed without enrollment. | Warning |
| TENANT_MFA_ACCEPTED_FACTORS_UPDATED | The list of acceptable MFA factors was changed (e.g. phishing-resistant-only). | Notice |
WebAuthn / Passkeys
Phishing-resistant credentials.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_WEBAUTHN_CREDENTIAL_ENROLLED | A passkey or hardware credential was registered. | Notice |
| ACCOUNT_WEBAUTHN_CREDENTIAL_VERIFIED | A passkey successfully completed an assertion. | Info |
| ACCOUNT_WEBAUTHN_CREDENTIAL_RENAMED | A passkey was renamed. | Info |
| ACCOUNT_WEBAUTHN_CREDENTIAL_REVOKED | A passkey was revoked. | Warning |
| ACCOUNT_WEBAUTHN_CREDENTIAL_REVOKE_BLOCKED | A revoke was blocked by the last-factor guard. | Warning |
| ACCOUNT_WEBAUTHN_SIGNIN_SUCCESS | Passkey sign-in succeeded. | Info |
| ACCOUNT_WEBAUTHN_SIGNIN_FAILED | Passkey sign-in failed verification. | Warning |
| ACCOUNT_WEBAUTHN_COUNTER_REGRESSION | A passkey returned a sign counter that went backward — possible cloning. | Critical |
| ACCOUNT_WEBAUTHN_ENROLL_BLOCKED_BY_POLICY | Passkey enrollment was blocked by the workspace attestation policy. | Warning |
Step-up authentication
Fresh-MFA challenges for high-impact actions.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_STEPUP_CHALLENGE_REQUESTED | A high-impact action requested a fresh-MFA proof. | Info |
| ACCOUNT_STEPUP_VERIFIED | Step-up challenge succeeded. | Info |
| ACCOUNT_STEPUP_FAILED | Step-up challenge failed. | Warning |
| ACCOUNT_STEPUP_REUSED | A step-up token was redeemed twice — possible replay attempt. | Critical |
| ACCOUNT_STEPUP_BLOCKED | A step-up attempt was blocked by tenant policy. | Warning |
SAML single sign-on
Identity-provider configuration + sign-in flow.
| Code | Description | Severity |
|---|---|---|
| TENANT_SAML_PROVIDER_CREATED | An identity provider was added. | Notice |
| TENANT_SAML_PROVIDER_UPDATED | An identity provider's configuration was changed. | Notice |
| TENANT_SAML_PROVIDER_ENABLED | An identity provider went live for sign-in. | Notice |
| TENANT_SAML_PROVIDER_DISABLED | An identity provider was paused. | Notice |
| TENANT_SAML_PROVIDER_DELETED | An identity provider was deleted. | Warning |
| ACCOUNT_SAML_SIGNIN_SUCCESS | A SAML sign-in succeeded. | Info |
| ACCOUNT_SAML_SIGNIN_FAILED | A SAML sign-in attempt was rejected. | Warning |
| ACCOUNT_SAML_JIT_PROVISIONED | A new user was just-in-time provisioned on first SAML sign-in. | Notice |
SCIM provisioning
Automated user lifecycle from your directory.
| Code | Description | Severity |
|---|---|---|
| TENANT_SCIM_TOKEN_CREATED | A SCIM bearer token was issued. | Notice |
| TENANT_SCIM_TOKEN_REVOKED | A SCIM bearer token was revoked. | Notice |
| ACCOUNT_SCIM_USER_CREATED | A user was provisioned via SCIM. | Info |
| ACCOUNT_SCIM_USER_UPDATED | A user was updated via SCIM. | Info |
| ACCOUNT_SCIM_USER_DEACTIVATED | A user was deactivated via SCIM. | Warning |
| ACCOUNT_SCIM_USER_REACTIVATED | A user was reactivated via SCIM. | Notice |
Network policy
IP allowlist / blocklist enforcement.
| Code | Description | Severity |
|---|---|---|
| TENANT_NETWORK_POLICY_UPDATED | The workspace network policy (allowlist/blocklist) was changed. | Notice |
| TENANT_NETWORK_RULE_ADDED | A network rule was added. | Notice |
| TENANT_NETWORK_RULE_REMOVED | A network rule was removed. | Notice |
| ACCOUNT_NETWORK_POLICY_BLOCKED | A request was blocked by the workspace network policy. | Warning |
| ACCOUNT_NETWORK_POLICY_ADMIN_BYPASS | An administrator bypassed the network policy for a one-time action. | Warning |
Attestation policy
WebAuthn authenticator restrictions.
| Code | Description | Severity |
|---|---|---|
| TENANT_ATTESTATION_POLICY_UPDATED | The workspace's WebAuthn attestation allowlist was changed. | Notice |
Event webhooks
Outbound HMAC-signed event delivery.
| Code | Description | Severity |
|---|---|---|
| TENANT_WEBHOOK_CREATED | A webhook subscription was created. | Notice |
| TENANT_WEBHOOK_UPDATED | A webhook subscription was updated. | Notice |
| TENANT_WEBHOOK_DISABLED | A webhook subscription was disabled. | Notice |
| TENANT_WEBHOOK_DELETED | A webhook subscription was deleted. | Notice |
| TENANT_WEBHOOK_CIRCUIT_TRIPPED | A webhook circuit breaker tripped after repeated failures. | Warning |
| TENANT_WEBHOOK_TEST_SENT | A test event was delivered to a webhook endpoint. | Info |
Audit-log retention
Per-category retention windows + prune cron.
| Code | Description | Severity |
|---|---|---|
| TENANT_AUDIT_RETENTION_POLICY_UPDATED | Per-category retention windows were changed. | Notice |
| AUDIT_PRUNE_RUN_COMPLETED | Daily retention prune cron completed; the metadata carries which categories pruned and how many rows fell out. | Info |
| AUDIT_PRUNE_RUN_FAILED | Daily retention prune cron failed. | Warning |
Data erasure
Right-to-erasure workflow + holds.
| Code | Description | Severity |
|---|---|---|
| ACCOUNT_DATA_EXPORT_REQUEST | The user requested a copy of their data. | Notice |
| ACCOUNT_DATA_EXPORT_READY | A data export is ready to download. | Info |
| ACCOUNT_DATA_EXPORT_DOWNLOADED | A prepared data export was downloaded. | Info |
| ACCOUNT_DELETION_REQUEST | The user requested account erasure. | Notice |
| ACCOUNT_DELETION_APPROVED | An administrator approved the erasure request. | Notice |
| ACCOUNT_DELETION_REJECTED | An administrator rejected the erasure request. | Warning |
| ACCOUNT_DELETION_CANCELLED | An erasure request was cancelled before completion. | Info |
| ACCOUNT_DELETION_COMPLETED | An erasure was fully completed. | Warning |
| ACCOUNT_DELETION_BLOCKED_BY_HOLDS | Erasure could not complete because a module reported a regulatory retention hold. | Warning |
| ACCOUNT_DELETION_HOLDS_OVERRIDDEN | An administrator overrode retention holds to force completion (10-year retention on this row per SOX § 802). | Critical |
| ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED | Completion was blocked because the completer is the same administrator who approved. | Warning |
| ACCOUNT_DELETION_COOLOFF_BLOCKED | Completion was blocked because the cooling-off window had not yet elapsed. | Warning |
Print this page for audit evidence.
Use your browser's print dialog (Cmd / Ctrl + P) — the site strips chrome on print so you get a clean, paginated table ready to attach to an audit work-paper. Every row prints with its anchor URL so the auditor can link back to the live source.