Audit Service

The audit service provides organizations with a way to keep track of what actions have occurred within the Unit21 platform.

Currently the actions available for audit are:

  • agent.login - when an agent logs in
  • team.create - when a team is created

Unit21 will be adding additional actions in the future.

The audit service is only available as a S3 bucket replication and therefore requires organization to have AWS and a S3 bucket created for this purpose. Please see additional requirements below.

Examples of audited actions:

  "actor": "146",
  "action": "agent.login",
  "asset": "146",
  "org_id": "11",
  "ip": "",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "agent",
    "action_details": []
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
  "actor": "146",
  "action": "team.create",
  "asset": "2",
  "org_id": "11",
  "ip": "",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "team",
    "action_details": [
      { "detail_id": "146", "detail_type": "agent" },
      { "detail_id": "134", "detail_type": "agent" }
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"

Field descriptions for the actions:




The id of who performed/initiated the action (an agent for Unit21) — set to system possibly if it’s something like bulk actions happening on a cron


This is what was done, we should codify this to match our APIs.


What was acted against


All actions take context within an organization, this is the organization id where the action took place


If we have it, the ip address of the actor


Additional information about the action.

  • actor_type

The type of actor

  • asset_type

The type of the asset

  • action_details

Optional. If applicable, a list of what was impacted by the action

-- detail_type

The type of asset impacted by the action

-- detail_id

The id of the asset impacted by the action


The time the action took place


When the action was submitted to the service


Unit21 action id



Setup requirements:

  1. AWS is required.
  2. Create a new S3 bucket.
  3. Ask Unit21 for the policy.
  4. Add the policy to the bucket.
  5. Enable versioning.
  6. Watch our audit service replicate to your bucket.

Did this page help you?