This endpoint will return a list ofAuditLogEvent objects, sorted by creation time in ascending order. Note that the Audit Log API captures events from October 8th, 2021 and later. Queries for events before this date will not return results.

There are a number of query parameters (below) that can be used to filter the set ofAuditLogEvent objects that are returned in the response. Any combination of query parameters is valid. When no filters are provided, all of the events that have been captured in your domain will match.

The list of events will always bepaginated. The default limit is 1000 events. The next set of events can be retrieved using theoffset from the previous response. If there are no events that match the provided filters in your domain, the endpoint will returnnull for thenext_page field. Querying again with the same filters may return new events if they were captured after the last request. Once a response includes anext_page with anoffset, subsequent requests can be made with the latestoffset to poll for new events that match the provided filters.

Note: If the filters you provided match events in your domain andnext_page is present in the response, we will continue to sendnext_page on subsequent requests even when there are no more events that match the filters. This was put in place so that you can implement an audit log stream that will return future events that match these filters. If you are not interested in future events that match the filters you have defined, you can rely on checking emptydata response for the end of current events that match your filters.

When nooffset is provided, the response will begin with the oldest events that match the provided filters. It is important to note thatAuditLogEvent objects will be permanently deleted from our systems after 90 days. If you wish to keep a permanent record of these events, we recommend using a SIEM tool to ingest and store these logs.