AccessManagement

authz

---

AccountOwnershipAssigned

${userEmail} assigned account ownership to ${targetUser}.

	Severity	Status	Audit Event
Info	Success	Yes

AccountOwnershipRevoked

${userEmail} revoked account ownership from ${targetUser}.

	Severity	Status	Audit Event
Info	Success	Yes

AdminRequestedPasswordChange

${userName} initiated a mandatory password reset for ${userNames}.

	Severity	Status	Audit Event
Info	Success	Yes

AllRolesDeassignedFromUser

${userName} removed all role assignments from the user ${targetUser}.

	Severity	Status	Audit Event
Info	Success	Yes

AllRolesDeassignedFromUserGroup

${userEmail} revoked all roles from user group ${groupName}.

	Severity	Status	Audit Event
Info	Success	Yes

AuthorizedUserGroupsToOrg

${userEmail} authorized user groups in organization ${orgName}: ${userGroupNames}.

	Severity	Status	Audit Event
Info	Success	Yes

HideUser

${userName} updated the hidden status to ${hiddenStatus} for ${targetUserName}.

	Severity	Status	Audit Event
Info	Success	Yes

OrgCreated

${userEmail} created organization ${orgName}.

	Severity	Status	Audit Event
Info	Success	Yes

OrgCreationFailed

${userEmail} failed to create organization ${orgName}, Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

OrgDeleted

${userEmail} deleted organization ${orgName}.

	Severity	Status	Audit Event
Info	Success	Yes

OrgDeletionFailed

${userEmail} failed to delete organization ${orgName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

OrgInviteEmailsFailedToSend

Unable to send user invite emails for organization ${orgName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

OrgUpdated

${userEmail} modified organization ${orgName}.

	Severity	Status	Audit Event
Info	Success	Yes

OrgUpdateFailed

${userEmail} modified organization ${orgName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

PasswordComplexityPolicyUpdated

${userName} updated the password policy (${changedPolicies}) for the ${orgName} organization.

	Severity	Status	Audit Event
Info	Success	Yes

PasswordComplexityPolicyUpdateFailed

${userName} failed to update the password policy for the ${orgName} organization.

	Severity	Status	Audit Event
Warning	Failure	Yes

RoleAssignedToUser

${userEmail} updated the assigned roles for ${principalType} ${principal} from ${previousRoles} to ${currentRoles}

	Severity	Status	Audit Event
Info	Success	Yes

RoleAssignedToUserGroup

${userEmail} updated the assigned roles for SSO group ${principal} from ${previousRoles} to ${currentRoles}

	Severity	Status	Audit Event
Info	Success	Yes

RoleAssignmentToUserFailed

${userEmail} failed to change role of ${targetUser} to ${role}. Reason: ${reason}

	Severity	Status	Audit Event
Info	Success	Yes

RoleAssignmentToUserGroupFailed

${userEmail} failed to change role of user group ${groupName} to ${role}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

RoleCreated

${userEmail} created role ${role}.

	Severity	Status	Audit Event
Info	Success	Yes

RoleCreationFailed

${userEmail} failed to create role ${role}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

RoleDeassignedFromUser

${userEmail} revoked role ${role} from user ${targetUser}.

	Severity	Status	Audit Event
Info	Success	Yes

RoleDeassignedFromUserGroup

${userEmail} revoked role ${role} from user group ${groupName}.

	Severity	Status	Audit Event
Info	Success	Yes

RoleDeleted

${userEmail} deleted sync ${syncStatus} role ${role}

	Severity	Status	Audit Event
Info	Success	Yes

RoleDeletionFailed

${userEmail} failed to delete role ${role}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

RoleSyncUpdated

${userEmail} modified role ${origRole}${role} and  ${updatedSyncStatus} syncing for the role to CDM clusters.

	Severity	Status	Audit Event
Info	Success	Yes

RoleUpdated

${userEmail} modified role ${origRole}${role}.

	Severity	Status	Audit Event
Info	Success	Yes

RoleUpdateFailed

${userEmail} failed to modify role ${role}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

ServiceAccountCreated

${actorSubjectName} created service account ${targetSubjectName}.

	Severity	Status	Audit Event
Info	Success	Yes

ServiceAccountCreationFailed

${actorSubjectName} failed to create service account ${targetSubjectName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

ServiceAccountDeleted

${actorSubjectName} deleted service account ${targetSubjectName}.

	Severity	Status	Audit Event
Info	Success	Yes

ServiceAccountDeletionFailed

${actorSubjectName} failed to delete service account ${targetSubjectName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

ServiceAccountDeletionPreparationFailed

${actorSubjectName} tried to start a delete request on ${count} service accounts. The preparation for the deletion failed. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

ServiceAccountSecretRotated

${actorSubjectName} rotated the secret of the service account ${targetSubjectName}.

	Severity	Status	Audit Event
Info	Success	Yes

ServiceAccountSecretRotationFailed

${actorSubjectName} failed to rotate the secret of the service account ${targetSubjectName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

ServiceAccountUpdated

${actorSubjectName} udpated service account ${targetSubjectName}.

	Severity	Status	Audit Event
Info	Success	Yes

ServiceAccountUpdateFailed

${actorSubjectName} failed to update service account ${targetSubjectName}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

SSOUserCreated

${userName} created SSO user, ${targetUserName}.

	Severity	Status	Audit Event
Info	Success	Yes

SSOUserCreationFailed

${userName} failed to create SSO user, ${targetUserName}.

	Severity	Status	Audit Event
Warning	Failure	Yes

SyncedRoleCreated

${userEmail} created role ${role} and enabled syncing for the role to CDM clusters.

	Severity	Status	Audit Event
Info	Success	Yes

UpdatedUserGroupsInOrg

${userEmail} updated user groups in organization ${orgName}: ${userGroupNames}.

	Severity	Status	Audit Event
Info	Success	Yes

UserChangedOtherUserPassword

${userName} changed the password for user ${targetUser}.

	Severity	Status	Audit Event
Info	Success	Yes

UserChangeOtherUserPasswordFailed

${userName} failed to change the password for user ${targetUser}.

	Severity	Status	Audit Event
Warning	Failure	Yes

UserCreated

User ${userEmail} was created.

	Severity	Status	Audit Event
Info	Success	Yes

UserCreationFailed

User ${userEmail} failed to create.

	Severity	Status	Audit Event
Warning	Failure	Yes

UserDeleted

${actorUserEmail} deleted user ${targetUserEmail}.

	Severity	Status	Audit Event
Info	Success	Yes

UserDeletionFailed

${actorUserEmail} failed to delete user ${targetUserEmail}. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

UserDeletionPreparationFailed

${actorUserEmail} tried to start a delete request on ${count} users. The preparation for the deletion failed. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

UserGroupDeleted

${actorUserName} deleted role group mapping ${groupName}.

	Severity	Status	Audit Event
Info	Success	Yes

UserGroupDeletionFailed

${actorUserName} was unable to delete role group mapping ${groupName}.

	Severity	Status	Audit Event
Warning	Failure	Yes

UserInvited

${actorUserEmail} invited user ${targetUserEmail}.

	Severity	Status	Audit Event
Info	Success	Yes

classification_settings

---

DisabledClassificationBanner

${actorUserEmail} disabled the classification banners successfully.

	Severity	Status	Audit Event
Info	Success	Yes

DisabledLoginBanner

${actorUserEmail} disabled the login classification modal successfully.

	Severity	Status	Audit Event
Info	Success	Yes

EnabledClassificationBanner

${actorUserEmail} enabled the classification banners successfully.

	Severity	Status	Audit Event
Info	Success	Yes

EnabledLoginBanner

${actorUserEmail} enabled the login classification modal successfully.

	Severity	Status	Audit Event
Info	Success	Yes

UpdateClassificationBanner

${actorUserEmail} updated the classification banners successfully.

	Severity	Status	Audit Event
Info	Success	Yes

UpdateLoginBanner

${actorUserEmail} updated the login classification modal successfully.

	Severity	Status	Audit Event
Info	Success	Yes

federated_access

---

SetCDMInventoryDisabledSucceeded

${actorUserEmail} disabled the Display Rubrik CDM inventory in Polaris successfully.

	Severity	Status	Audit Event
Info	Success	Yes

SetCDMInventoryEnabledFailed

${actorUserEmail} failed to change the Display Rubrik CDM inventory in Polaris. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

SetCDMInventoryEnabledSucceeded

${actorUserEmail} enabled the Display Rubrik CDM inventory in Polaris successfully.

	Severity	Status	Audit Event
Info	Success	Yes

SetFederatedAccessDisabledSucceeded

${actorUserEmail} disabled the Rubrik CDM federated access successfully.

	Severity	Status	Audit Event
Info	Success	Yes

SetFederatedAccessEnabledFailed

${actorUserEmail} failed to change the Rubrik CDM federated access. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

SetFederatedAccessEnabledSucceeded

${actorUserEmail} enabled the Rubrik CDM federated access successfully.

	Severity	Status	Audit Event
Info	Success	Yes

mfa

---

MaxPasskeysChanged

${username} has changed the maximum allowed passkeys from ${prevValue} to ${newValue}.

	Severity	Status	Audit Event
Info	Success	Yes

MfaRememberDisable

${username} disabled Rubrik Two-Step Verification to remember device.

	Severity	Status	Audit Event
Info	Success	Yes

MfaRememberHoursUpdate

${username} updated Rubrik Two-Step Verification to remember device from ${initialHours} to ${hours} hours.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeyAdded

${username} has added ${type} passkey ${passkeyName} for MFA.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeyDeleted

${username} has deleted ${type} passkey ${passkeyName} for MFA.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeysAllowed

${username} has enabled passkeys for the account.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeysDisallowed

${username} has disabled passkeys for the account.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeyTypeAllowed

${username} has enabled ${passkeyType} passkeys for the account.

	Severity	Status	Audit Event
Info	Success	Yes

PasskeyTypeDisallowed

${username} has disabled ${passkeyType} passkeys for the account.

	Severity	Status	Audit Event
Info	Success	Yes

PasswordlessLoginDisabled

${username} has disabled passwordless login for the account.

	Severity	Status	Audit Event
Info	Success	Yes

PasswordlessLoginEnabled

${username} has enabled passwordless login for the account.

	Severity	Status	Audit Event
Info	Success	Yes

TotpGlobalEnforce

${username} set Rubrik Two-Step Verification enforced globally.

	Severity	Status	Audit Event
Info	Success	Yes

TotpGlobalUnenforce

${username} set Rubrik Two-Step Verification not enforced globally.

	Severity	Status	Audit Event
Warning	Success	Yes

TotpLdapEnforce

${username} set Rubrik Two-Step Verification enforced on LDAP domain ${ldapName}.

	Severity	Status	Audit Event
Info	Success	Yes

TotpLdapUnenforce

${username} set Rubrik Two-Step Verification not enforced on LDAP domain ${ldapName}.

	Severity	Status	Audit Event
Warning	Success	Yes

TotpReconfigure

${username} reconfigured Rubrik Two-Step Verification.

	Severity	Status	Audit Event
Info	Success	Yes

TotpReminderDisable

${username} disabled Rubrik Two-Step Verification reminder.

	Severity	Status	Audit Event
Warning	Success	Yes

TotpReminderHoursUpdate

${username} updated the Rubrik Two-Step Verification reminder frequency from every ${initialHours} hours to once every ${hours} hours.

	Severity	Status	Audit Event
Info	Success	Yes

TotpReset

${username} disabled Rubrik Two-Step Verification for  ${targetUsername}.

	Severity	Status	Audit Event
Warning	Success	Yes

TotpSetup

${username} enabled Rubrik Two-Step Verification.

	Severity	Status	Audit Event
Info	Success	Yes

TotpUserLevelEnforce

${username} set Rubrik Two-Step Verification enforced for ${targetUsername}.

	Severity	Status	Audit Event
Info	Success	Yes

TotpUserLevelUnenforce

${username} set Rubrik Two-Step Verification not enforced for ${targetUsername}.

	Severity	Status	Audit Event
Warning	Success	Yes

moat

---

AddIPWhitelistEntries

${actorUserEmail} added new addresses, (${newIpCidrs}), to IP allowlist.

	Severity	Status	Audit Event
Info	Success	Yes

DeleteIPWhitelistEntries

${actorUserEmail} deleted addresses, (${deletedIpCidrs}), from IP allowlist.

	Severity	Status	Audit Event
Critical	Success	Yes

FailedAPICallDueToIPViolation

${api_name} failed to execute as it was accessed from an  unauthorized IP address ${ip_address} for the ${user_domain} ${username}

	Severity	Status	Audit Event
Warning	Failure	Yes

SetIPWhitelistSetting

${actorUserEmail} updated IP allowlist settings to (enabled: ${newEnabled}, mode: ${newMode}).

	Severity	Status	Audit Event
Critical	Success	Yes

SetWhitelistDisabledSucceeded

${actorUserEmail} disabled the IP whitelist successfully.

	Severity	Status	Audit Event
Info	Success	Yes

SetWhitelistEnabledFailed

${actorUserEmail} failed to change the IP whitelist enforcement. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

SetWhitelistEnabledSucceeded

${actorUserEmail} enabled the IP whitelist successfully.

	Severity	Status	Audit Event
Info	Success	Yes

UpdateIPWhitelistEntry

${actorUserEmail} updated an entry in the IP allowlist from (ip: ${oldIpCidr}, description: ${oldDescription}) to (ip: ${newIpCidr}, description: ${newDescription}).

	Severity	Status	Audit Event
Info	Success	Yes

UpdateWhitelistFailed

${actorUserEmail} failed to update IP whitelist. Reason: ${reason}

	Severity	Status	Audit Event
Warning	Failure	Yes

UpdateWhitelistSucceeded

${actorUserEmail} updated IP whitelist successfully.

	Severity	Status	Audit Event
Info	Success	Yes

userlockout

---

AutoUnlocked

User account for ${username} has been auto-unlocked.

	Severity	Status	Audit Event
Info	Success	Yes

LockedByAdmin

${username} has been locked by administrator ${admin}.

	Severity	Status	Audit Event
Info	Success	Yes

LockedByBruteForce

The user account for ${username} has been locked due to multiple  failed login attempts.

	Severity	Status	Audit Event
Warning	Success	Yes

LockedDueToInactivity

${username} has been locked due to inactivity.

	Severity	Status	Audit Event
Info	Success	Yes

LockedDueToLeakedPassword

User ${email}'s account was locked because the account is at risk of being compromised.  The account credentials were found to have been compromised in another vendors security breach.

	Severity	Status	Audit Event
Warning	Success	Yes

LockoutConfigChanged

${admin} updated the account lockout configuration, (${changedConfigs}), for the ${orgName} organization.

	Severity	Status	Audit Event
Info	Success	Yes

UnlockedByAdmin

${username} has been unlocked by administrator ${admin}.

	Severity	Status	Audit Event
Info	Success	Yes

UnlockedBySupport

${username} has been unlocked by Rubrik Support.

	Severity	Status	Audit Event
Info	Success	Yes