Vault Audit Action Codes

The following tables list the action codes (audits) available to monitor the Vault and to highlight any operational failures.

The action codes are available in the User and Safe Activities report. For details, see Reports and Audits.

The report can also be exported using the ExportVaultData Utility.
The action codes can be integrated and sent to a SIEM solution using a Syslog protocol. For more information, see Security Information and Event Management (SIEM) Applications.

The Alert column in the tables indicates that an unauthorized operation was performed, such as performing a task without permission or authentication failure.
The Version column in the tables indicates the version when the action code was introduced. If the version is not listed, the code was introduced before v11.0.
A specific action may be represented by a single action code or, because of technical reasons that are transparent to the user, by multiple action codes.

Recommended Action Codes for Monitoring

The Vault has a large number of action codes that can be used to monitor different behaviors. For general monitoring, we recommend monitoring the action codes listed in the table below.

Code	Action
4	User Authentication
22	CPM Verify Password
24	CPM Change Password
31	CPM Reconcile Password
38	CPM Verify Password Failure
57	CPM Change Password Failure
60	CPM Reconcile Password Failure
130	CPM Disable Password
295	Retrieve Password
300	PSM Connect
302	PSM Disconnect
308	Use Password
319	Retrieve Password (from Provider)
344	Privileged Command Initiated
346	Privileged Command Completed
359	PSM SQL Command
360	PSM SQL Command Failure
361	PSM Keystrokes
362	PSM Keystrokes Failure
378	PSM Secure Connect Session Start
380	PSM Secure Connect Session End
411	PSM Window Title
412	PSM Windows Title Failure

All Action Codes

Codes 0 - 50

Code	Action	Info1	Info2	File Cat. for Syslog	Alert
0	Delete Directory Map (Unauthorized)	Username (map name)			ü
1	Delete Directory Map	Username (map name)
2	Add External User	Username
3	Get LDAP configuration data (Unauthorized)				ü
4	User Authentication Failure	Network area			ü
5	Unauthorized Station	Network area			ü
6	External Audit (Unauthorized Safe)				ü
7	Logon	Network area	Network area
8	Logoff	Network area
9	External Audit (Unauthorized User)				ü
10	Update user station (Unauthorized)	Username			ü
11, 12	Update Safe Share (Unauthorized)				ü
13, 14	Safe Access through Gateway (Unauthorized)				ü
15	Impersonation not by an agent				ü
16	Update Your Trusted Network Areas (Unauthorized)	Username			ü
17	Add Safe (Unauthorized)				ü
18	Non authorized impersonation	Username			ü
19	Full Gateway Connection	Username
20	Partial Gateway Connection	Username
21	Partial Gateway Connection (Incorrect Client Address)	Username			ü
22	CPM Verify Password	Filename	Additional Info	ü
23	Action On Closed Safe	Filename			ü
24	CPM Change Password	Filename	Additional Info	ü
25, 26	Open/Close Safe (Unauthorized)				ü
27	Open Safe (Unsecured Station)				ü
28, 29, 30	Add/Update Owner (Unauthorized)	Username			ü
31	CPM Reconcile Password	Filename	Additional Info	ü
32	Add Owner	Username
33	Update Owner	Username
34, 35	Rename Safe (Unauthorized)				ü
36	Confirm Open Safe	Username
37	Confirm Get File	Filename	Username	ü
38	CPM Verify Password Failure	Filename	Additional Info	ü	ü
39	Rename Safe
40, 41	List Files (Unauthorized)	Filename			ü
42, 43	Retrieve File (Unauthorized)	Filename		ü	ü
44, 45	Store File (Unauthorized)	Filename			ü
46, 47	Delete File (Unauthorized)	Filename			ü
48, 49	Add Note (Unauthorized)				ü
50	Store File	Filename

Codes 51 - 101

Code	Action	Info1	Info2	File Cat. for Syslog	Alert
51	Retrieve File succeeded	Filename		ü
52	Delete File	Filename
53, 54	Get Notes
55, 56	Find Files (Unauthorized)	Filename			ü
57	CPM Change Password Failure	Filename	Additional Info	ü	ü
58	Clear User History
59	Clear Safe History
60	CPM Reconcile Password Failure	Filename	Additional Info	ü	ü
61	Update Trusted Network Areas	Network area
62	Create File Version	Filename
63, 65	Rename User (Unauthorized)	Username	Username		ü
64, 66	Rename User	Username	Username
67	CPM Auto Detection Add Password	Filename	Additional Info	ü
68	Update Trusted User	Username
69	Add Location	Location
70	Add Location (Unauthorized)	Location			ü
71	Update Location	Location
72	Update Location (Unauthorized)	Location			ü
73	Delete Location	Location
74	Delete Location (Unauthorized)	Location			ü
75	Take Quota Ownership
76, 77	Take Quota Ownership (Unauthorized)				ü
78	Rename/Move Location (Unauthorized)	Location	Location		ü
79	Rename/Move Location	Location	Location
80	Add External Group	Username (group)
81	Update Address	Network area
82	Clear User History (Unauthorized)	Username			ü
83	Clear User History	Username
84	CPM Auto Detection Update Password	Filename	Additional Info	ü
85	Update Network Area (Unauthorized)	Network area			ü
86	Update Network Area	Network area
87	Update Address (Unauthorized)	Network area			ü
88	Set Password
89	Set Password (Incorrect Password)				ü
90	Rename Network Area (Unauthorized)	Network area			ü
91	Rename Network Area	Network area
92	Move Network Area (Unauthorized)	Network area			ü
93	Move Network Area	Network area
94	Backup Safe
95	Restore Safe
96, 97	Backup Safe (Unauthorized)				ü
98	Open File (Write Only)	Filename
99	Open File	Filename
100, 101	Open File (Unauthorized)	Filename			ü

Codes 102 - 150

Code	Action	Info1	Info2	File Cat. for Syslog	Alert
102	Logon Failed, User Time Limit Restriction	Network area			ü
103	Logon Failed, User Has Expired	Network area			ü
104	Logon Failed, User Is Disabled	Network area			ü
105	Add File Category	Filename	Category
106	Update File Category	Filename	Category
107	Delete File Category	Filename	Category
108	Open Safe Request
109	Get File Request	Filename		ü
110	Add Safe (More Secured Than Station)				ü
111	Delete Open Safe Request	Username
112	Delete Get File Request	Filename	Username
113	Cannot use station due to time limits	Network area			ü
114	Last Required Confirmation To Open Safe Given	Username
115	Last Required Confirmation To Get File Given	Filename	Username
116, 117	Confirmation Status Failure				ü
118	Reject Open Safe Request	Username
119	Reject Get File Request	Filename	Username	ü
120	Add automatic location	Location
122	Undelete File	Filename
123	Move File	Original file name and path	New file name and path
125	Rename File	Original file name and path	New file name
126	Unlock File	Filename
127	Hide Open Safe Request	Username
128	Hide Get File Request	Filename	Username
129	CPM Auto Detection Archive Password	Filename	Additional Info	ü
130	CPM Disable Password Failure	Filename	Additional Info	ü	ü
131	Update Safe (More Secured Than Station)				ü
132, 133	Add Safe Event (Unauthorized )				ü
134, 135	Get Safe Events List (Unauthorized )				ü
136	CPM Release Password	Filename	Additional Info	ü
137	CPM Release Password Failure	Filename	Additional Info	ü	ü
140	Rename Folder	Original folder name and path	New folder name and path
141	Move Folder	Original folder name and path	New folder path
142	Delete Safe Failure				ü
143	Store Picture	Username
144	Delete Picture	Username
145	Delete Safe (Has Locked Files)				ü
146, 147	Update Safe (Unauthorized)				ü
148	Delete Safe (Unauthorized )				ü
150	Restore Safe (Unauthorized )				ü

Codes 151 - 201

Code	Action	Info1	Alert
151	Add Folder
152, 153	Add Folder (Unauthorized)		ü
154, 155	Delete Folder (Unauthorized)		ü
156	Backup Safe (Unauthorized)	Network area	ü
157	Get License Information (Unauthorized)		ü
158, 159	Move/Rename Folder (Unauthorized)		ü
160, 161	Move File (Unauthorized)	Filename	ü
162, 163	Undelete File (Unauthorized)	Filename	ü
164, 165	Rename File (Unauthorized)	Filename	ü
166, 167	Unlock File (Unauthorized)	Filename	ü
168, 169	Clear Expired History (Unauthorized)		ü
170	Delete Safe (Has Unexpired Files)		ü
171	Update Picture (Unauthorized)	Username	ü
172	Update Your Picture (Unauthorized)	Username	ü
173	Add User (Unauthorized)		ü
174	Update User (Unauthorized)	Username	ü
175	Update Your User (Unauthorized)	Username	ü
176	Delete User (Unauthorized)	Username	ü
177	Delete Your User (Unauthorized)	Username	ü
178	Get User's Details (Unauthorized)	Username	ü
179	Get Your User's Details (Unauthorized)	Username	ü
180	Add User	Username
181	Update Safe
182	Update User	Username
183	Delete Safe
184	Delete User	Username
185	Add Safe
186	Get UserDetails By Identifier (Unauthorized User)		ü
187	Add Folder	Filename (folder)
188	Delete Folder	Filename (folder)
189	Delete Folder (Has Unexpired Files)	Filename (folder)	ü
190	Lock As Draft	Filename
191	Lock As Draft (Unauthorized)	Filename	ü
192	Unlock Draft	Filename
193	Unlock Draft (Unauthorized)	Filename	ü
194	Backup Safe
195	Object content validated	Filename
196, 197	Update Owners (Unauthorized)		ü
198	Delete Folder (Has Locked Files)	Filename (folder)	ü
199	Object content invalidated	Filename
200, 201	Monitoring old backup files

Codes 202 - 250

Code	Action	Info1	Alert
202, 203	Deleting old backup files
204	Retrieve File (Wrong Key)	Filename	ü
205	Store File (Wrong Key)	Filename	ü
206	External Object Operation (Unauthorized)	Username	ü
207, 208	Compress Safe (Unauthorized)		ü
209	Compress Safe
211	Update User Detailed Information	Additional Info
214	Add Directory Map LDAP Branch (Unauthorized)	Username (map name)	ü
215	Update Directory Map LDAP Branch (Unauthorized)	Username (map name)	ü
216	Delete Directory Map LDAP Branch (Unauthorized)	Username (map name)	ü
217	Add Directory Map LDAP Branch	Username (map name)
218	Update Directory Map LDAP Branch	Username (map name)
219	Delete Directory Map LDAP Branch	Username (map name)
220	Protect Local Folder
221	Ownership Expired		ü
222	List Directory Map LDAP Branches (Unauthorized)	Username (map name)	ü
223	Unprotect Local Folder
224	Load metadata to backup
225, 226	Copy File Between Safes (Unauthorized)		ü
227, 228	Move File Between Safes (Unauthorized)		ü
229	Object content status pending	Filename
236	Metadata backup file fetched
237, 238	Rules List (Unauthorized)		ü
239	Update Directory Map Detailed Information	Additional Info
240	Release Gw Locks
241	Prepare Backup Metadata
243	Update user safe options (Unauthorized)		ü
244	Update user safe options (Unauthorized)		ü
246	LDAP Synchronization start
247	LDAP Synchronization end
248, 249	Add Rule Failure	Filename	ü
250	Restore metadata (Unauthorized)	Network area	ü

Codes 251 - 300

Code	Action	Info1	Info2	File Cat. for Syslog	Alert
251	Restore metadata	Network area
252	Update Directory Map	Username (map name)
253	Update Directory Map (Unauthorized)	Username (map name)			ü
254	Add Directory Map	Username (map name)
255	Add Directory Map (Unauthorized)	Username (map name)			ü
256	Update External User	Username
257	Update External Group	Username (group)
259	Add/Update Group	Username (group)
260	Add/Update Group (Unauthorized)	Username (group)			ü
261	Add Group Member (Unauthorized)	Username (group)			ü
262	Delete Group Member (Unauthorized)	Username (group)			ü
263	Update Group (Unauthorized)	Username (group)			ü
264	Update Group	Username (group)
265	Add Group Member	Username (group)	Username
266	Remove Group Member	Username (group)	Username
269	Delete Group (Unauthorized)	Username (group)			ü
270	Delete Group	Username (group)
271	List Group Members (Unauthorized)	Username (group)			ü
272	Delete Folder (Folder not Empty)	Filename (folder)			ü
273	Remove Owner	Username
276	Delete External User	Username
277	Delete External Group	Username (group)
278	Add Rule	Filename	Username
279	Delete Rule	Filename	Username
280, 281	Delete Rule Failure	Filename			ü
282	Read email key
283	Delete email key
284	Unauthorized Firewall Network Areas refresh				ü
285	Firewall Network Areas refresh
286	Add Group Member - Sync From Ldap	Username (group)
287	Delete Group Member - Sync From Ldap	Username (group)
288	Auto Clear Users History start
289	Auto Clear Users History end
290	Auto Clear Safes History start
291	Auto Clear Safes History end
292	Auto Download Certificate Revocation List Data start
293	Auto Download Certificate Revocation List Data end
294	Store password	Filename		ü
295	Retrieve password	Filename		ü
296	Open Safe
297, 298	Rules List Failure	Filename			ü
300	PSM Connect	Filename	Additional Info	ü

Codes 301 - 350

Code	Action	Info1	Info2	Info3	File Cat. for Syslog	Alert
301	PSM Connect Failed	Filename	Additional Info		ü	ü
302	PSM Disconnect	Filename	Additional Info		ü
303	PSM Disconnect Failed	Filename	Additional Info		ü	ü
304	PSM Upload Recording	Filename	Additional Info		ü
305	Run Report
306, 307	Use Password (Unauthorized)	Filename			ü	ü
308	Use Password	Filename			ü
309	Undefined User Logon	Report Name				ü
310	Monitor DR Replication start
311	Monitor DR Replication end
312	Monitor Backup Replication start
313	Monitor Backup Replication end
314	Reset Password User (Unauthorized)	Username				ü
315	Reset Password Your User (Unauthorized)	Username				ü
316	Reset User Password Detailed Information	Username	Additional Info
317	Reset User Password	Username
318	Activate/Deactivate Trusted Network Areas	Username
319	Retrieve password (From Provider)	Filename			ü
320	Retrieve password (From Provider) Failure	Filename			ü	ü
321	Add Report Definition
322	Edit Report Definition
323	Delete Report Definition
324	Hide Report
325	Send Report
326	CPM Auto Detection Start Automatic Detection
327	CPM Auto Detection End Automatic Detection
328	CPM Auto Detection Add Usage	Filename	Additional Info		ü
329	CPM Auto Detection Update Usage	Filename	Additional Info		ü
330	CPM Auto Detection Delete Usage	Filename	Additional Info		ü
331	Add User By Template	Username
333	Add Privileged Command failed on account	Filename	Username			ü
334	Add Privileged Command succeeded	Filename	Username	Resource
336	Delete Privileged Command failed on account	Filename	Username			ü
337	Delete Privileged Command succeeded	Filename	Username	Resource
338, 339	Add Privileged Command failed on policy	Platform Name	Username			ü
340	Add Privileged Command succeeded	Platform Name	Username	Resource
342	Delete Privileged Command on policy	Platform Name	Username			ü
343	Delete Privileged Command succeeded	Platform Name	Username	Resource
344 S	Privileged command initiated	Filename	Additional Info		ü
345 S	Privileged command initiation failed	Filename	Additional Info		ü	ü
346 S	Privileged command completed	Filename	Additional Info		ü
347 S	OPM failed to execute privileged command	Filename	Additional Info		ü	ü
348 S	PIMSu recording uploaded	Filename	Additional Info		ü
349, 350	Update Privileged Command failed on account	Filename	Username			ü

Codes 351 - 400

Code	Action	Info1	Info2	Info3	File Cat. for Syslog	Alert
351	Update Privileged Command	Platform Name	Username	Resource
352, 353	Update Privileged Command failed on policy	Platform Name	Username			ü
354	Update Privileged Command	Platform Name	Username	Resource
355	Monitor License Expiration Date start	Username
356	Monitor License Expiration Date end	Username
357	Monitor FW rules start	Username
358	Monitor FW Rules end	Username
359	SQL command	Username	Safe	File	ü
360	SQL Command audit failed	Username	Account Safe	Account Object	ü	ü
361	SSH Command	Username	Safe	File	ü
362	Keystroke logging audit failed	Username	Account Safe	Account Object	ü	ü
363	Ownership not yet active	Username	Safe			ü
364	LDAP Configuration Refresh success	Username
365	LDAP Configuration Refresh failed	Username				ü
366	Object content validated failed	Username	Safename	File name		ü
367	Update Email Notifications Configuration	Username
368	Forget My Password Requested	Username	Username	Note
369	Forget My Password Requested failed	Username	Username	Note		ü
370	Forget My Password Completed	Username	Username	Note
371	Forget My Password Completed failed	Username	Username	Note		ü
372	Terminate Session	Username	Recordings Safe	Target Session File	ü
373	Terminate Session Failed	Username	Recordings Safe	Target Session File	ü	ü
374	Monitor Session Start	Username	Recordings Safe	Target Session File	ü
375	Monitor Session Start Failed	Username	Recordings Safe	Target Session File	ü	ü
376	Monitor Session End	Username	Recordings Safe	Target Session File	ü
377	Monitor Session End Failed	Username	Recordings Safe	Target Session File	ü	ü
378	PSM Secure Connect Session Start	Username	PSM Internal Accounts Safe	Secure Connect Internal Account Object name	ü
379	PSM Secure Connect Session Start Failed	Username	PSM Internal Accounts Safe	Secure Connect Internal Account Object name	ü	ü
380	PSM Secure Connect Session End	Username	PSM Internal Accounts Safe	Secure Connect Internal Account Object name	ü
381	PSM Secure Connect Session End Failed	Username	PSM Internal Accounts Safe	Secure Connect Internal Account Object name	ü	ü
382	Add App Authentication	Username	Target Application ID	[auth type] auth value
383	Delete App Authentication	Username	Target Application ID	[auth type] auth value
384	Avector Integration Audit
385	Changes were made successfully to the Master Policy	Action
386	Changes to the Master Policy failed	Action			ü
387	Process has started with admin rights added to token	Filename	Additional Info		ü
388	Process has been started from the shell context menu with admin rights added to token	Filename	Additional Info		ü
389	Process has started with admin rights added to token, which were inherited from its parent.	Filename	Additional Info		ü
390	Process has started with admin rights dropped from token.	Filename	Additional Info		ü
391	Process has been started from the shell context menu with admin rights dropped from token.	Filename	Additional Info		ü
392	Process has started with admin rights dropped from token, which were inherited from its parent.	Filename	Additional Info		ü
393	Process has started with no change to the access token (passive mode).	Filename	Additional Info		ü
394	Process started from shell context menu with no change to the access token (passive mode).	Filename	Additional Info		ü
395	Process started with no change to the access token inherited from parent (passive mode).	Filename	Additional Info		ü
396	Process has started with user’s default rights enforced.	Filename	Additional Info		ü
397	Process has started from the shell context menu with user’s default rights enforced.	Filename	Additional Info		ü
398	Process has started with user’s default rights enforced, which were inherited from its parent.	Filename	Additional Info		ü
399	Process requires elevated rights to run.	Filename	Additional Info		ü	ü
400	Process has started with custom token applied.	Filename	Additional Info		ü

Codes 401 - 450

Code	Action	Info1	Info2	File Cat. for Syslog	Alert
401	Process has started from the shell context menu with user’s custom token applied.	Filename	Additional Info	ü
402	Process has started with custom token applied, which was inherited from its parent.	Filename	Additional Info	ü
403	Process execution was blocked.	Filename	Additional Info	ü	ü
404	Process has stopped (deprecated).	Filename	Additional Info	ü	ü
405	Process started in the context of the authorizing user.	Filename	Additional Info	ü
406	Process started from the shell menu in the context of the authorizing user.	Filename	Additional Info	ü
407	Process execution was cancelled by the user.	Filename	Additional Info	ü
408	Privileged group modification blocked.	Filename	Additional Info	ü	ü
409	Process execution was blocked, the maximum number of challenge/response failures was exceeded.	Filename	Additional Info	ü	ü
410	Unknown elevation-related operation performed on process.	Filename	Additional Info	ü
411	PSM Window Titles
412	Keystroke logging	Filename	Additional Info	ü
413	Keystroke logging failed	Filename	Additional Info	ü	ü
414	CPM Verify SSH Key
415	CPM Verify SSH Key Failed
416	CPM Rotate SSH Key
417	CPM Rotate SSH Key Failed
418	CPM Reconcile SSH Key
419	CPM Reconcile SSH Key Failed
420	CPM Release SSH Key
421	CPM Release SSH Key Failed
422	User creation success
423	User creation failed
424	User group assignment
425	User group assignment failed
426	CPM Disable SSH Key
427	Store SSH Key
428	Retrieve SSH Key
429	User Deletion Success
430	User Deletion Failed
431	User De-Provision Failed
432	UID Change Success
433	UID Change Failed
434	CPM has deleted the public SSH key
435	CPM failed to delete the SSH key
436	SCP Command	Username	File	ü
440	Get SSH Public Keys Failed	Username	Username		ü
441	Add SSH Public Keys Succeeded	Username	Username
442	Add SSH Public Keys Failed	Username	Username		ü
443	Delete SSH Public Keys Succeeded	Username	Username
444	Delete SSH Public Keys Failed	Username	Username		ü

Codes 451 - 500

Code	Action	Info1	Info2	Info3	Alert	Ver.
460	Privileged Threat Analytics event for managed account	Filename	Anomaly name triggered in PTA	Full PTA event details		9.10 (external) / 9.99 (Internal)
461	Privileged Threat Analytics event for Vault user			Full PTA event details		9.10 (external) / 9.99 (Internal)
462	Password sent to endpoint					10.2
463	Agent successfully changed the password for account					10.2
464	Agent failed to change the password for account				ü	10.2
471	Grant Administrative Access Succeeded					10.6
472	Grant Administrative Access Failed					10.6
473	Remove Administrative Access Succeeded					10.6
474	Remove Administrative Access Failed					10.6
475	Security warning - Failed to rotate OpenID token keys				ü	11.5
476	Security warning - Failed to rotate custom token keys				ü	11.5
477	New DR or Satellite Vault registration succeeded	Username	Source Address			11.5
478	New DR or Satellite Vault registration failed	Username	Source Address		ü	11.5
479	Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.	Vault Address			ü	11.5