Virtru's Audit Export API was recently upgraded to Audit 2.0. This update introduces a more comprehensive and flexible structure for capturing a wider range of events beyond policy-related transactions. Audit 2.0 expands auditable events to include User Management, Security Rule Management, and other additional events.
The purpose of this article is to help customers who currently leverage Audit 1.0 understand how it is different from Audit 2.0.
Please Note
Audit 2.0 is only available via the Audit Export API. The Audit Page in Control Center is still on Audit 1.0 and will be migrated to the Audit 2.0 schema at a future date.
Table of Contents:
Schema Comparison
Schema Summary
Event Comparison
Event Summary
Schema Comparison
| Column Name | Audit 1.0 | Audit 2.0 | Description | Details |
| --- | --- | --- | --- | --- |
| id | UUID | UUID | Unique identifier for the event or transaction | The id column remains the same in both schemas, serving as a unique identifier for each event or transaction. |
| transaction_id | UUID | ✗ | Identifier for the associated transaction (Audit 1.0 only) | Audit 1.0 includes a transaction_id column to associate related transactions, which is not present in Audit 2.0. |
| object_id | TEXT (tdf_id) | UUID | Identifier of the object involved in the event | The object identifier is represented by tdf_id in Audit 1.0 and object_id in Audit 2.0, with the latter using a UUID data type. |
| object_name | TEXT (tdf_name) | TEXT | Name or identifier of the object | The object name is represented by tdf_name in Audit 1.0 and object_name in Audit 2.0. |
| object_type | ✗ | ENUM | Type of object involved (data_object, entity_object, rule_object, etc.) (New to 2.0) | Audit 2.0 introduces an object_type column to specify the type of object involved in the event, which is not present in Audit 1.0. |
| owner_id | TEXT | TEXT | Identifier of the owner of the object | The owner_id and owner_org_id columns remain the same in both schemas. |
| owner_org_id | UUID | UUID | Unique identifier of the organization to which the owner belongs | none noted |
| action_type | ENUM | ENUM | Type of action performed (create, update, delete, read) | The action_type column is present in both schemas, but Audit 2.0 uses a different set of enumerated values. |
| action_result | ✗ | ENUM | Result of the action (success, failure, error) (New to 2.0) | Audit 2.0 introduces an action_result column to indicate the result of the action, which is not present in Audit 1.0. |
| transaction_type | ENUM | ✗ | Type of transaction (update, create, update_error, create_error) (Audit 1.0 only) | Audit 1.0 includes a transaction_type column to specify the type of transaction, which is not present in Audit 2.0. |
| transaction_timestamp | TIMESTAMP | TIMESTAMP | Timestamp of when the event or transaction occurred | The transaction_timestamp, user_agent, request_id, and platform columns remain the same in both schemas. |
| user_agent | TEXT | TEXT | User agent string of the client that triggered the event | none noted |
| request_id | TEXT | TEXT | Identifier of the request that triggered the event | none noted |
| platform | TEXT | TEXT | Platform from which the event originated | none noted |
| ip_address | ✗ | TEXT | IP address from which the event originated (New to 2.0) | Audit 2.0 introduces an ip_address column to capture the IP address from which the event originated. |
| actor_id | ✗ | TEXT | Identifier of the actor performing the action (New to 2.0) | Audit 2.0 includes an actor_id column to identify the actor performing the action, which is not present in Audit 1.0. |
| actor_attributes | JSONB | JSONB | JSON object containing attributes of the actor | The actor_attributes column remains the same in both schemas. |
| event_metadata | JSONB (access_event_meta_data) | JSONB | JSON object containing additional metadata related to the event | The event_metadata column in Audit 2.0 is equivalent to the access_event_meta_data column in Audit 1.0. |
| object_attributes | JSONB (tdf_attributes) | JSONB | JSON object containing attributes of the object involved in the event | The object_attributes column in Audit 2.0 is equivalent to the tdf_attributes column in Audit 1.0. |
| diff | JSONB | JSONB | JSON object containing the changes made to the object (for update events) | The diff column remains the same in both schemas. |
Schema Summary:
Overall, the Audit 2.0 schema introduces several new columns and modifies some existing ones to provide a more comprehensive and flexible structure for capturing a wider range of events beyond policy-related transactions.
- The id column remains the same in both schemas, serving as a unique identifier for each event or transaction.
- Audit 1.0 includes a transaction_id column to associate related transactions, which is not present in Audit 2.0.
- The object identifier is represented by tdf_id in Audit 1.0 and object_id in Audit 2.0, with the latter using a UUID data type.
- The object name is represented by tdf_name in Audit 1.0 and object_name in Audit 2.0.
- Audit 2.0 introduces an object_type column to specify the type of object involved in the event, which is not present in Audit 1.0.
- The owner_id and owner_org_id columns remain the same in both schemas.
- The action_type column is present in both schemas, but Audit 2.0 uses a different set of enumerated values.
- Audit 2.0 introduces an action_result column to indicate the result of the action, which is not present in Audit 1.0.
- Audit 1.0 includes a transaction_type column to specify the type of transaction, which is not present in Audit 2.0.
- The transaction_timestamp, user_agent, request_id, and platform columns remain the same in both schemas.
- Audit 2.0 introduces an ip_address column to capture the IP address from which the event originated.
- Audit 2.0 includes an actor_id column to identify the actor performing the action, which is not present in Audit 1.0.
- The actor_attributes column remains the same in both schemas.
- The event_metadata column in Audit 2.0 is equivalent to the access_event_meta_data column in Audit 1.0.
- The object_attributes column in Audit 2.0 is equivalent to the tdf_attributes column in Audit 1.0.
- The diff column remains the same in both schemas.
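Customers who ingest both schema versions into the same SIEM table need the column mapping above applied consistently. The following is an added example (not Virtru's code and not part of this article) that normalizes an Audit 1.0 record into the Audit 2.0 column layout using only the renames and new columns listed in the comparison table, keeps the 1.0-only columns under a `legacy` key so nothing is dropped, and flags the two things that commonly break such a migration: a `tdf_id` that is free text rather than a UUID, and the 2.0-only columns (`object_type`, `ip_address`, `actor_id`) that a 1.0 record simply cannot provide. The sample records are constructed for this example; deriving `action_result` from the `_error` suffix of the 1.0 `transaction_type` is an assumption made here, not a documented mapping.

```python
"""Normalize Virtru Audit Export records (Audit 1.0 or 2.0) into the 2.0 layout.

Added example, not Virtru's code. Column names follow the schema comparison
table; sample records and the action_result derivation are assumptions.
"""
import uuid
from collections import Counter

# 1.0 column -> 2.0 column renames, taken from the comparison table.
RENAMED_COLUMNS = {
    "tdf_id": "object_id",
    "tdf_name": "object_name",
    "access_event_meta_data": "event_metadata",
    "tdf_attributes": "object_attributes",
}
LEGACY_ONLY = ("transaction_id", "transaction_type")        # Audit 1.0 only
NEW_IN_2 = ("object_type", "action_result", "ip_address", "actor_id")
AUDIT_2_COLUMNS = (
    "id", "object_id", "object_name", "object_type", "owner_id", "owner_org_id",
    "action_type", "action_result", "transaction_timestamp", "user_agent",
    "request_id", "platform", "ip_address", "actor_id", "actor_attributes",
    "event_metadata", "object_attributes", "diff",
)


def detect_schema(record):
    """Return 1 or 2 based on which version-specific columns are present."""
    if any(k in record for k in ("object_id", "object_type", "action_result")):
        return 2
    if any(k in record for k in ("tdf_id",) + LEGACY_ONLY):
        return 1
    raise ValueError("cannot tell Audit 1.0 from Audit 2.0: %r" % sorted(record))


def is_uuid(value):
    """True if value parses as a UUID (object_id is a UUID column in 2.0)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def normalize(record):
    """Return (record in Audit 2.0 layout, list of warning strings)."""
    out, warnings = {}, []
    if detect_schema(record) == 2:
        out = dict(record)
    else:
        legacy = {}
        for key, value in record.items():
            if key in LEGACY_ONLY:
                legacy[key] = value                  # preserved, not mapped
            else:
                out[RENAMED_COLUMNS.get(key, key)] = value
        out["legacy"] = legacy
        # ASSUMPTION for this example: 1.0 "*_error" transaction types become
        # action_result "error", everything else "success".
        ttype = legacy.get("transaction_type") or ""
        out["action_result"] = "error" if ttype.endswith("_error") else "success"
    for col in AUDIT_2_COLUMNS:
        out.setdefault(col, None)
    # 1.0 tdf_id was TEXT; 2.0 object_id is UUID, so check before loading.
    if out["object_id"] is not None and not is_uuid(out["object_id"]):
        warnings.append("object_id %r is not a UUID" % out["object_id"])
    missing = [c for c in NEW_IN_2 if out.get(c) is None]
    if missing:
        warnings.append("no value for " + ", ".join(missing))
    return out, warnings


def failed_actions_by_actor(records):
    """Count failed/errored actions per actor_id. Only 2.0 records carry
    actor_id, so events normalized from 1.0 land under 'unknown'."""
    counts = Counter()
    for rec in records:
        norm, _ = normalize(rec)
        if norm["action_result"] in ("failure", "error"):
            counts[norm["actor_id"] or "unknown"] += 1
    return dict(counts)


# Constructed sample records (not real export data).
SAMPLE_1_0 = {
    "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "transaction_id": "0f8fad5b-d9cb-469f-a165-70867728950e",
    "tdf_id": "tdf-legacy-0001",                 # TEXT in 1.0, not a UUID
    "tdf_name": "quarterly-report.docx",
    "owner_id": "alice@example.com",
    "owner_org_id": "2b1c8e0a-5a0e-4f0d-9c2e-1f4b7d0e9a11",
    "action_type": "update", "transaction_type": "update_error",
    "transaction_timestamp": "2024-01-15T10:21:43Z",
    "user_agent": "example-client/1.0", "request_id": "req-1", "platform": "gmail",
    "actor_attributes": {}, "access_event_meta_data": {"reason": "example"},
    "tdf_attributes": {}, "diff": None,
}
SAMPLE_2_0 = {
    "id": "9a4f2c6e-3d1b-4e7a-8f05-6c2d1e0b9a33",
    "object_id": "e1d2c3b4-a596-4877-b8c9-d0e1f2a3b4c5",
    "object_name": "example-rule", "object_type": "rule_object",
    "owner_id": "admin@example.com",
    "owner_org_id": "2b1c8e0a-5a0e-4f0d-9c2e-1f4b7d0e9a11",
    "action_type": "update", "action_result": "failure",
    "transaction_timestamp": "2024-01-15T10:25:00Z",
    "user_agent": "example-client/2.0", "request_id": "req-2",
    "platform": "control-center", "ip_address": "203.0.113.7",
    "actor_id": "bob@example.com", "actor_attributes": {}, "event_metadata": {},
    "object_attributes": {}, "diff": {"enabled": [True, False]},
}

if __name__ == "__main__":
    for rec in (SAMPLE_1_0, SAMPLE_2_0):
        norm, warns = normalize(rec)
        print(norm["object_id"], norm["action_result"], warns)
    print(failed_actions_by_actor([SAMPLE_1_0, SAMPLE_2_0]))
```

The warnings list is the part worth wiring into a pipeline: a non-UUID `object_id` should be caught before the row reaches a UUID-typed column, and the "no value for object_type, ip_address, actor_id" warning is the reminder that actor-centric or source-IP reporting is only meaningful for events that were written under Audit 2.0.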
Event Comparison
| Event Type | Audit 1.0 | Audit 2.0 | Description |
| --- | --- | --- | --- |
| Policy Creation | ✓ | ✓ | Creation of a new policy |
| Policy Update | ✓ | ✓ | Modification of an existing policy |
| Policy Deletion | ✓ | ✓ | Deletion of a policy |
| Data Object Access | ✓ | ✓ | Access to a data object (e.g., file, email) |
| Data Object Encryption | ✓ | ✓ | Encryption of a data object |
| Data Object Decryption | ✓ | ✓ | Decryption of a data object |
| Access Denied | ✓ | ✓ | Denial of access to a data object |
| Access Modified | ✓ | ✓ | Modification of access rights to a data object |
| State Changed | ✓ | ✓ | Change in the state of a data object |
| Error | ✓ | ✓ | Error occurred during an event |
| User Creation | ✗ | ✓ | Creation of a new user |
| User Update | ✗ | ✓ | Modification of user attributes or settings |
| User Deletion | ✗ | ✓ | Deletion of a user |
| DLP Rule Creation | ✗ | ✓ | Creation of a new Security Rule |
| DLP Rule Update | ✗ | ✓ | Modification of an existing Security Rule |
| DLP Rule Deletion | ✗ | ✓ | Deletion of a Security Rule |
| DLP Rule Triggered | ✗ | ✓ | Triggering of a Security Rule based on content or user action |
| Entity Object Creation | ✗ | ✓ | Creation of a new entity object |
| Entity Object Update | ✗ | ✓ | Modification of an entity object |
| Entity Object Deletion | ✗ | ✓ | Deletion of an entity object |
| Attribute Object Creation | ✗ | ✓ | Creation of a new attribute object |
| Attribute Object Update | ✗ | ✓ | Modification of an attribute object |
| Attribute Object Deletion | ✗ | ✓ | Deletion of an attribute object |
| Organization Creation | ✗ | ✓ | Creation of a new organization |
| Organization Update | ✗ | ✓ | Modification of organization attributes or settings |
| Organization Deletion | ✗ | ✓ | Deletion of an organization |
| User Group Creation | ✗ | ✓ | Creation of a new user group |
| User Group Update | ✗ | ✓ | Modification of user group attributes or settings |
| User Group Deletion | ✗ | ✓ | Deletion of a user group |
Event Summary
Audit 1.0 primarily focuses on policy-related events and data object interactions, such as policy creation, update, deletion, data object access, encryption, decryption, and access modifications.
The Audit 2.0 schema, on the other hand, expands the scope of audited events to include user management (creation, update, deletion), Security Rule management (creation, update, deletion, triggering), entity object management (creation, update, deletion), attribute object management (creation, update, deletion), organization management (creation, update, deletion), and user group management (creation, update, deletion).
The Audit 2.0 schema provides a more comprehensive coverage of events across various aspects of the system, enabling a broader range of auditing and analysis capabilities compared to Audit 1.0.