hardis:org:diagnose:audittrail

Description

Export Audit trail into a CSV file with selected criteria, and highlight suspect actions

Also detects updates of Custom Settings values (disable by defining SKIP_AUDIT_TRAIL_CUSTOM_SETTINGS=true)

Regular setup actions performed in major orgs are filtered.

""
- createScratchOrg
- changedsenderemail
- deleteScratchOrg
- loginasgrantedtopartnerbt
Certificate and Key Management
- insertCertificate
Custom App Licenses
- addeduserpackagelicense
- granteduserpackagelicense
- revokeduserpackagelicense
Customer Portal
- createdcustomersuccessuser
- CSPUserDisabled
Currency
- updateddatedexchrate
Data Management
- queueMembership
Email Administration
- dkimRotationPreparationSuccessful
- dkimRotationSuccessful
External Objects
- xdsEncryptedFieldChange
Groups
- groupMembership
Holidays
- holiday_insert
Inbox mobile and legacy desktop apps
- enableSIQUserNonEAC
- siqUserAcceptedTOS
Manage Users
- activateduser
- createduser
- changedcommunitynickname
- changedemail
- changedfederationid
- changedpassword
- changedinteractionuseroffon
- changedinteractionuseronoff
- changedmarketinguseroffon
- changedmarketinguseronoff
- changedofflineuseroffon
- changedprofileforuserstdtostd
- changedprofileforuser
- changedprofileforusercusttostd
- changedprofileforuserstdtocust
- changedroleforusertonone
- changedroleforuser
- changedroleforuserfromnone
- changedUserAdminVerifiedStatusVerified
- changedUserEmailVerifiedStatusUnverified
- changedUserEmailVerifiedStatusVerified
- changedknowledgeuseroffon
- changedsfcontentuseroffon
- changedsupportuseroffon
- changedusername
- changedUserPhoneNumber
- changedUserPhoneVerifiedStatusUnverified
- changedUserPhoneVerifiedStatusVerified
- deactivateduser
- deleteAuthenticatorPairing
- deleteTwoFactorInfo2
- deleteTwoFactorTempCode
- frozeuser
- insertAuthenticatorPairing
- insertTwoFactorInfo2
- insertTwoFactorTempCode
- lightningloginenroll
- PermSetAssign
- PermSetGroupAssign
- PermSetGroupUnassign
- PermSetLicenseAssign
- PermSetUnassign
- PermSetLicenseUnassign
- registeredUserPhoneNumber
- resetpassword
- suNetworkAdminLogin
- suNetworkAdminLogout
- suOrgAdminLogin
- suOrgAdminLogout
- unfrozeuser
- useremailchangesent
Mobile Administration
- assigneduserstomobileconfig
Reporting Snapshots
- createdReportJob
- deletedReportJob
Sandboxes
- DeleteSandbox

By default, deployment user defined in .sfdx-hardis.yml targetUsername property will be excluded.

You can define additional users to exclude in .sfdx-hardis.yml monitoringExcludeUsernames property.

You can also add more sections / actions considered as not suspect using property monitoringAllowedSectionsActions

Example:

monitoringExcludeUsernames:
  - deploymentuser@cloudity.com
  - marketingcloud@cloudity.com
  - integration-user@cloudity.com

monitoringAllowedSectionsActions:
  "Some section": [] // Will ignore all actions from such section
  "Some other section": ["actionType1","actionType2","actionType3"] // Will ignore only those 3 actions from section "Some other section". Other actions in the same section will be considered as suspect.

Excel output example

Local output example

This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.

Parameters

Name	Type	Description
debug -d	boolean	Activate debug mode (more logs)
excludeusers -e	option	Comma-separated list of usernames to exclude
flags-dir	option	undefined
json	boolean	Format output as json.
lastndays -t	option	Number of days to extract from today (included)
outputfile -f	option	Force the path and name of output report file. Must end with .csv
skipauth	boolean	Skip authentication check when a default username is required
target-org -o	option	undefined
websocket	option	Websocket host:port for VsCode SFDX Hardis UI integration

Examples

$ sf hardis:org:diagnose:audittrail

$ sf hardis:org:diagnose:audittrail --excludeusers baptiste@titi.com

$ sf hardis:org:diagnose:audittrail --excludeusers baptiste@titi.com,bertrand@titi.com

$ sf hardis:org:diagnose:audittrail --lastndays 5