hardis:org:diagnose:audittrail

Description

Export the Setup Audit Trail into a CSV file according to selected criteria, and highlight suspect actions.

Also detects updates of Custom Settings values (disable this by defining SKIP_AUDIT_TRAIL_CUSTOM_SETTINGS=true).

Regular setup actions performed in major orgs are filtered out. The following sections and actions are not considered suspect:

  • ""
    • createScratchOrg
    • changedsenderemail
    • deleteScratchOrg
    • loginasgrantedtopartnerbt
  • Certificate and Key Management
    • insertCertificate
  • Custom App Licenses
    • addeduserpackagelicense
    • granteduserpackagelicense
    • revokeduserpackagelicense
  • Customer Portal
    • createdcustomersuccessuser
    • CSPUserDisabled
  • Currency
    • updateddatedexchrate
  • Data Management
    • queueMembership
  • Email Administration
    • dkimRotationPreparationSuccessful
    • dkimRotationSuccessful
  • External Objects
    • xdsEncryptedFieldChange
  • Groups
    • groupMembership
  • Holidays
    • holiday_insert
  • Inbox mobile and legacy desktop apps
    • enableSIQUserNonEAC
    • siqUserAcceptedTOS
  • Manage Users
    • activateduser
    • createduser
    • changedcommunitynickname
    • changedemail
    • changedfederationid
    • changedpassword
    • changedinteractionuseroffon
    • changedinteractionuseronoff
    • changedmarketinguseroffon
    • changedmarketinguseronoff
    • changedofflineuseroffon
    • changedprofileforuserstdtostd
    • changedprofileforuser
    • changedprofileforusercusttostd
    • changedprofileforuserstdtocust
    • changedroleforusertonone
    • changedroleforuser
    • changedroleforuserfromnone
    • changedUserAdminVerifiedStatusVerified
    • changedUserEmailVerifiedStatusUnverified
    • changedUserEmailVerifiedStatusVerified
    • changedknowledgeuseroffon
    • changedsfcontentuseroffon
    • changedsupportuseroffon
    • changedusername
    • changedUserPhoneNumber
    • changedUserPhoneVerifiedStatusUnverified
    • changedUserPhoneVerifiedStatusVerified
    • deactivateduser
    • deleteAuthenticatorPairing
    • deleteTwoFactorInfo2
    • deleteTwoFactorTempCode
    • frozeuser
    • insertAuthenticatorPairing
    • insertTwoFactorInfo2
    • insertTwoFactorTempCode
    • lightningloginenroll
    • PermSetAssign
    • PermSetGroupAssign
    • PermSetGroupUnassign
    • PermSetLicenseAssign
    • PermSetUnassign
    • PermSetLicenseUnassign
    • registeredUserPhoneNumber
    • resetpassword
    • suNetworkAdminLogin
    • suNetworkAdminLogout
    • suOrgAdminLogin
    • suOrgAdminLogout
    • unfrozeuser
    • useremailchangesent
  • Mobile Administration
    • assigneduserstomobileconfig
  • Reporting Snapshots
    • createdReportJob
    • deletedReportJob
  • Sandboxes
    • DeleteSandbox

By default, the deployment user defined in the .sfdx-hardis.yml targetUsername property is excluded.

You can define additional users to exclude in the .sfdx-hardis.yml monitoringExcludeUsernames property.

You can also add more sections / actions to be considered as not suspect using the monitoringAllowedSectionsActions property.

Example:

monitoringExcludeUsernames:
  - deploymentuser@cloudity.com
  - marketingcloud@cloudity.com
  - integration-user@cloudity.com

monitoringAllowedSectionsActions:
  "Some section": [] # Will ignore all actions from such section
  "Some other section": ["actionType1","actionType2","actionType3"] # Will ignore only those 3 actions from section "Some other section". Other actions in the same section will be considered as suspect.

Excel output example

Local output example

This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.

Agent Mode

Supports non-interactive execution with --agent:

sf hardis:org:diagnose:audittrail --agent --target-org myorg@example.com

In agent mode, the audit trail report is generated without interactive prompts, using the default number of days.

Parameters

| Name | Type | Description | Default | Required | Options |
|------|------|-------------|---------|----------|---------|
| agent | boolean | Run in non-interactive mode for agents and automation | | | |
| debug, -d | boolean | Activate debug mode (more logs) | | | |
| excludeusers, -e | option | Comma-separated list of usernames to exclude | | | |
| flags-dir | option | undefined | | | |
| json | boolean | Format output as json. | | | |
| lastndays, -t | option | Number of days to extract from today (included) | | | |
| outputfile, -f | option | Force the path and name of output report file. Must end with .csv | | | |
| skipauth | boolean | Skip authentication check when a default username is required | | | |
| target-org, -o | option | undefined | | | |
| websocket | option | Websocket host:port for VsCode SFDX Hardis UI integration | | | |

Examples

$ sf hardis:org:diagnose:audittrail
$ sf hardis:org:diagnose:audittrail --excludeusers baptiste@titi.com
$ sf hardis:org:diagnose:audittrail --excludeusers baptiste@titi.com,bertrand@titi.com
$ sf hardis:org:diagnose:audittrail --lastndays 5
$ sf hardis:org:diagnose:audittrail --agent