Skip to main content
You can filter audit events when viewing or exporting them to narrow down the results. The filter syntax is the same for both operations, with one exception: the authentication.subject.name field is not available in exports because it can contain email addresses that are Personally Identifiable Information (PII).

Filter operators

Supported operators include:
  • = equals
  • != not equals
  • : contains
  • regex regular expression match

How to filter events in the web console

To narrow down the events, you can use the following filters:
  • Event JSONs: Search in JSON field values, but not a full-text search for a substring in the JSON event description. For example, if the JSON contains a name field with the value Test User, this filter finds Test User but cannot find "name": "Test User".
  • Action: Standard actions are CREATE, UPDATE or DELETE. Actions can differ by service. For example, for Compute resources, you can also specify STOP and START.
  • Ancestor ID: ID of the resource ancestor, starting from the tenant.
  • Ancestor name: Name of the resource ancestor, starting from the tenant.
  • Masked token: Access token that was used to authorize the event. You can enter a part of the token here.
  • Region: Nebius AI Cloud region in which the event occurred.
  • Resource ID: ID of the resource on which actions were performed. For example, a Compute disk (computedisk-***), a service account (serviceaccount-***), etc.
  • Resource name: Name of the resource on which actions were performed.
  • Resource type: Type of the resource on which actions were performed. For example, computedisk or mk8scluster.
  • Service: Service in which the actions were performed.
  • Event class: A string in the ai.nebius.<service_name>.<resource_type>.<action> format. It includes the ai.nebius prefix and refers to a Nebius AI Cloud service, type of resource in it and the action performed on this resource, for example, ai.nebius.compute.computeinstance.delete.
  • Static key ID: ID of the static key that was used to authorize the event.
  • Status: Status of the operation associated with the event.
  • Subject ID: ID of a user account or a service account that performed actions. The formats of user account IDs and service account IDs are tenantuseraccount-*** and serviceaccount-***.
  • Subject name: Name of a user account or a service account that performed actions. This filter is not available for exports.
Click the equals sign = in a filter to choose if the events should contain or exclude the values you enter.

How to filter events by using the CLI

To narrow down the events, you can use one or more of the following filters:
  • Resource ID or type The type or ID of the resource on which actions were performed. ID formats include, for example, a computeinstance-*** for a Compute virtual machine, computedisk-*** for a Compute disk, serviceaccount-*** for a service account. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "resource.metadata.type='computeinstance'"

    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "resource.metadata.id='computeinstance-***'"
  • Resource ancestor ID or name The ID or name of the resource ancestor, starting from the tenant. For example, you can check all the actions performed on virtual machines in one of your projects by specifying the project ID or name. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "resource.hierarchy.id:'<ancestor_ID>'"

    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "resource.hierarchy.name:'<ancestor_name>'"
  • Event action Specify the action: CREATE, UPDATE or DELETE. Actions can differ by service. For example, for Compute resources, you can also specify STOP and START. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "action='DELETE'"
  • Region in which the event occurred. See the list of Nebius AI Cloud regions. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "project_region.name='<region_ID>'"
  • Service in which the event occurred. See the list of services. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "service.name='COMPUTE'"
  • Event class A string in the ai.nebius.<service_name>.<resource_type>.<action> format. It includes the ai.nebius prefix and refers to a Nebius AI Cloud service, type of resource in it and the action performed on this resource, for example, ai.nebius.compute.computeinstance.delete. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "type='ai.nebius.compute.computeinstance.delete'"
  • Subject name or ID The name or ID of a user account or a service account that performed actions. The formats of user account IDs and service account IDs are tenantuseraccount-*** and serviceaccount-***. The authentication.subject.name filter is not available for exports. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.subject.name='<user_email>'"

    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.subject.tenant_user_id='tenantuseraccount-***'"

    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.subject.service_account_id='serviceaccount-***'"
  • Subject credentials For access tokens, use authentication.token_credential.masked_token without a signature. For AWS-compatible access keys, use authentication.static_key_credential.id. 
    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.token_credential.masked_token='<token_without_signature>'"

    nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.static_key_credential.id='<access_key_ID>'"

How to combine filters

To combine filters, use the following instruments:
  • AND logical operator.
  • Comparison operators: = (equals), != (not equals), : (contains).
  • Regular expressions (for example, regex(resource.name, '^.*prod.*$') to show resources with prod in their names).

Examples

For example, to view all events where the user example@nebius.com deleted virtual machines between April 1 and April 5, run:
nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
   --filter "authentication.subject.tenant_user_id='example@nebius.com' \
      AND action='DELETE' \
      AND resource.metadata.type='computeinstance'"
For more details about the fields, see Structure and fields of events in Audit Logs.