# How to filter audit events

You can filter audit events when [viewing](./view) or [exporting](./export) them to narrow down the results. The filter syntax is the same for both operations, with one exception: the `authentication.subject.name` field is not available in exports because it can contain email addresses that are [Personally Identifiable Information (PII)](https://en.wikipedia.org/wiki/Personal_data).

## Filter operators

Supported operators include:

* `=` equals
* `!=` not equals
* `:` contains
* `regex` regular expression match

## How to filter events in the web console

To narrow down the events, you can use the following filters:

* **Event JSONs**: Searches the values of JSON fields. This is not a full-text search for a substring in the JSON event description. For example, if the JSON contains a `name` field with the value `Test User`, this filter finds `Test User` but cannot find `"name": "Test User"`.
* **Action**: Standard actions are `CREATE`, `UPDATE` or `DELETE`. Actions can differ by service. For example, for Compute resources, you can also specify `STOP` and `START`.
* **Ancestor ID**: ID of the resource ancestor, starting from the tenant.
* **Ancestor name**: Name of the resource ancestor, starting from the tenant.
* **Masked token**: [Access token](/iam/authorization/access-tokens) that was used to authorize the event. You can enter a part of the token here.
* **Region**: [Nebius AI Cloud region](/overview/regions) in which the event occurred.
* **Resource ID**: ID of the resource on which actions were performed. For example, a Compute disk (`computedisk-***`), a service account (`serviceaccount-***`), etc.
* **Resource name**: Name of the resource on which actions were performed.
* **Resource type**: Type of the resource on which actions were performed. For example, `computedisk` or `mk8scluster`.
* **Service**: [Service](../services) in which the actions were performed.
* **Event class**: A string in the `ai.nebius.<service_name>.<resource_type>.<action>` format. It includes the `ai.nebius` prefix and refers to a Nebius AI Cloud service, type of resource in it and the action performed on this resource, for example, `ai.nebius.compute.computeinstance.delete`.
* **Static key ID**: ID of the [static key](/iam/authorization/static-keys) that was used to authorize the event.
* **Status**: Status of the operation associated with the event.
* **Subject ID**: ID of a user account or a service account that performed actions. The formats of user account IDs and service account IDs are `tenantuseraccount-***` and `serviceaccount-***`.
* **Subject name**: Name of a user account or a service account that performed actions. This filter is not available for exports.

Click the equals sign `=` in a filter to choose if the events should contain or exclude the values you enter.

## How to filter events by using the CLI

To narrow down the events, you can use one or more of the following filters:

* **Resource ID or type**

  The type or ID of the resource on which actions were performed. ID formats include, for example, `computeinstance-***` for a Compute virtual machine, `computedisk-***` for a Compute disk and `serviceaccount-***` for a service account.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "resource.metadata.type='computeinstance'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "resource.metadata.id='computeinstance-***'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "resource.metadata.type='computeinstance'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "resource.metadata.id='computeinstance-***'"
      ```
    </Tab>
  </Tabs>

* **Resource ancestor ID or name**

  The ID or name of the resource ancestor, starting from the tenant. For example, you can check all the actions performed on virtual machines in one of your projects by specifying the project ID or name.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "resource.hierarchy.id:'<ancestor_ID>'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "resource.hierarchy.name:'<ancestor_name>'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "resource.hierarchy.id:'<ancestor_ID>'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "resource.hierarchy.name:'<ancestor_name>'"
      ```
    </Tab>
  </Tabs>

* **Event action**

  Specify the action: `CREATE`, `UPDATE` or `DELETE`. Actions can differ by service. For example, for Compute resources, you can also specify `STOP` and `START`.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "action='DELETE'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "action='DELETE'"
      ```
    </Tab>
  </Tabs>

* **Region** in which the event occurred.

  See the [list of Nebius AI Cloud regions](/overview/regions).

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "project_region.name='<region_ID>'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "project_region.name='<region_ID>'"
      ```
    </Tab>
  </Tabs>

* **Service** in which the event occurred.

  See the [list of services](../services).

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "service.name='COMPUTE'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "service.name='COMPUTE'"
      ```
    </Tab>
  </Tabs>

* **Event class**

  A string in the `ai.nebius.<service_name>.<resource_type>.<action>` format. It includes the `ai.nebius` prefix and refers to a Nebius AI Cloud service, type of resource in it and the action performed on this resource, for example, `ai.nebius.compute.computeinstance.delete`.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "type='ai.nebius.compute.computeinstance.delete'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "type='ai.nebius.compute.computeinstance.delete'"
      ```
    </Tab>
  </Tabs>

* **Subject name or ID**

  The name or ID of a user account or a service account that performed actions. The formats of user account IDs and service account IDs are `tenantuseraccount-***` and `serviceaccount-***`. The `authentication.subject.name` filter is not available for exports.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "authentication.subject.name='<user_email>'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "authentication.subject.tenant_user_id='tenantuseraccount-***'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "authentication.subject.service_account_id='serviceaccount-***'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "authentication.subject.tenant_user_id='tenantuseraccount-***'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "authentication.subject.service_account_id='serviceaccount-***'"
      ```
    </Tab>
  </Tabs>

* **Subject credentials**

  For [access tokens](/iam/authorization/access-tokens), use `authentication.token_credential.masked_token` without a signature. For AWS-compatible [access keys](/iam/service-accounts/access-keys), use `authentication.static_key_credential.id`.

  <Tabs>
    <Tab title="View">
      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "authentication.token_credential.masked_token='<token_without_signature>'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event list \
         --parent-id <tenant_ID> \
         --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
         --filter "authentication.static_key_credential.id='<access_key_ID>'"
      ```
    </Tab>

    <Tab title="Export">
      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "authentication.token_credential.masked_token='<token_without_signature>'"
      ```

      ```bash theme={null}
      nebius audit v2 audit-event-export start \
         --parent-id <tenant_ID> \
         --params-from <time_in_ISO_8601> --params-to <time_in_ISO_8601> \
         --params-event-type <control_plane|data_plane> \
         --nebius-object-storage-bucket-by-id-id <bucket_ID> \
         --nebius-object-storage-object-prefix <prefix> \
         --params-filter "authentication.static_key_credential.id='<access_key_ID>'"
      ```
    </Tab>
  </Tabs>

## How to combine filters

To combine filters, use the following:

* `AND` logical operator.
* Comparison operators: `=` (equals), `!=` (not equals), `:` (contains).
* [Regular expressions](https://en.wikipedia.org/wiki/Regular_expression#Syntax) (for example, `regex(resource.name, '^.*prod.*$')` to show resources with `prod` in their names).

## Examples

<Tabs>
  <Tab title="View">
    For example, to view all events where the user `example@nebius.com` deleted virtual machines between April 1 and April 5, run:

    ```bash theme={null}
    nebius audit v2 audit-event list \
       --parent-id <tenant_ID> \
       --start <time_in_ISO_8601> --end <time_in_ISO_8601> \
       --filter "authentication.subject.name='example@nebius.com' \
          AND action='DELETE' \
          AND resource.metadata.type='computeinstance'"
    ```
  </Tab>

  <Tab title="Export">
    For example, to export all events where a specific user deleted virtual machines between April 1 and April 5, run:

    ```bash theme={null}
    nebius audit v2 audit-event-export start \
       --parent-id <tenant_ID> \
       --params-from 2025-04-01T00:00:00Z --params-to 2025-04-06T00:00:00Z \
       --params-event-type <control_plane|data_plane> \
       --nebius-object-storage-bucket-by-id-id <bucket_ID> \
       --nebius-object-storage-object-prefix <prefix> \
       --params-filter "authentication.subject.tenant_user_id='<tenant_user_ID>' \
          AND action='DELETE' \
          AND resource.metadata.type='computeinstance'"
    ```
  </Tab>
</Tabs>
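
The view and export commands take the same filter but different flags, and exports reject `authentication.subject.name`. The following added example (not Nebius code; the helper names `join_filter`, `export_filter_ok` and `audit_cmd` are hypothetical) composes one filter with `AND`, checks it against the export restriction and prints both commands for review without running them. The IDs are placeholders and the service account filter is a constructed sample.

```bash
# Added example, not Nebius code; helper names are hypothetical.

# Join non-empty clauses with the AND operator.
join_filter() (
  out=""
  for clause in "$@"; do
    [ -n "$clause" ] || continue
    out="${out:+$out AND }$clause"
  done
  printf '%s' "$out"
)

# Succeeds unless the filter references authentication.subject.name, which is
# not available in exports because it can contain e-mail addresses.
export_filter_ok() {
  case "$1" in *authentication.subject.name*) return 1 ;; esac
}

# Print (do not run) the command. Args: view|export, filter, from, to.
# TENANT_ID, EVENT_TYPE, BUCKET_ID and PREFIX are read from the environment.
audit_cmd() (
  mode=$1 filter=$2 from=$3 to=$4
  case "$mode" in
    view)
      printf 'nebius audit v2 audit-event list --parent-id %s' "$TENANT_ID"
      printf ' --start %s --end %s --filter "%s"\n' "$from" "$to" "$filter" ;;
    export)
      export_filter_ok "$filter" || {
        echo "export: filter by subject ID, not authentication.subject.name" >&2
        exit 2
      }
      printf 'nebius audit v2 audit-event-export start --parent-id %s' "$TENANT_ID"
      printf ' --params-from %s --params-to %s --params-event-type %s' "$from" "$to" "$EVENT_TYPE"
      printf ' --nebius-object-storage-bucket-by-id-id %s' "$BUCKET_ID"
      printf ' --nebius-object-storage-object-prefix %s' "$PREFIX"
      printf ' --params-filter "%s"\n' "$filter" ;;
    *) echo "mode must be view or export" >&2; exit 2 ;;
  esac
)

# Constructed sample values: placeholders, not real IDs.
TENANT_ID='<tenant_ID>' BUCKET_ID='<bucket_ID>' PREFIX='<prefix>' EVENT_TYPE='control_plane'
FILTER=$(join_filter "authentication.subject.service_account_id='serviceaccount-***'" \
  "action='DELETE'" "resource.metadata.type='computeinstance'")
audit_cmd view   "$FILTER" 2025-04-01T00:00:00Z 2025-04-06T00:00:00Z
audit_cmd export "$FILTER" 2025-04-01T00:00:00Z 2025-04-06T00:00:00Z
```

The filter is printed inside double quotes, so review the output before pasting it if a value contains `"` or `$`.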

For more details about the fields, see [Structure and fields of events in Audit Logs](./reference).
