Skip to main content
Audit Logs allows you to view and filter events for your tenant. This article helps you understand which filters to set when you investigate specific situations, such as:
  1. When you suspect a security incident.
  2. When resource changes lead to unexpected spending.

Potential security incidents

If you suspect a security incident in your tenant, Audit Logs can help you track down the events that occurred at the time and investigate possible causes.

Who made changes to resources, and when?

If you encounter a suspicious change in resources of a given type, review the events that involve resource changes:
  • Enter CREATE, UPDATE or DELETE in the Action field to see all resource changes.
  • Fill in the Resource type field to see the changes that concern a specific resource type.
For example, enter DELETE in the Action field and computeinstance in the Resource type field to find out which Compute virtual machines were deleted.See the Subject column to find out who made the change.

What happened at the time of the incident?

To gain more context when investigating an incident, create granular filters to review the events:
To combine the filters, use the following instruments:
  • AND logical operator.
  • Comparison operators: = (equals), != (not equals), : (contains).
  • Regular expressions (for example, regex(resource.name, '^.*prod.*$') to show resources with prod in their names).
  • Limit the number of entries you receive, by using the --page-size parameter.
For example, to view 10 events where the user example@nebius.com deleted virtual machines between April 1 and April 5, run:
nebius audit v2 audit-event list \
   --parent-id <tenant_ID> \
   --start 2025-04-01T00:00:00Z --end 2025-04-06T00:00:00Z \
   --filter "authentication.subject.name='example@nebius.com' \
      AND action='DELETE' \
      AND resource.metadata.type='computeinstance'" \
   --page-size=10
If there are more than 10 events, get the next_page_token value from the response and run the same command again with an additional --page-token=<next_page_token> parameter to get the next batch.

Unexpected spending

If you see a sudden increase in spending, Audit Logs can help you find out more about the resources that are used in your tenant.

What happened with a specific resource?

A particular resource may cause more spending than you expected. Get the events that are associated with this resource:
Enter the resource ID in the Resource ID field.

Who created a new resource?

Unexpected spending may be caused by creating more resources than necessary. To investigate who created them, get the resource creation events:
Fill in the Resource type field and enter CREATE in the Action field to see when resources of a specific type were created.For example, enter computeinstance in the Resource type field and CREATE in the Action field to see all events where a Compute virtual machine was created.See the Subject column to find out who made the change.