RunReveal

Border0 Audit Logs

Border0 is a Zero Trust network access platform that brokers and audits connections to infrastructure including SSH, databases, HTTP services, and Kubernetes. Its organization audit log records user actions across sockets, policies, connectors, and organization settings. These logs help security and compliance teams maintain audit trails, monitor administrative activity, and build detections on access to your Border0-protected resources.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

API Polling

Border0 supports API polling to collect audit actions from your organization via the audit actions endpoint (GET /audit_actions).

Setup

  1. Go to Sources in RunReveal
  2. Click the Border0 source tile
  3. Give it a name
  4. Fill in your API Token
  5. Optionally set a Resource Type Filter to scope ingestion to a single resource type (e.g. socket, policy, connector). Leave it blank to ingest all resource types.
  6. Click Connect Source

API Token Configuration

Creating the API Token:

  1. Sign in to the Border0 admin portal
  2. Create an API access token with permission to read the organization audit log
  3. Copy the token — store it securely

The token is sent to Border0 as a bearer credential in the Authorization header on every request.

Organization scope: The /audit_actions endpoint returns the audit log for the organization that owns the token. Use a token issued for the organization whose activity you want to monitor.

Collected Events

Border0 audit actions describe an action performed against a resource. RunReveal stores the action type in the eventName field and the resource type and id as tags. Common resource types include:

  • socket — socket (service) create, update, and delete actions
  • policy — policy lifecycle and assignment changes
  • connector — connector registration and configuration changes
  • organization — organization settings and membership changes

Event Data Structure

Each audit action includes:

  • Action Type — The action that was performed (action_type), stored as eventName
  • Actor Information — The user who performed the action (actor_email, actor_id)
  • Timestamp — When the action occurred (performed_at)
  • Network Context — The requestor IP address (requestor_ip)
  • Resource Context — The type and id of the affected resource (resource_type, resource_id)

Data Collection

  • Collection Method: API polling every 5 minutes
  • Pagination: Page-based, walking newest records first until the previous high water mark is reached
  • Backfill: On first connection RunReveal ingests the most recent audit history (bounded per poll)
  • Event Format: JSON with normalized fields for consistent querying

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: border0_logs (43 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeString
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
ColumnType
dstASOrganizationString
dstCityString
dstConnectionTypeString
dstISPString
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
serviceNameString
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
actionTypeString
actorEmailString
actorIDString
performedAtString
requestorIPString
resourceIDString
resourceTypeString

On this page