CircleCI Audit Logs
CircleCI audit logs provide a detailed record of actions and events within your CircleCI organization. These logs capture information such as user activities, build events, project changes, and security events. They help administrators track user activity, ensure security compliance, and audit changes for troubleshooting and incident investigation.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
- AWS S3
- AWS S3 Bucket with Custom SQS
- Azure Storage Account
- Google Cloud Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_circleci_auditSNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Setup
For detailed setup instructions, see the CircleCI documentation to configure audit log streaming to your chosen storage solution.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: circleci_audit_logs (53 columns)
circleci_audit_logs (53 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
| Column | Type |
|---|---|
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
auditLogId | String |
version | UInt32 |
occurredAt | DateTime |
action | String |
actorId | String |
actorType | String |
actorName | String |
targetId | String |
targetType | String |
targetName | String |
scopeId | String |
scopeType | String |
scopeName | String |
success | Bool |
requestId | String |
payload | String |
metadata | Map(String, String) |