Cursor Audit Logs
RunReveal ingests Cursor audit logs from object storage where Cursor exports them. These logs capture security events and administrative actions including logins, user management, team settings, and API key operations.
Ingest Methods
Set up ingestion using one of the following object storage guides:
- AWS S3 Bucket
- AWS S3 Bucket with Custom SQS
- Google Cloud Storage
- Azure Blob Storage
- Cloudflare R2 Bucket
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications:
arn:aws:sns:<REGION>:253602268883:runreveal_cursor_audit_logs
Setup
Step 1: Configure Cursor Audit Log Export
Configure your Cursor workspace to export audit logs to object storage. Refer to the Cursor documentation for instructions on enabling exports and configuring your storage destination.
Step 2: Configure RunReveal Source
- In the RunReveal dashboard, navigate to Sources → Add Source
- Select Cursor Audit Logs
- Enter a Name for your source
- Select your Ingest Type and configure storage settings (bucket name, region, authentication)
For AWS S3, RunReveal can use cross-account IAM roles for secure access without storing credentials. See the S3 setup guide for details.
Verify It’s Working
Once added, logs should begin flowing after Cursor exports new logs to your storage. Verify ingestion in the Log Explorer:
SELECT * FROM cursor_audit_logs LIMIT 10
Query Examples
Recent login activity
SELECT
eventTime,
actor['username'] as user_email,
srcIP,
success,
eventData
FROM cursor_audit_logs
WHERE eventName = 'login'
ORDER BY eventTime DESC
LIMIT 100
API key operations
SELECT
eventTime,
actor['username'] as user_email,
action,
eventName,
srcIP
FROM cursor_audit_logs
WHERE eventName IN ('team_api_key', 'user_api_key', 'api_key')
AND action != ''
ORDER BY eventTime DESC
LIMIT 100
User management changes
SELECT
eventTime,
actor['username'] as actor,
eventName,
eventData
FROM cursor_audit_logs
WHERE eventName IN ('add_user', 'remove_user', 'update_user_role')
ORDER BY eventTime DESC
LIMIT 100
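API key operations from an unfamiliar source IP
The query below is an added example, not part of the RunReveal documentation: it combines the login and API key queries above to list API key operations in the last day whose source IP has no login event by the same user in the last 30 days. It assumes ClickHouse-style SQL and that eventTime is a DateTime column; both time windows are arbitrary choices.

```sql
-- Added example: API key operations from a (user, source IP) pair
-- that has not appeared in any login event during the baseline window.
-- Assumptions: ClickHouse SQL dialect; eventTime is a DateTime column.
SELECT
    eventTime,
    actor['username'] AS user_email,
    eventName,
    action,
    srcIP
FROM cursor_audit_logs
WHERE eventName IN ('team_api_key', 'user_api_key', 'api_key')
  AND action != ''
  -- Detection window: API key operations in the last 24 hours.
  AND eventTime >= now() - INTERVAL 1 DAY
  -- Baseline: every (user, source IP) pair seen in a login event
  -- over the last 30 days. Failed logins are counted too, because
  -- the type of the success column is not stated on this page.
  AND (actor['username'], srcIP) NOT IN (
      SELECT
          actor['username'],
          srcIP
      FROM cursor_audit_logs
      WHERE eventName = 'login'
        AND eventTime >= now() - INTERVAL 30 DAY
  )
ORDER BY eventTime DESC
LIMIT 100
```

Rows returned here are leads for review rather than confirmed incidents: a user on a new network or VPN exit will also match.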