Serval Audit Logs
Serval tracks the provisioning and deprovisioning of entitlements and resources across your organization. Its audit log records all access-related actions — access requests, entitlement grants, deprovisionings, policy and role changes, and API key activity. These logs help security and compliance teams maintain audit trails, monitor privileged access, and build detections on identity and entitlement changes.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
API Polling
Serval supports API polling to collect audit log events from your organization via the audit log endpoint (GET /v2/audit-logs).
Setup
- Go to Sources in RunReveal
- Click the Serval source tile
- Give it a name
- Fill in your Bearer Token
- Click Connect Source
Bearer Token Configuration
Serval uses bearer token authentication. Requests are sent to https://public.api.serval.com with an Authorization: Bearer <token> header.
- Sign in to the Serval platform
- Create an API token with access to the audit log API
- Copy the token and paste it into RunReveal
Keep your token secret: The bearer token grants read access to your organization's audit log. RunReveal stores it encrypted and never returns it once saved.
Collected Events
Serval events carry a nested eventType object whose key identifies the action. RunReveal stores that key in the eventName field. Event types include:
- Access lifecycle — access requests, provisioning, and deprovisioning (e.g.
accessProvisioned,accessDeprovisioned) - Policy and role — access policy and custom role creation, updates, and deletion (e.g.
accessPolicyCreated,customRoleGrantsSet) - Entitlements and entities — entitlement and entity lifecycle changes (e.g.
entitlementCreated,entityDeleted) - API keys — API key creation and revocation (e.g.
apiKeyCreated,apiKeyRevoked) - Identity — user creation, invitation, deactivation, login, and impersonation (e.g.
userLogin,impersonationSessionStarted) - Configuration — org settings, SSO, and team changes (e.g.
orgSettingsChanged,ssoConfigChanged)
Event Data Structure
Each audit event includes:
- Event ID and Type — Unique identifier (
id) and the nestedeventTypekey - Timestamp — When the action occurred (
timestamp, RFC 3339) - Actor Information — Actor ID plus the actor variant (user, API key, system, worker, or impersonated user) and its display details
- Network Context — Source IP address and user agent
- Outcome — Result of the attempted action (
status,reasonCode) and the actor'sjustificationwhen supplied
Data Collection
- Collection Method: API polling every 5 minutes
- Backfill: On first connection RunReveal ingests the last 24 hours of audit history
- Event Format: JSON with normalized fields for consistent querying
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: serval_logs (50 columns)
serval_logs (50 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
| Column | Type |
|---|---|
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
auditID | String |
teamID | String |
eventType | String |
actorID | String |
actorType | String |
actorApiKeyDisplayName | String |
actorUserEmail | String |
actorUserName | String |
ipAddress | String |
userAgent | String |
outcomeStatus | String |
outcomeReasonCode | String |
outcomeReasonDetail | String |
justification | String |
Helpful Links
- Serval Audit Log API - Reference for the audit log endpoint
- Serval API Reference - Public API overview