RunReveal
SourcesSource Types

Serval Audit Logs

Serval tracks the provisioning and deprovisioning of entitlements and resources across your organization. Its audit log records all access-related actions — access requests, entitlement grants, deprovisionings, policy and role changes, and API key activity. These logs help security and compliance teams maintain audit trails, monitor privileged access, and build detections on identity and entitlement changes.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

API Polling

Serval supports API polling to collect audit log events from your organization via the audit log endpoint (GET /v2/audit-logs).

Setup

  1. Go to Sources in RunReveal
  2. Click the Serval source tile
  3. Give it a name
  4. Fill in your Bearer Token
  5. Click Connect Source

Bearer Token Configuration

Serval uses bearer token authentication. Requests are sent to https://public.api.serval.com with an Authorization: Bearer <token> header.

  1. Sign in to the Serval platform
  2. Create an API token with access to the audit log API
  3. Copy the token and paste it into RunReveal

Keep your token secret: The bearer token grants read access to your organization's audit log. RunReveal stores it encrypted and never returns it once saved.

Collected Events

Serval events carry a nested eventType object whose key identifies the action. RunReveal stores that key in the eventName field. Event types include:

  • Access lifecycle — access requests, provisioning, and deprovisioning (e.g. accessProvisioned, accessDeprovisioned)
  • Policy and role — access policy and custom role creation, updates, and deletion (e.g. accessPolicyCreated, customRoleGrantsSet)
  • Entitlements and entities — entitlement and entity lifecycle changes (e.g. entitlementCreated, entityDeleted)
  • API keys — API key creation and revocation (e.g. apiKeyCreated, apiKeyRevoked)
  • Identity — user creation, invitation, deactivation, login, and impersonation (e.g. userLogin, impersonationSessionStarted)
  • Configuration — org settings, SSO, and team changes (e.g. orgSettingsChanged, ssoConfigChanged)

Event Data Structure

Each audit event includes:

  • Event ID and Type — Unique identifier (id) and the nested eventType key
  • Timestamp — When the action occurred (timestamp, RFC 3339)
  • Actor Information — Actor ID plus the actor variant (user, API key, system, worker, or impersonated user) and its display details
  • Network Context — Source IP address and user agent
  • Outcome — Result of the attempted action (status, reasonCode) and the actor's justification when supplied

Data Collection

  • Collection Method: API polling every 5 minutes
  • Backfill: On first connection RunReveal ingests the last 24 hours of audit history
  • Event Format: JSON with normalized fields for consistent querying

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: serval_logs (50 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeString
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
dstASOrganizationString
dstCityString
dstConnectionTypeString
ColumnType
dstISPString
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
serviceNameString
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
auditIDString
teamIDString
eventTypeString
actorIDString
actorTypeString
actorApiKeyDisplayNameString
actorUserEmailString
actorUserNameString
ipAddressString
userAgentString
outcomeStatusString
outcomeReasonCodeString
outcomeReasonDetailString
justificationString

On this page