Examples of requests for searching events in audit logs

Written by
Yandex Cloud
Updated at March 31, 2025

This section contains the most common requests for searching events in audit logs for various Yandex Cloud resources. To get the events you need, run the request from the examples provided.

Infrastructure and network

  • Yandex Compute Cloud
    • Any actions with a VM
    • Adding an additional interface to a VM
    • Adding access to a VM serial console
    • Creating or modifying a VM configured to get a token via AWS IMDSv1
  • Yandex Virtual Private Cloud
    • Any actions from a particular IP address
    • Adding a public IP address to a VM
    • Creating or modifying a security group

Monitoring and resource management

  • Yandex Cloud Organization
    • Deleting a folder
    • Creating a federation
    • Editing a federation
    • Adding a certificate to a federation
    • Discovering a cloud secret in the public domain

Containers

  • Yandex Managed Service for Kubernetes
    • Creating a cluster with a public IP address of the master
    • Creating a cluster without a security group for the master
    • Creating a cluster without master autoupdate
    • Creating a cluster without etcd encryption
    • Creating a cluster without network policies
    • Creating a group of nodes with public IP addresses
    • Creating a cluster without node group autoupdate
  • Yandex Container Registry
    • Detecting critical vulnerabilities during image scanning

Data platform

  • Yandex Object Storage
    • Updating bucket access policy
    • Opening public access when creating or modifying a bucket
  • Managed databases (MDB)
    • Creating or changing a user for MDB

Security

  • Yandex Key Management Service
    • Updating roles for KMS keys
  • Yandex Identity and Access Management
    • Actions of a given user over a period of time
    • Creating any keys for service accounts
    • Assigning primitive privileged roles for resources
  • Yandex Lockbox
    • Updating roles for secrets
    • Reading a secret

Infrastructure and network

Yandex Compute Cloud

Any actions with a VM

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.instance_id") = '<VM_ID>' and (
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.DeleteInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StartInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StopInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.RestartInstance')

You can get the VM ID from the list of VMs in the folder.

Use this filter in Yandex Cloud Logging:

json_payload.details.instance_id="<VM_ID>" and (
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.DeleteInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StartInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StopInstance" or
json_payload.event_type="yandex.cloud.audit.compute.RestartInstance")

You can get the VM ID from the list of VMs in the folder.

Adding an additional interface to a VM

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.AttachInstanceNetworkInterface'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.compute.AttachInstanceNetworkInterface"

Adding access to a VM serial console

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_serial_port_enable") = '1'

Use this filter in Yandex Cloud Logging:

(json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance") and
json_payload.details.metadata_serial_port_enable="1"

Creating or modifying a VM configured to get a token via AWS IMDSv1

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_options.aws_v1_http_token") = 'ENABLED'

Use this filter in Yandex Cloud Logging:

(json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance") and
json_payload.details.metadata_options.aws_v1_http_token="ENABLED"

Yandex Virtual Private Cloud

Any actions from a particular IP address

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.request_metadata.remote_address") = '<IP_address>' 

Use this filter in Yandex Cloud Logging:

json_payload.request_metadata.remote_address = "<IP_address>"

Adding a public IP address to a VM

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.AddressAttached'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.network.AddressAttached"

Creating or modifying a security group

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.CreateSecurityGroup' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.UpdateSecurityGroup'

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.network.CreateSecurityGroup" or
json_payload.event_type="yandex.cloud.audit.network.UpdateSecurityGroup"

Monitoring and resource management

Yandex Cloud Organization

Deleting a folder

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.resourcemanager.DeleteFolder' and
  JSON_VALUE(data,"$.details.folder_name") = '<folder_name>'

You can get the folder name from the list of folders in the cloud.

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.resourcemanager.DeleteFolder" and json_payload.details.folder_name="<folder_name>"

You can get the folder name from the list of folders in the cloud.

Creating a federation

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateFederation'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateFederation"

Editing a federation

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.UpdateFederation'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.UpdateFederation"

Adding a certificate to a federation

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateCertificate'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateCertificate"

Discovering a cloud secret in the public domain

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.DetectLeakedCredential'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.DetectLeakedCredential"

Containers

Yandex Managed Service for Kubernetes

Creating a cluster with a public IP address of the master

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and
  JSON_EXISTS(data,"$.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address")

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and
json_payload.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address exists

Creating a cluster without a security group for the master

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.security_group_ids")

Use this filter in Yandex Cloud Logging:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.security_group_ids exists

Creating a cluster without master autoupdate

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.maintenance_policy.auto_upgrade")

Use this filter in Yandex Cloud Logging:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.maintenance_policy.auto_upgrade exists

Creating a cluster without etcd encryption

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.kms_provider.key_id")

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.kms_provider.key_id exists

Creating a cluster without network policies

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.network_policy.provider")

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.network_policy.provider exists

Creating a group of nodes with public IP addresses

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and 
  JSON_EXISTS(data,"$.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec")

Use this filter in Yandex Cloud Logging:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateNodeGroup") and
json_payload.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec exists

Creating a cluster without node group autoupdate

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and not
  JSON_EXISTS(data,"$.request_parameters.maintenance_policy.auto_upgrade")

Use this filter in Yandex Cloud Logging:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateNodeGroup") and not
json_payload.request_parameters.maintenance_policy.auto_upgrade exists
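
The five cluster-level checks in this section, applied offline to exported audit events. This is an added example, not part of the original documentation: the event types and field paths are the ones used in the requests above, while the sample events and the `event_id` key used for reporting are constructed assumptions.

```python
import json

CREATE = "yandex.cloud.audit.k8s.CreateCluster"
UPDATE = "yandex.cloud.audit.k8s.UpdateCluster"
RP = "request_parameters."

# (finding, event types, field path from the requests above, fire when the field exists?)
RULES = [
    ("public master IP", {CREATE},
     RP + "master_spec.zonal_master_spec.external_v4_address_spec.address", True),
    ("no master security group", {CREATE, UPDATE},
     RP + "master_spec.security_group_ids", False),
    ("no master auto-upgrade", {CREATE, UPDATE},
     RP + "master_spec.maintenance_policy.auto_upgrade", False),
    ("no etcd encryption", {CREATE}, RP + "kms_provider.key_id", False),
    ("no network policy", {CREATE}, RP + "network_policy.provider", False),
]


def path_exists(event, dotted_path):
    """Stand-in for JSON_EXISTS / `exists`: every key on the path is present."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True


def findings(event):
    """Names of the rules that match one audit event."""
    etype = event.get("event_type")
    return [name for name, types, path, want in RULES
            if etype in types and path_exists(event, path) is want]


def triage(lines):
    """Map event_id -> findings for JSON-lines input; clean events are omitted."""
    report = {}
    for line in lines:
        if line.strip():
            event = json.loads(line)
            hits = findings(event)
            if hits:
                report[event.get("event_id", "<no id>")] = hits
    return report


# Constructed sample events (not real log data).
SAMPLE = [json.dumps(e) for e in (
    {"event_id": "evt-1", "event_type": CREATE, "request_parameters": {
        "master_spec": {
            "zonal_master_spec": {"external_v4_address_spec": {"address": "203.0.113.10"}},
            "security_group_ids": ["sg-constructed"],
            "maintenance_policy": {"auto_upgrade": True}},
        "kms_provider": {"key_id": "key-constructed"},
        "network_policy": {"provider": "CALICO"}}},
    {"event_id": "evt-2", "event_type": CREATE, "request_parameters": {
        "master_spec": {"zonal_master_spec": {"zone_id": "ru-central1-a"}}}},
    # An update that only renames the cluster: the absence-based rules still fire.
    {"event_id": "evt-3", "event_type": UPDATE, "request_parameters": {"name": "renamed"}},
    {"event_id": "evt-4", "event_type": "yandex.cloud.audit.compute.CreateInstance"},
)]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE).items():
        print(event_id, hits)
```

An UpdateCluster request that does not mention `master_spec` at all (evt-3) matches both absence-based rules, so expect such updates in the results and check them against the cluster's current configuration.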

Yandex Container Registry

Detecting critical vulnerabilities during image scanning

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.containerregistry.ScanImage' and
  JSON_VALUE(data,"$.details.vulnerability_stats.critical") > 0

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.containerregistry.ScanImage" and
json_payload.details.vulnerability_stats.critical > 0

Data platform

Yandex Object Storage

Updating bucket access policy

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketPolicyUpdate'

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.storage.BucketPolicyUpdate"

Opening public access when creating or modifying a bucket

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketUpdate' and
  (JSON_VALUE(data,"$.details.objects_access") = 'true' or
  JSON_VALUE(data,"$.details.settings_read_access") = 'true' or
  JSON_VALUE(data,"$.details.list_access") = 'true')

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.storage.BucketUpdate" and
(json_payload.details.objects_access: "true" or
json_payload.details.settings_read_access: "true" or
json_payload.details.list_access: "true")

Managed databases (MDB)

Creating or changing a user for MDB

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.CreateUser' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.CreateUser'

Use this filter in Yandex Cloud Logging:

json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.CreateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.UpdateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.UpdateUser" or
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.CreateUser"

Security

Yandex Key Management Service

Updating roles for KMS keys

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings'

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings"

Yandex Identity and Access Management

Actions of a given user over a period of time

Run this request in Yandex Query:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.authentication.subject_name") = '<username>' and
  cast(JSON_VALUE(data, "$.event_time") as Timestamp) > Date("<period_start_date>")
limit 10

Specify the date in YYYY-MM-DD format.

Use this filter in Yandex Cloud Logging:

json_payload.authentication.subject_name="<username>" and
json_payload.event_time>"<period_start_date>" and
json_payload.event_time<"<period_end_date>"

Specify the date in YYYY-MM-DD format.

Creating any keys for service accounts

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateAccessKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateApiKey'

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.iam.CreateAccessKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateApiKey"

Assigning primitive privileged roles for resources

Run this request in Yandex Query:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.access_binding_deltas.access_binding.role_id") = '<primitive_role>'

Use this filter in Yandex Cloud Logging:

json_payload.details.access_binding_deltas.access_binding.role_id="<primitive_role>"

Yandex Lockbox

Updating roles for secrets

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.UpdateSecretAccessBindings' 

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.lockbox.UpdateSecretAccessBindings"

Reading a secret

Run this request in Yandex Query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.GetPayload'

Use this filter in Yandex Cloud Logging:

json_payload.event_type="yandex.cloud.audit.lockbox.GetPayload"
