Examples of requests for searching events in audit logs

March 31, 2025

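This section lists the most common requests for searching audit log events for various Yandex Cloud resources. Each example is given in two forms: a SQL request ("Run this request") and a filter expression ("Use a filter"). To get the events you need, take the matching example and replace the placeholders in angle brackets with your own values.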

Infrastructure and network

Yandex Compute Cloud

Any actions with a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.instance_id") = '<VM_ID>' and (
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.DeleteInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StartInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StopInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.RestartInstance')

You can get the VM ID from the list of VMs in the folder.

Use a filter:

json_payload.details.instance_id="<VM_ID>" and (
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.DeleteInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StartInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StopInstance" or
json_payload.event_type="yandex.cloud.audit.compute.RestartInstance")

You can get the VM ID from the list of VMs in the folder.

Adding an additional interface to a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.AttachInstanceNetworkInterface'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.compute.AttachInstanceNetworkInterface"

Adding access to a VM serial console

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_serial_port_enable") = '1'

Use a filter:

(json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance") and
json_payload.details.metadata_serial_port_enable="1"

Creating or modifying a VM configured to get a token via AWS IMDSv1

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_options.aws_v1_http_token") = 'ENABLED'

Use a filter:

(json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance") and
json_payload.details.metadata_options.aws_v1_http_token="ENABLED"

Yandex Virtual Private Cloud

Any actions from a particular IP address

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.request_metadata.remote_address") = '<IP_address>'

Use a filter:

json_payload.request_metadata.remote_address = "<IP_address>"

Adding a public IP address to a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.AddressAttached'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.network.AddressAttached"

Creating or modifying a security group

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.CreateSecurityGroup' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.UpdateSecurityGroup'

Use a filter:

json_payload.event_type="yandex.cloud.audit.network.CreateSecurityGroup" or
json_payload.event_type="yandex.cloud.audit.network.UpdateSecurityGroup"

Monitoring and resource management

Yandex Cloud Organization

Deleting a folder

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.resourcemanager.DeleteFolder' and
  JSON_VALUE(data,"$.details.folder_name") = '<folder_name>'

You can get the folder name from the list of folders in the cloud.

Use a filter:

json_payload.event_type="yandex.cloud.audit.resourcemanager.DeleteFolder" and json_payload.details.folder_name="<folder_name>"

You can get the folder name from the list of folders in the cloud.

Creating a federation

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateFederation'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateFederation"

Editing a federation

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.UpdateFederation'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.UpdateFederation"

Adding a certificate to a federation

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateCertificate'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateCertificate"

Discovering a cloud secret in the public domain

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.DetectLeakedCredential'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.DetectLeakedCredential"

Containers

Yandex Managed Service for Kubernetes

Creating a cluster with a public IP address of the master

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and
  JSON_EXISTS(data,"$.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and
json_payload.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address exists

Creating a cluster without a security group for the master

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.security_group_ids")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.security_group_ids exists

Creating a cluster without master autoupdate

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.maintenance_policy.auto_upgrade")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.maintenance_policy.auto_upgrade exists

Creating a cluster without etcd encryption

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.kms_provider.key_id")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.kms_provider.key_id exists

Creating a cluster without network policies

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.network_policy.provider")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.network_policy.provider exists

Creating a group of nodes with public IP addresses

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and 
  JSON_EXISTS(data,"$.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateNodeGroup") and
json_payload.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec exists

Creating a node group without autoupdate

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and not
  JSON_EXISTS(data,"$.request_parameters.maintenance_policy.auto_upgrade")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateNodeGroup") and not
json_payload.request_parameters.maintenance_policy.auto_upgrade exists
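
The Managed Service for Kubernetes checks above can also be run in one pass over exported audit log events. The following is an added example, not Yandex Cloud code: the event types and field paths are taken from the requests above, while the function names and the sample events are constructed for illustration.

```python
K8S = "yandex.cloud.audit.k8s."
RP = "request_parameters."
# (finding, event types, dotted path, True if the path must exist to match)
CHECKS = [
    ("public master address", {"CreateCluster"},
     RP + "master_spec.zonal_master_spec.external_v4_address_spec.address", True),
    ("no master security group", {"CreateCluster", "UpdateCluster"},
     RP + "master_spec.security_group_ids", False),
    ("no master auto-upgrade", {"CreateCluster", "UpdateCluster"},
     RP + "master_spec.maintenance_policy.auto_upgrade", False),
    ("no etcd encryption key", {"CreateCluster"}, RP + "kms_provider.key_id", False),
    ("no network policy", {"CreateCluster"}, RP + "network_policy.provider", False),
    ("node group with public addresses", {"CreateNodeGroup", "UpdateNodeGroup"},
     RP + "node_template.v4_address_spec.one_to_one_nat_spec", True),
    ("no node group auto-upgrade", {"CreateNodeGroup", "UpdateNodeGroup"},
     RP + "maintenance_policy.auto_upgrade", False),
]

def path_exists(event, path):
    """Presence test, like JSON_EXISTS in the requests and `exists` in the filters."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True

def findings(event):
    """Return the names of every check the event matches."""
    etype = event.get("event_type", "")
    return [name for name, types, path, must_exist in CHECKS
            if etype in {K8S + t for t in types}
            and path_exists(event, path) == must_exist]

# Constructed sample events (not real audit log records).
WEAK_CLUSTER = {"event_type": K8S + "CreateCluster", "request_parameters": {
    "master_spec": {"zonal_master_spec": {
        "external_v4_address_spec": {"address": "203.0.113.10"}}}}}
HARDENED_CLUSTER = {"event_type": K8S + "CreateCluster", "request_parameters": {
    "master_spec": {"security_group_ids": ["<security_group_ID>"],
                    "maintenance_policy": {"auto_upgrade": True}},
    "kms_provider": {"key_id": "<key_ID>"}, "network_policy": {"provider": "CALICO"}}}
NODE_GROUP = {"event_type": K8S + "UpdateNodeGroup", "request_parameters": {
    "node_template": {"v4_address_spec": {"one_to_one_nat_spec": {}}},
    "maintenance_policy": {"auto_upgrade": True}}}
if __name__ == "__main__":
    for ev in (WEAK_CLUSTER, HARDENED_CLUSTER, NODE_GROUP):
        print(ev["event_type"], "->", findings(ev) or "no findings")
```

As in the requests above, these are presence tests: a field that is present but holds a disabling value (for example, auto_upgrade set to false) does not match the "no auto-upgrade" checks.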

Yandex Container Registry

Detecting critical vulnerabilities during image scanning

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.containerregistry.ScanImage' and
  cast(JSON_VALUE(data,"$.details.vulnerability_stats.critical") as Int64) > 0

Use a filter:

json_payload.event_type = "yandex.cloud.audit.containerregistry.ScanImage" and
json_payload.details.vulnerability_stats.critical > 0

Data platform

Yandex Object Storage

Updating bucket access policy

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketPolicyUpdate'

Use a filter:

json_payload.event_type="yandex.cloud.audit.storage.BucketPolicyUpdate"

Opening public access when creating or modifying a bucket

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketUpdate' and
  (JSON_VALUE(data,"$.details.objects_access") = 'true' or
  JSON_VALUE(data,"$.details.settings_read_access") = 'true' or
  JSON_VALUE(data,"$.details.list_access") = 'true')

Use a filter:

json_payload.event_type="yandex.cloud.audit.storage.BucketUpdate" and
(json_payload.details.objects_access: "true" or
json_payload.details.settings_read_access: "true" or
json_payload.details.list_access: "true")

Managed databases (MDB)

Creating or changing a user for MDB

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.CreateUser' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.CreateUser'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.CreateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.UpdateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.UpdateUser" or
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.CreateUser"

Security

Yandex Key Management Service

Updating roles for KMS keys

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings'

Use a filter:

json_payload.event_type="yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings"

Yandex Identity and Access Management

Actions of a given user over a period of time

Run this request:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.authentication.subject_name") = '<username>' and
  cast(JSON_VALUE(data, "$.event_time") as Timestamp) > Date("<period_start_date>") and
  cast(JSON_VALUE(data, "$.event_time") as Timestamp) < Date("<period_end_date>")
limit 10

Specify the date in YYYY-MM-DD format.

Use a filter:

json_payload.authentication.subject_name="<username>" and
json_payload.event_time>"<period_start_date>" and
json_payload.event_time<"<period_end_date>"

Specify the date in YYYY-MM-DD format.

Creating any keys for service accounts

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateAccessKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateApiKey'

Use a filter:

json_payload.event_type="yandex.cloud.audit.iam.CreateAccessKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateApiKey"

Assigning primitive privileged roles for resources

Run this request:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.access_binding_deltas.access_binding.role_id") = '<primitive_role>'

Use a filter:

json_payload.details.access_binding_deltas.access_binding.role_id="<primitive_role>"

Yandex Lockbox

Updating roles for secrets

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.UpdateSecretAccessBindings'

Use a filter:

json_payload.event_type="yandex.cloud.audit.lockbox.UpdateSecretAccessBindings"

Reading a secret

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.GetPayload'

Use a filter:

json_payload.event_type="yandex.cloud.audit.lockbox.GetPayload"
