Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Examples of requests for searching events in audit logs

Written by
Updated at November 12, 2025

This section contains the most common queries for searching events in audit logs for various Yandex Cloud resources. To get the events you need, run one of the queries below.

Infrastructure and network

Monitoring and resource management

Containers

Data platform

Security

Searching for errors

Searching for permission denied errors

Infrastructure and network

Yandex Compute Cloud

Any actions with a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.instance_id") = '<VM_ID>' and (
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.DeleteInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StartInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.StopInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.RestartInstance')

You can get the ID with the list of VMs in the folder.

Use a filter:

json_payload.details.instance_id="<VM_ID>" and (
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.DeleteInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StartInstance" or
json_payload.event_type="yandex.cloud.audit.compute.StopInstance" or
json_payload.event_type="yandex.cloud.audit.compute.RestartInstance")

You can get the ID with the list of VMs in the folder.

Adding an additional interface to a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.AttachInstanceNetworkInterface'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.compute.AttachInstanceNetworkInterface"

Adding access to a VM serial console

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_serial_port_enable") = '1'

Use a filter:

json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance" and
json_payload.details.metadata_serial_port_enable="1"

Creating or modifying a VM configured to get a token via AWS IMDSv1

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance') and
  JSON_VALUE(data,"$.details.metadata_options.aws_v1_http_token") = 'ENABLED'

Use a filter:

(json_payload.event_type="yandex.cloud.audit.compute.UpdateInstance" or
json_payload.event_type="yandex.cloud.audit.compute.CreateInstance") and
json_payload.details.metadata_options.aws_v1_http_token="ENABLED"

Yandex Virtual Private Cloud

Any actions from a particular IP address

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.request_metadata.remote_address") = '<IP_address>'

Use a filter:

json_payload.request_metadata.remote_address = "<IP_address>"

Adding a public IP address to a VM

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.network.AddressAttached'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.network.AddressAttached"

Creating or modifying a security group

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.CreateInstance' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance'

Use a filter:

json_payload.event_type="yandex.cloud.audit.network.CreateSecurityGroup" or
json_payload.event_type="yandex.cloud.audit.network.UpdateSecurityGroup"

Monitoring and resource management

Yandex Identity Hub

Deleting a folder

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.resourcemanager.DeleteFolder' and
  JSON_VALUE(data,"$.details.folder_name") = '<folder_name>'

You can get the folder name with the list of folders in the cloud.

Searching by ID:

json_payload.event_type="yandex.cloud.audit.resourcemanager.DeleteFolder" and json_payload.details.folder_id="<folder_ID>"

Searching by name:

json_payload.event_type="yandex.cloud.audit.resourcemanager.DeleteFolder" and json_payload.details.folder_name="<folder_name>"

You can get the folder name with the list of folders in the cloud.

Creating a federation

Run this query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateFederation'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateFederation"

Editing a federation

Run this query:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.UpdateFederation'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.UpdateFederation"

Adding a certificate to a federation

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.saml.CreateCertificate'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.saml.CreateCertificate"

Detecting a publicly exposed cloud secret

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.organizationmanager.DetectLeakedCredential'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.organizationmanager.DetectLeakedCredential"

Containers

Yandex Managed Service for Kubernetes

Creating a cluster with a public IP address for the master

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and
  JSON_EXISTS(data,"$.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and
json_payload.request_parameters.master_spec.zonal_master_spec.external_v4_address_spec.address exists

Creating a cluster without a security group for the master

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.security_group_ids")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.security_group_ids exists

Creating a cluster without master autoupdate

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateCluster') and not
  JSON_EXISTS(data,"$.request_parameters.master_spec.maintenance_policy.auto_upgrade")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateCluster") and not
json_payload.request_parameters.master_spec.maintenance_policy.auto_upgrade exists

Creating a cluster without etcd encryption

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.kms_provider.key_id")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.kms_provider.key_id exists

Creating a cluster without network policies

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateCluster' and not
  JSON_EXISTS(data,"$.request_parameters.network_policy.provider")

Use a filter:

json_payload.event_type = "yandex.cloud.audit.k8s.CreateCluster" and not
json_payload.request_parameters.network_policy.provider exists

Creating a group of nodes with public IP addresses

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and 
  JSON_EXISTS(data,"$.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or
json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup") and
json_payload.request_parameters.node_template.v4_address_spec.one_to_one_nat_spec exists

Creating a cluster without node group autoupdate

Run this request:

select * from 
  bindings.`binding`
where
  (JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.CreateNodeGroup' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.k8s.UpdateNodeGroup') and not
  JSON_EXISTS(data,"$.request_parameters.maintenance_policy.auto_upgrade")

Use a filter:

(json_payload.event_type = "yandex.cloud.audit.k8s.CreateNodeGroup" or 
json_payload.event_type = "yandex.cloud.audit.k8s.UpdateNodeGroup") and not
json_payload.request_parameters.maintenance_policy.auto_upgrade exists

Yandex Container Registry

Detecting critical vulnerabilities during image scanning

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.containerregistry.ScanImage' and
  JSON_VALUE(data,"$.details.vulnerability_stats.critical") > 0

Use a filter:

json_payload.event_type = "yandex.cloud.audit.containerregistry.ScanImage" and
json_payload.details.vulnerability_stats.critical > 0

Data platform

Yandex Object Storage

Updating a bucket access policy

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketPolicyUpdate'

Use a filter:

json_payload.event_type="yandex.cloud.audit.storage.BucketPolicyUpdate"

Enabling public access when creating or updating a bucket

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.storage.BucketUpdate' and
  (JSON_VALUE(data,"$.details.objects_access") = 'true' or
  JSON_VALUE(data,"$.details.settings_read_access") = 'true' or
  JSON_VALUE(data,"$.details.list_access") = 'true')

Use a filter:

json_payload.event_type="yandex.cloud.audit.storage.BucketUpdate" and
(json_payload.details.objects_access: "true" or
json_payload.details.settings_read_access: "true" or
json_payload.details.list_access: "true")

Managed databases (MDB)

Creating or changing a user for MDB

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.CreateUser' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.postgresql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.UpdateUser' or 
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.mdb.mysql.CreateUser'

Use a filter:

json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.CreateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.postgresql.UpdateUser" or 
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.UpdateUser" or
json_payload.event_type = "yandex.cloud.audit.mdb.mysql.CreateUser"

Security

Yandex Key Management Service

Updating roles for KMS keys

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings'

Use a filter:

json_payload.event_type="yandex.cloud.audit.kms.UpdateSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetSymmetricKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.UpdateAsymmetricEncryptionKeyAccessBindings" or
json_payload.event_type="yandex.cloud.audit.kms.SetAsymmetricEncryptionKeyAccessBindings"

Yandex Identity and Access Management

Actions of a given user over a period of time

Run this request:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.authentication.subject_name") = '<username>' and
  cast(JSON_VALUE(data, "$.event_time") as Timestamp) > Date("<period_start_date>")
limit 10

Specify the date in YYYY-MM-DD format.

Use a filter:

json_payload.authentication.subject_name="<username>" and
json_payload.event_time>"<period_start_date>" and
json_payload.event_time<"<period_end_date>"

Specify the date in YYYY-MM-DD format.

Creating any keys for service accounts

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateAccessKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateKey' or
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.iam.CreateApiKey'

Use a filter:

json_payload.event_type="yandex.cloud.audit.iam.CreateAccessKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateKey" or
json_payload.event_type="yandex.cloud.audit.iam.CreateApiKey"

Assigning primitive privileged roles for resources

Run this request:

select * from
  bindings.`binding`
where
  JSON_VALUE(data,"$.details.access_binding_deltas.access_binding.role_id") = '<primitive_role>'

Use a filter:

json_payload.details.access_binding_deltas.access_binding.role_id="<primitive_role>"

Yandex Lockbox

Updating roles for secrets

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.UpdateSecretAccessBindings'

Use a filter:

json_payload.event_type="yandex.cloud.audit.lockbox.UpdateSecretAccessBindings"

Reading a secret

Run this request:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_type") = 'yandex.cloud.audit.lockbox.GetPayload'

Use a filter:

json_payload.event_type="yandex.cloud.audit.lockbox.GetPayload"

Searching for errors

Searching for permission denied errors

Searching for permission denied errors:

select * from 
  bindings.`binding`
where
  JSON_VALUE(data,"$.event_status") = 'ERROR' and
  JSON_VALUE(data,"$.error.code") = 7

json_payload.event_status = ERROR and json_payload.error.code = 7
Previous
Audit log management tools
Next
Configuring Yandex Query