| Members and permissions | One or more people were invited to join the organization. |
| Members and permissions | A user became an organization member, such as through invitation acceptance, SCIM provisioning, SSO just-in-time joining, project invite, or team transfer. |
| Members and permissions | A member's organization-level role was changed. |
| Members and permissions | A member was removed from the organization, including manual removal or SCIM deprovisioning. |
| Members and permissions | An organization member was added to a team. |
| Members and permissions | A member's role within an organization team was changed. |
| Members and permissions | A member was removed from an organization team. |
| Members and permissions | Team membership was updated by SAML group mapping or directory sync. |
| Organization boundary | An existing team was moved into the organization. |
| Members and permissions | A custom organization project role was created. |
| Members and permissions | A custom organization project role was changed, such as its name or permissions. |
| Members and permissions | A custom organization project role was deleted. |
| Access tokens | An access token was created. Token values are not exposed. |
| Access tokens | Access token settings were changed. Token values are not exposed. |
| Access tokens | An access token was regenerated or rotated. Old and new token values are not exposed. |
| Access tokens | An access token was deleted or revoked. |
| Authentication and sessions | A user signed in successfully. |
| Authentication and sessions | A sign-in attempt failed. |
| Authentication and sessions | A SAML SSO sign-in failed. |
| Authentication and sessions | A user signed out. |
| SSO and SCIM | The organization's SSO configuration was created or changed. |
| SSO and SCIM | The SCIM provisioning token was reset or regenerated. The token value is not exposed. |
| SSO and SCIM | A user was provisioned through SCIM. |
| SSO and SCIM | A user was deprovisioned through SCIM. |
| Data export | A data export request or export job was created. |
| Audit log activity | Audit logs were exported, such as through a CSV export. |
| Public access governance | A Docs Site's visibility or access settings changed. |
| Public access governance | A Docs Site domain setting changed, including custom domain changes. |
| Public access governance | A shared document's visibility or access settings changed. |
| Public access governance | Password protection for a shared document changed. Password values are not exposed. |
| Vault and secrets | A vault provider configuration was created, changed, or deleted. Secret configuration values are not exposed. |
| Vault and secrets | Vault secret entries were changed. Secret values are not exposed. |
| Authentication and sessions | A user completed a password reset. |
| Authorization | Access to a protected resource or action was denied. |
| Audit log activity | Audit logs were queried through the Audit Logs API. |