Active list item was successfully deleted or operation was unsuccessful

Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.

The event can be assigned the succeeded or failed status.

Since the request to delete an active list item is made over a remote connection, a data transfer error may occur at any moment: both before and after deletion.

This means that the active list item may be deleted successfully, but the event is assigned the failed status, because EventOutcome returns the TCP/IP connection status of the request, but not the succeeded or failed status of the active list item deletion.

Event field name

Field value

DeviceAction

active list item deleted

EventOutcome

succeeded or failed

SourceTranslatedAddress

This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty.

SourceAddress

The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address.

SourcePort

Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side.

SourceUserName

User login that was used to delete the item from the active list.

SourceUserID

User ID that was used to delete the item from the active list.

DeviceExternalID

Service ID whose active list was cleared.

ExternalID

Active list ID.

Name

Active list name.

DeviceCustomString1

Key name.

DeviceCustomString1Label

key

Message

If EventOutcome = failed, an error message can be found here.

DeviceCustomString5

Service tenant ID. Some errors prevent adding tenant information to the event.

DeviceCustomString5Label

tenant ID

DeviceCustomString6

Tenant name.

DeviceCustomString6Label

tenant name

Page top