Genesys Cloud - Main

  Thread closed by the administrator, not accepting new replies.
  • 1.  Audit user deleted

    Posted 07-08-2025 06:01

    Hi community,

    I'm analysing why/how/who one of the users was deleted, and via the audit API I see this:

    {
      "id": "b45f023b-8eff-4cec-b94b-7ea7XXXXXXX",
      "pageSize": 25,
      "entities": [
        {
          "id": "05c3e872-8655-48ae-9cbb-5XXXXX",
          "user": {
            "id": "SYSTEM",
            "selfUri": "/api/v2/users/SYSTEM"
          },
          "client": {
            "id": ""
          },
          "remoteIp": [
            "85.241.X.Y"
          ],
          "serviceName": "Directory",
          "level": "USER",
          "eventDate": "2025-06-25T14:59:07Z",
          "action": "Delete",
          "entity": {
            "id": "50b7c434-f7ff-4b13-8369-9e3XXXXXX"
          },
          "entityType": "User",
          "status": "SUCCESS",
          "application": "",
          "initiatingAction": {},
          "transactionInitiator": false,
          "propertyChanges": [
            {
              "property": "state",
              "oldValues": [
                "active"
              ],
              "newValues": [
                "deleted"
              ]
            },
            {
              "property": "addresses",
              "oldValues": [],
              "newValues": [
                "{\"email_main\": [{\"value\": \"user@domain.com\", \"_id\": \"2PaRQlQFDxKgannyXXXX\", \"labelKey\": \"email_main\"}], \"chat\": [{\"_id\": \"2BXC3w9PdzJh73XXXXXX\", \"value\": {\"jid\": \"64f833fba57f191a3XXXXX@orgname.orgspan.com\"}, \"labelKey\": \"chat\"}]}"
              ]
            },
            {
              "property": "divisionId",
              "oldValues": [
                "59898733-c838-4a0d-84f5-ae495XXXXXX"
              ],
              "newValues": [
                "6373c08e-d61c-4ca0-a638-e0d2fXXXXXX"
              ]
            }
          ],
          "context": {},
          "entityChanges": []
        }
      ]
    }

    I suspect that it may be from an OAuth client with client credentials, but without that information I cannot be sure. Any idea whether that information is here and I didn't see it, or where else I can find it?

    Thanks in advance


    #API/Integrations

    ------------------------------
    Nuno Paulo
    ------------------------------


  • 2.  RE: Audit user deleted

    Posted 07-08-2025 09:31

    Hello Nuno,

    The empty client.id suggests this might not have been a direct OAuth client credentials flow, as those typically leave a client ID signature. This could be a system-level automation, a cascading delete from another operation, or an internal system process.

    For further investigation, I recommend checking the audit for related upstream or downstream events around the same timestamp, looking for other audit events from the same RemoteIP address, checking OAuth client activity logs around the same time, and reviewing the asynchronous audit queries via API for additional context.

    Hope this helps!



    ------------------------------
    Cameron
    Online Community Manager/Moderator
    ------------------------------
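
The correlation suggested in the reply above (events near the same timestamp, from the same remote IP, or on the same entity), as an added example that is not part of the thread and not Genesys code. It runs offline on audit entities already retrieved; the sample records, their IDs and the 10-minute window are constructed assumptions, and only field names visible in the posted response are used.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread); field names follow the posted response.
SAMPLE = [
    {"id": "ev-1", "user": {"id": "user-aaa"}, "client": {"id": "client-123"},
     "remoteIp": ["203.0.113.7"], "eventDate": "2025-06-25T14:55:10Z",
     "action": "Update", "entityType": "User", "entity": {"id": "user-target"}},
    {"id": "ev-2", "user": {"id": "SYSTEM"}, "client": {"id": ""},
     "remoteIp": ["203.0.113.7"], "eventDate": "2025-06-25T14:59:07Z",
     "action": "Delete", "entityType": "User", "entity": {"id": "user-target"}},
    {"id": "ev-3", "user": {"id": "user-bbb"}, "client": {"id": ""},
     "remoteIp": ["198.51.100.9"], "eventDate": "2025-06-25T14:58:00Z",
     "action": "Update", "entityType": "User", "entity": {"id": "user-other"}},
    {"id": "ev-4", "user": {"id": "user-aaa"}, "client": {"id": "client-123"},
     "remoteIp": ["203.0.113.7"], "eventDate": "2025-06-25T16:30:00Z",
     "action": "Update", "entityType": "User", "entity": {"id": "user-other"}},
]

def parse_ts(value):
    # Accepts the "Z" suffix seen in eventDate on all Python 3.7+ versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate(entities, deleted_user_id, window=timedelta(minutes=10)):
    """Find the User Delete event and nearby events sharing its IP or entity."""
    target = next((e for e in entities
                   if e.get("action") == "Delete" and e.get("entityType") == "User"
                   and e.get("entity", {}).get("id") == deleted_user_id), None)
    if target is None:
        return None, []
    t0, ips = parse_ts(target["eventDate"]), set(target.get("remoteIp") or [])
    related = []
    for e in entities:
        # Skip the delete itself and anything outside the time window.
        if e is target or abs(parse_ts(e["eventDate"]) - t0) > window:
            continue
        reasons = []
        if ips & set(e.get("remoteIp") or []):
            reasons.append("same_ip")
        if e.get("entity", {}).get("id") == deleted_user_id:
            reasons.append("same_entity")
        if reasons:
            related.append({"id": e["id"], "eventDate": e["eventDate"],
                            "actor": e.get("user", {}).get("id"),
                            "client": e.get("client", {}).get("id") or None,
                            "reasons": reasons})
    return target, sorted(related, key=lambda r: parse_ts(r["eventDate"]))

if __name__ == "__main__":
    delete_event, related = correlate(SAMPLE, "user-target")
    for r in related:
        print(r)
```

A related event that carries a named actor or a non-empty client is the lead to follow when the delete itself shows only SYSTEM and an empty client.id.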