From edfc14d1966cbe784628026e2f38469911d76a2f Mon Sep 17 00:00:00 2001
From: misraved
Date: Thu, 30 Jan 2025 17:16:33 +0530
Subject: [PATCH] docs: update tables documentation for token creations and workspace deletions
---
 docs/tables/index.md | 4 +--
 docs/tables/queries.md | 74 +++++++++++++++++++++++++++++++++++++-----
 2 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/docs/tables/index.md b/docs/tables/index.md
index 7143209..30f568e 100644
--- a/docs/tables/index.md
+++ b/docs/tables/index.md
@@ -46,7 +46,7 @@ tailpipe collect pipes_audit_log.my_logs
 **[Explore 40+ example queries for this table →](https://hub.tailpipe.io/plugins/turbot/pipes/queries/pipes_audit_log)**
-### Role assigments
+### Token creations
 List role assignments to check for unexpected or suspicious role changes.
@@ -60,7 +60,7 @@ select
 from
 pipes_audit_log
 where
- action_type = 'role_assignment'
+ action_type = 'token.create'
 order by
 created_at desc;
 ```
diff --git a/docs/tables/queries.md b/docs/tables/queries.md
index 578c861..10100b9 100644
--- a/docs/tables/queries.md
+++ b/docs/tables/queries.md
@@ -53,9 +53,9 @@ order by
 ## Detection Examples
-### High privilege role assignments
+### Unusual Workspace Deletions
-Detect when high-privilege roles were assigned.
+Detect when multiple workspaces are deleted in a short period.
 ```sql
 select
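Review bot: The description under the renamed heading in docs/tables/index.md still reads `List role assignments to check for unexpected or suspicious role changes.`, although the heading is now "Token creations" and the query in the following hunk filters on `action_type = 'token.create'`. Someone triaging from this page would be told the rows are role changes when they are token creation events. Suggest replacing that sentence with `List token creations to check for unexpected or suspicious new tokens.`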
@@ -66,25 +66,83 @@ select
 from
 pipes_audit_log
 where
- action_type = 'role_assignment'
+ action_type = 'workspace.delete'
+group by
+ created_at, actor_handle, target_handle, action_type
+having
+ count(*) > 2
 order by
 created_at desc;
 ```
-### Unusual login attempts
+### High Privilege Role Changes
-Identify failed login attempts and unusual authentication failures.
+Identify when members of an organization or tenant are updated or removed.
 ```sql
 select
 created_at,
 actor_handle,
- action_type,
- actor_ip
+ target_handle,
+ action_type
+from
+ pipes_audit_log
+where
+ action_type in ('org.member.update', 'org.member.delete', 'tenant.member.update', 'tenant.member.delete')
+order by
+ created_at desc;
+```
+
+### Unauthorized Token Activity
+
+Detect unusual token creation, updates, or deletions.
+
+```sql
+select
+ created_at,
+ actor_handle,
+ target_handle,
+ action_type
+from
+ pipes_audit_log
+where
+ action_type in ('token.create', 'token.update', 'token.delete')
+order by
+ created_at desc;
+```
+
+### Organization Subscription Cancellations
+
+Monitor if organization or user subscriptions are being canceled.
+
+```sql
+select
+ created_at,
+ actor_handle,
+ target_handle,
+ action_type
+from
+ pipes_audit_log
+where
+ action_type in ('org.subscription.canceled', 'user.subscription.canceled')
+order by
+ created_at desc;
+```
+
+### Workspace Schema Changes
+
+Track modifications in workspace schemas.
+
+```sql
+select
+ created_at,
+ actor_handle,
+ target_handle,
+ action_type
 from
 pipes_audit_log
 where
- action_type in ('login_failed', 'unauthorized_access')
+ action_type in ('workspace.schema.create', 'workspace.schema.update', 'workspace.schema.delete', 'workspace.schema.attach', 'workspace.schema.detach')
 order by
 created_at desc;
 ```
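Review bot: The `group by created_at, actor_handle, target_handle, action_type` added to the workspace-deletion query cannot detect a burst, because every group is one timestamp and one target, so `count(*) > 2` fires only when the same target is logged as deleted three times at the identical instant. To match the stated goal ("multiple workspaces are deleted in a short period") the grouping needs a time bucket plus the actor, with the targets counted rather than grouped. The select list sits above this hunk and would have to change with it. The one-hour bucket and the threshold below are illustrative, `date_trunc` assumes the DuckDB dialect Tailpipe queries run on, and `target_handle` is presumed to identify the deleted workspace. A fixed bucket splits a burst that straddles the hour boundary, so a sliding window is worth considering if that matters.

```sql
select
  date_trunc('hour', created_at) as deletion_hour,
  actor_handle,
  count(distinct target_handle) as workspaces_deleted
-- … unchanged: from pipes_audit_log where action_type = 'workspace.delete' …
group by
  date_trunc('hour', created_at),
  actor_handle
having
  count(distinct target_handle) > 2
order by
  deletion_hour desc;
```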