> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Search > Search returns audit events filtered by finding, actor, type, or app. Authorized as VIEWER -- the same role required to read the finding itself. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/search/finding_audits openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/search/finding_audits: post: tags: - Findings summary: Search description: |- Search returns audit events filtered by finding, actor, type, or app. Authorized as VIEWER -- the same role required to read the finding itself. operationId: c1.api.finding.v1.FindingAuditService.Search requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.finding.v1.FindingAuditServiceSearchRequest responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.finding.v1.FindingAuditServiceSearchResponse description: Successful response x-codeSamples: - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.findingAudit.search(); console.log(result); } run(); components: schemas: c1.api.finding.v1.FindingAuditServiceSearchRequest: description: The FindingAuditServiceSearchRequest message. properties: actorPrincipalId: description: The actorPrincipalId field. type: - string - 'null' actorSubject: description: |- Partial match via full-text search over the denormalized actor email / display name column. type: - string - 'null' appId: description: Empty skips the filter; non-empty must be a 27-char alphanumeric id. type: - string - 'null' eventTypes: description: Filter by one or more event types. Empty means any. items: enum: - FINDING_AUDIT_EVENT_TYPE_UNSPECIFIED - FINDING_AUDIT_EVENT_TYPE_CREATED - FINDING_AUDIT_EVENT_TYPE_STATE_CHANGED - FINDING_AUDIT_EVENT_TYPE_SNOOZED - FINDING_AUDIT_EVENT_TYPE_SNOOZE_EXPIRED - FINDING_AUDIT_EVENT_TYPE_RISK_ACCEPTED - FINDING_AUDIT_EVENT_TYPE_RISK_ACCEPTANCE_EXPIRED - FINDING_AUDIT_EVENT_TYPE_SUPPRESSED - FINDING_AUDIT_EVENT_TYPE_UNSUPPRESSED - FINDING_AUDIT_EVENT_TYPE_RESOLVED - FINDING_AUDIT_EVENT_TYPE_REOPENED - FINDING_AUDIT_EVENT_TYPE_OWNER_CHANGED - FINDING_AUDIT_EVENT_TYPE_SEVERITY_OVERRIDDEN - FINDING_AUDIT_EVENT_TYPE_COMMENT - FINDING_AUDIT_EVENT_TYPE_TASK_CREATED - FINDING_AUDIT_EVENT_TYPE_TASK_CANCELLED - FINDING_AUDIT_EVENT_TYPE_EVIDENCE_UPDATED - FINDING_AUDIT_EVENT_TYPE_ROUTING_EVALUATED type: string x-speakeasy-unknown-values: allow type: - array - 'null' findingId: description: |- Filter to a single finding. The detail-page timeline uses this. Empty skips the filter; non-empty must be a 27-char alphanumeric id. type: - string - 'null' pageSize: description: The pageSize field. format: int32 type: - integer - 'null' pageToken: description: The pageToken field. type: - string - 'null' since: format: date-time type: - string - 'null' until: format: date-time type: - string - 'null' title: Finding Audit Service Search Request type: object x-speakeasy-name-override: FindingAuditServiceSearchRequest c1.api.finding.v1.FindingAuditServiceSearchResponse: description: The FindingAuditServiceSearchResponse message. properties: list: description: The list field. items: $ref: '#/components/schemas/c1.api.finding.v1.FindingAuditEvent' type: - array - 'null' nextPageToken: description: The nextPageToken field. type: - string - 'null' title: Finding Audit Service Search Response type: object x-speakeasy-name-override: FindingAuditServiceSearchResponse c1.api.finding.v1.FindingAuditEvent: description: |- FindingAuditEvent is one row in a finding's audit stream. The metadata columns are denormalized from the side-index so the list view renders without hydrating the full OCSF payload for every row; ocsf is set to the parsed OCSF event JSON for callers that want the per-event detail. properties: actorPrincipalId: description: |- Principal id of the actor that performed the action. Empty for system-driven events (snooze expiry, risk-acceptance expiry). type: - string - 'null' actorSubject: description: |- Display string for the actor (email for human users, "system" for cron sweeps). type: - string - 'null' appId: description: The appId field. type: - string - 'null' bulkOperationId: description: Stable id grouping events from the same bulk operation. type: - string - 'null' createdAt: format: date-time type: - string - 'null' eventId: description: The eventId field. type: - string - 'null' eventType: description: The eventType field. enum: - FINDING_AUDIT_EVENT_TYPE_UNSPECIFIED - FINDING_AUDIT_EVENT_TYPE_CREATED - FINDING_AUDIT_EVENT_TYPE_STATE_CHANGED - FINDING_AUDIT_EVENT_TYPE_SNOOZED - FINDING_AUDIT_EVENT_TYPE_SNOOZE_EXPIRED - FINDING_AUDIT_EVENT_TYPE_RISK_ACCEPTED - FINDING_AUDIT_EVENT_TYPE_RISK_ACCEPTANCE_EXPIRED - FINDING_AUDIT_EVENT_TYPE_SUPPRESSED - FINDING_AUDIT_EVENT_TYPE_UNSUPPRESSED - FINDING_AUDIT_EVENT_TYPE_RESOLVED - FINDING_AUDIT_EVENT_TYPE_REOPENED - FINDING_AUDIT_EVENT_TYPE_OWNER_CHANGED - FINDING_AUDIT_EVENT_TYPE_SEVERITY_OVERRIDDEN - FINDING_AUDIT_EVENT_TYPE_COMMENT - FINDING_AUDIT_EVENT_TYPE_TASK_CREATED - FINDING_AUDIT_EVENT_TYPE_TASK_CANCELLED - FINDING_AUDIT_EVENT_TYPE_EVIDENCE_UPDATED - FINDING_AUDIT_EVENT_TYPE_ROUTING_EVALUATED type: - string - 'null' x-speakeasy-unknown-values: allow findingId: description: The findingId field. type: - string - 'null' ocsf: additionalProperties: true type: - object - 'null' severityAtEvent: description: The severityAtEvent field. enum: - FINDING_SEVERITY_UNSPECIFIED - FINDING_SEVERITY_INFO - FINDING_SEVERITY_LOW - FINDING_SEVERITY_MEDIUM - FINDING_SEVERITY_HIGH - FINDING_SEVERITY_CRITICAL type: - string - 'null' x-speakeasy-unknown-values: allow stateAtEvent: description: The stateAtEvent field. enum: - FINDING_STATE_UNSPECIFIED - FINDING_STATE_OPEN - FINDING_STATE_IN_PROGRESS - FINDING_STATE_RESOLVED - FINDING_STATE_SNOOZED - FINDING_STATE_RISK_ACCEPTED - FINDING_STATE_SUPPRESSED type: - string - 'null' x-speakeasy-unknown-values: allow ticketId: description: Ticket id when the event involved one; empty otherwise. type: - string - 'null' title: Finding Audit Event type: object x-speakeasy-name-override: FindingAuditEvent securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````