From 4348146d71a0787017b0a346c9b4856a8aa1e080 Mon Sep 17 00:00:00 2001
From: melpike <79950145+melpike@users.noreply.github.com>
Date: Mon, 15 Jun 2026 11:11:00 -0600
Subject: [PATCH] Document ran_custom_mdm_command in audit logs

Added details about the 'ran_custom_mdm_command' event in audit logs.
---
 docs/Contributing/reference/audit-logs.md | 25 +++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docs/Contributing/reference/audit-logs.md b/docs/Contributing/reference/audit-logs.md
index ed4526f556d..a7b69a73e04 100644
--- a/docs/Contributing/reference/audit-logs.md
+++ b/docs/Contributing/reference/audit-logs.md
@@ -2807,6 +2807,31 @@ This activity contains the following fields:
 }
 ```
 
+## ran_custom_mdm_command
+
+Generated when a user runs a custom MDM command via API or the fleetctl CLI.
+
+This activity contains the following fields:
+- "host_id": ID of the host.
+- "host_display_name": Display name of the host.
+- "host_uuid": UUID of the host.
+- "command_uuid": UUID of the MDM command used to install the app.
+- "request_type": the type of custom MDM command.
+- "platform": the platform of the host ("darwin" or "windows").
+
+#### Example
+
+```json
+{
+  "host_id": 1,
+  "host_display_name": "Anna's MacBook Pro",
+  "host_uuid": "1b3d5e7f-9a2c-4e6d-8b0a-1c3d5e7f9a2b",
+  "command_uuid": "98765432-1234-1234-1234-1234567890ab",
+  "request_type": "EraseDevice",
+  "platform": "darwin"
+}
+```
+
 
 <meta name="title" value="Audit logs">
 <meta name="pageOrderInSection" value="1400">