Issue Summary

For Confluence Cloud Enterprise, the available audit / activity events related to content deletion (for example events surfaced as confluence_<content>_deleted in enterprise audit, streaming, or data lake) do not clearly distinguish between:

• (a) deleting a page and moving it to the trash (soft delete), and

• (b) permanently deleting (purging) a page from the trash (hard delete).

As a result, administrators and auditors cannot reliably tell from the audit trail whether a given delete event represents a soft delete or a permanent purge of a specific content item.

Steps to Reproduce

1 In a Confluence Cloud Enterprise site, create a test page in any space (e.g. Audit Log Test Page).

2 Delete the page so that it is moved to the space trash.

3 In the enterprise-level audit / activity log (e.g. Org audit, Audit log streaming destination, or data lake table for Confluence activity), locate the event corresponding to this delete operation.

• Note the event key / action type (e.g. confluence_<content>_deleted) and other attributes.

4 From the Confluence space trash, perform a permanent delete (purge) for the same page only (not “empty entire trash”).

5 Again, check the enterprise audit / activity log for the event recorded for this permanent delete operation.

6 Compare the event types and payloads from steps 3 and 5.

Expected Results

• The enterprise audit / activity events should clearly distinguish between:
  • “Delete to trash” (soft delete, content still recoverable from trash), and
  • “Purge from trash” (hard delete, content permanently removed).

• This could be achieved by, for example:
  • Using separate event keys for soft delete vs purge, or
  • Adding a dedicated attribute/field in the event payload that explicitly indicates whether the operation is a soft delete or a purge.
• With this distinction, administrators should be able to answer questions such as:
  • “Who moved this page to the trash, and when?”
  • “Who permanently purged this page from the trash, and when?”

Actual Results

• Both operations:
  • deleting a page (moving it to the trash), and
  • permanently deleting that page from the trash (purging it),are recorded using the same generic delete event type (for example confluence_<content>_deleted) in the enterprise audit / activity logs.

• At the event level, it is not possible to reliably determine whether a particular delete event represents a soft delete or a hard delete of the content.

• Only “empty/purge entire trash” is recorded as a distinct event; individual item purges share the same event type as normal page deletions.

Workaround

Currently there is no clean, officially supported way in the enterprise audit / activity logs to distinguish soft delete vs purge for individual content items.

From the customer’s perspective, there is effectively no robust or user-friendly workaround to distinguish soft delete vs purge in enterprise audit / activity events.
Currently there is no known direct workaround for this behavior. A clearer audit distinction will be added here when available.