# Audit Log

This document provides details of the **Audit Log** functionality and how it can be used as an analytical tool to assist in your security efforts.

Auditability and accountability are crucial aspects of a cyber security solution. The **Audit Log** records all of the activities of **system users** and **services**. This information, showing who accessed the system and which operations they performed, can also be forwarded to SIEM solutions via the API or the Web Interface.

{% hint style="warning" %}
No record on the platform can be changed or deleted by any user, regardless of role or authority.
{% endhint %}

## Audit Log Components

Go to the **Company > Audit Log** section on the left sidebar menu of the platform dashboard to view the components described below.

The components of the **Audit Log** page are:

<table><thead><tr><th width="150">Component</th><th width="584.1428571428571">Description</th></tr></thead><tbody><tr><td>Log Date</td><td>Date the activity occurred</td></tr><tr><td>User Name</td><td>Name of the system user or service that performed the activity</td></tr><tr><td>Entity Name</td><td>The product or component where the activity occurred</td></tr><tr><td>Operation</td><td>Type of activity performed (create, delete, update, etc.)</td></tr><tr><td>Changed Set</td><td>Previous state of a deleted or updated record</td></tr><tr><td>New Value</td><td>Details of a newly created record</td></tr><tr><td>IP</td><td>IP address of the user performing the activity</td></tr><tr><td>Browser User Agent</td><td>Browser information of the user performing the activity</td></tr></tbody></table>

## How to Get Audit Logs via REST API

Audit Logs can be obtained using the API endpoints. [REST API](/next-generation-product/platform/company/company-settings/rest-api.md) keys must be created on the platform before use.

* Log in to the [Swagger](https://api.keepnetlabs.com/docs/index.html) interface.
* Authenticate in the Swagger interface with the Client ID and Client Secret keys you created on the platform.
* You can then obtain Audit Logs from the platform using the endpoint below.

<mark style="color:green;">**POST**</mark> **/api/audit-logs/search**

{% hint style="warning" %}
The most up-to-date version of the body content that should be sent during the API request is available in the Swagger interface.
{% endhint %}

Audit logs can also be transferred to your SIEM products. The API documentation used when transferring logs to some SIEM products is given below.

* [HTTP Event Collector REST API endpoints](https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECRESTendpoints) (Splunk)
* [QRadar API Reference Guide](ftp://public.dhe.ibm.com/software/security/products/qradar/documents/7.3.0/en/b_qradar_api.pdf)

{% hint style="warning" %}
If your SIEM product does not support event log transfer via API, you can download the logs through the platform's API to a file and have your SIEM product read the event logs from that file, or use the Web Interface integration if the platform supports your SIEM product.
{% endhint %}
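The procedure above (authenticate, call the search endpoint, ship the result to a SIEM) and the file fallback in the hint, worked through as an added example. This is not the platform's or Splunk's code: the bearer-token header, the search body keys (`page`, `pageSize`, `userName`) and the JSON field names of the response are assumptions that must be checked against the Swagger interface; the Splunk HEC envelope (`/services/collector/event`, `Authorization: Splunk <token>`) follows the HEC documentation linked above. The sample response items are constructed.

```python
"""Pull Audit Log entries from the REST API and forward them to a SIEM:
Splunk HTTP Event Collector when available, otherwise an NDJSON spool file
the SIEM can read. Added example, not the platform's or Splunk's code.
ASSUMED: bearer-token auth, the search body keys and the response field
names; take the real schema from the Swagger interface."""
import json
from datetime import datetime
from urllib import request

PLATFORM = "https://api.keepnetlabs.com"   # host of the Swagger interface linked above
SEARCH_PATH = "/api/audit-logs/search"     # endpoint named in this section

# Assumed response field names mapped onto the Audit Log Components table.
FIELD_MAP = {"logDate": "log_date", "userName": "user_name",
             "entityName": "entity_name", "operation": "operation",
             "changedSet": "changed_set", "newValue": "new_value",
             "ip": "ip", "browserUserAgent": "browser_user_agent"}

# Constructed sample of one page of search results (not real platform data).
SAMPLE_RAW = [
    {"logDate": "2024-03-01T09:15:00Z", "userName": "Harold Finch",
     "entityName": "Incident Responder", "operation": "update",
     "changedSet": {"status": "open"}, "newValue": {"status": "closed"},
     "ip": "203.0.113.10", "browserUserAgent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"logDate": "2024-03-01T09:20:30Z", "userName": "service",
     "entityName": "Phishing Reporter", "operation": "create",
     "changedSet": None, "newValue": {"reportId": "r-1"},
     "ip": "198.51.100.7", "browserUserAgent": "Keepnet-Service"},
]


def normalize(raw_entry):
    """Project one raw API item onto the eight documented components."""
    return {dst: raw_entry.get(src) for src, dst in FIELD_MAP.items()}


def build_search_request(token, page=1, page_size=100, user_name=None):
    """POST request for the search endpoint (body keys are assumptions)."""
    body = {"page": page, "pageSize": page_size}
    if user_name:
        body["userName"] = user_name
    return request.Request(
        PLATFORM + SEARCH_PATH, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def to_hec_event(entry, sourcetype="keepnet:auditlog"):
    """Wrap a normalized entry in the HEC event envelope. 'time' carries the
    platform's Log Date as epoch seconds, so Splunk indexes the event at the
    time the activity happened rather than at ingest time."""
    when = datetime.fromisoformat(entry["log_date"].replace("Z", "+00:00"))
    return {"time": when.timestamp(), "source": SEARCH_PATH,
            "sourcetype": sourcetype, "event": entry}


def build_hec_request(hec_url, hec_token, entries):
    """HEC accepts several events in one body as newline-separated JSON."""
    payload = "\n".join(json.dumps(to_hec_event(e)) for e in entries)
    return request.Request(
        hec_url.rstrip("/") + "/services/collector/event", method="POST",
        data=payload.encode(),
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"})


def spool_ndjson(entries, path):
    """Fallback from the hint: one JSON object per line for a file-reading SIEM."""
    with open(path, "a", encoding="utf-8") as fh:
        for e in entries:
            fh.write(json.dumps(e) + "\n")
    return len(entries)


def forward(fetch_page, hec_url=None, hec_token=None, spool_path=None,
            opener=request.urlopen):
    """Page through the search endpoint until an empty page, shipping each page.
    fetch_page(n) returns the raw items of page n; opener sends HTTP requests."""
    shipped, page = 0, 1
    while True:
        entries = [normalize(r) for r in fetch_page(page)]
        if not entries:
            return shipped
        if hec_url:
            opener(build_hec_request(hec_url, hec_token, entries)).read()
        if spool_path:
            spool_ndjson(entries, spool_path)
        shipped += len(entries)
        page += 1


def dry_run():
    """Offline walk-through on SAMPLE_RAW: captures the HEC requests that
    would be sent instead of opening a network connection."""
    sent = []

    class _Response:
        def read(self):
            return b'{"text":"Success","code":0}'

    def capture(req):
        sent.append(req)
        return _Response()

    count = forward(lambda n: SAMPLE_RAW if n == 1 else [],
                    hec_url="https://splunk.example.net:8088",
                    hec_token="HEC-TOKEN", opener=capture)
    return count, sent
```

In production, `fetch_page` would be `lambda n: json.loads(request.urlopen(build_search_request(token, page=n)).read())` with the token obtained as the Swagger interface describes, and the path into the JSON adjusted to where the real response holds its items. Keeping the platform's Log Date in the HEC `time` field matters for correlation: the SIEM timeline then reflects when the operation occurred, not when the batch was shipped.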

## How to Get Audit Logs via SIEM Web Integration

Audit Logs can be transferred in real time by integrating your SIEM product with the platform. You can see which SIEM products are currently supported by the platform while setting up the SIEM integration.

Please see the [SIEM Integration](/next-generation-product/platform/company/company-settings/siem-integrations.md) document for more information.

## Audit Log Use Cases

### Use Case 1: Keeping a record of all actions taken on the platform

Some organizations bound by legislation or internal policies may be required to keep a record of every action on the platform in a separate environment.

The procedures below will allow you to record and preserve these activity entries.

* Go to the Swagger interface.
* Select a REST API endpoint under the **AuditLog** header.
* All actions performed on the platform can be listed using this REST API and, if needed, transferred to a different environment (for example, downloaded to a file that is then stored or transferred to another platform and hosted there).

### Use Case 2: Tracking the actions of [Incident Responder](https://keepnetlabs.com/products/incident-responder) analysts

You can review all actions taken by analysts on the Incident Responder by following the steps below.

For example, to review the actions taken by a user named Harold Finch:

* You must first have a valid access token in order to perform an API request.
* Under the AuditLog header, use the REST API address /api/audit-log/search.
  * Use the filter in the username column to search for Harold Finch.

{% hint style="warning" %}
These values may change as new parameters are added. Please always check the latest API values in the Swagger documentation.
{% endhint %}
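Use Case 2 stops at filtering the search results by user name; the review itself is what an analyst does with the entries. The added example below (not the platform's code) works over constructed entries shaped like the Audit Log Components table: it lists one user's activity, recovers the previous state of deleted records from the Changed Set, and flags entries whose IP or browser user agent the user had not used in a baseline period. Names, IP addresses and user agents are all constructed.

```python
"""Review one analyst's Audit Log activity, as in Use Case 2: what they
changed, and whether any entry came from an IP address or browser user agent
that user had not used before. Added example, not the platform's code; the
entries are constructed samples shaped like the Audit Log Components table."""
from collections import Counter

# Constructed baseline: entries already reviewed in an earlier period.
BASELINE = [
    {"log_date": "2024-02-10T08:00:00Z", "user_name": "Harold Finch",
     "entity_name": "Incident Responder", "operation": "update",
     "changed_set": {"status": "open"}, "new_value": {"status": "closed"},
     "ip": "203.0.113.10", "browser_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"},
]

# Constructed entries for the period under review.
RECENT = [
    {"log_date": "2024-03-01T09:15:00Z", "user_name": "Harold Finch",
     "entity_name": "Incident Responder", "operation": "update",
     "changed_set": {"status": "open"}, "new_value": {"status": "closed"},
     "ip": "203.0.113.10", "browser_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"},
    {"log_date": "2024-03-01T09:17:00Z", "user_name": "Harold Finch",
     "entity_name": "Incident Responder", "operation": "delete",
     "changed_set": {"incidentId": "inc-42", "status": "closed"}, "new_value": None,
     "ip": "203.0.113.10", "browser_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"},
    {"log_date": "2024-03-02T23:40:00Z", "user_name": "harold finch",
     "entity_name": "Incident Responder", "operation": "delete",
     "changed_set": {"incidentId": "inc-57", "status": "open"}, "new_value": None,
     "ip": "198.51.100.23", "browser_user_agent": "curl/8.4.0"},
    {"log_date": "2024-03-02T10:00:00Z", "user_name": "John Reese",
     "entity_name": "Incident Responder", "operation": "create",
     "changed_set": None, "new_value": {"incidentId": "inc-58"},
     "ip": "203.0.113.11", "browser_user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"},
]


def entries_for(entries, user_name):
    """The user's entries in Log Date order; the name match is case-insensitive."""
    wanted = user_name.casefold()
    return sorted((e for e in entries if e["user_name"].casefold() == wanted),
                  key=lambda e: e["log_date"])


def activity_summary(entries, user_name):
    """Count of (Entity Name, Operation) pairs for the user."""
    return Counter((e["entity_name"], e["operation"])
                   for e in entries_for(entries, user_name))


def deleted_records(entries, user_name):
    """Changed Set of every record the user deleted: the only trace of the
    previous state, since the record itself is gone."""
    return [(e["log_date"], e["changed_set"])
            for e in entries_for(entries, user_name) if e["operation"] == "delete"]


def first_seen(entries, user_name, baseline):
    """Entries whose IP or user agent does not appear in the user's baseline.
    A new source for a destructive operation is worth a second look."""
    past = entries_for(baseline, user_name)
    seen_ips = {e["ip"] for e in past}
    seen_agents = {e["browser_user_agent"] for e in past}
    flagged = []
    for e in entries_for(entries, user_name):
        reasons = []
        if e["ip"] not in seen_ips:
            reasons.append("new IP " + e["ip"])
        if e["browser_user_agent"] not in seen_agents:
            reasons.append("new user agent " + e["browser_user_agent"])
        if reasons:
            flagged.append({"log_date": e["log_date"], "operation": e["operation"],
                            "entity_name": e["entity_name"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(activity_summary(RECENT, "Harold Finch"))
    for f in first_seen(RECENT, "Harold Finch", BASELINE):
        print(f["log_date"], f["operation"], f["entity_name"], "; ".join(f["reasons"]))
```

The baseline is whatever earlier window you have already reviewed; a user with no baseline entries has every entry flagged, which is the right default for a newly created account. Because Audit Log records cannot be altered, the Changed Set returned by `deleted_records` is the authoritative record of what a deleted incident looked like before removal.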

## Video Tutorial

This tutorial provides details of the **Audit Log** functionality and how it can be used as an analytical tool to assist in your security efforts.

{% embed url="https://youtu.be/rUTkkHBck7Y" %}

## FAQ

### Q: Can I delete or edit Audit Log records?

A: No. Audit Log records on the platform cannot be changed or deleted.

### Q: Which actions on the platform can I review in the Audit Log section?

A: You can review all **create**, **delete** and **update** entries.

### Q: What information can I obtain from the Audit Log records?

A: The Audit Log entries contain all of the information listed in the Audit Log Components table above.

### Q: What does the service user mean?

A: An entry identified as a service user indicates actions taken by a service application of the platform. For example, notifications made through the Phishing Reporter plug-in.

### Q: Are Audit Log records deleted periodically?

A: No. Audit Log records are never deleted.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://doc.keepnetlabs.com/next-generation-product/platform/company/audit-log.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
