Audit Log
Last updated
Was this helpful?
Last updated
Was this helpful?
This document provides details of the Audit Log functionality and how it can be used as an analytical tool to assist in your security efforts.
Auditability and accountability are crucial aspects of a cyber security solution. The Audit Log records all of the activities of system users and services. This valuable information indicating access to the system and operations performed can also be integrated with SIEM solutions via API or Web Interface.
No record on the platform can be changed or deleted by any user, regardless of role or authority.
Go to the Company > Audit Log section on the left sidebar menu of the platform dashboard to view the components described below.
The components of the Audit Log page are:
Log Date
Date the activity occurred
User Name
Name of the system user or service performed the activity
Entity Name
The product or component where the activity occurred
Operation
Type of activity performed (create, delete, update, etc.)
Changed Set
Indication of the previous state of a deleted or updated record
New Value
Detailed information of a newly created record
IP
IP address of the user performing the activity
Browser User Agent
Browser information of the user performing the activity
Audit Logs can be easily obtained using API endpoints. keys must be created prior to use with the platform.
Log into the interface
Authenticate User ID in the Swagger interface with the Client ID and Client Secret Keys you created on the platform.
You can now obtain Audit Logs on the platform using the endpoint below.
POST β/api/audit-logs/search
The most up-to-date version of the body content that should be sent during the API request is available in the Swagger interface.
Audit logs can also be transferred to your SIEM products. The API documentation used during the log transfer to some SIEM products is given below.
If the SIEM product you are using does not support event log transfer via API, you can download/transfer the logs through the platform's API to a file and then read the event logs from that file with your SIEM product or use the Web Interface to integrate it if the platform supports your SIEM product.
Audit Logs can be easily transferred in real-time by integrating your SIEM product with the platform. You can see which SIEM products are currently supported by the platform while setting up the SIEM integration.
Some organizations bound by legislation or internal policies may be required to keep a record of every action on the platform in a separate environment.
The procedures below will allow you to record and preserve these activity entries.
Go to the Swagger interface.
Select a REST API from under the AuditLog header.
All actions performed on the platform can be listed using a REST API and can be transferred to a different environment, if needed. (For example, the data could be downloaded to a file, which could then be saved or transferred to another platform and hosted there.)
You can review all actions taken by analysts on the Incident Responder by following the steps below.
For example, to review the actions taken by a user named Harold Finch:
You must first have a valid access token in order to perform an API request.
Under the AuditLog header, use the REST API address /api/audit-log/search.
Use the filter in the username column to search for Harold Finch.
These values ββmay change as new parameters are added. Please always check the latest API values ββon the Swagger documentation.
This tutorial provides details of the Audit Log functionality and how it can be used as an analytical tool to assist in your security efforts.
A: No. Audit Log records on the platform cannot be changed or deleted.
A: You can review all create, delete and update entries.
A: The Audit Log entries contain all of the information listed in the Audit Log Components table above.
A: An entry identified as a service user indicates actions taken by a service application of the platform. For example, notifications made through the Phishing Reporter plug-in.
A: No. Audit Log records are never deleted.
(Splunk)
Please see the document for more information.