Audit Log

This document provides details of the Audit Log functionality and how it can be used as an analytical tool to assist in your security efforts.

Auditability and accountability are crucial aspects of a cyber security solution. The Audit Log records the activities of system users and services. This information, which shows who accessed the system and which operations they performed, can also be forwarded to SIEM solutions via the REST API or the Web Interface.

No Audit Log record on the platform can be changed or deleted by any user, regardless of role or authority.

Audit Log Components

Go to the Company > Audit Log section on the left sidebar menu of the platform dashboard to view the components described below.

The components of the Audit Log page are:

  • Log Date: Date and time the activity occurred

  • User Name: Name of the system user or service that performed the activity

  • Entity Name: The product or component where the activity occurred

  • Operation: Type of activity performed (create, delete, update, etc.)

  • Changed Set: The previous state of a deleted or updated record

  • New Value: Details of a newly created record

  • IP: IP address of the user performing the activity

  • Browser User Agent: Browser information of the user performing the activity

How to Get Audit Logs via REST API

Audit Logs can be retrieved through the REST API endpoints. REST API keys must be created on the platform before use.

  • Log into the Swagger interface.

  • Authorize in the Swagger interface with the Client ID and Client Secret you created on the platform.

  • You can now retrieve Audit Logs from the platform using the endpoint below.

POST /api/audit-logs/search

The most up-to-date version of the body content that should be sent during the API request is available in the Swagger interface.

Audit Logs can also be transferred to your SIEM product. The API documentation used during log transfer to some SIEM products is given below.

If your SIEM product does not support event log transfer via API, you can download the logs through the platform's API to a file and have your SIEM product read the event logs from that file. Alternatively, if the platform supports your SIEM product, use the Web Interface to integrate it.

How to Get Audit Logs via SIEM Web Integration

Audit Logs can be transferred in real time by integrating your SIEM product with the platform. The SIEM products currently supported by the platform are listed while setting up the SIEM integration.

Please see the SIEM Integration document for more information.

Audit Log Use Cases

Use Case 1: Keeping a record of all actions taken on the platform

Some organizations bound by legislation or internal policies may be required to keep a record of every action on the platform in a separate environment.

The procedure below allows you to record and preserve these activity entries.

  • Go to the Swagger interface.

  • Select a REST API from under the AuditLog header.

  • All actions performed on the platform can be listed through the REST API and transferred to a different environment if needed. For example, the data can be downloaded to a file, which can then be archived or transferred to another platform and hosted there.

Use Case 2: Tracking the actions of Incident Responder analysts

You can review all actions taken by analysts on the Incident Responder by following the steps below.

For example, to review the actions taken by a user named Harold Finch:

  • You must first have a valid access token in order to perform an API request.

  • Under the AuditLog header, use the REST API address /api/audit-log/search.

    • Use the filter in the username column to search for Harold Finch.

These values may change as new parameters are added. Always check the latest API values in the Swagger documentation.
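The following script is an added example, not Keepnet's own code, that ties together the REST API retrieval described above and both use cases: it exchanges a Client ID and Client Secret for an access token, pages through POST /api/audit-logs/search, writes the records to a newline-delimited JSON file that a SIEM file reader can ingest (Use Case 1), and filters the records by user name, for example Harold Finch (Use Case 2). The platform host, the token endpoint, the request-body field names (page index, page size, user name), the response shape and the record key names are all assumptions that must be checked against the Swagger interface; the sample records are constructed for the demonstration. The paging logic takes the HTTP call as a parameter so it can be exercised offline against a fake fetcher.

```python
"""Export Audit Log entries via the REST API, save them as NDJSON for a
SIEM, and filter them by user.  Added example, not Keepnet's code.
ASSUMPTIONS (confirm in Swagger): host, token endpoint, body field
names, response shape {"items": [...], "totalCount": N}, record keys."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional

BASE_URL = "https://platform.example.invalid"       # assumption
TOKEN_URL = BASE_URL + "/connect/token"              # assumption
SEARCH_URL = BASE_URL + "/api/audit-logs/search"     # endpoint named on the page
PAGE_SIZE = 200                                      # assumption


def get_access_token(client_id: str, client_secret: str) -> str:
    """Swap Client ID / Client Secret for a bearer token (assumed
    OAuth2 client-credentials flow)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_page_fetcher(token: str, user_name: Optional[str] = None
                      ) -> Callable[[int], Dict]:
    """Return fetch(page_index) that POSTs one search page.
    Body field names are assumptions; see Swagger for the real body."""
    def fetch(page_index: int) -> Dict:
        body: Dict = {"pageIndex": page_index, "pageSize": PAGE_SIZE}
        if user_name:
            body["userName"] = user_name
        req = urllib.request.Request(
            SEARCH_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_audit_logs(fetch: Callable[[int], Dict]) -> Iterator[Dict]:
    """Walk pages until one is empty or totalCount (if given) is reached.
    The HTTP call is injected so the pager can run offline."""
    page, seen = 0, 0
    while True:
        payload = fetch(page)
        items = payload.get("items") or []
        if not items:
            return
        for item in items:
            yield item
        seen += len(items)
        total = payload.get("totalCount")
        if total is not None and seen >= total:
            return
        page += 1


def filter_by_user(entries: Iterable[Dict], user_name: str) -> List[Dict]:
    """Client-side equivalent of the username column filter (Use Case 2)."""
    return [e for e in entries if e.get("userName") == user_name]


def write_ndjson(entries: Iterable[Dict], path: str) -> int:
    """One JSON object per line, a form most SIEM file readers accept.
    Returns the number of records written (Use Case 1)."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for e in entries:
            fh.write(json.dumps(e, ensure_ascii=False) + "\n")
            count += 1
    return count


# Constructed sample records: keys assumed, values invented for the demo.
SAMPLE_ENTRIES = [
    {"logDate": "2024-01-15T09:12:03Z", "userName": "Harold Finch",
     "entityName": "Incident Responder", "operation": "update",
     "changedSet": {"status": "open"}, "newValue": {"status": "closed"},
     "ip": "203.0.113.10", "browserUserAgent": "Mozilla/5.0"},
    {"logDate": "2024-01-15T09:15:44Z", "userName": "service",
     "entityName": "Phishing Reporter", "operation": "create",
     "changedSet": None, "newValue": {"reportId": 42},
     "ip": "198.51.100.7", "browserUserAgent": ""},
    {"logDate": "2024-01-15T10:01:20Z", "userName": "Harold Finch",
     "entityName": "Incident Responder", "operation": "delete",
     "changedSet": {"ruleId": 7}, "newValue": None,
     "ip": "203.0.113.10", "browserUserAgent": "Mozilla/5.0"},
]


def fake_fetcher(entries: List[Dict], page_size: int) -> Callable[[int], Dict]:
    """Serve records in pages with the assumed response shape, standing
    in for the real endpoint so the script runs offline."""
    def fetch(page_index: int) -> Dict:
        start = page_index * page_size
        return {"items": entries[start:start + page_size],
                "totalCount": len(entries)}
    return fetch


if __name__ == "__main__":
    # Offline run; against a real platform use
    # make_page_fetcher(get_access_token(client_id, client_secret)).
    records = list(iter_audit_logs(fake_fetcher(SAMPLE_ENTRIES, 2)))
    print(write_ndjson(records, "audit-log.ndjson"), "records exported")
    for e in filter_by_user(records, "Harold Finch"):
        print(e["logDate"], e["operation"], e["entityName"])
```

Because the page says the request body may change as parameters are added, keep the body construction in one place (make_page_fetcher) and adjust only that function after checking Swagger; the pager, filter and file writer do not depend on it.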

Video Tutorial

The video tutorial covers the same Audit Log functionality described in this document and how it can be used as an analytical tool to assist in your security efforts.

FAQ

Q: Can I delete or edit Audit Log records?

A: No. Audit Log records on the platform cannot be changed or deleted.

Q: Which actions on the platform can I review in the Audit Log section?

A: You can review all create, delete and update entries.

Q: What information can I obtain from the Audit Log records?

A: The Audit Log entries contain all of the information listed in the Audit Log Components table above.

Q: What does the service user mean?

A: An entry identified as a service user indicates actions taken by a service application of the platform. For example, notifications made through the Phishing Reporter plug-in.

Q: Are Audit Log records deleted periodically?

A: No. Audit Log records are never deleted.


Copyright © Keepnet Labs LTD. All rights reserved.