
Copyright © Keepnet Labs LTD. All rights reserved.


Audit Log


Last updated 1 year ago


This document provides details of the Audit Log functionality and how it can be used as an analytical tool to assist in your security efforts.

Auditability and accountability are crucial aspects of a cyber security solution. The Audit Log records all of the activities of system users and services. This information, which shows who accessed the system and which operations were performed, can also be integrated with SIEM solutions via the API or the Web Interface.

No Audit Log record on the platform can be changed or deleted by any user, regardless of role or authority.

Audit Log Components

Go to the Company > Audit Log section on the left sidebar menu of the platform dashboard to view the components described below.

The components of the Audit Log page are:

  • Log Date: Date the activity occurred

  • User Name: Name of the system user or service that performed the activity

  • Entity Name: The product or component where the activity occurred

  • Operation: Type of activity performed (create, delete, update, etc.)

  • Changed Set: Indication of the previous state of a deleted or updated record

  • New Value: Detailed information of a newly created record

  • IP: IP address of the user performing the activity

  • Browser User Agent: Browser information of the user performing the activity

How to Get Audit Logs via REST API

Audit Logs can be easily obtained using API endpoints. REST API keys must be created prior to use with the platform.

  • Log into the Swagger interface.

  • Authenticate in the Swagger interface with the Client ID and Client Secret keys you created on the platform.

  • You can now obtain Audit Logs on the platform using the endpoint below.

POST /api/audit-logs/search

The most up-to-date version of the body content that should be sent during the API request is available in the Swagger interface.

Audit logs can also be transferred to your SIEM products. The API documentation used during the log transfer to some SIEM products is given below.

  • HTTP Event Collector REST API endpoints (Splunk)

  • QRadar API Reference Guide

If your SIEM product does not support event log transfer via API, you can use the platform's API to download the logs to a file and then have your SIEM product read the event logs from that file. Alternatively, if the platform supports your SIEM product, use the Web Interface to integrate it.

How to Get Audit Logs via SIEM Web Integration

Audit Logs can be easily transferred in real-time by integrating your SIEM product with the platform. You can see which SIEM products are currently supported by the platform while setting up the SIEM integration. Please see the SIEM Integration document for more information.

Audit Log Use Cases

Use Case 1: Keeping a record of all actions taken on the platform

Some organizations bound by legislation or internal policies may be required to keep a record of every action on the platform in a separate environment.

The procedures below will allow you to record and preserve these activity entries.

  • Go to the Swagger interface.

  • Select a REST API from under the AuditLog header.

  • All actions performed on the platform can be listed using a REST API and can be transferred to a different environment, if needed. (For example, the data could be downloaded to a file, which could then be saved or transferred to another platform and hosted there.)

Use Case 2: Tracking the actions of Incident Responder analysts

You can review all actions taken by analysts on the Incident Responder by following the steps below.

For example, to review the actions taken by a user named Harold Finch:

  • You must first have a valid access token in order to perform an API request.

  • Under the AuditLog header, use the REST API address /api/audit-log/search.

    • Use the filter in the username column to search for Harold Finch.

These values may change as new parameters are added. Please always check the latest API values on the Swagger documentation.
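The review described in this use case can also be run offline against audit logs that were downloaded to a file. The following is an added example, not part of the platform or its documentation: the one-record-per-line JSON layout and the key names (logDate, userName, entityName, operation, changedSet, newValue, ip, userAgent) are assumptions modelled on the Audit Log Components, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample export: one JSON object per line. Key names are assumptions
# modelled on the Audit Log Components; check Swagger for the real field names.
SAMPLE_EXPORT = """\
{"logDate": "2024-05-02T09:14:07Z", "userName": "Harold Finch", "entityName": "Investigation", "operation": "Create", "changedSet": null, "newValue": "name=Invoice lure", "ip": "198.51.100.23", "userAgent": "Mozilla/5.0"}
{"logDate": "2024-05-02T09:20:41Z", "userName": "Harold Finch", "entityName": "Playbook", "operation": "Update", "changedSet": "status=Active", "newValue": "status=Passive", "ip": "198.51.100.23", "userAgent": "Mozilla/5.0"}
{"logDate": "2024-05-02T10:02:00Z", "userName": "John Reese", "entityName": "Investigation", "operation": "Delete", "changedSet": "name=Test", "newValue": null, "ip": "203.0.113.8", "userAgent": "Mozilla/5.0"}
{"logDate": "2024-05-02T10:30:15Z", "userName": "Service User", "entityName": "Notification", "operation": "Create", "changedSet": null, "newValue": "source=Phishing Reporter", "ip": "192.0.2.10", "userAgent": ""}
{"logDate": "2024-05-02T11:40:12Z", "userName": "Harold Finch", "entityName": "Investigation", "operation": "Delete", "changedSet": "name=Invoice lure", "newValue": null, "ip": "203.0.113.77", "userAgent": "curl/8.4.0"}
{"logDate": "2024-05-02T11:4
"""

def review_user(export_text, user_name):
    """Summarise one user's audit records from the text of an exported file."""
    actions = Counter()   # (entity, operation) -> number of records
    ips = Counter()       # source IP -> number of records
    destructive = []      # delete/update records, with the previous state
    skipped = 0           # lines that are not complete JSON objects
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1  # count truncated lines so a partial export is visible
            continue
        if (rec.get("userName") or "").casefold() != user_name.casefold():
            continue
        op = (rec.get("operation") or "").lower()
        actions[(rec.get("entityName"), op)] += 1
        ips[rec.get("ip")] += 1
        if op in ("delete", "update"):
            destructive.append((rec.get("logDate"), rec.get("entityName"),
                                op, rec.get("changedSet")))
    return {"actions": dict(actions), "ips": dict(ips),
            "destructive": destructive, "skipped": skipped}

if __name__ == "__main__":
    print(json.dumps(review_user(SAMPLE_EXPORT, "Harold Finch"), default=str, indent=2))
```

A non-zero skipped count means the export was cut short or corrupted, so the review should be repeated on a complete file before it is relied on.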

Video Tutorial

This tutorial provides details of the Audit Log functionality and how it can be used as an analytical tool to assist in your security efforts.

FAQ

Q: Can I delete or edit Audit Log records?

A: No. Audit Log records on the platform cannot be changed or deleted.

Q: Which actions on the platform can I review in the Audit Log section?

A: You can review all create, delete and update entries.

Q: What information can I obtain from the Audit Log records?

A: The Audit Log entries contain all of the information listed in the Audit Log Components table above.

Q: What does the service user mean?

A: An entry identified as a service user indicates actions taken by a service application of the platform, for example, notifications made through the Phishing Reporter plug-in.

Q: Are Audit Log records deleted periodically?

A: No. Audit Log records are never deleted.
