Audit Logging

Audit Logging allows you to record user-driven and automated activity in the Insight Platform and InsightIDR. For every action, you can see the time the action occurred and, for manual activity, the user who completed the action. By enabling Audit Logging, you can track activity within the Insight Platform and InsightIDR, and investigate who did what, and when. Audit Logging will also help you fulfill compliance requirements if these details are requested by an external auditor.

You must have Administrator permissions to enable Audit Logging and to view Audit Log events.

Audit Logging for the Insight Platform and InsightIDR is in Open Preview

During Open Preview, you will have the opportunity to test Audit Logging and provide feedback to Rapid7. This feedback will be incorporated as Rapid7 makes improvements to the feature and builds Audit Logging functionality for all Insight products.

To use the Audit Logging feature in the Insight Platform:

  1. Enable Audit Logging
  2. View your Audit Log Events
  3. Query your Audit Logs

Enable Audit Logging

To enable Audit Logging:

  1. From the Platform home, click Settings > Company Settings > Audit Log.
  2. Set the toggle as Enabled.
  3. Select the region where you want to store your Audit Log data.

Platform Audit Logging Toggle

You enabled Audit Logging!

Once you turn on Audit Logging, the Insight Platform will immediately begin collecting all Platform and InsightIDR events.

To disable Audit Logging, follow the same procedure that you did to enable it, except set the toggle as Disabled.

View your Audit Log Events

You can view your Audit Log events in the Insight Platform by going to the top navigation menu and clicking Settings > Audit Log.

To view your events, filter the table for events in either InsightIDR or the Insight Platform using the Log Selector option in the top left of the table. For each event in the table, you can see the time that the action occurred and, for manual actions, the user who completed the action and that user's email address. InsightIDR events also include a description of the action.

Platform Audit Logging Home Screen

You can filter to view actions taken by a specific user by searching for their username in the search bar.


You can also search on any string within this search bar.


To view more details about an Audit Log Event, click on the event. A modal with additional details will appear.

More Details Modal limitations during Open Preview

Description fields are not available in the More Details modal during Open Preview, but will be provided when Audit Logging moves to General Availability. The More Details modal currently provides contextual information to help you better understand the result of the audit event action.

InsightIDR Audit Log Events

To see the InsightIDR Audit Log messages, read the Audit Logging documentation on the InsightIDR help site.

Platform Audit Log Events

This section outlines all of the Audit Log events that the Insight Platform tracks. The events are sorted into the following categories:

  • API Key
  • External Identity Provider (IDP)
  • Key Contacts
  • Multi-Factor Authentication (MFA)
  • Organization
  • Password Policy
  • Organization Product
  • User
  • User Role
  • User Access
  • Customer
  • Role Based Access Control (RBAC)
  • Audit Log

API Key Events

| Action | Description |
| --- | --- |
| API_KEY_CREATED | New API key was created |
| API_KEY_DELETED | API key was deleted |
| API_KEY_MOVED | API key was moved to a new customer account due to a customer account merge |

External Identity Provider (IDP) Events

| Action | Description |
| --- | --- |
| EIDP_ENABLED | User Authentication using an External IDP was enabled |
| EIDP_DISABLED | User Authentication using an External IDP was disabled |
| EIDP_X509_CERT_UPLOADED | An X509 security certificate was uploaded for the External IDP |
| EIDP_UPDATED | The configuration profile for the External IDP used for user authentication was updated |
| EIDP_DELETED | The configuration profile for the External IDP used for user authentication was deleted |
| JIT_PROFILE_UPDATED | The Just In Time provisioning profile applied to users accessing the Insight Platform from an External IDP was updated |

Key Contacts Events

| Action | Description |
| --- | --- |
| KEY_CONTACT_ADDED | New Key Contact was added |
| KEY_CONTACT_REMOVED | Key Contact was removed |

Multi-Factor Authentication (MFA) Events

| Action | Description |
| --- | --- |
| MFA_UPDATED | MFA configuration data was changed |

Organization Events

| Action | Description |
| --- | --- |
| ORG_NAME_UPDATED | Organization Display Name was changed |
| ORGANIZATION_MOVED | The organization was moved from one customer account to another due to a customer account merge |

Password Policy Events

| Action | Description |
| --- | --- |
| PASSWORD_POLICY_UPDATED | Password policy was modified |

Organization Product Events

| Action | Description |
| --- | --- |
| ORG_PRODUCT_CREATED | A new Insight Product License was added to the Customer’s organization |
| PRODUCT_TRIAL_EVENT | A new product free trial was started |

User Events

| Action | Description |
| --- | --- |
| USER_ACCOUNT_RESET | User account was reset |
| USER_CREATED | New user was created |
| USER_DELETED | User account was deleted |
| USER_MFA_RESET | User MFA was reset |
| USER_SUCCESS_LOGIN | User logged in |
| USER_UPDATED | User profile was updated |
| USER_ACTIVATED | User account was activated |
| USER_CHANGED_PASSWORD | User changed their password |
| USER_CHANGED_SECURITY_QUESTION | User changed their security question |
| USER_ACTIVATION_RESENT | User account activation email resent |
| USER_FORGOTTEN_PASSWORD | User forgot their password |
| USER_MOVED | User account was moved to another customer account due to a customer account merge |
| USER_LOGOUT | User logged out |

User Role Events

| Action | Description |
| --- | --- |
| USER_ROLE_SET | User role was set or updated |

User Access Events

| Action | Description |
| --- | --- |
| USER_TO_ORG_PRODUCT_CREATED | A user was assigned access to a product |
| USER_TO_ORG_PRODUCT_DELETED | A user was unassigned access to a product |
| USER_TO_PRODUCT_NAVIGATION | A user navigated to access a specified product |
| USER_SWITCHED_CUSTOMER | A user with multi customer account access navigated from their primary customer account to access another customer account |
| USER_CUSTOMER_MOVED | A user account was moved from one customer account to another due to a customer account merge |

Customer Events

| Action | Description |
| --- | --- |
| CUSTOMER_NAME_UPDATED | The Customer Account Name was updated |
| CUSTOMER_MERGED | The Customer account was merged with another customer account |

Audit Log Events

| Action | Description |
| --- | --- |
| AUDIT_LOG_OPT_IN | Audit Logging was turned on |
| AUDIT_LOG_OPT_OUT | Audit Logging was turned off |
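
The action names in the tables above can drive a periodic review of collected events. The following is an added example, not Rapid7 code: it finds the periods when Audit Logging was turned off and lists changes to authentication controls. The record fields (time, action, user) and the sample events are constructed assumptions, because this page does not document an export format.

```python
from datetime import datetime

# Action names come from the tables on this page. Grouping these as
# authentication-control changes is this example's choice, not Rapid7 guidance.
AUTH_CONTROL_ACTIONS = {
    "EIDP_ENABLED", "EIDP_DISABLED", "EIDP_X509_CERT_UPLOADED", "EIDP_UPDATED",
    "EIDP_DELETED", "JIT_PROFILE_UPDATED", "MFA_UPDATED", "USER_MFA_RESET",
    "PASSWORD_POLICY_UPDATED", "API_KEY_CREATED", "API_KEY_DELETED",
}

def in_time_order(events):
    return sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))

def logging_gaps(events):
    """Pair each AUDIT_LOG_OPT_OUT with the next AUDIT_LOG_OPT_IN.

    Returns (off_time, on_time, disabled_by) tuples; on_time is None when
    logging was not turned back on within the supplied events.
    """
    gaps, pending = [], None
    for ev in in_time_order(events):
        if ev["action"] == "AUDIT_LOG_OPT_OUT" and pending is None:
            pending = (ev["time"], ev.get("user"))
        elif ev["action"] == "AUDIT_LOG_OPT_IN" and pending is not None:
            gaps.append((pending[0], ev["time"], pending[1]))
            pending = None
    if pending is not None:
        gaps.append((pending[0], None, pending[1]))
    return gaps

def auth_control_changes(events):
    """Events that changed how users or API clients authenticate."""
    return [(e["time"], e["action"], e.get("user"))
            for e in in_time_order(events) if e["action"] in AUTH_CONTROL_ACTIONS]

# Constructed sample records (deliberately unordered); field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T11:45:00+00:00", "action": "API_KEY_CREATED", "user": "owner@example.com"},
    {"time": "2024-05-01T09:00:00+00:00", "action": "USER_SUCCESS_LOGIN", "user": "admin@example.com"},
    {"time": "2024-05-01T09:05:00+00:00", "action": "MFA_UPDATED", "user": "admin@example.com"},
    {"time": "2024-05-01T09:06:00+00:00", "action": "AUDIT_LOG_OPT_OUT", "user": "admin@example.com"},
    {"time": "2024-05-01T11:30:00+00:00", "action": "AUDIT_LOG_OPT_IN", "user": "owner@example.com"},
    {"time": "2024-05-01T12:00:00+00:00", "action": "AUDIT_LOG_OPT_OUT", "user": "owner@example.com"},
]

if __name__ == "__main__":
    for gap in logging_gaps(SAMPLE_EVENTS):
        print("audit logging off:", gap)
    for change in auth_control_changes(SAMPLE_EVENTS):
        print("auth control change:", change)
```

A gap whose end time is None means logging was still off at the end of the reviewed events, so activity after that point is not in the record.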

Query your Audit Logs

You can also query your audit logs by adding the log ID to the specified URL or filter audit logs by adding Log Entry Query Language to the URL.