Audit logging

Audit logging allows you to record both user driven and automated activity relating to your Insight solutions. For every auditable action, you can see what the action was, the time that the action occurred, and who completed the action. By enabling audit logging, you have the ability track activity for investigative purposes. Audit logging will also help you fulfill compliance requirements if these details are requested by an external auditor.

You must have Administrator permissions to enable audit logging and to view audit log events.

To use the audit logging feature in the Insight Platform:

  1. Enable audit logging
  2. View your audit log events
  3. Query your audit logs

Enable audit logging

To enable audit logging:

  1. From the Platform home, click Settings > Company Settings > Audit Log.
  2. Set the toggle to Enabled.
  3. Select the region where you want to store your audit log data.

Company Settings enabled

You enabled audit logging!

Once you turn on audit logging, the Insight Platform will immediately begin collecting all Platform and InsightIDR events.

View your audit log events

You can view your audit Log events in the Insight Platform by going to the top navigation menu and clicking Settings > Audit Log.

To view your events, you can use the Audit Source log selector drop down to filter the table to show specific audit logs. You can also choose to view All Audit Logs. For each event on the table, you can see the time that the action occurred, details (Name and Email) of who completed the action and the product that the action occurred within.

You can filter to view actions taken by a specific user by searching for their username in the search bar. You also have the ability to search for any string within this search bar, such as an email or action.

View all logs

You can also confine your search to specific date ranges using the date selector component as part of the search bar. You can either type in the date range manually using the date/time box provided or you can click on the calendar to select the date range.

Date selector component

You can export your log search results to a CSV file directly from the Audit Table using the Export to CSV function beside the search bar. Once the CSV file has been exported, a green bar will appear and you will have the option to download it.

CSV export

To view more details about an audit log Event, click View More in the More Details column. A window with additional details about the specific audit log event will appear.

InsightIDR audit log events

To see the InsightIDR audit log messages, read the audit logging documentation on the InsightIDR documentation site.

InsightAppSec audit log events

For information about InsightAppSec audit log messages, see audit logging in the InsightAppSec documentation site.

Custom Policy Builder

Within InsightVM's Custom Policy Builder, you can use audit logging to capture every policy update implemented by users. Audit logs record who, when, and what changes were made to a policy so a user or an auditor can view the change history of any policy at a later date. For more information, see the audit logs topic of the Custom Policy Builder InsightVM documentation.

Platform audit log events

This section outlines audit log events currently generated by Insight Platform Services. The events are sorted into the following categories:

  • API Key
  • External Identity Provider (IDP)
  • Key Contacts
  • Multi-Factor Authentication (MFA)
  • Organization
  • Password Policy
  • Organization Product
  • User
  • User Role
  • User Access
  • Customer
  • Role Based Access Control (RBAC)
  • Audit Log

API key events

ActionDescription
API_KEY_CREATEDNew API key was created
API_KEY_DELETEDAPI key was deleted
API_KEY_MOVEDAPI key was moved to a new customer account due to a customer account merge

When scheduled reports generate, they automatically create and delete API keys. These API key events (specifically the Create and Delete events) appear in your audit log. This is expected behavior and indicates that the reports have generated correctly.

Manual report generation uses temporary API keys

When you manually create a report, or generate one from a dashboard, Rapid7 creates a temporary API key in your customer account. This temporary key is created so that when the report runs, it is associated with the specific user who created it. The temporary key is used to create the report, then it is automatically deleted when the report has generated. This means the creation and deletion of the temporary API key is visible in your audit log.

External identity provider (IDP) events

ActionDescription
EIDP_ENABLEDUser Authentication using an External IDP was enabled
EIDP_DISABLEDUser Authentication using an External IDP was disabled
EIDP_X509_CERT_UPLOADEDAn X509 security certificate was uploaded for the External IDP
EIDP_UPDATEDThe configuration profile for the External IDP used for user authentication was updated
EIDP_DELETEDThe configuration profile for the External IDP used for user authentication was deleted
JIT_PROFILE_UPDATEDThe Just In Time provisioning profile applied to users accessing the Insight Platform from an External IDP was updated

Key contact events

ActionDescription
KEY_CONTACT_ADDEDNew Key Contact was added
KEY_CONTACT_REMOVEDKey Contact was removed

Multi-factor authentication (MFA) events

ActionDescription
MFA_UPDATEDMFA configuration data was changed

Organization events

ActionDescription
ORG_NAME_UPDATEDOrganization Display Name was changed
ORGANIZATION_MOVEDThe organization was moved from one customer account to another due to a customer account merge

Password policy events

ActionDescription
PASSWORD_POLICY_UPDATEDPassword policy was modified

Organization product events

ActionDescription
ORG_PRODUCT_CREATEDA new Insight Product License was added to the Customer’s organization
PRODUCT_TRIAL_EVENTA new product free trial was started

User events

ActionDescription
USER_ACCOUNT_RESETUser account was reset
USER_CREATEDNew user was created
USER_DELETEDUser account was deleted
USER_MFA_RESETUser MFA was reset
USER_SUCCESS_LOGINUser logged in
USER_UPDATEDUser profile was updated
USER_ACTIVATEDUser account was activated
USER_CHANGED_PASSWORDUser changed their password
USER_CHANGED_SECURITY_QUESTIONUser changed their security question
USER_ACTIVATION_RESENTUser account activation email resent
USER_FORGOTTEN_PASSWORDUser forgot their password
USER_MOVEDUser account was moved to another customer account due to a customer account merge
USER_LOGOUTUser logged out

User role events

ActionDescription
USER_ROLE_SETUser role was set or updated

User access events

ActionDescription
USER_TO_ORG_PRODUCT_CREATEDA user was assigned access to a product
USER_TO_ORG_PRODUCT_DELETEDA user was unassigned access to a product
USER_TO_PRODUCT_NAVIGATIONA user navigated to access a specified product
USER_SWITCHED_CUSTOMERA user with multi customer account access navigated from their primary customer account to access another customer account
USER_CUSTOMER_MOVEDA user account was moved from one customer account to another due to a customer account merge

Customer events

ActionAction
CUSTOMER_NAME_UPDATEDThe Customer Account Name was updated
CUSTOMER_MERGEDThe Customer account was merged with another customer account

Audit log events

ActionDescription
AUDIT_LOG_OPT_INAudit Logging was turned on
AUDIT_LOG_OPT_OUTAudit Logging was turned off