Audit Logging allows you to record user-driven and automated activity in the Insight Platform and InsightIDR. For every action, you can see the time the action occurred and, for manual activity, the user who completed the action. By enabling Audit Logging, you can track activity within the Insight Platform and InsightIDR, and investigate who did what, when. Audit Logging will also help you fulfill compliance requirements if these details are requested by an external auditor.
You must have Administrator permissions to enable Audit Logging and to view Audit Log events.
Audit Logging for the Insight Platform and InsightIDR is in Open Preview
During Open Preview, you will have the opportunity to test Audit Logging and provide feedback to Rapid7. This feedback will be incorporated as Rapid7 makes improvements to the feature and builds Audit Logging functionality for all Insight products.
To use the Audit Logging feature in the Insight Platform:
Enable Audit Logging
To enable Audit Logging:
- From the Platform home, click Settings > Company Settings > Audit Log.
- Set the toggle as Enabled.
- Select the region where you want to store your Audit Log data.
You enabled Audit Logging!
Once you turn on Audit Logging, the Insight Platform will immediately begin collecting all Platform and InsightIDR events.
To disable Audit Logging, follow the same procedure that you did to enable it, except set the toggle as Disabled.
View your Audit Log Events
You can view your Audit Log events in the Insight Platform by going to the top navigation menu and clicking Settings > Audit Log.
To view your events, filter the table for events in either InsightIDR or the Insight Platform using the Log Selector option in the top left of the table. For each event in the table, you can see the time that the action occurred and, for manual actions, the user who completed the action and that user's email address. InsightIDR events also include a description of the action.
You can filter to view actions taken by a specific user by searching for their username in the search bar.
You can also search on any string within this search bar.
To view more details about an Audit Log Event, click on the event. A modal with additional details will appear.
More Details Modal limitations during Open Preview
Description fields are not available in the More Details modal during Open Preview, but will be provided when Audit Logging moves to General Availability. The More Details modal currently provides contextual information to help you better understand the result of the audit event action.
InsightIDR Audit Log Events
To see the InsightIDR Audit Log messages, read the Audit Logging documentation on the InsightIDR help site.
Platform Audit Log Events
This section outlines all of the Audit Log events that the Insight Platform tracks. The events are sorted into the following categories:
- API Key
- External Identity Provider (IDP)
- Key Contacts
- Multi-Factor Authentication (MFA)
- Password Policy
- Organization Product
- User Role
- User Access
- Role Based Access Control (RBAC)
- Audit Log
API Key Events
| Event | Description |
|---|---|
| API_KEY_CREATED | New API key was created |
| API_KEY_DELETED | API key was deleted |
| API_KEY_MOVED | API key was moved to a new customer account due to a customer account merge |
External Identity Provider (IDP) Events
| Event | Description |
|---|---|
| EIDP_ENABLED | User Authentication using an External IDP was enabled |
| EIDP_DISABLED | User Authentication using an External IDP was disabled |
| EIDP_X509_CERT_UPLOADED | An X509 security certificate was uploaded for the External IDP |
| EIDP_UPDATED | The configuration profile for the External IDP used for user authentication was updated |
| EIDP_DELETED | The configuration profile for the External IDP used for user authentication was deleted |
| JIT_PROFILE_UPDATED | The Just In Time provisioning profile applied to users accessing the Insight Platform from an External IDP was updated |
Key Contacts Events
| Event | Description |
|---|---|
| KEY_CONTACT_ADDED | New Key Contact was added |
| KEY_CONTACT_REMOVED | Key Contact was removed |
Multi-Factor Authentication (MFA) Events
| Event | Description |
|---|---|
| MFA_UPDATED | MFA configuration data was changed |
| ORG_NAME_UPDATED | Organization Display Name was changed |
| ORGANIZATION_MOVED | The organization was moved from one customer account to another due to a customer account merge |
Password Policy Events
| Event | Description |
|---|---|
| PASSWORD_POLICY_UPDATED | Password policy was modified |
Organization Product Events
| Event | Description |
|---|---|
| ORG_PRODUCT_CREATED | A new Insight Product License was added to the Customer’s organization |
| PRODUCT_TRIAL_EVENT | A new product free trial was started |
| USER_ACCOUNT_RESET | User account was reset |
| USER_CREATED | New user was created |
| USER_DELETED | User account was deleted |
| USER_MFA_RESET | User MFA was reset |
| USER_SUCCESS_LOGIN | User logged in |
| USER_UPDATED | User profile was updated |
| USER_ACTIVATED | User account was activated |
| USER_CHANGED_PASSWORD | User changed their password |
| USER_CHANGED_SECURITY_QUESTION | User changed their security question |
| USER_ACTIVATION_RESENT | User account activation email resent |
| USER_FORGOTTEN_PASSWORD | User forgot their password |
| USER_MOVED | User account was moved to another customer account due to a customer account merge |
| USER_LOGOUT | User logged out |
User Role Events
| Event | Description |
|---|---|
| USER_ROLE_SET | User role was set or updated |
User Access Events
| Event | Description |
|---|---|
| USER_TO_ORG_PRODUCT_CREATED | A user was assigned access to a product |
| USER_TO_ORG_PRODUCT_DELETED | A user was unassigned access to a product |
| USER_TO_PRODUCT_NAVIGATION | A user navigated to access a specified product |
| USER_SWITCHED_CUSTOMER | A user with multi customer account access navigated from their primary customer account to access another customer account |
| USER_CUSTOMER_MOVED | A user account was moved from one customer account to another due to a customer account merge |
| CUSTOMER_NAME_UPDATED | The Customer Account Name was updated |
| CUSTOMER_MERGED | The Customer account was merged with another customer account |
Audit Log Events
| Event | Description |
|---|---|
| AUDIT_LOG_OPT_IN | Audit Logging was turned on |
| AUDIT_LOG_OPT_OUT | Audit Logging was turned off |
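
An added example, not Rapid7 code: one way to review a batch of Platform audit events offline, flagging events from the tables above that change authentication, access or logging settings and measuring any window between AUDIT_LOG_OPT_OUT and the next AUDIT_LOG_OPT_IN. The record fields (time, event, user), the sample data and the watchlist selection are assumptions of this example; the page does not document an export format.

```python
from datetime import datetime

# Constructed sample records. The field names (time, event, user) are an
# assumption modelled on the columns the Audit Log table shows; they are not
# a documented export format.
SAMPLE = [
    {"time": "2024-03-01T09:00:00", "event": "AUDIT_LOG_OPT_IN", "user": "admin@example.com"},
    {"time": "2024-03-01T09:05:00", "event": "USER_SUCCESS_LOGIN", "user": "alice@example.com"},
    {"time": "2024-03-02T14:10:00", "event": "USER_MFA_RESET", "user": "alice@example.com"},
    {"time": "2024-03-02T14:30:00", "event": "API_KEY_CREATED", "user": "alice@example.com"},
    {"time": "2024-03-03T01:00:00", "event": "AUDIT_LOG_OPT_OUT", "user": "bob@example.com"},
    {"time": "2024-03-03T07:45:00", "event": "AUDIT_LOG_OPT_IN", "user": "admin@example.com"},
    {"time": "2024-03-03T08:00:00", "event": "USER_LOGOUT", "user": "alice@example.com"},
]

# Event names taken from the tables above. Which ones to watch is this
# example's choice, not a Rapid7 classification.
WATCHLIST = {
    "AUDIT_LOG_OPT_OUT", "EIDP_DISABLED", "EIDP_DELETED", "MFA_UPDATED",
    "USER_MFA_RESET", "PASSWORD_POLICY_UPDATED", "API_KEY_CREATED", "USER_ROLE_SET",
}

def review(records):
    """Return (flagged, gaps): watchlist hits and windows with logging off."""
    flagged, gaps, off_since = [], [], None
    for rec in sorted(records, key=lambda r: r["time"]):
        when = datetime.fromisoformat(rec["time"])
        if rec["event"] in WATCHLIST:
            flagged.append((rec["time"], rec["event"], rec["user"]))
        if rec["event"] == "AUDIT_LOG_OPT_OUT":
            off_since = (when, rec["user"])
        elif rec["event"] == "AUDIT_LOG_OPT_IN" and off_since:
            start, who = off_since
            gaps.append({"disabled_by": who, "start": start, "end": when,
                         "hours": (when - start).total_seconds() / 3600})
            off_since = None
    if off_since:  # logging was turned off and never turned back on
        gaps.append({"disabled_by": off_since[1], "start": off_since[0],
                     "end": None, "hours": None})
    return flagged, gaps

if __name__ == "__main__":
    hits, windows = review(SAMPLE)
    for t, event, user in hits:
        print(f"{t}  {event:<24} {user}")
    for g in windows:
        print(f"logging off from {g['start']} to {g['end']} (by {g['disabled_by']})")
```

Activity inside a reported gap has no audit record, so it has to be reconstructed from other sources.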