Audit Logging allows you to record both user-driven and automated activity relating to your Insight solutions. For every auditable action, you can see what the action was, the time that the action occurred, and who completed the action. By enabling Audit Logging, you can track activity for investigative purposes. Audit Logging will also help you fulfill compliance requirements if these details are requested by an external auditor.
You must have Administrator permissions to enable Audit Logging and to view Audit Log events.
Audit Logging is in Open Preview and currently supports audit events from Insight Platform Services, InsightIDR, and InsightVM's Custom Policy Builder.
During Open Preview, you will have the opportunity to test Audit Logging and provide feedback to Rapid7. This feedback will be incorporated as Rapid7 makes improvements to the feature and builds Audit Logging functionality for all Insight products.
To use the Audit Logging feature in the Insight Platform:
Enable Audit Logging
To enable Audit Logging:
- From the Platform home, click Settings > Company Settings > Audit Log.
- Set the toggle to Enabled.
- Select the region where you want to store your Audit Log data.
You enabled Audit Logging!
Once you turn on Audit Logging, the Insight Platform will immediately begin collecting all Platform and InsightIDR events.
View your Audit Log Events
You can view your Audit Log events in the Insight Platform by going to the top navigation menu and clicking Settings > Audit Log.
To view your events, you can use the Audit Source log selector drop-down to filter the table to show specific Audit Logs. You can also choose to view All Audit Logs. For each event in the table, you can see the time that the action occurred, the details (Name and Email) of who completed the action, and the product within which the action occurred.
You can filter to view actions taken by a specific user by searching for their username in the search bar. You can also search for any string within this search bar, such as an email or an action.
You can also confine your search to specific date ranges using the date selector that is part of the search bar. You can either type in the date range manually using the date/time box provided or click the calendar to select the date range.
You can export your log search results to a CSV file directly from the Audit Table using the Export to CSV function beside the search bar. Once the CSV file has been exported, a green bar will appear and you will have the option to download it.
To view more details about an Audit Log Event, click View More in the More Details column. A window with additional details about the specific Audit Log event will appear.
More Details Modal limitations during Open Preview
Description fields are not available in the More Details modal during Open Preview, but will be provided when Audit Logging moves to General Availability. The More Details modal currently provides contextual information to help you better understand the result of the audit event action.
InsightIDR Audit Log Events
To see the InsightIDR Audit Log messages, read the Audit Logging documentation on the InsightIDR help site.
Custom Policy Builder
Within InsightVM's Custom Policy Builder, you can use Audit Logging to capture every policy update made by users. Audit Logs record who made each change to a policy, when it was made, and what was changed, so a user or an auditor can view the change history of any policy at a later date. For more information, see the Audit Logs topic of the Custom Policy Builder InsightVM documentation.
Platform Audit Log Events
This section outlines Audit Log events currently generated by Insight Platform Services. The events are sorted into the following categories:
- API Key
- External Identity Provider (IDP)
- Key Contacts
- Multi-Factor Authentication (MFA)
- Password Policy
- Organization Product
- User Role
- User Access
- Role Based Access Control (RBAC)
- Audit Log
API Key Events
| Event | Description |
| --- | --- |
| API_KEY_CREATED | New API key was created |
| API_KEY_DELETED | API key was deleted |
| API_KEY_MOVED | API key was moved to a new customer account due to a customer account merge |
External Identity Provider (IDP) Events
| Event | Description |
| --- | --- |
| EIDP_ENABLED | User authentication using an External IDP was enabled |
| EIDP_DISABLED | User authentication using an External IDP was disabled |
| EIDP_X509_CERT_UPLOADED | An X509 security certificate was uploaded for the External IDP |
| EIDP_UPDATED | The configuration profile for the External IDP used for user authentication was updated |
| EIDP_DELETED | The configuration profile for the External IDP used for user authentication was deleted |
| JIT_PROFILE_UPDATED | The Just In Time provisioning profile applied to users accessing the Insight Platform from an External IDP was updated |
Key Contacts Events
| Event | Description |
| --- | --- |
| KEY_CONTACT_ADDED | New Key Contact was added |
| KEY_CONTACT_REMOVED | Key Contact was removed |
Multi-Factor Authentication (MFA) Events
| Event | Description |
| --- | --- |
| MFA_UPDATED | MFA configuration data was changed |
| ORG_NAME_UPDATED | Organization Display Name was changed |
| ORGANIZATION_MOVED | The organization was moved from one customer account to another due to a customer account merge |
Password Policy Events
| Event | Description |
| --- | --- |
| PASSWORD_POLICY_UPDATED | Password policy was modified |
Organization Product Events
| Event | Description |
| --- | --- |
| ORG_PRODUCT_CREATED | A new Insight Product License was added to the Customer's organization |
| PRODUCT_TRIAL_EVENT | A new product free trial was started |
| USER_ACCOUNT_RESET | User account was reset |
| USER_CREATED | New user was created |
| USER_DELETED | User account was deleted |
| USER_MFA_RESET | User MFA was reset |
| USER_SUCCESS_LOGIN | User logged in |
| USER_UPDATED | User profile was updated |
| USER_ACTIVATED | User account was activated |
| USER_CHANGED_PASSWORD | User changed their password |
| USER_CHANGED_SECURITY_QUESTION | User changed their security question |
| USER_ACTIVATION_RESENT | User account activation email was resent |
| USER_FORGOTTEN_PASSWORD | User forgot their password |
| USER_MOVED | User account was moved to another customer account due to a customer account merge |
| USER_LOGOUT | User logged out |
User Role Events
| Event | Description |
| --- | --- |
| USER_ROLE_SET | User role was set or updated |
User Access Events
| Event | Description |
| --- | --- |
| USER_TO_ORG_PRODUCT_CREATED | A user was assigned access to a product |
| USER_TO_ORG_PRODUCT_DELETED | A user was unassigned access to a product |
| USER_TO_PRODUCT_NAVIGATION | A user navigated to access a specified product |
| USER_SWITCHED_CUSTOMER | A user with multi-customer account access navigated from their primary customer account to access another customer account |
| USER_CUSTOMER_MOVED | A user account was moved from one customer account to another due to a customer account merge |
| CUSTOMER_NAME_UPDATED | The Customer Account Name was updated |
| CUSTOMER_MERGED | The Customer account was merged with another customer account |
Audit Log Events
| Event | Description |
| --- | --- |
| AUDIT_LOG_OPT_IN | Audit Logging was turned on |
| AUDIT_LOG_OPT_OUT | Audit Logging was turned off |
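The catalog above gives the event identifiers a reviewer would look for. As an added example (not Rapid7's code), the Python script below reads an Audit Log CSV export, flags the events that change authentication or auditing posture, and counts events per actor so bursts of activity stand out. The CSV column names (`timestamp`, `name`, `email`, `product`, `event`) and the sample rows are constructed assumptions; match them to the headers of your own export.

```python
import csv
import io
from collections import Counter

# Events from the catalog above that change authentication or auditing
# posture; a defender will usually want each of these reviewed promptly.
HIGH_PRIORITY_EVENTS = {
    "AUDIT_LOG_OPT_OUT": "audit logging disabled",
    "EIDP_DISABLED": "external IDP authentication disabled",
    "EIDP_X509_CERT_UPLOADED": "IDP signing certificate replaced",
    "JIT_PROFILE_UPDATED": "JIT provisioning profile changed",
    "MFA_UPDATED": "MFA configuration changed",
    "PASSWORD_POLICY_UPDATED": "password policy changed",
    "USER_MFA_RESET": "user MFA reset",
    "USER_ROLE_SET": "user role set or updated",
    "API_KEY_CREATED": "new API key created",
}

# Constructed sample export. The column names are an assumption about the
# CSV layout; adjust them to match the headers in your own export.
SAMPLE_CSV = """\
timestamp,name,email,product,event
2024-05-01T09:12:03Z,Ada Example,ada@example.com,Platform,USER_SUCCESS_LOGIN
2024-05-01T09:15:44Z,Ada Example,ada@example.com,Platform,API_KEY_CREATED
2024-05-01T09:16:10Z,Ada Example,ada@example.com,Platform,USER_ROLE_SET
2024-05-01T09:20:27Z,Bob Example,bob@example.com,Platform,AUDIT_LOG_OPT_OUT
2024-05-01T09:21:00Z,Bob Example,bob@example.com,Platform,USER_LOGOUT
"""


def flag_events(csv_text, watchlist=HIGH_PRIORITY_EVENTS):
    """Return (actor_email, timestamp, event, reason) for each watchlisted row."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = row["event"].strip()
        if event in watchlist:
            hits.append((row["email"], row["timestamp"], event, watchlist[event]))
    return hits


def events_per_actor(csv_text):
    """Count all audit events by actor e-mail, useful for spotting bursts."""
    return Counter(row["email"] for row in csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    for email, ts, event, reason in flag_events(SAMPLE_CSV):
        print(f"{ts} {email} {event}: {reason}")
    print(events_per_actor(SAMPLE_CSV))
```

Running it against a real export after an incident gives a quick list of posture-changing actions to review first, with the actor and time the table already records.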
Query your Audit Logs
Retrieve Platform Audit Logs using the API
If you have an organization-level API key or a Platform Admin user key, you can query audit logs using the REST API. For further information, see the InsightIDR Audit Log documentation.