Audit Logging
Audit Logging allows you to record user-driven and automated activity in the Insight Platform and InsightIDR. For every action, you can see the time the action occurred and, for manual activity, the user who completed it. By enabling Audit Logging, you can track activity within the Insight Platform and InsightIDR and investigate who did what, and when. Audit Logging will also help you fulfill compliance requirements if these details are requested by an external auditor.
You must have Administrator permissions to enable Audit Logging and to view Audit Log events. For instructions on how to enable Audit Logging, read the Audit Logging documentation on the Platform help site.
InsightIDR Audit Log Events
This section outlines all of the Audit Log events that InsightIDR tracks. The events are sorted into the following categories:
- Log Search
- Data Collection Management
- Investigation
- Custom Parsing
- Automation
- Profile Settings
Log Search Events
Action | Description | Example |
---|---|---|
LOG_CREATED | Log was created | Log “newnet” was created |
LOG_UPDATED | Log was updated | Log “newnet” was updated |
LOG_DELETED | Log was deleted | Log “newnet” was deleted |
Data Collection Management Events
Action | Description | Example |
---|---|---|
ACTIVATE_COLLECTOR | Collector was activated | Collector tulsa.collector.razor.com activated |
DELETE_COLLECTOR | Collector was deleted | Collector tulsa.collector.razor.com deleted |
COPY_EVENT_SOURCES | Event sources were copied from one collector to another | Event sources copied from collector tulsa.collector.razor.com to orlando.collector.razor.com |
ACTIVATE_HONEYPOT | Honeypot was activated | Tulsa Honeypot (finance-db-1 - 10.4.2.111) activated |
DELETE_HONEYPOT | Honeypot was deleted | Tulsa Honeypot (finance-db-1 - 10.4.2.111) deleted |
ACTIVATE_ORCHESTRATOR | Orchestrator was activated | Orchestrator tls-orchestrator activated |
DELETE_ORCHESTRATOR | Orchestrator was deleted | Orchestrator tls-orchestrator deleted |
ADD_EVENT_SOURCE | New event source added to a collector | Cisco ASA VPN event source Cobra (vASA) added to collector tulsa.collector.razor.com |
EDIT_EVENT_SOURCE | Event source edited on a collector | Cisco ASA VPN event source Cobra (vASA) edited on collector tulsa.collector.razor.com |
DELETE_EVENT_SOURCE | Event source deleted from a collector | Cisco ASA VPN event source Cobra (vASA) deleted from collector tulsa.collector.razor.com |
START_EVENT_SOURCE | Event source started on a collector | Cisco ASA VPN event source Cobra (vASA) started on collector tulsa.collector.razor.com |
STOP_EVENT_SOURCE | Event source stopped on a collector | Cisco ASA VPN event source Cobra (vASA) stopped on collector tulsa.collector.razor.com |
ADD_DATA_EXPORTER | Data exporter added on a collector | Universal Webhook data exporter IDR Alert Komand Workflow added on collector tulsa.collector.razor.com |
EDIT_DATA_EXPORTER | Data exporter edited on a collector | Universal Webhook data exporter IDR Alert Komand Workflow edited on collector tulsa.collector.razor.com |
DELETE_DATA_EXPORTER | Data exporter deleted from a collector | Universal Webhook data exporter IDR Alert Komand Workflow deleted on collector tulsa.collector.razor.com |
START_DATA_EXPORTER | Data exporter started on a collector | Universal Webhook data exporter IDR Alert Komand Workflow started on collector tulsa.collector.razor.com |
STOP_DATA_EXPORTER | Data exporter stopped on a collector | Universal Webhook data exporter IDR Alert Komand Workflow stopped on collector tulsa.collector.razor.com |
ADD_CREDENTIAL | Credential was added | Password credential AWS PlatformProd added |
EDIT_CREDENTIAL | Credential was edited | Password credential AWS PlatformProd edited |
DELETE_CREDENTIAL | Credential was deleted | Password credential AWS PlatformProd deleted |
Investigation Events
Action | Description | Example |
---|---|---|
INVESTIGATION_CREATED (manual) | Investigation created by a user | Investigation "Investigate some stuff" created |
INVESTIGATION_ASSIGNED | Investigation assigned to a user | Investigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" assigned to John Smith |
INVESTIGATION_UNASSIGNED | Investigation unassigned | Investigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" unassigned |
INVESTIGATION_NOTE_ADDED | Note added to an investigation | Note added to investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" |
INVESTIGATION_ACTION_TAKEN | Action taken on an investigation | "Quarantine" action taken on investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" |
INVESTIGATION_DATA_ADDED | Data added to an investigation | Endpoint job data added to investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" |
INVESTIGATION_CLOSED | Investigation was closed | Investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" closed |
INVESTIGTION_REOPENED | Investigation was reopened | Investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" reopened |
ALERT_MODIFICATION_CREATED | Detection rule modification was created | Detection rule modification "Allow access from new source" created: Allow Phishing Reports to authenticate from source asset test.tor.razor.com |
ALERT_MODIFICATION_REMOVED | Detection rule modification was removed | Detection rule modification "Allow account enabler" removed: Allow Jane Brown (Admin) to re-enable accounts |
Custom Parsing Events
Action | Description | Example |
---|---|---|
PARSING_RULE_CREATED | Custom parsing rule was created | Custom parsing rule "TEST" created |
PARSING_RULE_REMOVED | Custom parsing rule was removed | Custom parsing rule "TEST" removed |
Automation Events
Action | Description | Example |
---|---|---|
ALERT_TRIGGER_CREATED | Trigger was created for a workflow | Trigger created for "Look Up IPs with RecordedFuture" as detection rule type: Network Access for Threat |
ALERT_TRIGGER_REMOVED | Trigger was removed from a workflow | Trigger removed for "Look Up IPs with RecordedFuture" as detection rule type: Network Access for Threat |
ALERT_TRIGGER_DISABLED | Trigger was disabled on a workflow | Detection rule type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been disabled |
ALERT_TRIGGER_ENABLED | Trigger was enabled on a workflow | Detection rule type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been enabled |
Profile Settings Events
Action | Description | Example |
---|---|---|
EMAIL_ALERT_ENABLED | Email notifications have been enabled | Email notifications have been enabled |
EMAIL_ALERT_DISABLED | Email notifications have been disabled | Email notifications have been disabled |
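A triage pass over these events, as an added example that is not Rapid7's code: it flags the actions from the tables above that remove or silence telemetry, tuning or notifications, pulls the collector hostname out of the message text, and counts how many such actions each user performed. The record fields and the sample events are constructed assumptions; the product's actual audit log export format is not shown on this page.

```python
import re
from collections import Counter

# Actions from the tables on this page whose effect is to remove or silence
# telemetry, tuning or notifications. Any one of them can be routine admin work;
# a run of them from a single account is what blinding the SIEM looks like.
VISIBILITY_REDUCING = frozenset({
    "DELETE_COLLECTOR", "DELETE_HONEYPOT", "DELETE_ORCHESTRATOR",
    "DELETE_EVENT_SOURCE", "STOP_EVENT_SOURCE", "DELETE_DATA_EXPORTER",
    "STOP_DATA_EXPORTER", "DELETE_CREDENTIAL", "PARSING_RULE_REMOVED",
    "ALERT_MODIFICATION_CREATED", "ALERT_TRIGGER_REMOVED",
    "ALERT_TRIGGER_DISABLED", "EMAIL_ALERT_DISABLED",
})

# Collector hostnames appear in the example messages as "... collector <host>".
COLLECTOR_RE = re.compile(r"\bcollector (?P<host>[\w.-]+)")

# Constructed sample events. The field names (time/user/action/message) are an
# assumption for this example, not the product's export schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T22:40:10Z", "user": "jsmith", "action": "STOP_EVENT_SOURCE",
     "message": "Cisco ASA VPN event source Cobra (vASA) stopped on collector tulsa.collector.razor.com"},
    {"time": "2024-05-01T22:41:02Z", "user": "jsmith", "action": "STOP_DATA_EXPORTER",
     "message": "Universal Webhook data exporter IDR Alert Komand Workflow stopped on collector tulsa.collector.razor.com"},
    {"time": "2024-05-01T22:41:30Z", "user": "jsmith", "action": "EMAIL_ALERT_DISABLED",
     "message": "Email notifications have been disabled"},
    {"time": "2024-05-02T08:00:00Z", "user": "jbrown", "action": "ADD_EVENT_SOURCE",
     "message": "Cisco ASA VPN event source Cobra (vASA) added to collector orlando.collector.razor.com"},
]


def affected_collector(message):
    """Return the collector hostname named in an event message, or None."""
    m = COLLECTOR_RE.search(message)
    return m.group("host") if m else None


def triage(events, threshold=3):
    """Return (flagged, noisy_users).
    flagged: (time, user, action, collector) for every visibility-reducing event.
    noisy_users: user -> count, for users with at least `threshold` such events.
    """
    flagged, per_user = [], Counter()
    for ev in events:
        if ev["action"] in VISIBILITY_REDUCING:
            flagged.append((ev["time"], ev["user"], ev["action"],
                            affected_collector(ev["message"])))
            per_user[ev["user"]] += 1
    return flagged, {u: n for u, n in per_user.items() if n >= threshold}
```

Feed it the audit events for a day and review any user who shows up in the noisy set, especially when the flagged collector is one that feeds your highest-value detections.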