Audit Logging

Audit Logging allows you to record user driven and automated activity in the Insight Platform and InsightIDR. For every action, you can see the time the action occurred and for manual activity, the user who completed the action. By enabling Audit Logging, you can track activity within the Insight Platform and InsightIDR, and investigate who did what, when. Audit Logging will also help you fulfill compliance requirements if these details are requested by an external auditor.

You must have Administrator permissions to enable Audit Logging and to view Audit Log events. For instructions on how to enable Audit Logging, read the Audit Logging documentation on the Platform help site.

Audit Logging for the Insight Platform and InsightIDR is in Open Preview

During Open Preview, you will have the opportunity to test Audit Logging and provide feedback to Rapid7. This feedback will be incorporated as Rapid7 makes improvements to the feature and builds Audit Logging functionality for all Insight products.

InsightIDR Audit Log Events

This section outlines all of the Audit Log events that InsightIDR tracks. The events are sorted into the following categories:

  • Log Search
  • Data Collection Management
  • Investigation
  • Custom Parsing
  • Automation
  • Profile Settings

Log Search Events

ActionDescriptionExample
LOG_CREATEDLog was createdLog “newnet” was created
LOG_UPDATEDLog was updatedLog “newnet” was updated
LOG_DELETEDLog was deletedLog “newnet” was deleted

Data Collection Management Events

ActionDescriptionExample
ACTIVATE_COLLECTORCollector was activatedCollector tulsa.collector.razor.com activated
DELETE_COLLECTORCollector was deletedCollector tulsa.collector.razor.com deleted
COPY_EVENT_SOURCESEvent sources were copied from one collector to anotherEvent sources copied from collector tulsa.collector.razor.com to orlando.collector.razor.com
ACTIVATE_HONEYPOTHoneypot was activatedTulsa Honeypot (finance-db-1 - 10.4.2.111) activated
DELETE_HONEYPOTHoneypot was deletedTulsa Honeypot (finance-db-1 - 10.4.2.111) deleted
ACTIVATE_ORCHESTRATOROrchestrator was activatedOrchestrator tls-orchestrator activated
DELETE_ORCHESTRATOROrchestrator was deletedOrchestrator tls-orchestrator deleted
ADD_EVENT_SOURCENew event source added to a collectorCisco ASA VPN event source Cobra (vASA) added to collector tulsa.collector.razor.com
EDIT_EVENT_SOURCEEvent source edited on a collectorCisco ASA VPN event source Cobra (vASA) edited on collector tulsa.collector.razor.com
DELETE_EVENT_SOURCEEvent source deleted from a collectorCisco ASA VPN event source Cobra (vASA) deleted from collector tulsa.collector.razor.com
START_EVENT_SOURCEEvent source started on a collectorCisco ASA VPN event source Cobra (vASA) started on collector tulsa.collector.razor.com
STOP_EVENT_SOURCEEvent source stopped on a collectorCisco ASA VPN event source Cobra (vASA) stopped on collector tulsa.collector.razor.com
ADD_DATA_EXPORTERData exporter added on a collectorUniversal Webhook data exporter IDR Alert Komand Workflow added on collector tulsa.collector.razor.com
EDIT_DATA_EXPORTERData exporter edited on a collectorUniversal Webhook data exporter IDR Alert Komand Workflow edited on collector tulsa.collector.razor.com
DELETE_DATA_EXPORTERData exporter deleted from a collectorUniversal Webhook data exporter IDR Alert Komand Workflow deleted on collector tulsa.collector.razor.com
START_DATA_EXPORTERData exporter started on a collectorUniversal Webhook data exporter IDR Alert Komand Workflow started on collector tulsa.collector.razor.com
STOP_DATA_EXPORTERData exporter stopped on a collectorUniversal Webhook data exporter IDR Alert Komand Workflow stopped on collector tulsa.collector.razor.com
ADD_CREDENTIALCredential was addedPassword credential AWS PlatformProd added
EDIT_CREDENTIALCredential was editedPassword credential AWS PlatformProd edited
DELETE_CREDENTIALCredential was deletedPassword credential AWS PlatformProd deleted

Investigation Events

ActionDescriptionExample
INVESTIGATION_CREATED (manual)Investigation created by a userInvestigation "Investigate some stuff" created
INVESTIGATION_ASSIGNEDInvestigation assigned to a userInvestigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" assigned to John Smith
INVESTIGATION_UNASSIGNEDInvestigation unassignedInvestigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" unassigned
INVESTIGATION_NOTE_ADDEDNote added to an investigationNote added to investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds"
INVESTIGATION_ACTION_TAKENAction taken on an investigation"Quarantine" action taken on investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds"
INVESTIGATION_DATA_ADDEDData added to an investigationEndpoint job data added to investigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds"
INVESTIGATION_CLOSEDInvestigation was closedInvestigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" closed
INVESTIGTION_REOPENEDInvestigation was reopenedInvestigation Wireless Multiple Country Authentications "Account jsmith@razor.com authenticated with wireless devices from 2 countries in 7 seconds" reopened
ALERT_MODIFICATION_CREATEDDetection rule modification was createdDetection rule modification "Allow access from new source" created: Allow Phishing Reports to authenticate from source asset test.tor.razor.com
ALERT_MODIFICATION_REMOVEDDetection rule modification was removedDetection rule modification "Allow account enabler" removed: Allow Jane Brown (Admin) to re-enable accounts

Custom Parsing

ActionDescriptionExample
PARSING_RULE_CREATEDCustom parsing rule was createdCustom parsing rule "TEST" created
PARSING_RULE_REMOVEDCustomer parsing rule was removedCustom parsing rule "TEST" removed

Automation Events

ActionDescriptionExample
ALERT_TRIGGER_CREATEDTrigger was created for a workflowTrigger created for "Look Up IPs with RecordedFuture" as detection rule type: Network Access for Threat
ALERT_TRIGGER_REMOVEDTrigger was removed from a workflowTrigger removed for "Look Up IPs with RecordedFuture" as detection rule type: Network Access for Threat
ALERT_TRIGGER_DISABLEDTrigger was disabled on a workflowDetection rule type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been disabled
ALERT_TRIGGER_ENABLEDTrigger was enabled on a workflowDetection rule type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been enabled

Profile Settings Events

ActionDescriptionExample
EMAIL_ALERT_ENABLEDEmail notifications have been enabledEmail notifications have been enabled
EMAIL_ALERT_DISABLEDEmail notifications have been disabledEmail notifications have been disabled