Audit Logging

Audit Logging records user-driven and automated activity in the Insight Platform and InsightIDR. For every action, you can see the time the action occurred and, for manual activity, the user who completed it. By enabling Audit Logging, you can track activity within the Insight Platform and InsightIDR and investigate who did what, and when. Audit Logging also helps you fulfill compliance requirements if these details are requested by an external auditor.

You must have Administrator permissions to enable Audit Logging and to view Audit Log events. For instructions on how to enable Audit Logging, read the Audit Logging documentation on the Platform help site.

Audit Logging for the Insight Platform and InsightIDR is in Open Preview

During Open Preview, you will have the opportunity to test Audit Logging and provide feedback to Rapid7. This feedback will be incorporated as Rapid7 makes improvements to the feature and builds Audit Logging functionality for all Insight products.

InsightIDR Audit Log Events

This section outlines all of the Audit Log events that InsightIDR tracks. The events are sorted into the following categories:

  • Data Collection Management
  • Investigation
  • Custom Parsing
  • Automation
  • Profile Settings

Data Collection Management Events

| Action | Description | Example |
| --- | --- | --- |
| ACTIVATE_COLLECTOR | Collector was activated | Collector bos-uicollector-01.osdc.bos.rapid7.com activated |
| DELETE_COLLECTOR | Collector was deleted | Collector bos-uicollector-01.osdc.bos.rapid7.com deleted |
| COPY_EVENT_SOURCES | Event sources were copied from one collector to another | Event sources copied from collector bos-uicollector-01.osdc.bos.rapid7.com to lax-uicollector-01.osdc.lax.rapid7.com |
| ACTIVATE_HONEYPOT | Honeypot was activated | Honeypot LAX UI Honeypot (ui-sap-db-01 - 10.4.7.188) activated |
| DELETE_HONEYPOT | Honeypot was deleted | Honeypot LAX UI Honeypot (ui-sap-db-01 - 10.4.7.188) deleted |
| ACTIVATE_ORCHESTRATOR | Orchestrator was activated | Orchestrator bos-InsightConnect-01 activated |
| DELETE_ORCHESTRATOR | Orchestrator was deleted | Orchestrator bos-InsightConnect-01 deleted |
| ADD_EVENT_SOURCE | New event source added to a collector | Cisco ASA VPN event source Ocelot (vASA) added to collector bos-uicollector-01.osdc.bos.rapid7.com |
| EDIT_EVENT_SOURCE | Event source edited on a collector | Cisco ASA VPN event source Ocelot (vASA) edited on collector bos-uicollector-01.osdc.bos.rapid7.com |
| DELETE_EVENT_SOURCE | Event source deleted from a collector | Cisco ASA VPN event source Ocelot (vASA) deleted from collector bos-uicollector-01.osdc.bos.rapid7.com |
| START_EVENT_SOURCE | Event source started on a collector | Cisco ASA VPN event source Ocelot (vASA) started on collector bos-uicollector-01.osdc.bos.rapid7.com |
| STOP_EVENT_SOURCE | Event source stopped on a collector | Cisco ASA VPN event source Ocelot (vASA) stopped on collector bos-uicollector-01.osdc.bos.rapid7.com |
| ADD_DATA_EXPORTER | Data exporter added on a collector | Universal Webhook data exporter IDR Alert Komand Workflow added on collector Los Angeles Collector |
| EDIT_DATA_EXPORTER | Data exporter edited on a collector | Universal Webhook data exporter IDR Alert Komand Workflow edited on collector Los Angeles Collector |
| DELETE_DATA_EXPORTER | Data exporter deleted from a collector | Universal Webhook data exporter IDR Alert Komand Workflow deleted on collector Los Angeles Collector |
| START_DATA_EXPORTER | Data exporter started on a collector | Universal Webhook data exporter IDR Alert Komand Workflow started on collector Los Angeles Collector |
| STOP_DATA_EXPORTER | Data exporter stopped on a collector | Universal Webhook data exporter IDR Alert Komand Workflow stopped on collector Los Angeles Collector |
| ADD_CREDENTIAL | Credential was added | Password credential AWS PlatformProd added |
| EDIT_CREDENTIAL | Credential was edited | Password credential AWS PlatformProd edited |
| DELETE_CREDENTIAL | Credential was deleted | Password credential AWS PlatformProd deleted |

Investigation Events

| Action | Description | Example |
| --- | --- | --- |
| INVESTIGATION_CREATED (manual) | Investigation created by a user | Investigation "Investigate some stuff" created |
| INVESTIGATION_ASSIGNED | Investigation assigned to a user | Investigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" assigned to Joan Smith |
| INVESTIGATION_UNASSIGNED | Investigation unassigned | Investigation Third Party Alert "Azure Security Center: [Preview] Traffic from unrecommended IP addresses was detected" unassigned |
| INVESTIGATION_NOTE_ADDED | Note added to an investigation | Note added to investigation Wireless Multiple Country Authentications "Account ckilkelly@rapid7.com authenticated with wireless devices from 2 countries in 7 seconds" |
| INVESTIGATION_ACTION_TAKEN | Action taken on an investigation | "Quarantine" action taken on investigation Wireless Multiple Country Authentications "Account ckilkelly@rapid7.com authenticated with wireless devices from 2 countries in 7 seconds" |
| INVESTIGATION_DATA_ADDED | Data added to an investigation | Endpoint job data added to investigation Wireless Multiple Country Authentications "Account ckilkelly@rapid7.com authenticated with wireless devices from 2 countries in 7 seconds" |
| INVESTIGATION_CLOSED | Investigation was closed | Investigation Wireless Multiple Country Authentications "Account ckilkelly@rapid7.com authenticated with wireless devices from 2 countries in 7 seconds" closed |
| INVESTIGTION_REOPENED | Investigation was reopened | Investigation Wireless Multiple Country Authentications "Account ckilkelly@rapid7.com authenticated with wireless devices from 2 countries in 7 seconds" reopened |
| ALERT_MODIFICATION_CREATED | Alert modification was created | Alert modification "Allow access from new source" created: Allow Phishing Reports to authenticate from source asset cam-mbp-3455v.tor.rapid7.com |
| ALERT_MODIFICATION_REMOVED | Alert modification was removed | Alert modification "Allow account enabler" removed: Allow Dennis Nahas (Admin) to re-enable accounts |

Custom Parsing Events

| Action | Description | Example |
| --- | --- | --- |
| PARSING_RULE_CREATED | Custom parsing rule was created | Custom parsing rule "TEST" created |
| PARSING_RULE_REMOVED | Custom parsing rule was removed | Custom parsing rule "TEST" removed |

Automation Events

| Action | Description | Example |
| --- | --- | --- |
| ALERT_TRIGGER_CREATED | Alert trigger was created for a workflow | Alert Trigger created for "Look Up IPs with RecordedFuture" as alert type: Network Access for Threat |
| ALERT_TRIGGER_REMOVED | Alert trigger was removed from a workflow | Alert Trigger removed for "Look Up IPs with RecordedFuture" as alert type: Network Access for Threat |
| ALERT_TRIGGER_DISABLED | Alert trigger was disabled on a workflow | Alert Type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been disabled |
| ALERT_TRIGGER_ENABLED | Alert trigger was enabled on a workflow | Alert Type "Ingress from Threat" from workflow "Enrich Alert Data with Open Source Plugins" has been enabled |

Profile Settings Events

| Action | Description | Example |
| --- | --- | --- |
| EMAIL_ALERT_ENABLED | Email alert settings have been enabled | Email alert settings have been enabled |
| EMAIL_ALERT_DISABLED | Email alert settings have been disabled | Email alert settings have been disabled |
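The event tables above are most useful when reviewed for changes that quietly reduce what InsightIDR can see or alert on: an event source or data exporter stopped, a collector or honeypot deleted, an alert modification created, an alert trigger disabled, email alerts switched off. The following script is an added example, not Rapid7 code, and shows one way to triage an audit log export for such actions and attribute them to a user. It assumes a newline-delimited JSON record layout with `timestamp`, `user`, `action` and `description` fields, which is an assumption for illustration and not a documented export format; the action names are taken from the tables, the user names and timestamps are constructed, and which actions count as visibility-reducing is the reviewer's own judgement.

```python
"""Triage InsightIDR audit log events for changes that reduce detection coverage.

Added example, not Rapid7 code. The record layout (newline-delimited JSON with
timestamp, user, action and description fields) is an assumption; the action
names come from the InsightIDR Audit Log event tables.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that stop or remove a data feed, weaken alerting, or delete stored
# credentials. Membership in this set is a reviewer's judgement, not a
# product-defined list.
VISIBILITY_REDUCING = {
    "DELETE_COLLECTOR", "DELETE_HONEYPOT", "DELETE_ORCHESTRATOR",
    "STOP_EVENT_SOURCE", "DELETE_EVENT_SOURCE",
    "STOP_DATA_EXPORTER", "DELETE_DATA_EXPORTER",
    "DELETE_CREDENTIAL", "PARSING_RULE_REMOVED",
    "ALERT_MODIFICATION_CREATED", "ALERT_TRIGGER_DISABLED",
    "ALERT_TRIGGER_REMOVED", "EMAIL_ALERT_DISABLED",
}

# Constructed sample records: user names and timestamps are made up, the
# descriptions reuse the documented examples. A null user marks automated
# activity, which the audit log records without an acting user.
SAMPLE_LOG = r"""
{"timestamp": "2024-01-15T14:01:12Z", "user": "joan.smith@example.com", "action": "ACTIVATE_COLLECTOR", "description": "Collector bos-uicollector-01.osdc.bos.rapid7.com activated"}
{"timestamp": "2024-01-15T14:05:30Z", "user": "joan.smith@example.com", "action": "STOP_EVENT_SOURCE", "description": "Cisco ASA VPN event source Ocelot (vASA) stopped on collector bos-uicollector-01.osdc.bos.rapid7.com"}
{"timestamp": "2024-01-15T14:07:02Z", "user": "joan.smith@example.com", "action": "ALERT_MODIFICATION_CREATED", "description": "Alert modification \"Allow access from new source\" created: Allow Phishing Reports to authenticate from source asset cam-mbp-3455v.tor.rapid7.com"}
{"timestamp": "2024-01-15T14:08:45Z", "user": "joan.smith@example.com", "action": "EMAIL_ALERT_DISABLED", "description": "Email alert settings have been disabled"}
{"timestamp": "2024-01-15T15:30:00Z", "user": null, "action": "INVESTIGATION_CLOSED", "description": "Investigation Wireless Multiple Country Authentications closed"}
{"timestamp": "2024-01-15T16:00:00Z", "user": "dennis.nahas@example.com", "action": "ADD_CREDENTIAL", "description": "Password credential AWS PlatformProd added"}
{"timestamp": "2024-01-16T09:00:00Z", "user": "dennis.nahas@example.com", "action": "PARSING_RULE_REMOVED", "description": "Custom parsing rule \"TEST\" removed"}
"""


def actor(record):
    """Return the acting user, or 'automation' for records with no user."""
    return record.get("user") or "automation"


def parse_records(text):
    """Parse newline-delimited JSON records, converting timestamps to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def flag_visibility_changes(records):
    """Keep only the records whose action is in VISIBILITY_REDUCING."""
    return [r for r in records if r["action"] in VISIBILITY_REDUCING]


def burst_by_user(records, window=timedelta(minutes=10), threshold=2):
    """Map actor -> largest number of visibility-reducing actions inside any window.

    Only actors reaching the threshold are returned: one STOP_EVENT_SOURCE is
    routine maintenance, several within a few minutes deserve a closer look.
    """
    times_by_actor = defaultdict(list)
    for rec in flag_visibility_changes(records):
        times_by_actor[actor(rec)].append(rec["timestamp"])
    bursts = {}
    for who, times in times_by_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[who] = best
    return bursts


def report(text):
    """Return the flagged records and per-actor bursts for an audit log export."""
    records = parse_records(text)
    return {
        "flagged": flag_visibility_changes(records),
        "bursts": burst_by_user(records),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(f'{rec["timestamp"]:%Y-%m-%d %H:%M:%S} {actor(rec):<26} {rec["action"]:<28} {rec["description"]}')
    for who, count in result["bursts"].items():
        print(f"burst: {who} made {count} visibility-reducing changes within 10 minutes")
```

Run against the sample, the script flags four records and reports one burst: three visibility-reducing changes by the same user within ten minutes. The single parsing rule removal the next day is listed but not treated as a burst. The window and threshold are parameters so they can be tuned to how often collectors are legitimately reconfigured in a given environment.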