Audit Logs

In Custom Policy Builder, Audit Logs captures every policy update implemented by users. Audit Logs records who, when, and what changes were made to a policy, so a user or an auditor can view the change history of any policy at a later date.

You must be an Insight Platform administrator

In order to enable and view Audit Logs, confirm that you are an Insight Platform administrator.

Enable Audit Logging

To enable Audit Logging:

  1. From the Platform home, click Settings > Company Settings > Audit Log.
  2. Set the toggle as Enabled.
  3. Select the region where you want to store your Audit Log data.

Platform Audit Logging Toggle

You enabled Audit Logging!

Once you turn on Audit Logging, the Insight Platform will immediately begin collecting all Platform and InsightIDR events.

To disable Audit Logging, follow the same procedure that you did to enable it, except set the toggle as Disabled.

Access Custom Policy Builder Audit Logs

After you have enabled Audit Logging, view your audit logs:

  1. In the security console, open InsightVM.
  2. In Custom Policy Builder, clone or edit the policy for which you want to see the audit logs.
  3. In the More dropdown menu, click View Audit Logs.
  4. At the bottom of the page, view the most recent edits that were made to that policy.
  5. Click View More to see more granular details about the policy edit.

Recent edits are listed at the bottom

Edits are listed in chronological order. To see the most recent edits, scroll to the bottom of the page.

Audit events are reported in UTC timestamp.

Custom Policy Edit Actions

Custom Policy Builder sends logs to Insight Platform audit logging. The logs are categorized into different action types based on the changes performed by the user:

  • SAVE_POLICY
  • UPDATE_POLICY_DESCRIPTION
  • UPDATE_POLICY_CPE_INFO
  • UPDATE_POLICY_RULE_INFO
  • CREATE_NEW_RULE
  • REORDER_RULES
  • DELETE_RULES
  • DISABLE_RULES
  • ENABLE_RULES
  • IMPORT_RULES
  • UPDATE_POLICY_TITLE
  • UPDATE_POLICY_CPE_CHECK
  • UPDATE_POLICY_TEST
  • ADD_POLICY_TEST
  • UPDATE_POLICY_TEST_OPERATOR
  • DELETE_POLICY_TESTS
  • UPDATE_POLICY_VERSION
  • SAVE_POLICY_LOG_SUMMARY

Troubleshoot Policy Customization

Insight Platform administrators can troubleshoot all the changes performed during a policy customization by a specific user. Custom Policy Builder records all changes from every user and sends them to Audit Logging. All related changes are assigned a unique savingID, which is recorded as soon as a user saves the policy.

As an Insight Platform administrator, you can copy the SavingID from any audit event to search for it. Only actions associated with a specific savingID will show up in the search results.

Find and Identify the SavingID

  1. Navigate to the Audit Logs page.

  2. Open an event in the audit log table.

  3. Look for service_info.saving_id. This value is the unique SavingID.

    SavingID Field and Value

  4. Copy the SavingID.

  5. Search for the SavingID to show all related changes.

SavingID search results