# Audit Events

## Structure of the Log

Audit logs have the following structure for each entry.

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "actor": "vivian@logichub.com",
  "type": "UserLoginSuccess",
  "details": {
    "needsPasswordReset": false,
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```
The following parameters are at the top level of the structure.
- `time` is the date and time (UTC, ISO 8601) at which the action took place.
- `category` indicates the type of action that is logged.
- `actor` is the username of the person who performs the action.
- `type` is the specific type of event.
- `details` contains specifics for the particular category and type; the fields it can carry are described per category below.
## Events Related to User Accounts
Events in this category have `UserAccounts` in the `category` field.
- `actorRole` is the privilege level of the user who performs the action.
- `authenticationType` indicates whether authentication is password or LDAP based.
- `deletedUserName` is the username of the user who is subject to a successful or failed deletion action.
- `message` indicates the cause of the result (success or failure), such as `Incorrect Username` or `Incorrect Password Entered`.
- `newUsernameCreated` is the username of the user who was successfully added.
- `role` indicates the privilege level of the user on whose behalf the action is performed.
- `status` indicates whether the action succeeded or failed.
- `needsPasswordReset` indicates whether the user must change the password after a successful login. This is the case when the user logs in for the first time after being provisioned or after a password reset.
- `resetUsername` is the username of the person whose password is reset.
- `resetRole` is the role of the person whose password has been reset.
- `newUserName` is the username of the user who could not be added.
- `editedUsername` is the username of the user whose privileges are changed.
- `oldRole` is the previous role of the user.
- `newRole` is the new role of the user.
### Event type: UserLoginSuccess

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginSuccess",
  "actor": "joe.smith@logichub.com",
  "details": {
    "needsPasswordReset": false,
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```

### Event type: UserLoginFailed

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginFailed",
  "actor": "joe.smith@logichub.com",
  "details": {
    "message": "Incorrect Password",
    "status": "FAILURE"
  }
}
```

### Event type: UserLogoutSuccess

```json
{
  "time": "2019-09-26T02:05:10.995Z",
  "category": "UserAccounts",
  "type": "UserLogoutSuccess",
  "actor": "john.doe@logichub.com",
  "details": {
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```
### Event type: UserPasswordResetSuccess
### Event type: UserPasswordResetFailed
### Event type: UserCreateSuccess
### Event type: UserCreateFailed
### Event type: UserDeleteSuccess
### Event type: UserDeleteFailed
### Event type: UserPrivilegeChange
### Event type: UserEmailChanged
```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupsChanged",
  "actor": "joe.smith@logichub.com",
  "details": {
    "username": "ritesh@gmail.com",
    "oldUsers": ["ritesh", "admin"],
    "newUsers": ["ritesh"],
    "status": "SUCCESS"
  }
}
```
### Event type: UserGroupCreateFailed
### Event type: UserGroupDeleteSuccess
### Event type: UsersAdditionToGroupSuccess
### Event type: UserGroupUsersChanged
### Event type: UserGroupNameChanged
### Event type: UserGroupPermissionChanged
### Event type: UserAccountLocked
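Two detections a SOC can run over `UserAccounts` entries, as an added example that is not part of the original documentation: a burst of `UserLoginFailed` events followed by a `UserLoginSuccess` for the same `actor`, and a successful `UserPrivilegeChange` whose `newRole` grants a privileged role. The sample entries are constructed from the field descriptions above; the role name `admin`, the failure threshold and the time window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries that follow the documented structure (not real log data).
SAMPLE_LOG = "\n".join([
    '{"time":"2019-09-25T23:40:02.695Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:09.100Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:15.300Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:21.000Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginSuccess","details":{"needsPasswordReset":false,"actorRole":"user","authenticationType":"password","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:41:00.000Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserPrivilegeChange","details":{"editedUsername":"john.doe@logichub.com","oldRole":"user","newRole":"admin","status":"SUCCESS"}}',
])

def parse_time(ts):
    # Audit timestamps are ISO 8601 with millisecond precision and a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Actors whose UserLoginSuccess follows >= threshold UserLoginFailed events within window."""
    failures, hits = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 strings sort chronologically
        if ev["category"] != "UserAccounts":
            continue
        t = parse_time(ev["time"])
        if ev["type"] == "UserLoginFailed":
            failures[ev["actor"]].append(t)
        elif ev["type"] == "UserLoginSuccess":
            recent = [f for f in failures[ev["actor"]] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((ev["actor"], len(recent), ev["time"]))
            failures[ev["actor"]].clear()  # a success ends the failure streak
    return hits

def privilege_escalations(events, privileged=("admin",)):
    """Successful UserPrivilegeChange events that move a user into a privileged role (role name assumed)."""
    out = []
    for ev in events:
        d = ev["details"]
        if (ev["type"] == "UserPrivilegeChange" and d["status"] == "SUCCESS"
                and d["newRole"] in privileged and d["oldRole"] not in privileged):
            out.append((ev["actor"], d["editedUsername"], d["oldRole"], d["newRole"]))
    return out

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print(failed_then_success(evs))    # [('joe.smith@logichub.com', 3, '2019-09-25T23:40:21.000Z')]
    print(privilege_escalations(evs))  # [('joe.smith@logichub.com', 'john.doe@logichub.com', 'user', 'admin')]
```

Both detections key on `actor`, so a `UserAccountLocked` event for the same actor in the same window is the natural corroborating signal to join on.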
## Events Related to Playbooks
Events in this category have `Flow` in the `category` field.
- `flowId` is the unique identifier of the playbook whose batch is being executed.
- `version` is the version of the playbook at the time of the log entry.
- `modifiedType` is one of `FlowContentChanged` or `FlowRename`.
- `oldData` is the old flow name when `modifiedType` is `FlowRename`; otherwise it is the old node structure.
- `newData` is the new flow name when `modifiedType` is `FlowRename`; otherwise it is the new node structure.
### Event type: FlowPublished
### Event type: FlowCreated
### Event type: FlowModified
### Event type: FlowDeleted
## Events Related to Script
Events in this category have `Script` in the `category` field.
- `name` is the name of the script under consideration.
- `names` lists the names of the scripts when an operation is performed on several scripts in one batch.
### Event type: PythonScriptAdded
### Event type: PythonScriptDeleted
## Events Related to Playbook Execution
Events in this category have `FlowExecution` in the `category` field.
- `flowId` is the unique identifier of the playbook whose batch is being executed.
- `streamId` is the unique identifier of the stream whose batch is being executed.
- `batchStartTime` is the Unix time in milliseconds at which the batch started.
- `batchEndTime` is the Unix time in milliseconds at which the batch ended.
- `noOfResults` is the number of rows generated in the batch run.
- `executionTime` is the time in milliseconds the batch took to complete, that is, `batchEndTime` minus `batchStartTime`.
- `nodeCount` is the total number of nodes in the playbook that were executed in this batch.
- `size` is the total size in bytes of the data ingested by the system as a result of a playbook action.
### Event type: BatchExecuted
### Event type: EventsIngested
### Event type: AlertTriageNodeExecuted
### Event type: NodeDeleted
### Event type: NodeAdded
### Event type: HumanTriggeredFlow
### Event type: FlowExported
## Events Related to Case Management
Events in this category have `CaseManagement` in the `category` field.
- `title` is the title of a case.
- `caseId` is the unique identifier assigned to a case.
- `timeTaken` is the total time in milliseconds from creation to closure of the case.
- `countDone` is the total number of cases in the `done` state at the time of logging.
- `countTodo` is the total number of cases in the `todo` state at the time of logging.
- `countProgress` is the total number of cases in the `progress` state at the time of logging.
### Event type: CaseCreated
### Event type: CaseClosed
### Event type: CaseCurrentStatus
### Event type: CaseModified
### Event type: CaseDeleted
## Events Related to Integration
Events in this category have `Integration` in the `category` field.
- `integrationCount` is the total number of unique integrations used by all connections at the time of logging.
- `connectionCount` is the total number of connections at the time of logging.
### Event type: IntegrationCurrentStatus
### Event type: IntegrationConnectionDeleted
### Event type: IntegrationConnectionUpdated
### Event type: IntegrationConnectionCreated
## Events Related to Custom List
Events in this category have `CustomList` in the `category` field.
- `name` is the name of the custom list.
- `schema` describes the columns of the custom list.
- `action` is the action performed while editing the data of the custom list. It is one of `APPENDED`, `REMOVED`, `REPLACED` or `DEDUPLICATED`.
- `before` is the row value before the edit.
- `after` is the row value after the edit.
### Event type: CustomListCreated
### Event type: CustomListDeleted
### Event type: CustomListRowEdited
### Event type: CustomListDataEdited
## Events Related to Commands
Events in this category have `Command` in the `category` field.
- `parameters` are the parameter values the user entered when executing the command.
- `initiator` is where the command was triggered from: one of `Case`, `CommandPreview` or `QuickAction`.
### Event type: CommandRunSuccess
### Event type: CommandRunFailed