Audit Events

Structure of the Log

Audit logs have the following structure for each entry.

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "actor": "vivian@logichub.com",
  "type": "UserLoginSuccess",
  "details": {
    "needsPasswordReset": false,
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```

The following parameters are at the top level of the structure.
`time` is the date and time that the action took place.
`category` indicates the type of action that is logged.
`actor` is the username of the person who performs the action.
`type` is the specific type of event.
`details` holds the specifics for the particular category and type, described per category below.

Events Related to User Accounts

Events in this category have `UserAccounts` in the `category` field.
`actorRole` is the privilege level of the user who performs the action.
`authenticationType` indicates whether authentication is password or LDAP based.
`deletedUserName` is the username of the user who is subject to a successful or failed deletion action.
`message` indicates the cause of the result (success or failure), such as `Incorrect Username` or `Incorrect Password Entered`.
`newUsernameCreated` is the username of the user who was successfully added.
`role` indicates the privilege level of the user on whose behalf the action is performed.
`status` indicates whether the action succeeded or failed.
`needsPasswordReset` indicates whether the user needs to change the password upon successful login. This is the case when the user logs in for the first time after being provisioned or after a password reset.
`resetUsername` is the username of the person whose password is reset.
`resetRole` is the role of the person whose password has been reset.
`newUserName` is the username of the user who could not be added.
`editedUsername` is the username of the user whose privileges are changed.
`oldRole` is the previous role of the user.
`newRole` is the new role of the user.

Event type: UserLoginSuccess

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginSuccess",
  "actor": "joe.smith@logichub.com",
  "details": {
    "needsPasswordReset": false,
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```

Event type: UserLoginFailed

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginFailed",
  "actor": "joe.smith@logichub.com",
  "details": {
    "message": "Incorrect Password",
    "status": "FAILURE"
  }
}
```

Event type: UserLogoutSuccess

```json
{
  "time": "2019-09-26T02:05:10.995Z",
  "category": "UserAccounts",
  "type": "UserLogoutSuccess",
  "actor": "john.doe@logichub.com",
  "details": {
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
```

Event type: UserPasswordResetSuccess

Event type: UserPasswordResetFailed

Event type: UserCreateSuccess

Event type: UserCreateFailed

Event type: UserDeleteSuccess

Event type: UserDeleteFailed

Event type: UserPrivilegeChange

Event Type: UserEmailChanged

Event Type: UserGroupsChanged

```json
{
  "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupsChanged",
  "actor": "joe.smith@logichub.com",
  "details": {
    "username": "ritesh@gmail.com",
    "oldUsers": ["ritesh", "admin"],
    "newUsers": ["ritesh"],
    "status": "SUCCESS"
  }
}
```

Event Type: UserGroupCreateFailed

Event Type: UserGroupDeleteSuccess

Event Type: UsersAdditionToGroupSuccess

Event Type: UserGroupUsersChanged

Event Type: UserGroupNameChanged

Event Type: UserGroupPermissionChanged

Event Type: UserAccountLocked
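As an added example (not part of the original documentation), the following Python reads entries in the format above as JSON lines and applies two checks a defender would run over the `UserAccounts` category: a `UserLoginSuccess` preceded by a burst of `UserLoginFailed` entries for the same actor within a short window, and `UserPrivilegeChange` events that grant a sensitive role. The sample entries are constructed, and the role name `admin` is an assumption (the page only shows `actorRole` `user`).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (one JSON object per line) in the documented format.
SAMPLE_LOG = """\
{"time":"2019-09-25T23:40:02.695Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:40:09.101Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:40:15.220Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:40:21.004Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserLoginSuccess","details":{"needsPasswordReset":false,"actorRole":"user","authenticationType":"password","status":"SUCCESS"}}
{"time":"2019-09-25T23:55:00.000Z","category":"UserAccounts","actor":"vivian@logichub.com","type":"UserLoginFailed","details":{"message":"Incorrect Username","status":"FAILURE"}}
{"time":"2019-09-26T01:00:00.000Z","category":"UserAccounts","actor":"joe.smith@logichub.com","type":"UserPrivilegeChange","details":{"editedUsername":"vivian@logichub.com","oldRole":"user","newRole":"admin","status":"SUCCESS"}}
"""

def parse_audit_log(text):
    """Parse JSON-lines audit entries; add a datetime under 'ts' for time arithmetic."""
    events = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append(entry)
    return events

def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (actor, time) of a UserLoginSuccess preceded by >= threshold UserLoginFailed within window."""
    recent = defaultdict(list)  # actor -> timestamps of failures still inside the window
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "UserAccounts":
            continue
        actor, ts = e["actor"], e["ts"]
        recent[actor] = [t for t in recent[actor] if ts - t <= window]
        if e["type"] == "UserLoginFailed":
            recent[actor].append(ts)
        elif e["type"] == "UserLoginSuccess":
            if len(recent[actor]) >= threshold:
                flagged.append((actor, e["time"]))
            recent[actor] = []  # a success closes the burst
    return flagged

def privilege_changes(events, sensitive_roles=("admin",)):
    """UserPrivilegeChange events granting a role in sensitive_roles ("admin" is an assumed role name)."""
    out = []
    for e in events:
        d = e["details"]
        if e["type"] == "UserPrivilegeChange" and d.get("newRole") in sensitive_roles:
            out.append((e["actor"], d["editedUsername"], d["oldRole"], d["newRole"]))
    return out
```

Both functions return plain tuples so the results can be fed to whatever alerting or ticketing the monitoring pipeline already uses.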

Events Related to Playbooks

Events in this category have `Flow` in the `category` field.
`flowId` is the unique identifier of the playbook the event refers to.
`version` is the version of the playbook at the time of logging.
`modifiedType` is one of `FlowContentChanged` or `FlowRename`.
`oldData` is the old flow name when `modifiedType` is `FlowRename`; otherwise it is the old node structure.
`newData` is the new flow name when `modifiedType` is `FlowRename`; otherwise it is the new node structure.

Event Type: FlowPublished

Event Type: FlowCreated

Event Type: FlowModified

Event Type: FlowDeleted

Events Related to Script

Events in this category have `Script` in the `category` field.
`name` is the name of the script under consideration.
`names` lists the names of the scripts when an operation is performed on a batch of scripts.

Event Type: PythonScriptAdded

Event Type: PythonScriptDeleted

Events Related to Playbook Execution

Events in this category have `FlowExecution` in the `category` field.
`flowId` is the unique identifier of the playbook whose batch is being executed.
`streamId` is the unique identifier of the stream whose batch is being executed.
`batchStartTime` is the Unix time in milliseconds at which the batch started.
`batchEndTime` is the Unix time in milliseconds at which the batch ended.
`noOfResults` is the number of rows generated in the batch run.
`executionTime` is the time in milliseconds the batch took to complete. It is the difference between `batchEndTime` and `batchStartTime`.
`nodeCount` is the total number of nodes in the playbook that were executed in this batch.
`size` is the total size in bytes of data ingested by the system as a result of a playbook action.

Event type: BatchExecuted

Event type: EventsIngested

Event Type: AlertTriageNodeExecuted

Event Type: NodeDeleted

Event Type: NodeAdded

Event Type: HumanTriggeredFlow

Event Type: FlowExported
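The page states that `executionTime` must equal `batchEndTime` minus `batchStartTime`. As an added example (not part of the original documentation), the following Python extracts `BatchExecuted` entries, flags any whose reported `executionTime` breaks that invariant or whose end precedes its start, and summarises runs per `flowId`. The entries are constructed; placing the fields under `details` and the `system` actor are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample BatchExecuted entries. The placement of the fields under "details"
# and the "system" actor are assumptions. The second entry reports an executionTime that
# does not equal batchEndTime - batchStartTime.
SAMPLE_LOG = """\
{"time":"2019-09-26T02:10:00.000Z","category":"FlowExecution","actor":"system","type":"BatchExecuted","details":{"flowId":"flow-123","streamId":"stream-7","batchStartTime":1569463800000,"batchEndTime":1569463812500,"executionTime":12500,"noOfResults":40,"nodeCount":6}}
{"time":"2019-09-26T02:20:00.000Z","category":"FlowExecution","actor":"system","type":"BatchExecuted","details":{"flowId":"flow-123","streamId":"stream-7","batchStartTime":1569464400000,"batchEndTime":1569464405000,"executionTime":9000,"noOfResults":12,"nodeCount":6}}
{"time":"2019-09-26T02:30:00.000Z","category":"FlowExecution","actor":"system","type":"BatchExecuted","details":{"flowId":"flow-456","streamId":"stream-9","batchStartTime":1569465000000,"batchEndTime":1569465000900,"executionTime":900,"noOfResults":0,"nodeCount":3}}
"""

def load_batches(text):
    """Return the details dicts of BatchExecuted events in the FlowExecution category."""
    batches = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            if e["category"] == "FlowExecution" and e["type"] == "BatchExecuted":
                batches.append(e["details"])
    return batches

def inconsistent_batches(batches):
    """Return (flowId, streamId, expected, reported) where executionTime is not
    batchEndTime - batchStartTime, or where the batch ends before it starts."""
    bad = []
    for d in batches:
        expected = d["batchEndTime"] - d["batchStartTime"]
        if expected < 0 or expected != d["executionTime"]:
            bad.append((d["flowId"], d["streamId"], expected, d["executionTime"]))
    return bad

def summarize_by_flow(batches):
    """Per flowId: number of runs, slowest run in ms, and total rows produced."""
    summary = defaultdict(lambda: {"runs": 0, "max_ms": 0, "rows": 0})
    for d in batches:
        s = summary[d["flowId"]]
        s["runs"] += 1
        s["max_ms"] = max(s["max_ms"], d["executionTime"])
        s["rows"] += d["noOfResults"]
    return dict(summary)
```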

Events Related to Case Management

Events in this category have `CaseManagement` in the `category` field.
`title` is the title of a case.
`caseId` is the unique identifier assigned to a case.
`timeTaken` is the total time in milliseconds from creation to closure of the case.
`countDone` is the total number of cases in the 'done' state at the time of logging.
`countTodo` is the total number of cases in the 'todo' state at the time of logging.
`countProgress` is the total number of cases in the 'progress' state at the time of logging.

Event type: CaseCreated

Event type: CaseClosed

Event type: CaseCurrentStatus

Event Type: CaseModified

Event Type: CaseDeleted

Events Related to Integration

Events in this category have `Integration` in the `category` field.
`integrationCount` is the total number of unique integrations used by all connections at the time of logging.
`connectionCount` is the total number of connections at the time of logging.

Event type: IntegrationCurrentStatus

Event Type: IntegrationConnectionDeleted

Event Type: IntegrationConnectionUpdated

Event Type: IntegrationConnectionCreated

Events Related to Custom List

Events in this category have `CustomList` in the `category` field.
`name` is the name of the custom list.
`schema` describes the columns of the custom list.
`action` is the action performed while editing the data of the custom list. It is one of `APPENDED`, `REMOVED`, `REPLACED` or `DEDUPLICATED`.
`before` is the row value before the edit.
`after` is the row value after the edit.

Event Type: CustomListCreated

Event Type: CustomListDeleted

Event Type: CustomListRowEdited

Event Type: CustomListDataEdited

Events Related to Commands

Events in this category have `Command` in the `category` field.
`parameters` holds the parameter values the user entered when executing the command.
`initiator` indicates where the command was triggered from, such as `Case`, `CommandPreview` or `QuickAction`.

Event Type: CommandRunSuccess

Event Type: CommandRunFailed