Audit Trail
Coralogix provides you with easy access to monitor the usage events of your team.
When a team's Audit account is configured, it will gather all internal events that occur within your team.
By observing these events, you will track how your team uses Coralogix.
How does it work?
Under Settings on the right side click Audit Account.
Click on "Create New Audit Team"
Once the team is configured, you will be able to either open the activity of your entire team by clicking on "Open Audit History" or monitoring the activity of a specific user by clicking on "User Audit History."
The links send you to the logs tab to view the event logs from the audit team.
Within this audit team, you will be able to enjoy all the Coralogix capabilities such as creating custom views, alerting on suspicious activity, creating visualizations, and enriching IP addresses both by security and geo-enrichment to monitor where your teams are gaining access.
Are you a member of more than one team?
Once you have one audit team, you can attach it to other teams as well.
Audit Team settings
The audit team has a plan of up to 0.025GB per day and 7 days of retention.
The audit logs quota should be sufficient for audits, but if you wish to increase it, you can do it, and also, you can move the quota between teams using the quota management CLI.
Configuring an archive will allow you to store audit logs for a long time. As long as your bucket is live, you will be able to query these logs with our archive query feature.
Admins in your team will automatically be added to the audit team once it is created and can access the data.
Audit Team Management
The audit team and its logs can be managed in the same way like your team. You can switch to the audit team:
You can track actions based on action_details.operation.action. For example, you can track logins with the following query:
A part of actions contain additional information under action_details.operation.operation_payload key.
A log example:
{
actor:{
type:user
username:[email protected]
account_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
}
action_details:{
source_type:HTTP
ip_address:::ffff:10.1.2.3
operation:{
action:POST:/api/v1/logquery
user_agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
operation_payload:{
queryDef:{
type:freeText
pageSize:100
queryParams:{
query:{
text:test query
type:exact
templateIds:[]
}
templateIds:[]
metadata:{
applicationName:[]
subsystemName:[]
severity:[
1
2
3
4
5
6
]
}
jsonObject:{}
jsonAggFields:[]
aggregationInterval:1000
externalFilters:{
teams:[]
}
selectedLogs:[]
}
sortModel:[
{
field:timestamp
ordering:desc
missing:_last
}
]
endDate:1631256696661
startDate:1631255796661
tagId:-1
selectedViewId:-1
pageIndex:0
cacheQueryId:30zpfB11QzT
}
}
}
result:{
succeeded:true
status_code:200
}
}
action_start_timestamp:1631256697042
action_type:crud
audit_schema_version:v1
action:{
team_id:8868
team_name:cs-test-medium
description:get tags
}
}
Here is the list of the most common actions which include action_details.operation.operation_payload key:
POST:/api/v1/logquery/saved | Save log query |
---|---|
POST:/api/v1/logsparser/rules/group | Rules - New parsing rule group |
POST:/api/v1/logsparser/groups/reorder | Rules - Rule groups reorder |
POST:/api/v1/archiveproviders | Archive - Configure S3 Archive bucket |
POST:/api/v1/archiveproviders/edit | Archive - Edit S3 Archive bucket configuration |
POST:/api/v1/invite | Invites - An invitation sent |
POST:/api/v1/invite/request/approve | Invites - A user was approved |
POST:/api/v1/invite/request/decline | Invites - A user was declined |
POST:/api/v1/user/forgotpassword/:key | Password - Changes the password from the forgot password email |
POST:/api/v1/user/forgotpassword | Password - Send forgot password email |
POST:/api/v1/user/changepassword | Password - Change password |
POST:/api/v1/user/team/switch | Log out / switch team |
POST:/api/v1/companies/:companyId/rbac/groups | Groups - Get all RBAC groups |
POST:/api/v1/companies/:companyId/rbac/groups/:groupId/roles | Groups - Add RBAC group role for group |
POST:/api/v1/rbac/:companyId/users/:userId/removeFromGroup | Groups - Remove user from RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/moveToGroup | Groups - Move user to different RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/addToGroup | Groups - Add user to RBAC group |
POST:/api/v1/rbac/:companyId/users/:userId/addUserToGroups | Groups - Add user to RBAC groups |
POST:/api/v1/rbac/:companyId/users/:userId/removeUserFromGroups | Groups - Remove user to RBAC groups |
POST:/api/v1/company/saml/metadata | SAML - Update SAML metadata |
PUT:/api/v1/company/saml | SAML - Get company SAML configuration |
POST:/api/v1/alert/:id/snooze | Alerts - Snooze alert |
POST:/api/v1/alert/snoozed | Alerts - Get all snoozed alert |
POST:/api/v1/customenrichments/getUploadUrl | Custom Enrichment - Upload custom enrichment csv |
POST:/api/v1/cloudsecurity/install | Cloud Security - Installation |
POST:/api/v1/cloudsecurity/getstatus | Cloud Security - Get installation status |
POST:/api/v1/rulesapi/crud/ruleset | Rules - Create rule-set |
PUT:/api/v1/rulesapi/ruleset/reorder | Rules - Reorder rule set |
POST:/api/v1/archivequeries | Archive query - New archive query |
POST:/api/v1/archivequeries/:id/reindex | Archive query - Create new archive query reindex |
POST:/api/v1/archivequeries/:id/reindex/:reindexId/query | Archive query - Cache reindex query |
POST:/api/v1/quota-policies | TCO Optimizer - Create quota policy |
PUT:/api/v1/quota-policies/reorder | TCO Optimizer - Reorder quota policies |
PUT:/api/v1/quota-policies/:id | TCO Optimizer - Update quota policy |
PUT:/api/v1/quota-policies/toggle/:id | TCO Optimizer - Toggle quota policy |
PUT:/api/v1/quota-overrides | TCO Optimizer - Create quota override |
POST:/api/v1/external/alerts | Alerts - Add new alert |
POST:/api/v1/external/alerts/bulk | Alerts - Add new alerts |
PUT:/api/v1/external/alerts | Alerts - Update alert |
POST:/api/v1/external/group | Rules - Create rule parsing group |
PUT:/api/v1/external/group/:parsingThemeId | Rules - Update rule parsing group |
PUT:/api/v1/external/group/toggle/:parsingThemeId | Rules - Toggle rule parsing group |
POST:/api/v1/external/rule/:parsingThemeId | Rules - Add parsing rule to parsing group |
PUT:/api/v1/external/rule/:ruleId/group/:parsingThemeId | Rules - Update parsing rule |
POST:/api/v1/external/rules/export | Rules - Export rules |
POST:/api/v1/external/actions/rule | Rules - Add parsing rule group |
PUT:/api/v1/external/actions/rule/:groupId | Rules - Update parsing rule group |
POST:/api/v1/external/action/rule/:groupId | Rules - Create parsing rule group |
PUT:/api/v1/external/action/:ruleId/rule/:groupId | Rules - Update parsing rule |
PUT:/api/v1/external/customenrichments/:customEnrichmentId | Custom Enrichment - Update custom enrichment |
POST:/api/v1/external/tags | Tags - Get new tag |
POST:/api/v1/external/bitbucket | Tags - Get new Bitbucket tag |
POST:/api/v1/external/tfs | Tags - Get new tfs tag |
POST:/api/v1/external/gitlab | Tags - Get new Gitlab tag |
POST:/api/v1/external/tco/policies | TCO Optimizer - Create new policy |
PUT:/api/v1/external/tco/policies/reorder | TCO Optimizer - Reorder policies |
PUT:/api/v1/external/tco/policies/:id | TCO Optimizer - Update policy |
PUT:/api/v1/external/tco/policies/:id/toggle | TCO Optimizer - Toggle policy |
POST:/api/v1/external/tco/overrides | TCO Optimizer - Add new TCO override |
POST:/api/v1/external/tco/overrides/bulk | TCO Optimizer - Add new TCO overrides |
POST:/api/v1/user/settings/es_api_key | API Access - Generate new Logs Query Key for user |
POST:/api/v1/user/settings/teams_api_key | API Access - Generate new Teams API Key for user |
POST:/api/v1/payment/subscriber | Plan - Subscribe to payment |
POST:/api/v1/payment/unsubscribe | Plan - Unsubscribe to payment |
POST:/api/v1/payment/changePlan | Plan - Change payment plan |
As mentioned, the audit team behavior is the same as any team so you can also set alerts to be notified about particular actions.