SOAR audit logs

You can configure the SOAR Platform to log audit messages for user logins and logouts and for administrative actions that are taken from the user interface. Audit logging is disabled by default.

After you enable audit logging, audit log messages are created for all login and logout actions, both successful and unsuccessful. Messages are also logged for administrative create, update, and delete actions that are taken from the user interface on users, roles, groups, and workspaces. The messages that are provided are similar to the Syslog format. The messages show event key/value pairs and values are separated by a semi-colon. For new actions, the new state is logged. For deleted events, the prior state is logged. For updated actions, the prior state and the new states are logged. All logged events have a message ID. Messages are output to client.log. If you have Syslog set up and configured, audit messages are also sent to Syslog.

Actions are logged for users, external LDAP, SAML, and two factor authentication users. Audit messages are logged for the following actions through the user interface and REST API:
Login and logout
Audit messages are generated for user logins and logouts on the user interface for SAML, LDAP, two factor authentication and standard system users. All login and logout messages have an easily readable message, for example, User login successful. The following information is logged:
  • All login attempts, successful or unsuccessful, showing the user IP address, user email and ID, and time and date of the login.
    Note: For two factor authentication users, an extra message is logged, showing that two factor authentication is successful.
  • A message is also logged for session timeouts and user logouts.
User
  • Create user actions.
  • Update actions on users, including deactivation and reactivation of users, and updates to user details on the My Settings tab, including password changes, but not including changes to the Notifications section or the theme setting. Audit messages for password changes are logged for regular system users only.
  • Delete user actions.
Note: Actions for SAML and standard system users produce similar messages. Logging of changes to LDAP users on Active Directory is not managed by the SOAR Platform.
API keys
  • Create API keys.
  • Update API keys.
  • Delete API keys.
  • Expired API keys.
Groups
  • Create group actions.
  • Update group actions.
  • Delete group actions.
Incidents
  • Create incident.
  • Delete incident.
Message destinations
  • Create message destination actions.
  • Update message destination actions.
  • Delete message destination actions.
Roles
  • Create role actions.
  • Update role actions.
  • Delete role actions.
Rules
  • Create rule actions.
  • Update rule actions.
  • Delete rule actions.
  • Update to rule ordering.
Scripts
  • Create script.
  • Update script.
  • Delete script.
Threat Service
  • Enable threat service.
  • Disable threat service.
Workflows
  • Create workflow actions.
  • Update workflow actions.
  • Delete workflow actions.
Workspaces
  • Create workspace actions.
  • Update workspace actions, including changing the default workspace.
  • Delete workspace actions.