Working with Audit Logs

 

Overview

The Audit Log page is found under Reports > Audit Log.

The Audit Log page table displays activities taken in the system such as:

  • Policy changes

  • Playbook changes

  • Date and time the log was produced

  • Action performed on the Audit log

  • and more

The Audit Log page table enables you to view and filter this information.

Audit Events

  • Spirion Agents v13-13.5 only: Audit Log events queue in RabbitMQ and then move to the database.

  • The event then continues to the Audit Log table.

  • The Audit Log does not retain non-functional event types.

  • The event state must be successful to be recorded.

  • Any event that fails is removed from the Audit Log.

  • The "Type" filter uses only event types triggered in Spirion Sensitive Data Platform, and only those event types are displayed on the Audit Log page.

How to Access and View Audit Logs

How to Grant Users Access to the Audit Log Page

  • Access to the Audit Log page is limited to selected users and roles.

  • To access Audit Logs, an Administrator must apply the Manage privilege in the Manage Administrative Settings area for the user. See Working with User Management.

  • The Audit Log page is available only to users who are members of a role that contains the Manage privilege.

How to View Audit Logs

Procedure:

  1. From the left menu, click Reports.

  2. Click Audit Log.

  3. The Audit Log page appears.

Audit Log Table Columns

The Audit Log table displays these columns:

Field: Description

Date/Time: The timestamp of when the action occurred.

Type: The action that was logged:

  • Application Setting - Written when an app setting is changed. Within Spirion Sensitive Data Platform, see Settings>Application Settings.

  • Cloud Provider Authenticated - Written when Spirion Sensitive Data Platform console authenticates with a cloud provider.

  • Global Ignore List - Written when a global ignore list is added or deleted. Within Sensitive Data Platform, see Settings>Application Settings>Global Ignore List.

  • Global Ignore List Item - Written when items are added to a given Ignore list.

  • Playbook Override - Written when the override action is performed on the location details dialog.

  • Policy - Written when a policy is created, updated (changed), or deleted using edit mode.

  • Remote Result Action - Written when a Shred, Quarantine, or Ignore action initiated from the Console Results tab is scheduled for processing by an endpoint.

  • Sensitive Data Type - Written when custom data types are created, modified, deleted, etc. These are called "sensitive data types" in Spirion Sensitive Data Manager. Within Sensitive Data Platform, see Settings>Global Data Types>Custom Data Types tab.

  • Sensitive Data Type Export - Written when the row menu on the page above is used and an item is exported.

  • Spirion Support User - Not logged.

  • Tag - Written when a tag is changed, created, or deleted.

  • Targets Merge - Written when Targets are merged.

  • User - Written each time a user logs in to the Console and permissions are synchronized.

Action Type: The type of action that was taken:

  • Accessed

  • Cloned

  • Created

  • Deleted

  • Updated

Location: The location within Spirion Sensitive Data Platform where the action occurred:

  • Agents And Endpoints

  • Analytics

  • Analytics Dashboard

  • Audit Log

  • Change Password

  • Classifications

  • Compliance

  • Dashboard

  • Discovery Teams

  • Endpoints

  • Excluded Rows

  • Identity Requests

  • Identity Results

  • Incidents Management

  • Incidents Results

  • Installation

  • Map Data

  • Notifications

  • Playbooks

  • Policies

  • Privacy Manager

  • Profile

  • Results

  • Roles

  • Scans

  • Scans Dashboard

  • Schedules

  • Script Repository

  • Sensitive Data Types

  • Spirion Support User

  • Tag Management

  • Tags

  • Unknown

  • Users

Description: Includes Action Type, Name, and Type.

More Options menu (3 vertical dots): View Details

How to Sort Table Columns

Procedure:

  1. Click a column to sort ascending.

  2. Click the column again to sort descending.

How to Search for an Audit Log

You can search for a log by Account Name, Action Type, and Location.

To search for a log:

  1. Type in the name of the log in the Search entry field.

  2. Click the magnifying glass (search) icon or press Enter.

  3. The result displays.

  4. Click the x to clear the search.

How to View Audit Log Details

To view the details of an Audit Log:

  1. Locate the log you want to view in the Audit Log list.

  2. Click the More Options menu at the end of the column.

  3. Click View Details.

  4. The Log Details window opens.

  5. Click Close to close the window and return to the previous screen.

How to Apply Filters to Locate Specific Log Characteristics

Do the following steps to apply filters to locate specific audits:

  1. In the top right of the screen, click Filters.

  2. Click Add Filter.

  3. Click Select Filter.

  4. Select an option from the Select Filter drop-down list:

    • Action Type

    • Audit Location

    • Date/Time

    • Information

    • IP Address

    • Status

    • Type

    • User

  5. Select one or more filter categories from the drop-down list:

Action Type: Select one:

  • Accessed

  • Cloned

  • Created

  • Deleted

  • Updated

Audit Location: Select an option from the drop-down list:

  • Agents And Endpoints

  • Analytics

  • Analytics Dashboard

  • Audit Log

  • Change Password

  • Classifications

  • Compliance

  • Dashboard

  • Discovery Teams

  • Endpoints

  • Excluded Rows

  • Global Settings

  • Identity Requests

  • Identity Results

  • Incidents Management

  • Incidents Results

  • Installation

  • Map Data

  • Notifications

  • Playbooks

  • Policies

  • Privacy Manager

  • Profile

  • Results

  • Roles

  • Scans

  • Scans Dashboard

  • Schedules

  • Script Repository

  • Sensitive Data Types

  • Tag Management

  • Tags

  • Unknown

  • User Management

  • Users

Date/Time: Use the calendar picker to select a date.

Information: Type information in the box.

IP Address: Type the IP address in the box.

Status: Select one:

  • Failed

  • Pending

  • Success

Type: Select an option from the drop-down list:

  • Admin User

  • Admin User Unlock

  • Application Setting

  • Classification Auto

  • Classification Manual

  • Cloud Provider Authenticated

  • Console License Uploaded

  • Discovery Team

  • Endpoint Pruned

  • Endpoints Merge

  • Excluded Rows

  • Export Config Export

  • Export Config Import

  • Global Ignore List

  • Global Ignore List Export

  • Global Ignore List Item

  • Map Data

  • Policy

  • Remote Results Action

  • Role

  • Role Permissions

  • Schedule

  • Sensitive Data Type

  • Sensitive Data Type Export

  • Spirion Support User

  • Tag

  • User

  • User Lock

  • User Login

  • User Password

  • Windows Endpoint Classification Settings

User: Type the user name in the box.

  6. Click X to remove a specific filter.

  7. Click Apply to add filters.

  8. Click Clear to remove all filters.

The Filter button displays the number of filters applied.

Note: Adding multiple filters can extend the wait time for the search results.

How to Use Filters to Find an Audit Log

Note: The Type filter only uses and displays event types triggered in Sensitive Data Platform.

To use the filter feature to find an Audit Log based on specific criteria:

  1. In the upper left of the screen, go to Filters.

  2. For the selection criteria, select one or more items from the list of filters.

    • IP Address: For audits, the user's IP Address is preferred.

    • Date/Time

    • Type

    • Action Type

    • Location

    • Description

  3. Click Apply to apply the filter to the Audit Log list.

  4. Click Clear and then click Apply to remove the filter.