Audit Events

Structure of the Log

Audit logs have the following structure for each entry.

{ 
   "time":"2019-09-25T23:40:02.695Z",
   "category":"UserAccounts",
   "actor":"[email protected]",
   "type":"UserLoginSuccess",
   "details":{ 
      "needsPasswordReset":false,
      "actorRole":"user",
      "authenticationType":"password",
      "status":"SUCCESS"
   }
}

The following parameters are at the top level of the structure.

time is the date and time that the action took place.
category indicates the type of action that is logged.
actor is the username of the person who performs the action.
type is the specific type of event.
details holds the specifics of the particular category and type, described in the sections below.

Events Related to User Accounts

Events in this category have UserAccounts in the category field.
actorRole is the privilege level of the user who performs the action.
authenticationType indicates whether authentication is password or LDAP based.
deletedUserName or deleteUserName is the username of the user who is the subject of a successful or failed deletion action.
message indicates the cause of the result (success or failure), such as Incorrect Username or Incorrect Password Entered.
newUsernameCreated is the username of the user who was successfully added.
role indicates the privilege level of the user on whose behalf the action is performed.
status indicates whether the action succeeded or failed.
needsPasswordReset indicates whether the user needs to change the password upon successful login. This is the case when the user logs in for the first time after being provisioned or after a password reset.
resetUsername is the username of the person whose password is reset.
resetRole is the role of the person whose password has been reset.
newUserName is the username of the user who couldn't be added.
editedUsername is the username of the user whose privileges are changed.
oldRole is the previous role of the user.
newRole is the new role of the user.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginSuccess",
  "actor": "[email protected]",
  "details": {
    "needsPasswordReset": false,
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserLoginFailed",
  "actor": "[email protected]",
  "details": {
    "message": "Incorrect Password",
    "status": "FAILURE"
  }
}
{ "time": "2019-09-26T02:05:10.995Z",
  "category": "UserAccounts",
  "type": "UserLogoutSuccess",
  "actor": "[email protected]",
  "details": {
    "actorRole": "user",
    "authenticationType": "password",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserPasswordResetSuccess",
  "actor": "[email protected]",
  "details": {
    "actorRole": "user",
    "resetUsername": [email protected],
    "resetRole": "user",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserPasswordResetFailed",
  "actor": "[email protected]",
  "details": {
    "message": "Incorrect password entered",
    "status": "FAILURE"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserCreateSuccess",
  "actor": "[email protected]",
  "details": {
    "authenticationType": "password",
    "newUserNameCreated": hlee,
    "role": "user",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserCreateFailed",
  "actor": "[email protected]",
  "details": {
    "authenticationType": "password",
    "actorRole": "user",
    "newUsername": hlee,
    "message": "user",
    "status": "FAILURE"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserCreateSuccess",
  "actor": "[email protected]",
  "details": {
    "authenticationType": "password",
    "newUsernameCreated": hlee,
    "role": "user",
    "status": "FAILURE"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserDeleteSuccess",
  "actor": "[email protected]",
  "details": {
    "actorRole": "admin",
    "deletedUserName": "hlee",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserDeleteFailed",
  "actor": "[email protected]",
  "details": {
    "actorRole": "admin",
    "deleteUserName": "hlee",
    "status": "FAILED"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserPrivilegeChange",
  "actor": "[email protected]",
  "details": {
    "editedUsername": "hlee",
    "oldRole": "user",
    "newRole": "admin",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserEmailChanged",
  "actor": "[email protected]",
  "details": {
    "oldEmail": "[email protected]",
    "newEmail": "[email protected]",
    "editedUsername": "ritesh",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupsChanged",
  "actor": "[email protected]",
  "details": {
    "username": "[email protected]",
    "oldUsers": ["ritesh", "admin"],
    "newUsers": ["ritesh"],
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupCreateSuccess",
  "actor": "[email protected]",
  "details": {
    "name": "ritesh",
    "users": ["ritesh", "admin"],
    "permission": ["User Management => List"],
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupCreateFailed",
  "actor": "[email protected]",
  "details": {
    "name": "ritesh",
    "users": ["ritesh", "admin"],
    "permission": ["User Management => List"],
    "message": "group already exist with name as Everybody",
    "status": "FAILED"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupDeleteSuccess",
  "actor": "[email protected]",
  "details": {
    "name": "developer",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UsersAdditionToGroupSuccess",
  "actor": "[email protected]",
  "details": {
    "name": "developer",
    "groups": ["ritesh", "rakesh"],
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupUsersChanged",
  "actor": "[email protected]",
  "details": {
    "name": "developer",
    "oldUsers": ["ritesh", "rakesh"],
    "newUsers": ["ritesh"],
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupNameChanged",
  "actor": "[email protected]",
  "details": {
    "oldName": "developer",
    "newUsers": "coder",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "UserGroupPermissionChanged",
  "actor": "[email protected]",
  "details": {
    "name": "developer",
    "oldPermissions": ["User Management => List"],
    "oldPermissions": ["Playbook => Admin"],
    "status": "SUCCESS"
  }
}
{ "time":"11/03/2020 12:10:59+05:30",
  "category":"UserAccounts",
  "type":"UserAccountLocked",
  "actor":"admin",
  "details": {
    "message":"Excessive failed login attempts. Account locked",
    "status":"FAILED"
  }
}
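The UserAccounts events above are the ones a defender most often wants to alert on: bursts of failed logins, lockouts, and role escalations. The following is an added example that is not code from the original documentation or from the product that emits these logs. It reads entries in the shape documented above (including both timestamp formats that appear in the samples), and flags repeated login failures, account lockouts, privilege changes that grant admin, and successful logins while a password reset is still pending. The sample entries, email addresses, thresholds and time window are constructed assumptions.

```python
"""Detection pass over UserAccounts audit events (added example, not product code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 3                  # assumption: three failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within five minutes is worth a finding

# Constructed sample log: one JSON entry per line, same field names as the samples above.
SAMPLE_LOG = """\
{"time":"2019-09-25T23:40:02.695Z","category":"UserAccounts","actor":"alice@example.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:41:10.000Z","category":"UserAccounts","actor":"alice@example.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:42:30.000Z","category":"UserAccounts","actor":"alice@example.com","type":"UserLoginFailed","details":{"message":"Incorrect Password","status":"FAILURE"}}
{"time":"2019-09-25T23:43:00.000Z","category":"UserAccounts","actor":"alice@example.com","type":"UserLoginSuccess","details":{"needsPasswordReset":false,"actorRole":"user","authenticationType":"password","status":"SUCCESS"}}
{"time":"2019-09-26T02:05:10.995Z","category":"UserAccounts","actor":"admin@example.com","type":"UserPrivilegeChange","details":{"editedUsername":"hlee","oldRole":"user","newRole":"admin","status":"SUCCESS"}}
{"time":"11/03/2020 12:10:59+05:30","category":"UserAccounts","actor":"carol@example.com","type":"UserAccountLocked","details":{"message":"Excessive failed login attempts. Account locked","status":"FAILED"}}
"""


def parse_time(ts):
    """Accept the ISO 8601 'Z' form used by most samples and the
    'MM/DD/YYYY HH:MM:SS+HH:MM' form seen in the UserAccountLocked sample.
    Month/day order for the second form is an assumption."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S%z")


def load_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_user_accounts(events):
    """Return (finding, subject, detail) tuples in time order."""
    findings = []
    failures = defaultdict(list)  # actor -> timestamps of recent UserLoginFailed
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev.get("category") != "UserAccounts":
            continue
        d = ev.get("details", {})
        etype = ev.get("type")
        ok = d.get("status") == "SUCCESS"  # samples use FAILURE and FAILED for the other case
        if etype == "UserLoginFailed":
            t = parse_time(ev["time"])
            recent = [x for x in failures[ev["actor"]] if t - x <= FAILED_LOGIN_WINDOW]
            recent.append(t)
            failures[ev["actor"]] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once when the threshold is reached
                findings.append(("repeated_login_failures", ev["actor"], d.get("message")))
        elif etype == "UserAccountLocked":
            findings.append(("account_locked", ev["actor"], d.get("message")))
        elif etype == "UserPrivilegeChange" and ok and d.get("newRole") == "admin":
            findings.append(("admin_granted", d.get("editedUsername"),
                             f"by {ev['actor']} ({d.get('oldRole')} -> admin)"))
        elif etype == "UserLoginSuccess" and ok and d.get("needsPasswordReset"):
            findings.append(("login_with_pending_reset", ev["actor"], d.get("authenticationType")))
    return findings


if __name__ == "__main__":
    for finding in analyze_user_accounts(load_events(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

The status check treats anything other than SUCCESS as a failure because the samples use both FAILURE and FAILED; a real deployment would pin the window and threshold to its own lockout policy rather than the values assumed here.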

Events Related to Playbooks

Events in this category have Flow in the category field.
flowId is the unique identifier of the playbook whose batch is being executed.
version is the current version of playbook at the time of log.
modifiedType is one of FlowContentChanged or FlowRename.
oldData is the old flow name when modifiedType is FlowRename; otherwise it is the old node structure.
newData is the new flow name when modifiedType is FlowRename; otherwise it is the new node structure.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Flow",
  "type": "FlowPublished",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-44721",
    "version": 23,
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Flow",
  "type": "FlowCreated",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-44721",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Flow",
  "type": "FlowModified",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-44721",
    "modifiedType": "FlowRename",
    "status": "SUCCESS",
    "oldData": "Gmail Scan",
    "newData": "Gmail Scan - deprecated"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Flow",
  "type": "FlowDeleted",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-44721",
    "status": "SUCCESS"
  }
}

Events Related to Script

Events in this category have Script in the category field.
name is the name of the script under consideration.
names lists the script names when an operation is performed on several scripts in a batch.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "PythonScriptAdded",
  "actor": "[email protected]",
  "details": {
    "name": "script1.py",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "UserAccounts",
  "type": "PythonScriptDeleted",
  "actor": "[email protected]",
  "details": {
    "names": ["script1.py"],
    "status": "SUCCESS"
  }
}

Events Related to Playbook Execution

Events in this category have FlowExecution in the category field.
flowId is the unique identifier of the playbook whose batch is being executed.
streamId is the unique identifier of the stream whose batch is being executed.
batchStartTime is the Unix time in milliseconds that indicates the start time of the batch.
batchEndTime is the Unix time in milliseconds that indicates the end time of the batch.
noOfResults is the number of rows generated in the batch run.
executionTime indicates the amount of time it took in milliseconds for batch completion. It is the difference between batchEndTime and batchStartTime.
nodeCount indicates the total number of nodes in the playbook that were executed in this batch.
size is the total size in bytes whenever data is ingested by the system due to a playbook action.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "BatchExecuted",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-44721",
    "streamId": "stream-5740",
    "batchStartTime": "1569575400206",
    "batchEndTime": "1569575400206",
    "noOfResults": "15278",
    "executionTime": "10830",
    "nodeCount": "35",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "EventsIngested",
  "actor": "[email protected]",
  "details": {
    "size": "18241",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "AlertTriageNodeExecuted",
  "actor": "[email protected]",
  "details": {
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "NodeDeleted",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-12",
    "nodeIds": ["1232-2awd2-2abd-bg54"],
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "NodeAdded",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-12",
    "nodeId": "1232-2awd2-2abd-bg54",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "HumanTriggeredFlow",
  "actor": "[email protected]",
  "details": {
    "flowId": "flow-12",
    "nodeId": "1232-2awd2-2abd-bg54",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "FlowExecutions",
  "type": "FlowExported",
  "actor": "[email protected]",
  "details": {
    "flowIds": ["flow-12"],
    "status": "SUCCESS"
  }
}

Manual Triggered Event Tracking

To trace a manually triggered execution that led to unexpected data, use the HumanTriggeredFlow event type shown above to find the details of the execution, such as who triggered it and when.

To do this:

  1. Use the default system event type to fetch all the logs.
  2. Filter the data to find the manual execution logs, using a simple query that keeps entries whose event_type equals "HumanTriggeredFlow".
  3. With the manual execution data in hand, filter further according to what you need in order to locate the source of the anomaly. For example, to find the details of a node execution, filter on nodeId to get the data belonging to that specific node.
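The three steps above, carried out on constructed FlowExecutions entries, as an added example that is not code from the original documentation or the product. It keeps HumanTriggeredFlow entries, narrows them by nodeId, and then cross-checks the BatchExecuted entries for the same flowId against the executionTime definition given earlier (batchEndTime minus batchStartTime), since a batch whose reported duration does not match its timestamps is exactly the kind of inconsistency an investigation should notice. The log lines, identifiers and email addresses are all constructed; the numeric fields are handled as strings because that is how the samples present them.

```python
"""Tracing a manually triggered playbook run (added example, not product code)."""
import json

# Constructed sample log: one JSON entry per line. Identifiers are made up.
SAMPLE_LOG = """\
{"time":"2019-09-25T23:40:02.695Z","category":"FlowExecutions","type":"HumanTriggeredFlow","actor":"alice@example.com","details":{"flowId":"flow-12","nodeId":"node-aaaa","status":"SUCCESS"}}
{"time":"2019-09-25T23:41:00.000Z","category":"FlowExecutions","type":"HumanTriggeredFlow","actor":"bob@example.com","details":{"flowId":"flow-12","nodeId":"node-bbbb","status":"SUCCESS"}}
{"time":"2019-09-25T23:41:30.000Z","category":"FlowExecutions","type":"BatchExecuted","actor":"bob@example.com","details":{"flowId":"flow-12","streamId":"stream-1","batchStartTime":"1569455990000","batchEndTime":"1569456000830","noOfResults":"15278","executionTime":"10830","nodeCount":"35","status":"SUCCESS"}}
{"time":"2019-09-25T23:45:00.000Z","category":"FlowExecutions","type":"BatchExecuted","actor":"bob@example.com","details":{"flowId":"flow-12","streamId":"stream-2","batchStartTime":"1569456200000","batchEndTime":"1569456200000","noOfResults":"3","executionTime":"10830","nodeCount":"35","status":"SUCCESS"}}
{"time":"2019-09-25T23:46:00.000Z","category":"FlowExecutions","type":"HumanTriggeredFlow","actor":"alice@example.com","details":{"flowId":"flow-99","nodeId":"node-bbbb","status":"SUCCESS"}}
"""


def load_events(text):
    """Step 1: load every entry (one JSON object per non-empty line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def manual_executions(events, node_id=None):
    """Steps 2 and 3: keep HumanTriggeredFlow entries, optionally only those for node_id.
    Returns who triggered what, and when."""
    out = []
    for ev in events:
        if ev.get("type") != "HumanTriggeredFlow":
            continue
        d = ev.get("details", {})
        if node_id is not None and d.get("nodeId") != node_id:
            continue
        out.append({"who": ev.get("actor"), "when": ev.get("time"),
                    "flowId": d.get("flowId"), "nodeId": d.get("nodeId"),
                    "status": d.get("status")})
    return out


def batch_timing_mismatches(events, flow_id):
    """BatchExecuted entries for flow_id whose executionTime is not
    batchEndTime - batchStartTime, as the field definitions require.
    Returns (streamId, reason) pairs."""
    bad = []
    for ev in events:
        d = ev.get("details", {})
        if ev.get("type") != "BatchExecuted" or d.get("flowId") != flow_id:
            continue
        try:
            start = int(d["batchStartTime"])
            end = int(d["batchEndTime"])
            reported = int(d["executionTime"])
        except (KeyError, ValueError):
            bad.append((d.get("streamId"), "missing or non-numeric timing field"))
            continue
        if end - start != reported:
            bad.append((d.get("streamId"),
                        f"executionTime {reported} != batchEndTime-batchStartTime {end - start}"))
    return bad


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for hit in manual_executions(evs, node_id="node-bbbb"):
        print(hit)
    for stream, reason in batch_timing_mismatches(evs, "flow-12"):
        print("timing mismatch in", stream, ":", reason)
```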

You can refer to the image for a sample scenario:

Events Related to Case Management

Events in this category have CaseManagement in the category field.
title is the title of a case.
caseId is a unique case identifier assigned to a case.
timeTaken is the total time in milliseconds it took from creation to closure of the case.
countDone indicates the total count of cases in the 'done' state at the time of logging.
countTodo indicates the total count of cases in the 'todo' state at the time of logging.
countProgress indicates the total count of cases in the 'progress' state at the time of logging.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "CaseManagement",
  "type": "CaseCreated",
  "actor": "[email protected]",
  "details": {
    "caseId": "283",
    "title": "Unexpected Access to instance i-12345678901234",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "CaseManagement",
  "type": "CaseClosed",
  "actor": "[email protected]",
  "details": {
    "caseId": "283",
    "title": "Unexpected Access to instance i-12345678901234",
    "timeTaken": "17588929"
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "CaseManagement",
  "type": "CaseCurrentStatus",
  "actor": "[email protected]",
  "details": {
    "countDone": "33",
    "countToDo": "95",
    "countProgress": "10"
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "CaseManagement",
  "type": "CaseModified",
  "actor": "[email protected]",
  "details": {
    "caseId": 12,
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "CaseManagement",
  "type": "CaseModified",
  "actor": "[email protected]",
  "details": {
    "caseId": 12,
    "status": "SUCCESS"
  }
}

Events Related to Integration

Events in this category have Integration in the category field.
integrationCount indicates the total number of unique integrations that are used by all the connections at the time of logging.
connectionCount indicates the total number of connections at the time of logging.

{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Integration",
  "type": "IntegrationCurrentStatus",
  "actor": "[email protected]",
  "details": {
    "integrationCount": "66",
    "connectionCount": "247",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Integration",
  "type": "IntegrationConnectionDeleted",
  "actor": "[email protected]",
  "details": {
    "label": "Ritesh - AWS Connection",
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Integration",
  "type": "IntegrationConnectionDeleted",
  "actor": "[email protected]",
  "details": {
    "label": "Ritesh - AWS Connection",
    "oldData" : {"url": "www.aws.com"},
    "newInstanceData": {"url": "www.aws.com"},
    "status": "SUCCESS"
  }
}
{ "time": "2019-09-25T23:40:02.695Z",
  "category": "Integration",
  "type": "IntegrationConnectionCreated",
  "actor": "[email protected]",
  "details": {
    "label": "Ritesh - AWS Connection",
    "data" : {"url": "www.aws.com"},
    "descriptorId": "logichub.aws",
    "status": "SUCCESS"
  }
}

Events Related to Custom List

Events in this category have CustomList in the category field.
name indicates the name of the custom list.
schema indicates the columns of the custom list.
action indicates the action performed while editing the data of the custom list. It can be one of APPENDED, REMOVED, REPLACED, or DEDUPLICATED.
before indicates the row value before the edit.
after indicates the row value after the edit.

{
  "time":"06/10/2020 06:28:42 +05.5:30",
  "category":"CustomLists",
  "type":"CustomListCreated",
  "details": {
    "name":"customlist0531_1",
    "schema":{
      "columns": [
        {
          "name":"__lhub_inserted_time__",
          "dataType":"bigint",
          "visible":false,
          "semanticType":"the insertion timestamp"
        },
        {
          "name":"aa",
          "dataType":"string",
          "visible":true,
          "semanticType":"other"
        }
      ]
    },
    "status":"SUCCESS"
  }
}
{
  "time":"06/10/2020 06:28:42 +05.5:30",
  "category":"CustomLists",
  "type":"CustomListDeleted",
  "details": {
    "name":"customlist0531_1",
    "status":"SUCCESS"
  }
}
{
  "time":"06/10/2020 06:28:42 +05.5:30",
  "category":"CustomLists",
  "type":"CustomListRowEdited",
  "details": {
    "name":"list_name",
    "before": {
      "__lhub_inserted_time__":"1584491009298",
      "list_1":"UserAuthenticationTypeChange"
    },
    "after":{
      "__lhub_inserted_time__":"1584491009298",
      "list_1":"UserAuthenticationTypeChange_edited"
    },
    "status":"SUCCESS",
    "action":"EDITED"                  
  }
}
{
  "time":"06/10/2020 06:28:42 +05.5:30",
  "category":"CustomLists",
  "type":"CustomListDataEdited",
  "details": {
    "name":"list_name",
    "action":"REPLACED",
    "status":"SUCCESS"
  }
}

Events Related to Commands

Events in this category have Command in the category field.
parameters holds the values the user entered for the command's parameters during execution.
initiator indicates where the command was triggered from, such as Case, CommandPreview, or QuickAction.

{
  "command": "Command_test_m82_1",
  "executionTime": 0,
  "status": "SUCCESS",
  "parameters":{
    "param1": "Indra",
    "param2": "Jeet"
  },
  "initiator": {
    "caseId": "Lhub-10299",
    "via": "Case"
  }
}
{
  "command": "Command_test_m86_3",
  "error": "[Execution Error] Executing step nodeOutput failed. The node nodeOutput is broken: Couldn't compile lql: Failure was: [Syntax Error] SQL failed to parse token 'null <select>' at line 1 column 1. Next input was: `* from Parameter_Node``",
  "status": "FAILED",
  "parameters":
  {},
  "initiator": {
    "via": "CommandPreview"
  }
}
