Audit Events
Structure of the Log
Audit logs have the following structure for each entry.
{
"time":"2019-09-25T23:40:02.695Z",
"category":"UserAccounts",
"actor":"[email protected]",
"type":"UserLoginSuccess",
"details":{
"needsPasswordReset":false,
"actorRole":"user",
"authenticationType":"password",
"status":"SUCCESS"
}
}
The following parameters are at the top level of the structure.
time
is the date and time at which the action took place. Most samples on this page use ISO 8601 UTC (2019-09-25T23:40:02.695Z); a few use a slash-separated local date and time with a UTC offset (11/03/2020 12:10:59+05:30), so a parser should accept both forms.
category
indicates the type of action that is logged.
actor
is the username of the person who performs the action.
type
is the specific type of event.
details
holds specifics about the particular category and type; its fields are described per category below.
Events Related to User Accounts
Events in this category have UserAccounts in the category field.
actorRole
is the privilege level of the user who performs the action.
authenticationType
indicates whether authentication is password or LDAP based.
deletedUserName or deleteUserName
is the username of the user who is subject to a successful or failed deletion action (the success sample uses deletedUserName, the failure sample deleteUserName).
message
indicates the cause of the result (success or failure), such as Incorrect Username or Incorrect Password Entered.
newUsernameCreated
is the username of the user who was successfully added. The samples spell this key both newUsernameCreated and newUserNameCreated, so match on both.
role
indicates the privilege level of the user on whose behalf the action is performed.
status
indicates whether the action succeeded or failed. Successful actions carry SUCCESS; failures appear as FAILURE in some samples and FAILED in others, so treat either value as a failure.
needsPasswordReset
indicates whether the user needs to change the password upon successful login. This is the case when the user logs in for the first time after being provisioned or after a password reset.
resetUsername
is the username of the person whose password is reset.
resetRole
is the role of the person whose password has been reset.
newUsername or newUserName
is the username of the user who could not be added.
editedUsername
is the username of the user whose privileges are changed.
oldRole
is the previous role of the user.
newRole
is the new role of the user.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserLoginSuccess",
"actor": "[email protected]",
"details": {
"needsPasswordReset": false,
"actorRole": "user",
"authenticationType": "password",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserLoginFailed",
"actor": "[email protected]",
"details": {
"message": "Incorrect Password",
"status": "FAILURE"
}
}
{ "time": "2019-09-26T02:05:10.995Z",
"category": "UserAccounts",
"type": "UserLogoutSuccess",
"actor": "[email protected]",
"details": {
"actorRole": "user",
"authenticationType": "password",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserPasswordResetSuccess",
"actor": "[email protected]",
"details": {
"actorRole": "user",
"resetUsername": "[email protected]",
"resetRole": "user",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserPasswordResetFailed",
"actor": "[email protected]",
"details": {
"message": "Incorrect password entered",
"status": "FAILURE"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserCreateSuccess",
"actor": "[email protected]",
"details": {
"authenticationType": "password",
"newUserNameCreated": "hlee",
"role": "user",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserCreateFailed",
"actor": "[email protected]",
"details": {
"authenticationType": "password",
"actorRole": "user",
"newUsername": "hlee",
"message": "user",
"status": "FAILURE"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserDeleteSuccess",
"actor": "[email protected]",
"details": {
"actorRole": "admin",
"deletedUserName": "hlee",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserDeleteFailed",
"actor": "[email protected]",
"details": {
"actorRole": "admin",
"deleteUserName": "hlee",
"status": "FAILED"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserPrivilegeChange",
"actor": "[email protected]",
"details": {
"editedUsername": "hlee",
"oldRole": "user",
"newRole": "admin",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserEmailChanged",
"actor": "[email protected]",
"details": {
"oldEmail": "[email protected]",
"newEmail": "[email protected]",
"editedUsername": "ritesh",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupsChanged",
"actor": "[email protected]",
"details": {
"username": "[email protected]",
"oldUsers": ["ritesh", "admin"],
"newUsers": ["ritesh"],
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupCreateSuccess",
"actor": "[email protected]",
"details": {
"name": "ritesh",
"users": ["ritesh", "admin"],
"permission": ["User Management => List"],
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupCreateFailed",
"actor": "[email protected]",
"details": {
"name": "ritesh",
"users": ["ritesh", "admin"],
"permission": ["User Management => List"],
"message": "group already exist with name as Everybody",
"status": "FAILED"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupDeleteSuccess",
"actor": "[email protected]",
"details": {
"name": "developer",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UsersAdditionToGroupSuccess",
"actor": "[email protected]",
"details": {
"name": "developer",
"groups": ["ritesh", "rakesh"],
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupUsersChanged",
"actor": "[email protected]",
"details": {
"name": "developer",
"oldUsers": ["ritesh", "rakesh"],
"newUsers": ["ritesh"],
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupNameChanged",
"actor": "[email protected]",
"details": {
"oldName": "developer",
"newName": "coder",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "UserAccounts",
"type": "UserGroupPermissionChanged",
"actor": "[email protected]",
"details": {
"name": "developer",
"oldPermissions": ["User Management => List"],
"newPermissions": ["Playbook => Admin"],
"status": "SUCCESS"
}
}
{ "time":"11/03/2020 12:10:59+05:30",
"category":"UserAccounts",
"type":"UserAccountLocked",
"actor":"admin",
"details": {
"message":"Excessive failed login attempts. Account locked",
"status":"FAILED"
}
}
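As an added example (not code from the original page or from the product it documents), the following Python runs a few detections over UserAccounts entries of the shape shown above: several UserLoginFailed entries followed by a UserLoginSuccess for the same actor, a UserPrivilegeChange that grants admin, UserAccountLocked, and user creation and deletion under either spelling of the key. It assumes newline-delimited JSON in write order; the sample entries, the usernames rakesh and bob, and the threshold of three failures are constructed for the example.

```python
"""Detections over UserAccounts audit entries.

Added example, not code from the original page or from the product it
documents. Assumes newline-delimited JSON entries, in write order, using the
field names shown on this page; key spellings and status values that vary
between the page's samples are all accepted. SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict

# Keys that the page's samples spell in more than one way.
CREATED_KEYS = ("newUsernameCreated", "newUserNameCreated")
DELETED_KEYS = ("deletedUserName", "deleteUserName")

# Constructed sample log: one JSON object per line, oldest first.
SAMPLE_LOG = "\n".join([
    '{"time":"2019-09-25T23:40:00.000Z","category":"UserAccounts","type":"UserLoginFailed","actor":"hlee","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:01.000Z","category":"UserAccounts","type":"UserLoginFailed","actor":"hlee","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:02.000Z","category":"UserAccounts","type":"UserLoginFailed","actor":"hlee","details":{"message":"Incorrect Password","status":"FAILURE"}}',
    '{"time":"2019-09-25T23:40:03.000Z","category":"UserAccounts","type":"UserLoginSuccess","actor":"hlee","details":{"needsPasswordReset":false,"actorRole":"user","authenticationType":"password","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:41:00.000Z","category":"UserAccounts","type":"UserPrivilegeChange","actor":"admin","details":{"editedUsername":"hlee","oldRole":"user","newRole":"admin","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:42:00.000Z","category":"UserAccounts","type":"UserCreateSuccess","actor":"admin","details":{"authenticationType":"password","newUserNameCreated":"rakesh","role":"user","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:43:00.000Z","category":"UserAccounts","type":"UserDeleteFailed","actor":"admin","details":{"actorRole":"admin","deleteUserName":"rakesh","status":"FAILED"}}',
    '{"time":"2019-09-25T23:45:00.000Z","category":"UserAccounts","type":"UserAccountLocked","actor":"bob","details":{"message":"Excessive failed login attempts. Account locked","status":"FAILED"}}',
    '{"time":"2019-09-25T23:46:00.000Z","category":"Flow","type":"FlowCreated","actor":"admin","details":{"flowId":"flow-1","status":"SUCCESS"}}',
])


def parse_lines(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed(details):
    """True for a failed action; the samples use both FAILURE and FAILED."""
    return str(details.get("status", "")).upper() in ("FAILURE", "FAILED")


def first_present(details, keys):
    """Value of the first alias key present in details, else None."""
    for key in keys:
        if key in details:
            return details[key]
    return None


def analyze(events, threshold=3):
    """Return a dict of findings. `threshold` is the number of consecutive
    UserLoginFailed entries for one actor that, when followed by a
    UserLoginSuccess, is reported as a possible password-guessing success."""
    findings = {
        "brute_force": [],
        "privilege_escalation": [],
        "locked_accounts": [],
        "created_users": [],
        "deleted_users": [],
        "failed_deletions": [],
    }
    consecutive_failures = defaultdict(int)
    for ev in events:
        if ev.get("category") != "UserAccounts":
            continue
        actor = ev.get("actor")
        kind = ev.get("type")
        details = ev.get("details", {})
        if kind == "UserLoginFailed":
            consecutive_failures[actor] += 1
        elif kind == "UserLoginSuccess":
            if consecutive_failures[actor] >= threshold:
                findings["brute_force"].append(
                    {"actor": actor, "failures": consecutive_failures[actor], "time": ev.get("time")})
            consecutive_failures[actor] = 0
        elif kind == "UserAccountLocked":
            findings["locked_accounts"].append({"actor": actor, "time": ev.get("time")})
        elif kind == "UserPrivilegeChange" and not failed(details):
            if details.get("newRole") == "admin" and details.get("oldRole") != "admin":
                findings["privilege_escalation"].append(
                    {"actor": actor, "target": details.get("editedUsername"), "time": ev.get("time")})
        elif kind == "UserCreateSuccess" and not failed(details):
            findings["created_users"].append(first_present(details, CREATED_KEYS))
        elif kind == "UserDeleteSuccess" and not failed(details):
            findings["deleted_users"].append(first_present(details, DELETED_KEYS))
        elif kind == "UserDeleteFailed":
            findings["failed_deletions"].append(first_present(details, DELETED_KEYS))
    return findings


if __name__ == "__main__":
    for name, hits in analyze(parse_lines(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

The failure counter is reset on every UserLoginSuccess, so a later success after a fresh run of failures is reported again; the counter is keyed on actor only, because the samples carry no source address to key on.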
Events Related to Playbooks
Events in this category have Flow in the category field.
flowId
is the unique identifier of the playbook.
version
is the version of the playbook at the time of the log entry.
modifiedType
is one of FlowContentChanged or FlowRename.
oldData
is the old flow name when modifiedType is FlowRename; otherwise it is the old node structure.
newData
is the new flow name when modifiedType is FlowRename; otherwise it is the new node structure.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Flow",
"type": "FlowPublished",
"actor": "[email protected]",
"details": {
"flowId": "flow-44721",
"version": 23,
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Flow",
"type": "FlowCreated",
"actor": "[email protected]",
"details": {
"flowId": "flow-44721",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Flow",
"type": "FlowModified",
"actor": "[email protected]",
"details": {
"flowId": "flow-44721",
"modifiedType": "FlowRename",
"status": "SUCCESS",
"oldData": "Gmail Scan",
"newData": "Gmail Scan - deprecated"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Flow",
"type": "FlowDeleted",
"actor": "[email protected]",
"details": {
"flowId": "flow-44721",
"status": "SUCCESS"
}
}
Events Related to Script
Events in this category have Script in the category field.
name
is the name of the script under consideration.
names
lists the script names when an operation is performed on several scripts at once.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Script",
"type": "PythonScriptAdded",
"actor": "[email protected]",
"details": {
"name": "script1.py",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Script",
"type": "PythonScriptDeleted",
"actor": "[email protected]",
"details": {
"names": ["script1.py"],
"status": "SUCCESS"
}
}
Events Related to Playbook Execution
Events in this category have FlowExecutions in the category field.
flowId
is the unique identifier of the playbook whose batch is being executed.
streamId
is the unique identifier of the stream whose batch is being executed.
batchStartTime
is the Unix time in milliseconds at which the batch started.
batchEndTime
is the Unix time in milliseconds at which the batch ended.
noOfResults
is the number of rows generated in the batch run.
executionTime
is the time in milliseconds the batch took to complete, that is, batchEndTime minus batchStartTime.
nodeCount
is the total number of nodes in the playbook that were executed in this batch.
size
is the total size in bytes of data ingested by the system as the result of a playbook action.
Note that the numeric fields above are emitted as JSON strings in the samples ("noOfResults": "15278"); cast them before doing arithmetic or comparisons.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "BatchExecuted",
"actor": "[email protected]",
"details": {
"flowId": "flow-44721",
"streamId": "stream-5740",
"batchStartTime": "1569575400206",
"batchEndTime": "1569575400206",
"noOfResults": "15278",
"executionTime": "10830",
"nodeCount": "35",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "EventsIngested",
"actor": "[email protected]",
"details": {
"size": "18241",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "AlertTriageNodeExecuted",
"actor": "[email protected]",
"details": {
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "NodeDeleted",
"actor": "[email protected]",
"details": {
"flowId": "flow-12",
"nodeIds": ["1232-2awd2-2abd-bg54"],
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "NodeAdded",
"actor": "[email protected]",
"details": {
"flowId": "flow-12",
"nodeId": "1232-2awd2-2abd-bg54",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "HumanTriggeredFlow",
"actor": "[email protected]",
"details": {
"flowId": "flow-12",
"nodeId": "1232-2awd2-2abd-bg54",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "FlowExecutions",
"type": "FlowExported",
"actor": "[email protected]",
"details": {
"flowIds": ["flow-12"],
"status": "SUCCESS"
}
}
Manual Triggered Event Tracking
If a manually triggered playbook run produced unexpected data, use the HumanTriggeredFlow event type above to find the details of the execution, such as who triggered it and when.
To do this:
- Use the default system event type to fetch all the logs.
- Filter the data to the manual execution logs with a simple query on the event type being equal to "HumanTriggeredFlow".
- From those manual-execution records, filter further to locate the source of the anomaly. For example, to find the details of a particular node execution, filter on nodeId to get the records for that node.
You can refer to the image for a sample scenario:
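The procedure above, as an added example in Python (not code from the original page or from the product it documents): it selects HumanTriggeredFlow entries, optionally narrowed by nodeId or flowId, normalises both timestamp forms seen on this page to UTC so mixed entries sort correctly, and then attaches to each manual trigger the first later BatchExecuted for the same flowId, casting the string-typed counters and checking them against the executionTime definition. The slash-separated date is assumed to be day/month/year; the sample entries and the node id "node-b" are constructed.

```python
"""Tracing manually triggered playbook runs back to who ran them and when.

Added example, not code from the original page or from the product it
documents. Assumes newline-delimited JSON entries using the field names shown
on this page. The slash-separated timestamp form is assumed to be
day/month/year. SAMPLE_LOG and the node id "node-b" are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample log, deliberately not in time order and with both
# timestamp styles that appear on this page.
SAMPLE_LOG = "\n".join([
    '{"time":"2019-09-25T23:40:02.695Z","category":"FlowExecutions","type":"HumanTriggeredFlow","actor":"ritesh","details":{"flowId":"flow-12","nodeId":"1232-2awd2-2abd-bg54","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:40:13.525Z","category":"FlowExecutions","type":"BatchExecuted","actor":"ritesh","details":{"flowId":"flow-12","streamId":"stream-5740","batchStartTime":"1569454802695","batchEndTime":"1569454813525","noOfResults":"15278","executionTime":"10830","nodeCount":"35","status":"SUCCESS"}}',
    '{"time":"11/03/2020 12:10:59+05:30","category":"FlowExecutions","type":"HumanTriggeredFlow","actor":"admin","details":{"flowId":"flow-44721","nodeId":"node-b","status":"SUCCESS"}}',
    '{"time":"2019-09-25T23:39:00.000Z","category":"UserAccounts","type":"UserLoginSuccess","actor":"ritesh","details":{"status":"SUCCESS"}}',
])


def parse_lines(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value):
    """Parse the two timestamp styles on this page into aware UTC datetimes."""
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    # e.g. "11/03/2020 12:10:59+05:30" (assumed day/month/year); some samples
    # put a space before the offset, which strptime's %z does not accept.
    local = datetime.strptime(value.replace(" +", "+"), "%d/%m/%Y %H:%M:%S%z")
    return local.astimezone(timezone.utc)


def manual_executions(events, node_id=None, flow_id=None):
    """HumanTriggeredFlow entries (optionally filtered), oldest first, with
    who triggered the run and when."""
    runs = []
    for ev in events:
        if ev.get("category") != "FlowExecutions" or ev.get("type") != "HumanTriggeredFlow":
            continue
        d = ev.get("details", {})
        if node_id is not None and d.get("nodeId") != node_id:
            continue
        if flow_id is not None and d.get("flowId") != flow_id:
            continue
        runs.append({
            "when": parse_time(ev["time"]),
            "who": ev.get("actor"),
            "flowId": d.get("flowId"),
            "nodeId": d.get("nodeId"),
            "status": d.get("status"),
        })
    runs.sort(key=lambda r: r["when"])
    return runs


def correlate_batches(events):
    """Attach to each manual trigger the first later BatchExecuted for the same
    flowId, with its string counters cast to int and executionTime checked
    against batchEndTime - batchStartTime as the page defines it."""
    triggers = manual_executions(events)
    batches = []
    for ev in events:
        if ev.get("category") != "FlowExecutions" or ev.get("type") != "BatchExecuted":
            continue
        d = ev.get("details", {})
        start, end = int(d["batchStartTime"]), int(d["batchEndTime"])
        execution_time = int(d.get("executionTime", 0))
        batches.append({
            "when": parse_time(ev["time"]),
            "flowId": d.get("flowId"),
            "streamId": d.get("streamId"),
            "noOfResults": int(d.get("noOfResults", 0)),
            "executionTime": execution_time,
            "durationMatches": end - start == execution_time,
        })
    batches.sort(key=lambda b: b["when"])
    for t in triggers:
        t["batch"] = next(
            (b for b in batches if b["flowId"] == t["flowId"] and b["when"] >= t["when"]), None)
    return triggers


if __name__ == "__main__":
    for run in correlate_batches(parse_lines(SAMPLE_LOG)):
        print(run["when"].isoformat(), run["who"], run["flowId"], run["nodeId"], run["batch"])
```

A trigger with no later BatchExecuted for its flowId gets batch set to None, which is itself worth surfacing: a manual run that never produced a batch entry.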
Events Related to Case Management
Events in this category have CaseManagement in the category field.
title
is the title of a case.
caseId
is the unique case identifier assigned to a case.
timeTaken
is the total time in milliseconds from creation to closure of the case.
countDone
is the total count of cases in the 'done' state at the time of logging.
countTodo
is the total count of cases in the 'todo' state at the time of logging (spelled countToDo in the sample below).
countProgress
is the total count of cases in the 'progress' state at the time of logging.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "CaseManagement",
"type": "CaseCreated",
"actor": "[email protected]",
"details": {
"caseId": "283",
"title": "Unexpected Access to instance i-12345678901234",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "CaseManagement",
"type": "CaseClosed",
"actor": "[email protected]",
"details": {
"caseId": "283",
"title": "Unexpected Access to instance i-12345678901234",
"timeTaken": "17588929",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "CaseManagement",
"type": "CaseCurrentStatus",
"actor": "[email protected]",
"details": {
"countDone": "33",
"countToDo": "95",
"countProgress": "10",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "CaseManagement",
"type": "CaseModified",
"actor": "[email protected]",
"details": {
"caseId": 12,
"status": "SUCCESS"
}
}
Events Related to Integration
Events in this category have Integration in the category field.
integrationCount
indicates the total number of unique integrations that are used by all the connections at the time of logging.
connectionCount
indicates the total number of connections at the time of logging.
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Integration",
"type": "IntegrationCurrentStatus",
"actor": "[email protected]",
"details": {
"integrationCount": "66",
"connectionCount": "247",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Integration",
"type": "IntegrationConnectionDeleted",
"actor": "[email protected]",
"details": {
"label": "Ritesh - AWS Connection",
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Integration",
"type": "IntegrationConnectionDeleted",
"actor": "[email protected]",
"details": {
"label": "Ritesh - AWS Connection",
"oldData" : {"url": "www.aws.com"},
"newInstanceData": {"url": "www.aws.com"},
"status": "SUCCESS"
}
}
{ "time": "2019-09-25T23:40:02.695Z",
"category": "Integration",
"type": "IntegrationConnectionCreated",
"actor": "[email protected]",
"details": {
"label": "Ritesh - AWS Connection",
"data" : {"url": "www.aws.com"},
"descriptorId": "logichub.aws",
"status": "SUCCESS"
}
}
Events Related to Custom List
Events in this category have CustomLists in the category field. The samples below carry no actor field.
name
is the name of the custom list.
schema
lists the columns of the custom list.
action
is the operation performed while editing the data of the custom list: one of APPENDED, REMOVED, REPLACED or DEDUPLICATED. The single-row edit sample below records EDITED.
before
is the row value before the edit.
after
is the row value after the edit.
{
"time":"06/10/2020 06:28:42 +05:30",
"category":"CustomLists",
"type":"CustomListCreated",
"details": {
"name":"customlist0531_1",
"schema":{
"columns": [
{
"name":"__lhub_inserted_time__",
"dataType":"bigint",
"visible":false,
"semanticType":"the insertion timestamp"
},
{
"name":"aa",
"dataType":"string",
"visible":true,
"semanticType":"other"
}
]
},
"status":"SUCCESS"
}
}
{
"time":"06/10/2020 06:28:42 +05:30",
"category":"CustomLists",
"type":"CustomListDeleted",
"details": {
"name":"customlist0531_1",
"status":"SUCCESS"
}
}
{
"time":"06/10/2020 06:28:42 +05:30",
"category":"CustomLists",
"type":"CustomListRowEdited",
"details": {
"name":"list_name",
"before": {
"__lhub_inserted_time__":"1584491009298",
"list_1":"UserAuthenticationTypeChange"
},
"after":{
"__lhub_inserted_time__":"1584491009298",
"list_1":"UserAuthenticationTypeChange_edited"
},
"status":"SUCCESS",
"action":"EDITED"
}
}
{
"time":"06/10/2020 06:28:42 +05:30",
"category":"CustomLists",
"type":"CustomListDataEdited",
"details": {
"name":"list_name",
"action":"REPLACED",
"status":"SUCCESS"
}
}
Events Related to Commands
Events in this category have Command in the category field. The samples below show only the details object, without the top-level time, category, type and actor fields.
parameters
holds the values the user entered for the command's parameters during execution.
initiator
records where the command was triggered from. Its via field is one of Case, CommandPreview or QuickAction; when via is Case, caseId identifies the case.
{
"command": "Command_test_m82_1",
"executionTime": 0,
"status": "SUCCESS",
"parameters":{
"param1": "Indra",
"param2": "Jeet"
},
"initiator": {
"caseId": "Lhub-10299",
"via": "Case"
}
}
{
"command": "Command_test_m86_3",
"error": "[Execution Error] Executing step nodeOutput failed. The node nodeOutput is broken: Couldn't compile lql: Failure was: [Syntax Error] SQL failed to parse token 'null <select>' at line 1 column 1. Next input was: `* from Parameter_Node``",
"status": "FAILED",
"parameters":
{},
"initiator": {
"via": "CommandPreview"
}
}