End-of-Life (EoL)
Audit Trail
The audit trail displays a log of all administrative user interactions with Cortex XSOAR. The log is sorted by date and records which users interacted with which system objects and associated data, and in what way. The audit trail does not include actions performed in the war room; those actions are documented in the war room itself. You can search the audit trail log for user interactions using free text.
To view the audit trail, navigate to Settings > Users and Roles > Audit Trail.
To customize which columns are visible in the audit trail log,
click the table settings button.
To export the audit trail log, use the GetAudits command from the Cortex XSOAR REST API. See the Cortex XSOAR REST API documentation.

Extract a Day's Audit Trail
You can write a script that runs daily to extract that day's audit trail and upload it to your SIEM with an uploader program. The following is an example of a curl command that fetches all audits modified on or after June 22, 2017, up to 10,000 actions.
```bash
curl -k -X POST https://<IP>:<PORT>/settings/audits -H 'accept: application/json' -H 'authorization:<API KEY>' -H 'content-type: application/json' -d '{"size" : 10000,"query": "modified:>2017-06-22T00:00:00"}'
```

Purge Audit Entries
You can define the retention period of the audit trail. By default, audit entries are retained forever. To purge periodically, add a server setting in Settings > About > Troubleshooting with the following keys:
- demisto.audits.purge: True will start the purging process.
- demisto.audits.purge.retention: the value is the number of days to keep the log. The default is 365.
To define how often the audit trail log is checked, in Settings > About > Troubleshooting add the key demisto.audits.purge.delay, where the value is how often the retention check (demisto.audits.purge.retention) runs. The default is every 24 hours.

Purging can also be done manually. The following is an example of a curl command that purges all audits from June 22, 2017 to June 30, 2017.
```bash
curl -k -X POST https://<IP>:<PORT>/settings/audits/purge -H 'accept: application/json' -H 'authorization:<API KEY>' -H 'content-type: application/json' -d '{"page": 0, "size": 100,"fromDate": "2017-07-22T09:01:08.462954465+03:00","toDate": "2017-07-30T12:23:08.462954597+03:00","period": {"by": "","toValue": null, "fromValue": null, "field": "" }, "fromDateLicense": "0001-01-01T00:00:00Z"}'
```

The following table describes components and actions.
| Component | Actions |
|---|---|
| account | |
| APIKeys | |
| AppServer | |
| backup | |
| Canvas | |
| classifier | |
| content | |
| ContentPack | |
| ContributionPack | |
| credentials | |
| Dashboard | |
| engine | |
| entry | |
| execute | |
| host | |
| HyperProcess(reputation) | |
| incident | |
| incidentField | |
| IncidentType | |
| indicator | |
| indicator BulkEdit | |
| integrations | |
| integrationsConfig | |
| investigation | |
| invite | |
| Jobs | |
| Layout | |
| License | |
| List | |
| LiveBackup | |
| login | |
| logout | |
| MarketplaceRegister | |
| PasswordPolicy | |
| playbook | |
| PreprocessRule | |
| PropagationLabel | |
| RemoteDB | |
| role | |
| script | |
| ServerConfiguration | |
| task | |
| Telemetry | |
| user | |
| whitelist | |
| Widget | |
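As an added example, not code from the Cortex XSOAR documentation, the following Python script ties the two REST calls on this page together: it builds a day-bounded query for the daily extraction described under Extract a Day's Audit Trail, pages through POST /settings/audits, writes the result as newline-delimited JSON for a SIEM uploader, and wraps the manual purge call from Purge Audit Entries. The endpoint paths, header names and JSON body fields are the ones in the curl commands above; the `page` request field, the `audits` response array, the bounded query syntax, the page size and the BASE_URL / API_KEY placeholders are assumptions, and FakeAuditServer is a constructed stand-in so the script runs offline.

```python
"""Daily audit-trail export and manual purge against the two Cortex XSOAR
audit endpoints shown on this page (/settings/audits and
/settings/audits/purge). Added example, not Cortex XSOAR code.
Assumptions not taken from the page: the "page" request field, the
"audits" response array, the query range syntax in build_day_query, and
the BASE_URL / API_KEY / PAGE_SIZE placeholders."""
import json
import urllib.request
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List

BASE_URL = "https://<IP>:<PORT>"   # placeholder, as in the curl commands
API_KEY = "<API KEY>"              # placeholder; load it from a secret store
PAGE_SIZE = 1000                   # assumed page size (the curl above uses 10000)

Poster = Callable[[str, Dict], Dict]   # transport: (url, json body) -> json reply

def build_day_query(day: date) -> str:
    """Query string for entries modified during one calendar day.
    The page's curl uses 'modified:>2017-06-22T00:00:00'; bounding both
    ends the same way (>= start, < next day) is an assumption."""
    start = datetime(day.year, day.month, day.day)
    end = start + timedelta(days=1)
    return f"modified:>={start.isoformat()} AND modified:<{end.isoformat()}"

def build_audit_body(query: str, page: int = 0, size: int = PAGE_SIZE) -> Dict:
    """Body for POST /settings/audits: size and query come from the page,
    the page field is assumed."""
    return {"page": page, "size": size, "query": query}

def build_purge_body(from_date: datetime, to_date: datetime, size: int = 100) -> Dict:
    """Body for POST /settings/audits/purge, mirroring the manual-purge
    curl above (the empty "period" and zero fromDateLicense are copied as-is)."""
    return {
        "page": 0,
        "size": size,
        "fromDate": from_date.isoformat(),
        "toDate": to_date.isoformat(),
        "period": {"by": "", "toValue": None, "fromValue": None, "field": ""},
        "fromDateLicense": "0001-01-01T00:00:00Z",
    }

def post_json(url: str, body: Dict) -> Dict:
    """Default transport with the headers the curl commands send. TLS
    verification stays on; the curl examples pass -k, which disables it."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"accept": "application/json", "authorization": API_KEY,
                 "content-type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def fetch_day(day: date, post: Poster = post_json, base_url: str = BASE_URL) -> List[Dict]:
    """Collect one day's entries, paging until a short page comes back."""
    query, page, out = build_day_query(day), 0, []
    while True:
        resp = post(f"{base_url}/settings/audits", build_audit_body(query, page))
        batch = resp.get("audits", [])   # response field name is assumed
        out.extend(batch)
        if len(batch) < PAGE_SIZE:
            return out
        page += 1

def purge_range(from_date: datetime, to_date: datetime,
                post: Poster = post_json, base_url: str = BASE_URL) -> Dict:
    """Manual purge of a date range, as the second curl command does."""
    return post(f"{base_url}/settings/audits/purge", build_purge_body(from_date, to_date))

def to_ndjson(entries: List[Dict]) -> str:
    """One JSON object per line, the form most SIEM file uploaders ingest."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in entries)

class FakeAuditServer:
    """Constructed stand-in for a server so the script runs offline. It
    pages a fixed list the way fetch_day expects and counts the calls made."""

    def __init__(self, entries: List[Dict]) -> None:
        self.entries, self.calls = entries, 0

    def __call__(self, url: str, body: Dict) -> Dict:
        self.calls += 1
        if url.endswith("/settings/audits/purge"):
            return {"purged": True}
        start = body["page"] * body["size"]
        return {"audits": self.entries[start:start + body["size"]]}

if __name__ == "__main__":
    # Offline demo with five constructed entries; swap the fake for post_json
    # (and set BASE_URL / API_KEY) to run against a real server.
    fake = FakeAuditServer([{"id": i, "component": "login"} for i in range(5)])
    print(to_ndjson(fetch_day(date.today() - timedelta(days=1), post=fake)), end="")
```

Run it as-is to see the offline demo; to export for real, keep the default post_json transport and set BASE_URL and API_KEY from a secret store. post_json leaves TLS certificate verification on, whereas the curl commands above pass -k, which disables it; if the server uses an internal CA, point urllib at that CA bundle rather than switching verification off. Since the purge endpoint deletes entries, schedule the export first and confirm the SIEM has received the day's file before purging the same range.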