Audit Trail

View, export, extract, and purge the audit trail in Cortex XSOAR. The audit trail logs all administrative user actions in XSOAR.
The audit trail displays a log of all administrative user interactions with Cortex XSOAR. The log is sorted by date and records which users interacted with which system objects, how, and the associated data. The audit trail does not include actions performed in the War Room; those actions are documented in the War Room itself.
You can search the audit trail log for user interactions using free text.
To view the audit trail, navigate to Settings > Users and Roles > Audit Trail.
To customize which columns are visible in the audit trail log, click the table settings button.
To export the audit trail log, use the GetAudits command from the Cortex XSOAR REST API. See the Cortex XSOAR REST API documentation.
Extract a Day’s Audit Trail
You can write a script that runs daily to extract that day's audit trail, and upload it to your SIEM with uploader programs. The following is an example of a curl command that will fetch all audits from June 22, 2017 and later - up to 10,000 actions.
curl -k -X POST https://<IP>:<PORT>/settings/audits -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"size" : 10000,"query": "modified:>2017-06-22T00:00:00"}'
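A daily extraction script built around the same endpoint, added here as an example (it is not Palo Alto Networks' code). It assumes that /settings/audits accepts the page/size/query body shown on this page and answers with a JSON object holding an "audits" list, and that the range form modified:>=A AND modified:<B behaves like the modified:> filter above. It pages through the results so a day with more than 10,000 entries is not truncated, and verifies TLS instead of passing -k.

```python
"""Daily audit-trail pull for Cortex XSOAR (added example, not vendor code).
Assumed: /settings/audits takes the page/size/query body shown on the page and
replies with {"audits": [...]}; the range query syntax is assumed as well."""
import json
import ssl
import urllib.request
from datetime import date, timedelta

PAGE_SIZE = 10000  # the per-request cap used by the page's curl example


def build_audit_query(day_iso: str, page: int = 0, size: int = PAGE_SIZE) -> dict:
    """Request body selecting one calendar day (YYYY-MM-DD, UTC bounds assumed)."""
    day = date.fromisoformat(day_iso)
    start = day.isoformat() + "T00:00:00"
    end = (day + timedelta(days=1)).isoformat() + "T00:00:00"
    return {"page": page, "size": size,
            "query": f"modified:>={start} AND modified:<{end}"}


def _http_post(url: str, api_key: str, body: dict) -> dict:
    """POST JSON with the same headers as the curl example; TLS is verified."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"accept": "application/json", "authorization": api_key,
                 "content-type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def fetch_audits(base_url: str, api_key: str, day_iso: str,
                 size: int = PAGE_SIZE, post=_http_post) -> list:
    """Collect every page for the day, so more than `size` entries are not cut off.
    `post` is injectable so the paging logic can be exercised without a server."""
    collected, page = [], 0
    while True:
        body = build_audit_query(day_iso, page, size)
        batch = post(f"{base_url}/settings/audits", api_key, body).get("audits", [])
        collected.extend(batch)
        if len(batch) < size:  # a short (or empty) page means we are done
            return collected
        page += 1


def to_siem_lines(audits: list) -> list:
    """One compact JSON object per line for a file-based SIEM uploader."""
    return [json.dumps(a, sort_keys=True, separators=(",", ":")) for a in audits]


if __name__ == "__main__":
    import sys
    yesterday = (date.today() - timedelta(days=1)).isoformat()
    # argv: base URL (https://<IP>:<PORT>) and API key; JSON lines go to stdout
    print("\n".join(to_siem_lines(fetch_audits(sys.argv[1], sys.argv[2], yesterday))))
```

Redirect the output to a file and hand it to your SIEM's uploader, or replace the print with a direct call to its ingestion client.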
Purge Audit Entries
You can define the retention period of the audit trail. By default, audit entries are retained forever. To purge periodically, add a server setting in Settings > About > Troubleshooting, where the key is:
  • demisto.audits.purge
    True starts the purging process.
  • demisto.audits.purge.retention
    The value is the number of days to keep the log. The default is 365.
To define how often to check the audit trail log, in Settings > About > Troubleshooting add demisto.audits.purge.delay, where the value is how often to run the retention (demisto.audits.purge.retention). The default is every 24 hours.
Purging can also be done manually. The following is an example of a curl command that will purge all audits from June 22, 2017 to June 30, 2017.
curl -k -X POST https://<IP>:<PORT>/settings/audits/purge -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"page": 0, "size": 100,"fromDate": "2017-07-22T09:01:08.462954465+03:00","toDate": "2017-07-30T12:23:08.462954597+03:00","period": {"by": "","toValue": null, "fromValue": null, "field": "" }, "fromDateLicense": "0001-01-01T00:00:00Z"}'
The following table describes the components and the actions that can be recorded for each.
Component | Actions
account | block, unblock, add, delete, stop, start
APIKeys | delete, add
AppServer | restart
backup | edit
Canvas | add, edit, delete
classifier | add, copy, edit
content | install
ContentPack | edit, delete
ContributionPack | add, edit, delete
credentials | add, edit, delete
Dashboard | add, delete, edit
engine | add, edit
entry | restore, delete, removeentrypermanently, edit
execute | add
host | delete, downloadconf, add
HyperProcess(reputation) | add, delete
incident | edit, close, execute, delete, duplicate, notcreated, add
incidentField | add, edit, delete
IncidentType | attach, detach, disable, enable, delete, edit, add
indicator | edit, add, delete
indicator BulkEdit | edit
Integration permissions | edit
integrations | add, delete, edit
integrationsConfig | add, edit, delete, upload
investigation | close, reopen, edit, add
invite | add, utilized, delete
Jobs | add, edit, disable, enable, delete, pause, resume, runnow, abort
Layout | add, copy, edit
License | invalid
List | edit, add, delete
LiveBackup | switch, add, delete
login | failure, in, out, outall, outmyself, outmyselfothersessions, outuser
logout | failure
MarketplaceRegister | create
PasswordPolicy | edit
playbook | add, edit, attach, detach, upload, copy, delete
PreprocessRule | edit, add
PropagationLabel | delete, add, edit
RemoteDB | download, enable, disable, add, create
role | add, edit, delete
script | copy, upload, edit, add, delete
ServerConfiguration | edit
task | add, copy
Telemetry | edit
user | edit, lockout, unlock, add, enable, setpassword
whitelist | delete, batchcreate, add
Widget | edit, add, reset