Exabeam Advanced Analytics Administration Guide: Cloud-delivered Advanced Analytics

Audit Logs

Audit logs represent user, object, or setting events in your organization. Specific events related to all Exabeam users are logged, including activities within the user interface as well as configuration activities.

Advanced Analytics stores the entire audit history; you cannot purge audit logs or set retention limits.

To access the activity data, you can forward audit logs via Syslog to an existing SIEM, to Data Lake, or to Search. Exabeam sends the Advanced Analytics activity data every five minutes. To access audit logs via Syslog, follow the notification setup procedure in Set Up Notifications to a Log Repository, Ticketing System, or SIEM.

Note

Advanced Analytics activity log data is not masked or obfuscated when sent via Syslog. It is your responsibility to upload the data to a dedicated index that is available only to users with appropriate privileges.

The following events are logged:

  • Log in and log out

  • Failed login

  • User addition, update, and removal

  • Role addition, update, and deletion

  • Permission addition and deletion

  • Audit being turned on or off

  • Token create, read, and update

  • Reindex job create and initiate

  • Threat Hunter Search

  • Component restart

  • SAML events

  • Adding or editing of secured resources

  • API cluster authorization events

  • Log source addition, update, and deletion

  • Log feed addition, update, and deletion

  • Syslog enable and disable

  • Full and partial acceptance of a session

  • Full and partial acceptance of a lockout

  • Full and partial acceptance of an asset sequence

  • Starting of a session

  • Starring of an asset sequence

  • Watchlist addition, update, and deletion
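Because the forwarded data lands unmasked in your own SIEM, the categories above are worth triaging there. The following is an added example, not Exabeam's code: the syslog payload layout (`event=... user=... result=...`) and the event names are assumptions, since this page does not document the record format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of forwarded audit events. The key=value layout after the
# syslog header is an assumption; the real Exabeam record format is not shown here.
SAMPLE_LINES = [
    "<14>Jan 10 09:00:01 aa-host exabeam-audit: event=login user=alice result=success",
    "<14>Jan 10 09:00:07 aa-host exabeam-audit: event=login user=bob result=failure",
    "<14>Jan 10 09:00:12 aa-host exabeam-audit: event=login user=bob result=failure",
    "<14>Jan 10 09:00:18 aa-host exabeam-audit: event=login user=bob result=failure",
    "<14>Jan 10 09:02:40 aa-host exabeam-audit: event=audit_disabled user=carol result=success",
    "<14>Jan 10 09:03:05 aa-host exabeam-audit: event=syslog_disabled user=carol result=success",
    "<14>Jan 10 09:04:00 aa-host exabeam-audit: event=watchlist_update user=alice result=success",
    "this line is not an audit record",
]

# Categories from the list above that reduce visibility or widen access.
# The labels are assumed names for those categories, not Exabeam identifiers.
HIGH_RISK_EVENTS = {
    "audit_disabled", "syslog_disabled", "permission_deleted",
    "role_deleted", "user_deleted", "token_created",
}

LINE_RE = re.compile(
    r"exabeam-audit: event=(?P<event>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not an audit record."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, failed_login_threshold=3):
    """Flag visibility-reducing events and users with repeated failed logins."""
    high_risk = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-audit noise rather than failing the run
        if rec["event"] in HIGH_RISK_EVENTS:
            high_risk.append((rec["event"], rec["user"]))
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[rec["user"]] += 1
    repeated = sorted(u for u, n in failures.items() if n >= failed_login_threshold)
    return {"high_risk": high_risk, "repeated_failed_logins": repeated}


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```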

An additional type of audit logging is available for applications in the Exabeam Security Operations Platform. These stored audit logs can be accessed in Search. For ease of use, an Audit Logs tab is accessible in the Search query builder. For information about using the Audit Logs tab, see Basic Search in the Search Feature Guide.

Events from the following Exabeam Security Operations Platform applications are logged:

  • Authentication

  • Threat Center

  • Correlation Rules

  • Search

  • Settings, including

    • Users

    • Roles

    • Single sign-on

    • API keys