Audit Logs

Welcome to the Exabeam Security Operations Platform
- Exabeam Security Operations Platform Architecture
- Navigation Center
Licenses
- Exabeam Security Operations Portfolio Licenses
  - Exabeam Security Operations Portfolio License Types
  - Features by Exabeam Security Operations Portfolio License Type
- Fusion Licenses
  - Fusion License Types
  - Features by Fusion License Type
Get Started with the Exabeam Security Operations Platform
- (Optional) Allow Exabeam IP Addresses for your Region
- Define a Unique Site Name
Universal Role-Based Access
Exabeam Copilot
Monitoring

Audit logs represent user, object, or setting events in your organization. Specific events related to all users identified in your Exabeam Security Operations Platform are logged, including activities within the user interface and configuration activities. This is especially useful for reviewing activities for audits (for example GDPR).

Note

Internal audit logs of activity performed by Exabeam employees supporting customer environments are not available for customer consumption.

Exabeam stores all audit logs and provides a query interface in Search that you can use to find and export audit logs.

Note

For information on setting retention limits for your audit logs, see Global Log Retention in the Exabeam Search Guide.

Types of Audit Logs

The following table displays the types of events captured in the audit log for the Exabeam Security Operations Platform by feature area. Each event also has an associated activity type—as defined in the common information model—that references additional, granular fields that you can use to search your audit logs. For each event, the activity type is displayed in parentheses.

Feature	Events
API Settings	API key creation (key-create) API key modified (key-write) API key deleted (key-delete)
Authentication	EULA signed (file-write) Logged in (app-login) Logged out (app-logout) Logged in (app-login) Logged out (app-logout)
Cloud Collectors	Log source created (log_source-add) Log source modified (log_source-modify) Log source deleted (log_source-remove) Log source enabled (log_source-enable) Log source disabled (log_source-disable) Log account created (log_account-create) Log account modified (log_account-modify) Log account deleted (log_account-delete)
Context Management	Context table created (context_table-create) Context table deleted (context_table-delete) Context table modified (context_table-modify)
Correlation Rules	Rule created (rule-create) Rule modified (rule-modify) Rule deleted (rule-delete) Rule enabled (rule-enable) Rule disabled (rule-disable)
Dashboards	Report created (report-create) Report deleted (report-delete) Report downloaded (report-download) Report modified (report-modify) Report published (report-publish)
Dashboard Visualizations	Visualization created (visualization-create) Visualization deleted (visualization-delete) Visualization exported (visualization-export) Visualization modified (visualization-modify) Visualization published (visualization-publish)
Role Settings	Custom role created (role-create) Custom role modified (role-modify) Custom role deleted (role-delete)
Search	Log search (log-search) Log download (log-download) Log export (log-export)
SSO Settings	Single sign-on deleted (configuration-delete) Single sign-on created (configuration-create) Single sign-on modified (configuration-modify)
Threat Center	Alert created (alert-create) Alert modified (alert-modify) Alert read (alert-read) Case created (case-create) Case modified (case-modify) Case read (case-read)
User Settings	User invited (user-invite) User invitation canceled (user-invite-cancel) User activated (user-enable) User deactivated (user-disable) User modified (user-modify) User password reset (user-password-reset) User deleted (user-delete)

Audit Log Visibility

To access audit logs, use the Search app available from the Exabeam Security Operations Platform. From Search, you can view all audit logs over a specific time period and search for specific audit log types. For ease of use, an Audit Logs tab is accessible in the Search query builder. For information about using the Audit Logs tab, see Basic Search in the Search Feature Guide.

In the common information model, all audit logs are assigned to the Exabeam vendor and Audit Log product.

For example, to search for events related to case modification events in Threat Center, use the following parameters in your Search query:

vendor: Exabeam
product: Audit Log
activity_type: case-modify

Exabeam Security Operations PlatformExabeam Security Operations Platform Administration Guide

Table of ContentsTable of Contents

Audit Logs

Note

Note

Types of Audit Logs

Audit Log Visibility