Track user activity with audit trails

This page describes Observe's audit logs for CRUD operations.

Note

Audit logs for CRUD operations are GA and documented here. Query audit logs are still in private preview. Open a support request to have query audit logs enabled in your tenant.

As an administrator, you can enable the audit trail to understand who is using Observe within your organization and what actions they are performing. See What is audited? for a summary of the objects and actions audited by Observe.

Using audit logs, you can understand changes in your Observe tenant, such as:

  • A dashboard or monitor is now broken and needs to be fixed, due to a change in the input Dataset. Who modified the input Dataset, and when?
  • An alert never went out during my on-call shift, because a monitor was disabled. Who disabled the monitor, and when?

For security teams, audit events support compliance checks and provide a record of who did what, and when, to your Observe resources. For example, an audit trail is kept:

  • When someone changes the access controls on a dataset, providing too much access.
  • For user logins, account, or role changes in your organization.

This audit trail can be exported to cloud object storage with the Observe Data Export feature, either when your compliance retention requirements exceed your Observe retention or for analysis in your SIEM.

What is audited?

The following Observe objects are audited. For each object, the relevant actions among Create, Read, Update, Delete, Disable, and Enable are recorded:

  • Dataset
  • Monitor
  • Worksheet
  • Dashboard
  • Datastream
  • Reference table
  • Datastream token
  • API token
  • User
  • Report
  • RBAC statement
  • RBAC group
  • RBAC group member
  • Drop filter
  • Document
  • Data export job

Login and logout events are also audited, including the login type (such as SAML or local) and whether the login attempt succeeded. These logs are not associated with any Observe object.

Enable audit logging

You can enable audit logging in your Observe instance settings. See Instance settings.

Configuration

Observe Usage reporting app

The usage/Audit Events dataset is bundled with the Observe Usage reporting app, which focuses on capturing audit trail data. You can also control access to the audit trail by adding access controls to the System datastream (its root dataset) as well as to the usage/Audit Events dataset. You must be on version 0.22.0 or higher of the Observe Usage Reporting app to take advantage of this content.

Archive your audit trail

Archiving is an optional feature of the audit trail. Use it to write events to Amazon S3 so that your SIEM can read them from there, or to retain them for compliance reasons. Note that Data Export is currently in public preview.

Explore audit events

The Observe Usage reporting app now bundles audit trail content.

Audit Events dashboard: This dashboard provides examples for monitoring authentication events, overall CRUD operations per user, as well as content popularity.

usage/Audit Events Dataset: This Dataset enriches the raw audit data in the System Datastream with user information.

If you just want to view the raw events, open the System Datastream and run the following OPAL query, which groups all audit events by object type and operation. The example_events column contains newline-separated samples of your audit events.

make_col schema:string(EXTRA.schema)
filter schema = "audit_log"
statsby example_events:string_agg_distinct(string(FIELDS),"
"), group_by(FIELDS.object_kind,FIELDS.operation)

Create a monitor

Because the underlying raw data is exposed, it is straightforward to create monitors for specific audit events: for example, a monitor that triggers when a specific user logs in, or one that fires whenever a dashboard is deleted. In the example below, you filter to failed login events by user and alert when the number of failed logins per user exceeds a threshold over a specific time range.
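As an added example that is not from the Observe documentation, the following Python models the failed-login monitor described above offline, over constructed audit events shaped like the System datastream rows used in the OPAL query on this page (EXTRA.schema, FIELDS.object_kind, FIELDS.operation). The FIELDS.user and FIELDS.success field names are assumptions, not documented fields.

```python
# Sliding-window threshold detection for failed logins per user.
# Added example; field names "user" and "success" under FIELDS are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one row per audit event, schema "audit_log" as on
# the page; the last row is a non-audit row that the filter must drop.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "alice", "success": False}},
    {"timestamp": "2024-05-01T10:01:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "alice", "success": False}},
    {"timestamp": "2024-05-01T10:02:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "alice", "success": False}},
    {"timestamp": "2024-05-01T10:00:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "bob", "success": False}},
    {"timestamp": "2024-05-01T10:10:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "bob", "success": False}},
    {"timestamp": "2024-05-01T10:20:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "bob", "success": False}},
    {"timestamp": "2024-05-01T10:03:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "carol", "success": True}},
    {"timestamp": "2024-05-01T10:04:00Z", "EXTRA": {"schema": "audit_log"},
     "FIELDS": {"object_kind": "dashboard", "operation": "delete", "user": "alice"}},
    {"timestamp": "2024-05-01T10:05:00Z", "EXTRA": {"schema": "other"},
     "FIELDS": {"object_kind": "login", "operation": "login", "user": "alice", "success": False}},
]


def failed_logins_over_threshold(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: time of first alert} for users whose failed logins within
    any sliding window of length `window` reach `threshold`."""
    recent_failures = defaultdict(deque)  # user -> timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("EXTRA", {}).get("schema") != "audit_log":
            continue  # same as the OPAL step: filter schema = "audit_log"
        fields = ev["FIELDS"]
        if fields.get("operation") != "login" or fields.get("success", True):
            continue  # keep only failed login attempts
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        q = recent_failures[fields["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # evict failures that fell out of the window
        if len(q) >= threshold and fields["user"] not in alerts:
            alerts[fields["user"]] = ts
    return alerts
```

Tightening `window` or lowering `threshold` is the equivalent of changing the monitor's time range and count in the Observe UI; bob's three failures spread over twenty minutes only alert once the window covers them.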

Create a scheduled report

You can use Observe dashboard reports to create a scheduled report of the Audit Events dashboard. See Generate dashboard reports.

Download audit events as a CSV file

Observe Audit Trail allows you to download audit events as a CSV or JSON file. These events can then be analyzed locally, uploaded to a different tool for further analytics, or shared with the appropriate team members as part of a security and compliance exercise.

To export audit events as CSV:

  1. Open the usage/Audit_Trail Dataset in a Worksheet.
  2. Filter the worksheet to just the audit events you want.
  3. Click Export, then select CSV or JSON as the format.
  4. Select the number of events to export.