Audit Trail

Overview

Warning

Audit Trail is currently in public preview. To enable Observe Audit Trail, contact Observe Support. Curated Audit Trail dashboards and datasets are bundled with the “Observe Usage reporting” app, version 0.22.0 and later.

As an administrator, you can use Observe Audit Trail to understand who is using Observe within your organization and how they are using it. Observe Audit Trail records Create, Read, Update, and Delete (CRUD) operations for the following object types: Users, Ingest Tokens, Datastreams, Datasets, Dashboards, Worksheets, RBAC rules, Monitors, and Dashboard Reports. For Users, Monitors, and Dashboard Reports it also records enable and disable operations. It also records login and logout events per user, including the login type (SAML or local) and whether the attempt succeeded or failed. You can use these events to answer questions about changes in your Observe tenant, such as:

  • A dashboard or monitor is now broken and needs to be fixed, due to a change in the input dataset. Who modified the input dataset, and when?

  • An alert never went out during my on-call shift, because a monitor was disabled. Who disabled the monitor, and when?

For security teams, audit trail events support compliance checks and provide a record of who did what, and when, to your Observe resources. For example, the audit trail records:

  • When someone changed the access controls on a dataset, for instance granting broader access than intended.

  • User logins, and account or role changes in your organization.

The audit trail can be exported to cloud object storage with the Observe Data Export feature, either because your retention requirements exceed the Observe retention period or so that your SIEM can analyze the events.

Configuration

Observe Usage reporting app

The usage/Audit Events dataset is bundled with the Observe Usage reporting app, which focuses on capturing audit trail data. Because the raw audit events are stored in the System datastream, control who can read the audit trail by applying access controls both to the System datastream (its root dataset) and to the usage/Audit Events dataset; restricting only the curated dataset still leaves the raw events readable to anyone who can open the System datastream. You must be on version 0.22.0 or higher of the Observe Usage reporting app to use this content.

Archiving

Archiving is an optional feature of the Audit Trail. Use it to write audit events to Amazon S3, where your SIEM can read them or where you can keep them for compliance purposes. Note that Data Export is currently in public preview.

Explore audit events

The Observe Usage reporting app bundles the following Audit Trail content.

Audit Events Dashboard: This dashboard provides examples for monitoring authentication events, overall CRUD operations per user, as well as content popularity.

Audit Trail Dashboard

Figure 1 - Audit Trail Dashboard

usage/Audit Events Dataset: This dataset enriches the raw audit data in the system datastream with user information.

Audit Event Dataset

Figure 2 - Audit Events Dataset

If you want to view only the raw events, open the Observe System datastream and run the following OPAL query:

make_col schema:string(EXTRA.schema)
filter schema = "audit_log"
statsby example_events:string_agg_distinct(string(FIELDS),"\n"), group_by(FIELDS.object_kind,FIELDS.operation)

This lists all audit events grouped by object type and operation. The example_events column contains newline-separated samples of the matching audit events.

Create a monitor

Because the underlying raw data is exposed, it is simple to create monitors for specific audit events: for example, a monitor that triggers when a specific user logs in, or one that fires whenever a dashboard is deleted. In the example below, the monitor filters to failed login events, groups them by user, and alerts when the number of failed logins for a user exceeds a count within a given time range.

Audit Event Dataset

Figure 3 - Monitor For Failed Logins

Create a scheduled report

You can use the Observe Dashboard Reports feature to create a scheduled report of the Audit Events Dashboard.

Download Audit Events as CSV

Observe Audit Trail allows you to download audit events to a local CSV or JSON file. These events can then be analyzed locally, uploaded to a different tool for further analysis, or shared with the appropriate team members as part of a security or compliance exercise.

To export audit events as CSV:

  • Open the usage/Audit Events Dataset in a worksheet

  • Filter the worksheet to just the audit events you want

  • Click on Export > CSV or JSON

  • Select the number of events to export

Export Audit Event Dataset From Worksheet

Figure 4 - Export Audit Events To CSV
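The failed-login monitor above and the local analysis of an exported file come down to the same operations: filter the audit events, group by user or object, and apply a threshold or a lookup. The following Python block is an added example (not Observe's own code) that runs those operations over a JSON export of the dataset: it parses the exported rows, detects bursts of failed logins per user within a sliding window, and answers the "who modified this dataset, and when?" question from the Overview. The sample export is constructed; the row shape follows the OPAL query above (EXTRA.schema, FIELDS.object_kind, FIELDS.operation), while the timestamp column and the FIELDS.user, login_type, success and object_name keys are assumed names that you would map to the actual columns of your export.

```python
"""Offline analysis of an exported Observe audit trail.

Added example; this is not Observe's own code. The event shape (EXTRA.schema == "audit_log",
FIELDS.object_kind, FIELDS.operation) follows the OPAL query on this page. The "timestamp"
column and the FIELDS.user, FIELDS.login_type, FIELDS.success and FIELDS.object_name keys
are assumed names: map them to the column names in your own JSON export before use.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a JSON-lines export, one event per line. Not real Observe data.
SAMPLE_EXPORT = """\
{"timestamp":"2024-05-01T10:00:00Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"alice@example.com","login_type":"saml","success":true}}
{"timestamp":"2024-05-01T10:01:00Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"mallory@example.com","login_type":"local","success":false}}
{"timestamp":"2024-05-01T10:01:30Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"mallory@example.com","login_type":"local","success":false}}
{"timestamp":"2024-05-01T10:02:00Z","EXTRA":{"schema":"other"},"FIELDS":{"note":"not an audit event"}}
{"timestamp":"2024-05-01T10:02:15Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"mallory@example.com","login_type":"local","success":false}}
{"timestamp":"2024-05-01T10:03:00Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"bob@example.com","login_type":"saml","success":false}}
{"timestamp":"2024-05-01T10:05:00Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"dataset","operation":"update","user":"carol@example.com","object_name":"usage/Audit Events"}}
{"timestamp":"2024-05-01T10:15:00Z","EXTRA":{"schema":"audit_log"},"FIELDS":{"object_kind":"user","operation":"login","user":"bob@example.com","login_type":"saml","success":false}}
"""


def parse_export(text):
    """Parse JSON-lines export rows into time-sorted audit events, dropping non-audit rows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EXTRA", {}).get("schema") != "audit_log":
            continue  # same filter as the OPAL query: keep only audit_log rows
        f = rec.get("FIELDS", {})
        events.append({
            # replace() keeps the "Z" suffix parseable on Python versions before 3.11
            "ts": datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00")),
            "user": f.get("user"),
            "object_kind": f.get("object_kind"),
            "operation": f.get("operation"),
            "object_name": f.get("object_name"),
            "login_type": f.get("login_type"),
            "success": f.get("success"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events, threshold=3, window_minutes=5):
    """Return {user: time the threshold was first reached} for every user with at least
    `threshold` failed logins inside any sliding window of `window_minutes`. This is the
    logic of the failed-login monitor described above, applied to exported events."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of failed logins still in the window
    alerts = {}
    for e in events:
        if e["object_kind"] != "user" or e["operation"] != "login" or e["success"]:
            continue  # only failed login attempts count
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerts:
            alerts[e["user"]] = e["ts"]
    return alerts


def changes_to(events, object_kind, object_name):
    """Answer "who modified this object, and when?": every non-read operation on the
    named object, as (ISO timestamp, user, operation) tuples in time order."""
    return [
        (e["ts"].isoformat(), e["user"], e["operation"])
        for e in events
        if e["object_kind"] == object_kind
        and e["object_name"] == object_name
        and e["operation"] != "read"
    ]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for user, ts in failed_login_bursts(evs).items():
        print(f"ALERT: {user} reached 3 failed logins at {ts.isoformat()}")
    for ts, user, op in changes_to(evs, "dataset", "usage/Audit Events"):
        print(f"{ts} {user} {op} dataset usage/Audit Events")
```

On the sample data only mallory@example.com trips the default threshold (three failures within 75 seconds); bob@example.com's two failures are twelve minutes apart and only count together if the window is widened. Rows whose EXTRA.schema is not "audit_log" are discarded before any counting, mirroring the filter in the OPAL query, so unrelated System datastream rows cannot inflate the counts.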