Viewing Audit Logs

Audit logs record login activity and the tasks that were completed successfully through the ATP Cloud Web Portal. Each audit log entry describes a user-initiated task: the username, the task name, the task details, and the date and time the task was executed. Administrators can view audit logs for a specific time span, search and filter them, and export them in comma-separated values (CSV) format.

Note:
  • To view audit logs, you must have Audit Log Administrator privileges.

  • The retention period for audit logs is five years.

To view audit logs:

  1. On the ATP Cloud Web Portal UI, select Monitor > Audit.

    The Audit Log page appears displaying the audit logs in tabular format. The fields displayed on the Audit Log page are described in Table 1.

  2. (Optional) Click the Details link for an entry to view its details.

    The Audit Log Detail dialog box opens. It displays additional fields that are not shown on the Audit Log page; these fields are described in Table 2.

    Click OK to close the Audit Log Detail dialog box.

  3. (Optional) Click Export to export the audit logs as a comma-separated values (CSV) file so that you can view and analyze them offline. You can export all audit logs at once or only those for a specific time span.
  4. (Optional) Click Time Span and select a time span to view the audit logs for that period only.
Table 1: Fields on the Audit Log Page

Each field on the Audit Log page is listed below, followed by its description.

Timestamp
    Time of the audit log entry. Timestamps are stored in UTC in the database and displayed in the local time zone of the client computer.
Username
    Username of the user who initiated the task.
Action
    Name of the task that triggered the audit log entry.
Details
    Detailed information about the task performed. Click the Details link to view more details about the task.

Table 2: Fields on the Audit Log Details Page

Each field on the Audit Log Details page is listed below, followed by its description.

Timestamp
    Time of the audit log entry. Timestamps are stored in UTC in the database and displayed in the local time zone of the client computer.
Username
    Username of the user who initiated the task.
Action
    Name of the task that triggered the audit log entry. The fields shown in the Details column depend on the action; see Table 3.

Table 3: Fields Displayed in the Details Column for Each Audit Log Action

Each entry below lists the action that triggered the audit log, followed (indented) by the fields displayed in the Details column. An action with no indented line shows no fields in the Details column.

Create application token
    {'token id': , 'token name': , 'token description': }
Update application token
    {"token id": , "token name": , "token description": }
Delete application token
    {"token id": }
User login
    {"role": , "mfa": , "client ip": , "XFF": }
User logout
    {"role": , "client ip": , "XFF": }
Request enrollment slax script
    {"enrolled from": }
Request disenrollment slax script
    {"enrolled from": }
SRX enrollment complete (or) SRX disenrollment complete
    {'serial number': , 'model': , 'version': , 'host': , 'enrolled from': }
Report Threat Source server
    {"cc server": , "report type": }
Create file inspection profile
    {"profile name": }
Update file inspection profile
    {"profile name":, "profile id": , 'category thresholds': , 'disabled categories': }
Delete file inspection profile
    {"profile name": }
Create enrollment command
Create disenrollment command
Delete devices
    {'devices': }
Delete device telemetry data
    {'devices': }
Delete device
    {"device": }
Enroll device
    {"device": }
Disenroll device
    {"device": }
Attach device to realm
    {"device": , "realm": }
Detach device from realm
    {"device": , "realm": }
Administrator action on IMAP blocked email
    {"action": , "id": }
Administrator action on SMTP quarantined email
    {"action": , "id": }
User action on IMAP blocked email
    {"action": , "id": }
User action on SMTP quarantined email
    {"action": , "id": }
Update SMTP configuration
    {"smtp": {}, ... }
Update IMAP configuration
    {"imap": {}, ... }
Update IMAP configuration
    {"server_list": }
Update IMAP configuration
    {'domain_name': }
Delete IMAP configuration
    {'domain_name': }
Update SMTP quarantine configuration
    {'release_option': , 'release_email': , 'replacement_link_text': , 'replacement_subject': , 'replacement_body': , 'learn_more_url': }
Update IMAP block configuration
    {'notification_link_text': , 'notification_subject': , 'notification_body': , 'learn_more_url': , 'unblock_email': }
Update administrator IMAP block notification
    {'notify_email': , 'notify_block': , 'notify_unblock': }
Delete administrator IMAP block notification
    {'notify_email': , ….}
Update administrator SMTP quarantine notification
    {'notify_email': , 'notify_quarantine': , 'notify_release': }
Delete administrator SMTP quarantine notification
    {'notify_email': , ….}
Report Encrypted Traffic server
    {"eta server": , "report type": }
Add data to Encrypted Traffic allowlist
    [ {"value": , } ...]
Update data of Encrypted Traffic allowlist
    {"existing value": , "new value": }
Delete data from Encrypted Traffic allowlist
    {"deleted value": }
Update infected host threat level threshold
    {"host threshold": }
Update TAXII sharing threshold
    {"taxii threshold": , "taxii sharing": }
Update host event and malware logging
    {"host status": , "malware status": }
Update MIST integration status
    {"mist status": }
Create infected host email configuration
    {"email": , "email threshold":}
Update infected host email configuration
    {"email": , "email threshold": }
Delete infected host email configuration
    {"email": }
Add data to hash
    {'valid hashes': ,'unique hashes': , 'invalid hashes': }
Replace data of hash
    {'valid hashes': ,'unique hashes': , 'invalid hashes': }
Delete data from hash
    {"hashes": }
Delete data from hash
    {'valid_hashes': , 'invalid_hashes': }
Update host investigation status
    {"host ip": , "inv status": , "policy": , "label": }
Log host tracking records
Update SecIntel third party feed configuration
    {"feeds": [{"feed_name": , "feed_in_ha": }, ... ]}
Request password reset
Successful password reset
Update proxies
    {'proxy ips': }
Delete proxies
    {'proxy ips': }
Create security realm
    {"realm": }
Delete security realm event data
    {"realm": }
Add data to C&C Server [allowlist|blocklist]
    [ {'value': ,'user_comments':}, ….]
Delete data from C&C Server [allowlist|blocklist]
    [ {'value': ,'user_comments':}, ….]
Add data to C&C Server [allowlist|blocklist]
    {"file name": , "data": }
Delete data from C&C Server [allowlist|blocklist]
    {"file name": , "data": }
Update data of C&C Server [allowlist|blocklist]
    {"entry id": , "value": }
Delete data from C&C Server [allowlist|blocklist]
    {"entry": , "value": , "last_updated": , "user_comments": , "submitted_by": }
Report file submission
    {"submission id": , "report type": , 'already submitted': }
User manually uploaded file
    {"submission id": , "user comments": , "file name": , "already submitted": , "threat level": }
Create user profile
    {'first_name': , 'last_name': , "username": }
Update user profile
    {'first_name': , 'last_name': , "username": }
Delete user profile
    {"username": }
Change user password
Submit user feedback
    {"feedback_type": }
Add data to [URL| IP] [allowlist|blocklist]
    {"added_values": }
Update data of [allowlist|blocklist]
    {"previous value": , "new value": }
Delete data from [allowlist|blocklist]
    {"deleted value": }
Replace [allowlist|blocklist] data
    {"data": [ {'value': }, …]}
Update [allowlist|blocklist] data
    {operation: } operation can be 'add' or 'remove'
Update [allowlist|blocklist] data
    {operation: , "file name": } operation can be 'add' or 'remove'
User logged in
    {"role": , "mfa": , "client ip": , "XFF": }
SRX initiated enrollment
    {"version": , "model": , "realm": }
SRX initiated disenrollment
    {"version": , "model": , "realm": }
Delete device
    {"devices": }
Update infected host expiration
    data = {"expiry config": , "ips": [ {"value": }, …] }
Update Multifactor Authentication
    {"mfa method": , "mfa period": }
Request Multifactor Authentication Code
    {"mfa_method":}
Verify Multifactor Authentication Code
Request MFA OTP Change
Enforce MFA OTP Change
Request MFA OTP Enrollment
Enforce MFA OTP Enrollment
Delete MFA OTP
Request MFA OTP reset
Enforce MFA OTP reset
Update phone number of a user
    {"phone": }
Verify updated phone number
Add new phone number
    {"phone": }
Verify new phone number
Delete user phone number
Attach realm
    {"realm": ,"associated realm": }
Detach realm
    {"realm": ,"disassociated realm": }
Create report
    { {"reports_api": , …}, "report_id": }
Create report definition
    {"duration": , "recurrence": , "name": , "definition type":}
Update report definition
    {"name": , "type": , "duration": , "recurrence": }
Delete report definition
    {"name": }
Delete report
    {"report id": }
Create adaptive threat profiling feed
    {"feed type": , "ttl": , "infected host feed": , "feed category": , "feed name": }
Delete excluded adaptive threat profiling feed entry
    {"delete entry": }
Add excluded adaptive threat profiling feed entry
    {"feed name": , "added entry": }
Add user excluded adaptive threat profiling feed entry
    {"feed name": , "added entry": }
Update adaptive threat profiling feed
    {"ttl": , "infected host feed": , "feed name": }
Delete adaptive threat profiling feed
    {"feed name": }

Note:
  • If the value of a field is none, that field is not displayed on the Audit Log Details page.
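The CSV export from step 3 is the natural input for detection work, and the Details formats in Table 3 are what a script has to parse. The following Python script is an added example, not code from this page or from Juniper: it reads an export, parses the Details field, and flags logins without MFA and sensitive configuration changes made in such a session. It assumes the export carries the same four columns as Table 1 (Timestamp, Username, Action, Details), that Details holds the dictionary or list shown in Table 3 quoted either JSON-style or Python-style (Table 3 shows both), and the sample rows are constructed, not real data. The list of "sensitive" actions is a practitioner's starting point drawn from Table 3, not a category the page defines.

```python
"""Triage an ATP Cloud audit log CSV export for security-relevant events.

Added example; not code from the page or from Juniper. Assumptions:
  - the export has the four Audit Log page columns: Timestamp, Username,
    Action, Details;
  - the Details column holds the dictionary (or list) shown in Table 3,
    quoted JSON-style or Python-style, as Table 3 itself shows;
  - SAMPLE_CSV below is constructed sample data, not a real export.
"""
import ast
import csv
import io
import json

# Constructed sample export (not real data); all values are invented.
SAMPLE_CSV = """\
Timestamp,Username,Action,Details
2024-05-01T08:00:12Z,alice,User login,"{""role"": ""admin"", ""mfa"": ""true"", ""client ip"": ""203.0.113.10"", ""XFF"": ""none""}"
2024-05-01T08:05:40Z,bob,User login,"{""role"": ""admin"", ""mfa"": ""false"", ""client ip"": ""198.51.100.7"", ""XFF"": ""none""}"
2024-05-01T08:06:01Z,bob,Create application token,"{'token id': 'tok-1234', 'token name': 'automation', 'token description': 'ci pipeline'}"
2024-05-01T08:07:30Z,bob,Delete MFA OTP,
2024-05-01T08:09:00Z,bob,Add data to C&C Server allowlist,"[{'value': '198.51.100.99', 'user_comments': 'temporary'}]"
2024-05-01T09:15:00Z,alice,Update file inspection profile,"{""profile name"": ""default"", ""profile id"": 7, 'category thresholds': {}, 'disabled categories': []}"
"""

# Actions from Table 3 that change who can act or what the platform enforces.
# A practitioner's starting list (an assumption), not a category the page defines.
SENSITIVE_ACTIONS = {
    "Create application token",
    "Update application token",
    "Create user profile",
    "Delete user profile",
    "Update Multifactor Authentication",
    "Delete MFA OTP",
    "Enforce MFA OTP reset",
    "Update proxies",
    "Delete proxies",
    "Delete devices",
    "Disenroll device",
    "Update SecIntel third party feed configuration",
}
# Allowlist/blocklist and hash-list edits alter enforcement; Table 3 names them
# "Add data to ...", "Replace ...", "Delete data from ...", so match by prefix.
SENSITIVE_PREFIXES = ("Add data to", "Replace", "Delete data from")
LOGIN_ACTIONS = ("User login", "User logged in")


def parse_details(raw):
    """Parse a Details cell. Table 3 shows both JSON-style and Python-style
    quoting, so try JSON first, then a Python literal. Never use eval()."""
    raw = (raw or "").strip()
    if not raw:
        return {}
    try:
        return json.loads(raw)
    except ValueError:
        pass
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return {"_unparsed": raw}


def is_sensitive(action):
    return action in SENSITIVE_ACTIONS or action.startswith(SENSITIVE_PREFIXES)


def mfa_used(details):
    """The login entry carries an "mfa" field (Table 3); accept bool or string."""
    if not isinstance(details, dict):
        return False
    return str(details.get("mfa", "")).lower() in ("true", "1", "yes")


def triage(csv_text):
    """Return findings in export order: logins without MFA, and sensitive
    actions (noting when the user's last login in this export lacked MFA)."""
    findings = []
    last_login_mfa = {}  # username -> MFA used on most recent login seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, action = row["Username"], row["Action"]
        details = parse_details(row["Details"])
        client_ip = details.get("client ip") if isinstance(details, dict) else None
        base = {"timestamp": row["Timestamp"], "username": user,
                "action": action, "client_ip": client_ip}
        if action in LOGIN_ACTIONS:
            used = mfa_used(details)
            last_login_mfa[user] = used
            if not used:
                findings.append(dict(base, reason="login without MFA"))
            continue
        if is_sensitive(action):
            reason = "sensitive action"
            if last_login_mfa.get(user) is False:
                reason += " in a session that logged in without MFA"
            findings.append(dict(base, reason=reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['timestamp']} {f['username']:<8} {f['action']:<40} {f['reason']}")
```

To run it against a real export, replace SAMPLE_CSV with the file contents (for example `triage(open("audit.csv", encoding="utf-8").read())`) and adjust the column names if the export labels them differently. Two caveats follow from the page itself: the portal records only tasks that completed successfully, so failed login attempts will not appear in this data; and timestamps are stored in UTC but shown in the client's local time zone, so confirm which zone the export uses before correlating entries with SRX or other device logs.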