Cloud SOAR Audit Logging
The Audit Event Index provides event logs in JSON format on your account activity allowing you to monitor and audit changes. By default, the Audit Event Index is enabled for Cloud SOAR and Enterprise accounts.
Audit logging for the Automation Service uses the same logging as Cloud SOAR, since the Automation Service is based on core functionality in Cloud SOAR. See Automation Service Audit Logging.
Documentation
All available audited events are documented for your reference. This documentation is hosted on each deployment, instead of on this document. Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created. See how to determine which endpoint to use if you are unsure.
Select the documentation link for your deployment:
Search the Audit Event Index
Searching the Audit Event Index is the same as running a normal search against your ingested data.
You specify the _index metadata field with one of these values:
- sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API.
- sumologic_system_events. This index contains system action events, which are events that were triggered by Sumo Logic. For example, this index contains Automation Actions start events, rules triggered, and so on.
Cloud SOAR audited events
This Audit Event Index has detailed JSON logs for the following features.
To search for audit events for a specific feature, use the metadata field _sourceCategory with its corresponding value.
For Cloud SOAR events, every _sourceCategory related to a feature has the prefix oar. So to limit the events returned to Cloud SOAR only, you can use:
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=oar*
To search user action events for Tasks, you would use the query:
_index=sumologic_audit_events _sourceCategory=oarTasks
To search for system action events for Automation Actions, you would use the query:
_index=sumologic_system_events _sourceCategory=oarAutomationActions
The table below shows the _sourceCategory that is assigned to event logs by Cloud SOAR feature.
Product Feature | _sourceCategory Value |
---|---|
App Central Packages | oarAppCentralPackages |
Automation Action | oarAutomationActions |
Automation Daemon/Rules | oarDaemons |
Custom Field | oarCustomFields |
Dashboard | oarDashboards |
Email | oarEmails |
Entity | oarEntities |
Folder | oarFolders |
Group | oarGroups |
Incident | oarIncidents |
Incident Artifact | oarIncidentArtifacts |
Incident Attachment | oarIncidentAttachments |
Incident Investigator | oarIncidentInvestigators |
Incident Note | oarIncidentNotes |
Incident Template | oarIncidentTemplates |
Integration | oarIntegrations |
Integration Resource | oarIntegrationResources |
Notification | oarNotifications |
Playbook Execution | oarPlaybookExecutions |
Playbook Revision | oarPlaybookRevisions |
Report | oarReports |
Setting | oarSettings |
Task | oarTasks |
Triage | oarTriage |
Triage Attachment | oarTriageAttachments |
Widget | oarWidgets |
_sourceName and _sourceHost assignment
The _sourceName and _sourceHost fields are assigned to audit event logs as follows.
Metadata Field | Assignment Description |
---|---|
_sourceName | Value of the common parameter, eventName . |
_sourceHost | The remote IP address of the host that made the request. If not available, the value will be no_sourceHost . |
Common parameters
Each audit event log has common keys that categorize it to a product area and provide details of the event.
Parameter | Description | Data Type |
---|---|---|
accountId | The unique identifier of the organization. | String |
eventId | The unique identifier of the event. | String |
eventName | The name of the event. | String |
eventTime | The event timestamp in ISO 8601 format. | String |
eventFormatVersion | The event log format version. | String |
operator | Information of who did the operation. If it's missing, the Sumo service was the operator. | JSON object of Strings |
subsystem | The product area of the event. | String |
Search the Audit Event Index for Cloud SOAR events
To search the Audit Event Index for logs that describe Cloud SOAR events:
- Open a search tab in the Sumo Logic UI by clicking + New and choosing Log Search.
- In the search tab, enter a search using _index to specify the partition you want to search, and other metadata or fields to further scope your search. For example:
(_index=sumologic_system_events or _index=sumologic_audit_events) _sourceCategory=oar*
| where subsystem contains "Playbook"
- Choose the time range for your search.
- Click Start to run the search.
Example event log
Here is an example PlaybookExecutionStarted event log.
{
"accountId": "0000000000000131",
"eventId": "f002327d-4934-4499-9543-132ec10f3db3",
"subsystem": "oarPlaybookExecutions",
"eventName": "PlaybookExecutionStarted",
"eventTime": "2023-10-05T13:22:59.786+00:00Z",
"eventFormatVersion": "1.0 beta",
"severityLevel": "Info",
"PlaybookExecutionIdentity": {
"playbook_id": "651eb64eab7e66e25c766ad8",
"playbook_name": "Application Latency Playbook",
"running_id": "651eb8b386c1039545766d9c"
},
"PlaybookExecution": {
"playbook_id": "651eb64eab7e66e25c766ad8",
"playbook_name": "Application Latency Playbook",
"type": "Denial of Service",
"running_id": "651eb8b386c1039545766d9c",
"status": "Running",
"start": "2023-10-05T13:22:59.641+00:00Z",
"externalType": "INSIGHT",
"externalId": "INSIGHT-4332"
},
"from": {
"status": "Not executed"
},
"to": {
"status": "Running"
}
}
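The following script is an added example, not Sumo Logic's own code, showing how an analyst could post-process exported audit events offline using the rules this page states: Cloud SOAR events are identified by the oar prefix on the subsystem, a missing operator object means the Sumo service itself was the operator, _sourceHost falls back to no_sourceHost, and the from/to objects carry the status transition. Only the PlaybookExecutionStarted record is the page's sample; the other two records, their eventName values, the eventId values and the operator key "email" are constructed for this example. The page's sample timestamp ends in both "+00:00" and "Z", so the parser tolerates that form rather than assuming strict ISO 8601.

```python
"""Offline triage of Cloud SOAR audit events (added example, not Sumo Logic code)."""
import json
from datetime import datetime

# Record copied from the page's example event log.
PAGE_SAMPLE = {
    "accountId": "0000000000000131",
    "eventId": "f002327d-4934-4499-9543-132ec10f3db3",
    "subsystem": "oarPlaybookExecutions",
    "eventName": "PlaybookExecutionStarted",
    "eventTime": "2023-10-05T13:22:59.786+00:00Z",
    "eventFormatVersion": "1.0 beta",
    "severityLevel": "Info",
    "PlaybookExecutionIdentity": {
        "playbook_id": "651eb64eab7e66e25c766ad8",
        "playbook_name": "Application Latency Playbook",
        "running_id": "651eb8b386c1039545766d9c",
    },
    "PlaybookExecution": {
        "playbook_id": "651eb64eab7e66e25c766ad8",
        "playbook_name": "Application Latency Playbook",
        "type": "Denial of Service",
        "running_id": "651eb8b386c1039545766d9c",
        "status": "Running",
        "start": "2023-10-05T13:22:59.641+00:00Z",
        "externalType": "INSIGHT",
        "externalId": "INSIGHT-4332",
    },
    "from": {"status": "Not executed"},
    "to": {"status": "Running"},
}

# Constructed records: event names, ids and the "email" operator key are assumptions.
CONSTRUCTED_USER_EVENT = {
    "accountId": "0000000000000131",
    "eventId": "CONSTRUCTED-0002",
    "subsystem": "oarSettings",
    "eventName": "ConstructedSettingChanged",  # hypothetical event name
    "eventTime": "2023-10-05T13:30:00.000Z",
    "eventFormatVersion": "1.0 beta",
    "operator": {"email": "analyst@example.com"},  # key name assumed
    "_sourceHost": "198.51.100.7",
}
CONSTRUCTED_NON_SOAR_EVENT = {
    "accountId": "0000000000000131",
    "eventId": "CONSTRUCTED-0003",
    "subsystem": "dashboards",  # no "oar" prefix: not a Cloud SOAR event
    "eventName": "ConstructedDashboardEvent",  # hypothetical event name
    "eventTime": "2023-10-05T13:31:00Z",
    "eventFormatVersion": "1.0 beta",
    "operator": {"email": "analyst@example.com"},
}

# One JSON record per line, the shape a log export would give.
SAMPLE_LINES = [json.dumps(e) for e in
                (PAGE_SAMPLE, CONSTRUCTED_USER_EVENT, CONSTRUCTED_NON_SOAR_EVENT)]

# Common parameters listed on the page; "operator" may legitimately be absent.
REQUIRED_COMMON_KEYS = ("accountId", "eventId", "eventName", "eventTime",
                        "eventFormatVersion", "subsystem")


def parse_event_time(value):
    """Parse eventTime, tolerating a trailing 'Z' after an explicit offset."""
    if value.endswith("Z"):
        value = value[:-1]
        if not ("+" in value[10:] or "-" in value[10:]):  # no offset after the date part
            value += "+00:00"
    return datetime.fromisoformat(value)


def missing_common_keys(event):
    """Common parameters from the page's table that this record lacks."""
    return [k for k in REQUIRED_COMMON_KEYS if k not in event]


def is_cloud_soar(event):
    """Cloud SOAR subsystems (and _sourceCategory values) carry the 'oar' prefix."""
    return str(event.get("subsystem", "")).startswith("oar")


def actor(event):
    """Who acted: the operator object's contents, or the Sumo service if absent."""
    op = event.get("operator")
    if not op:
        return "Sumo service"
    return ", ".join(f"{k}={v}" for k, v in sorted(op.items()))


def source_host(event):
    """_sourceHost is the requester's remote IP, or 'no_sourceHost' when unknown."""
    return event.get("_sourceHost") or "no_sourceHost"


def status_transition(event):
    """(from.status, to.status) when both are present, else None."""
    src, dst = event.get("from", {}), event.get("to", {})
    if "status" in src and "status" in dst:
        return (src["status"], dst["status"])
    return None


def triage(lines):
    """Summarise well-formed Cloud SOAR events from JSON lines; skip the rest."""
    rows = []
    for line in lines:
        event = json.loads(line)
        if missing_common_keys(event) or not is_cloud_soar(event):
            continue
        rows.append({
            "eventName": event["eventName"],
            "subsystem": event["subsystem"],
            "eventTime": parse_event_time(event["eventTime"]),
            "actor": actor(event),
            "host": source_host(event),
            "transition": status_transition(event),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

Running the script prints two rows: the page's playbook execution (actor "Sumo service", host "no_sourceHost", transition from "Not executed" to "Running") and the constructed settings event; the record whose subsystem lacks the oar prefix is skipped, mirroring the _sourceCategory=oar* filter used in the searches above.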
Index retention period
By default, the retention period of the Audit Event Index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Create and Edit a Partition.