The Audit Event Index provides event logs in JSON format about your account activity so that you can monitor and audit changes. By default, the Audit Event Index is enabled for Cloud SIEM and Enterprise accounts.
This page describes functionality that is available to users whose Cloud SIEM URL ends in
Where to find the documentation
The audit logging documentation is hosted on each Sumo Logic deployment. Sumo Logic has several deployments, assigned depending on the geographic location and the date an account is created. If you're not sure what your deployment is, see how to determine which endpoint to use.
Select the documentation link for your deployment:
Scoping your Audit Index search
This section explains how to scope a search of the Audit Event Index to return Cloud SIEM events.
Limit search to user or system events
Cloud SIEM audit events are stored in two partitions:
- sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API. For example, a user created an Insight from a Signal using the Cloud SIEM UI.
- sumologic_system_events. This index contains system action events, which are events that were triggered by the system. For example, an Insight was generated by Cloud SIEM.
Use the _index metadata field to limit the search to one partition:
- _index=sumologic_audit_events to limit results to events related to user actions.
- _index=sumologic_system_events to limit results to events related to system actions.
Limit search to Cloud SIEM events
You can use the subsystem field, which every event log contains, to limit the events returned to Cloud SIEM-related events:
For information about other fields you can use in Audit Index searches, see the auto-generated documentation at the documentation URL for your deployment.
Limit search by Cloud SIEM feature
The table below shows the _sourceCategory that is assigned to event logs by Cloud SIEM feature.
|Product Feature|_sourceCategory Value|
|---|---|
|Configure Assigned Insight Emails (Relates to the option, on the Actions page, that causes a user to receive an email whenever another user assigns an Insight to them.)| |
|Cloud SOAR Incident| |
|Custom Entity Type| |
|Custom Match List Column| |
|Custom Tag Schema| |
|Customer Sourced Entity Lookup Table| |
|Entity Criticality Config| |
|Entity Domain Configuration| |
|Inventory Entity Lookup Table| |
|Streaming Export Configuration| |
|Templated Match Rule| |
|Threat Intel Sources (Applies to all source types on the Threat Intel page.)| |
|Virus Total Configuration| |
_sourceName and _sourceHost assignment
The _sourceName and _sourceHost fields are assigned to audit event logs as follows.
|Metadata Field|Assignment Description|
|---|---|
| |Value of the common parameter, |
| |The remote IP address of the host that made the request. If not available the value will be |
Each audit event log has common keys that categorize it to a product area and provide details of the event.
|Key|Description|Type|
|---|---|---|
| |The unique identifier of the organization.|String|
| |The unique identifier of the event.|String|
| |The name of the event.|String|
| |The event timestamp in ISO 8601 format.|String|
| |The event log format version.|String|
| |Information about who performed the operation. If it's missing, the Sumo service was the operator.|JSON object of Strings|
| |The product area of the event.|String|
Search the Audit Event Index
To search the Audit Event Index for logs that describe Cloud SIEM events:
- Open a search tab in the Sumo Logic UI by clicking + New and choosing Log Search.
- In the search tab, enter a search using _index to specify the partition you want to search, and other metadata or fields to further scope your search. For example:
  ```
  | json auto
  | where subsystem="cse"
  ```
- Choose the time range for your search.
- Click Start to run the search.
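The same scoping rules (partition via _index, Cloud SIEM events via subsystem="cse", feature via _sourceCategory, request origin via _sourceHost, and a missing operator meaning the Sumo service acted) applied offline to an exported result set, as an added example that is not part of this documentation; the _sourceCategory values and the "operator" and "eventName" key names are assumptions, since the page does not list them.

```python
import json
from collections import defaultdict

# Constructed sample of audit events as they might come back after "json auto"
# (not real Sumo Logic data). _index, subsystem, _sourceCategory and _sourceHost
# are the metadata fields named on this page; the _sourceCategory values and the
# "operator" / "eventName" keys are assumed names for illustration only.
SAMPLE_EXPORT = """
{"_index":"sumologic_audit_events","subsystem":"cse","_sourceCategory":"cse/streaming_export","_sourceHost":"203.0.113.7","eventName":"StreamingExportUpdated","operator":{"email":"alice@example.com"}}
{"_index":"sumologic_audit_events","subsystem":"cse","_sourceCategory":"cse/threat_intel","_sourceHost":"203.0.113.7","eventName":"ThreatIntelSourceDeleted","operator":{"email":"alice@example.com"}}
{"_index":"sumologic_audit_events","subsystem":"cse","_sourceCategory":"cse/threat_intel","_sourceHost":"198.51.100.9","eventName":"ThreatIntelSourceCreated","operator":{"email":"bob@example.com"}}
{"_index":"sumologic_system_events","subsystem":"cse","_sourceCategory":"cse/insight","eventName":"InsightCreated"}
{"_index":"sumologic_audit_events","subsystem":"search","_sourceCategory":"search/scheduled","_sourceHost":"203.0.113.7","eventName":"ScheduledSearchCreated","operator":{"email":"alice@example.com"}}
"""


def parse_export(text):
    """One JSON event per line, as raw messages are shown in the search results."""
    return [json.loads(line) for line in text.strip().splitlines()]


def scope(events, partition=None):
    """Keep Cloud SIEM events (subsystem="cse"), optionally from one _index only."""
    return [e for e in events
            if e.get("subsystem") == "cse"
            and (partition is None or e.get("_index") == partition)]


def by_feature(events):
    """Count events per Cloud SIEM feature (_sourceCategory) and collect the
    distinct requesting hosts (_sourceHost), so changes from an unexpected
    origin stand out during review."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set()})
    for e in events:
        entry = summary[e.get("_sourceCategory", "<none>")]
        entry["count"] += 1
        if "_sourceHost" in e:
            entry["hosts"].add(e["_sourceHost"])
    return dict(summary)


def describe_operator(event):
    """A missing operator object means the Sumo service itself was the operator."""
    operator = event.get("operator")
    return "sumo-service" if operator is None else operator.get("email", "<unknown>")
```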
Example event log
Here is an example InsightCreated event log.
Index retention period
By default, the retention period of the Audit Event Index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Create and Edit a Partition.