
Sumo Logic Enterprise Audit apps


The Sumo Logic Enterprise Audit apps are JSON-based to provide for more meaningful audit messages. The apps generate queries that are compatible with the new Sumo Logic Audit Event Index. The Enterprise Audit apps do not support the previous version of the audit index. For information on available datasets and related source categories, see Audit Event Index.

Prerequisites

The Audit Event Index is only available for Trial and Enterprise accounts.

Account Type | Account Level
Cloud Flex   | Trial, Enterprise
Credits      | Trial, Enterprise Operations, Enterprise Suite, Enterprise Security

Enterprise Audit Apps

Enterprise Audit Apps use predefined searches and dashboards that provide visibility into your environment. The Enterprise Audit Apps described below present information on account management activities, user activities, and management of library content (searches, dashboards/reports, and folders) for your Sumo Logic account.

Audit data is not backfilled to any time before Enterprise Audit was installed. The Audit Event Index is enabled by default.

Installing Enterprise Audit apps

To install the app:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
  4. Click Next.
  5. Look for the dialog confirming that your app was installed successfully.

Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.

Viewing Enterprise Audit App Dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Enterprise Audit - Collector and Data Forwarding Management app


The Enterprise Audit - Collector and Data Forwarding Management App dashboards present information on collector and source activities, and on data forwarding trends by destination type. This app has the following two dashboard categories:

  • Collector Management
  • Data Forwarding Management

Collector Management Overview

The Enterprise Audit - Collector Management Overview dashboard provides a high-level view of trends related to collector and source activities, collector upgrade requests, upgrade successes and failures, the number of ephemeral collectors created and deleted, and the number of clobber collectors that were deleted.

Use this dashboard to:

  • Review collector types, both hosted and installable.
  • Review distributions by the interface from which operations are performed, whether collector, UI, or API.
  • Review 7-Day trends for various collector and collector source activities.
  • Get the number of ephemeral collectors that were created and deleted, as well as the number of requested collector upgrades and clobber collectors that were deleted.
  • Navigate to a dashboard and view more detailed information by clicking a panel.

Collector Activities

The Enterprise Audit - Collector Activities dashboard provides detailed information on collector activities, such as top users by activity and a one-day time comparison. You can also review data on recent collector activities and upgrades, and use pre-populated filters for a granular view of selected data.

Use this dashboard to:

  • Review the geographic locations where activities are performed.
  • Review the activities of top users and a one-day time comparison.
  • Analyze data for recent activities, collector upgrades, deleted clobber collectors, and all collector activities.

Collector Sources Activities

The Enterprise Audit - Collector Sources Activities dashboard provides detailed information on created, updated and deleted sources, the top collectors where sources were added, active users, and one-day time comparisons. You can use pre-populated filters for a more granular view of selected data.

Use this dashboard to:

  • Review the geographic location where activities were performed.
  • Review one-day time shift comparisons, active users, source type distribution, and the top collectors where sources were added.
  • Analyze data for sources recently added to a collector using local configuration management, and sources activities for all collectors.

Data Forwarding Management Overview

The Enterprise Audit - Data Forwarding Management Overview dashboard provides an at-a-glance view of trends for destination types and the distribution of destination types, such as Amazon S3, Hitachi, Syslog, and Generic REST. Visual representations of the distribution of data forwarding destinations and data forwarding indexes are also shown.

Use this dashboard to:

  • Assess destination type trends.
  • Track data forwarding destination and data forwarding index activities.
  • Get a high-level view of active and inactive Amazon S3 indexes and encrypted Amazon S3 indexes.
  • Get an overview of the distribution of data source types and format type for data forwarding.

Data Forwarding Destination Activities

The Enterprise Audit - Data Forwarding Destination Activities dashboard provides detailed information on data forwarding destination activities. You can review trends for activities, their geographical locations, one-day time shift comparisons, user activity, and recent destination activities. For a more granular view of the data, you can use the pre-populated filters.

Use this dashboard to:

  • Review data forwarding destination trends and the geographic locations from where the activities were performed.
  • Get an at-a-glance overview of user activity and one-day time shift comparisons.
  • Review data for all recent destination activities.

Data Forwarding Index Activities

The Enterprise Audit - Data Forwarding Index Activities dashboard provides detailed information about data forwarding indexes that were created using partitions and scheduled views. You can review trends, geographical locations for data forwarding index activities, one-day time shift comparisons, user activities, as well as data on disabled indexes and recent index activities. For a more granular analysis of the data, you can use the pre-populated filters.

Use this dashboard to:

  • Review trends for data forwarding index activities and the geographic locations where the activities were performed.
  • Get an at-a-glance view of user activity, one-day time shift comparisons, and the number of data forwarding indexes that have been disabled.
  • Review data on all recent activities.

Enterprise Audit - Content Management App


The Enterprise Audit - Content Management App dashboards provide information on content activities, such as content that is created, updated, deleted, imported, exported, copied, moved, publicly accessed, or made publicly visible, and applications that are installed.

Content Management Overview

The Enterprise Audit - Content Management Overview dashboard provides a high-level view of system activities with data on content activities over time, top applications, top content, publicly accessed content, and exported content. You can also view data on user activity and the top content on which permissions are added and deleted.

Use this dashboard to:

  • Review 7-Day trends for all content activities.
  • Review the top content that is exported, updated, and is visible and accessed publicly.
  • Review data for installed applications.
  • Review the data for top users and those who are admins.
  • Review data for recent content on which permission is added and removed.

Created, Deleted, Exported, Imported Content

The Enterprise Audit - Created, Deleted, Exported, Imported Content dashboard provides detailed information on content that is created, deleted, exported, and imported. The dashboard is organized according to activities performed by users in User Mode and Content Administrator Mode. You can view more granular data using pre-populated filters for Event Type, Content Type and Admin Mode.

Use the dashboard to:

  • View data on the activities of regular users and admin users side by side.
  • View the geographic locations for all the activities.
  • Review data on top users and content types.
  • Review data on recent activities and 7-Day trends.
  • Filter for more granular data on users, IPs, content type, and name.

Updated, Moved, Copied Content

The Enterprise Audit - Updated, Moved, Copied Content dashboard provides detailed information about content that is updated, moved, and copied. The dashboard is organized according to activities performed by users in User Mode and Content Administrator Mode. You can view more granular data using pre-populated filters for Event Type, Content Type, and Admin Mode.

Use the dashboard to:

  • Quickly view activities in User Mode and Admin Mode side by side.
  • View the geographic locations for all activities.
  • Review the top users and top content types.
  • Review 7-Day trends for all activities.
  • Review recent activities, which can be filtered by user, user IP, and content name.

Permission Updated, Synchronized Content

The Enterprise Audit - Permission Updated, Synchronized Content dashboard provides detailed information on content permissions that have been added or deleted, as well as content that has been synchronized. The dashboard is organized according to Content Synchronization and Content Permissions.

Use this dashboard to:

  • Get an at-a-glance view of Top Content and Top Users based on activities, such as updated permissions and synchronized content.
  • Review the 7-Day trend for added and deleted permissions, and synchronized content.
  • Analyze recent activities for synchronized content and updated permissions.

Publicly Accessed, Application Installed

The Enterprise Audit - Publicly Accessed, Application Installed dashboard provides detailed information on installed applications and on shared and publicly accessed content. The dashboard is organized according to installed applications and publicly accessed content. For a more granular view of the data, you can filter on Event Type, Content Type, Admin Mode, and Visibility using the pre-populated filters.

Use this dashboard to:

  • Get an at-a-glance view of the geographical locations of installed applications, as well as where content was accessed publicly.
  • Analyze data on content that’s recently been accessed publicly and content with visibility changes.
  • Review the trend of events for all activities.
  • Analyze one-day time shift comparisons.

Field Extraction Rule Activities

The Enterprise Audit - Field Extraction Rule Activities dashboard provides detailed information on the geographic location, active users, recent activities, trends, and one-day time shift comparisons for Field Extraction Rules. You can analyze more granular data using the pre-populated filters.

Use this dashboard to:

  • Review data on user field extraction rule activity.
  • Analyze one-day time shift comparisons.
  • Get an at-a-glance view of the geographical locations of field extraction rule events.
  • Review field extraction rule trends.
  • Analyze data on recent field extraction rule events.

Enterprise Audit - User and Role Management App


The Enterprise Audit - User and Role Management App dashboards provide visibility into user activities, such as creating, deleting, and modifying user roles, and email account and password changes. You can also review various user session data.

User & Role Management Overview

The User & Role Management Overview dashboard provides an at-a-glance view of user activities and sessions, email account requests, and trends over time. You can also review user role data, such as user activities by role.

Use this dashboard to:

  • Get an at-a-glance view of user activities, and activities over time.
  • Monitor user sessions and role activities.
  • Review top users by activity and top users across all activities.
  • Click a panel to view more granular data.

User Activities

The Enterprise Audit - User Activities dashboard provides detailed information about user activities, including top admins, one-day time comparisons, and recent events. For a granular view of the data, you can filter by event name and user active status using the pre-populated filters.

Use this dashboard to:

  • Review activity trends and the geographic locations where activities are performed.
  • Review user activities, such as top admins, recent activities performed by admins, and one-day time comparisons.

Role Activities

The Enterprise Audit - Role Activities dashboard provides detailed information on activities by user role, such as top capabilities, admin role activities, and recent events. For a granular view of the data, you can filter by event name and system using the pre-populated filters.

Use this dashboard to:

  • Review activity trends and the geographic locations where activities are performed.
  • Get an overview of the top capabilities added to roles, top admins performing activities, system defined roles, user defined roles, and recent role activities performed by admins.

User Session Activities

The Enterprise Audit - User Session Activities dashboard provides detailed information on user session activities, such as locked and unlocked account activities, top admins, currently logged in and logged out users, and timed out users. For a more granular view of the data, you can filter by event name using the pre-populated filters.

Use this dashboard to:

  • Review the number of logged in users, logged out users, locked out users, timed out users, and the geographic location where the activities were performed.
  • Get an overview of the authentication source for login comparison, one-day time shift comparisons, recent activities, and all activities.

User (Email, Password) Activities

The User (Email, Password) Activities dashboard provides detailed information on user password and email activities, such as password changes, password resets by admins, and user email change requests and changes. For a more granular view of the data, you can filter by event name using the pre-populated filters.

Use this dashboard to:

  • Review trends for password and email changes, as well as the top admins performing password resets.
  • Get an overview of the recent password resets and email changes, and the geographic locations where all email and password activities were performed.

User Role Relationship Activities

The Enterprise Audit - User Role Relationship Activities dashboard provides detailed information on activities that modify the relationship between users and roles. You can review the top users that were added to and removed from roles, the top roles to which users were added and from which they were removed, and the top admins.

Use this dashboard to:

  • Review the top users added to and removed from roles, and top roles added to and removed from users.
  • Get a high-level view of the active admins, recent role and user modifications, as well as the geographic locations where all user role relationship activities were performed.

Enterprise Audit - Security Management App


The Enterprise Audit - Security Management App dashboards provide visibility into security posture, such as Access Key Activities, SAML Activities, Password Policy, Multi-Factor Authentication (MFA), and Service AllowList activities within your Sumo Logic environment.

Security Management Overview

The Enterprise Audit - Security Management Overview dashboard provides an at-a-glance view of security activities over time, user activity, the number of users who have enabled and disabled MFA, and the geographic locations of security activities.

Use this dashboard to:

  • Review the distribution of access keys, SAML configuration and allow list user activities.
  • Get an overview of the geographic locations for all security activities.
  • Review security activity trends and a breakdown of active users by events.
  • See a tabulation of the number of users who enabled and disabled multi-factor authentication (MFA).
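The roll-ups the Security Management Overview panels present (latest MFA state per user, active users broken down by event, and a one-day comparison) can be reproduced outside the dashboard, which is a useful cross-check when the panels look wrong. The following Python script is an added example, not Sumo Logic's code and not part of this page. It reads constructed line-delimited JSON audit events; the field names (eventTime, eventName, userName, sourceCategory) and the event names are assumptions made for this example, not the Audit Event Index schema. It skips malformed lines instead of aborting, and resolves MFA enable/disable flip-flops by keeping only each user's latest state.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines standing in for JSON audit messages. These are NOT
# real Sumo Logic audit events: the field names and event names are assumptions
# for this example only.
SAMPLE_LINES = [
    '{"eventTime":"2024-04-30T20:00:00Z","sourceCategory":"securityManagement","eventName":"MfaEnabled","userName":"alice@example.com"}',
    '{"eventTime":"2024-05-01T09:00:00Z","sourceCategory":"securityManagement","eventName":"MfaEnabled","userName":"bob@example.com"}',
    '{"eventTime":"2024-05-01T15:00:00Z","sourceCategory":"securityManagement","eventName":"MfaDisabled","userName":"bob@example.com"}',
    '{"eventTime":"2024-05-01T16:00:00Z","sourceCategory":"securityManagement","eventName":"AccessKeyCreated","userName":"carol@example.com"}',
    'this line is not JSON and must be skipped rather than crash the report',
    '{"eventTime":"2024-05-02T08:00:00Z","sourceCategory":"securityManagement","eventName":"AccessKeyCreated","userName":"alice@example.com"}',
    '{"eventTime":"2024-05-02T09:00:00Z","sourceCategory":"securityManagement","eventName":"ServiceAllowlistUpdated","userName":"alice@example.com"}',
]

REQUIRED_FIELDS = ("eventTime", "eventName", "userName")


def _parse_ts(iso_text):
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def parse_events(lines):
    """Decode one JSON event per line; drop malformed or incomplete lines."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not take down the whole report
        if not all(field in event for field in REQUIRED_FIELDS):
            continue
        event["ts"] = _parse_ts(event["eventTime"])
        events.append(event)
    return events


def mfa_state_counts(events):
    """Count users by their latest MFA state, so a user who enabled and then
    disabled MFA is counted once, as disabled."""
    latest = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["eventName"] == "MfaEnabled":
            latest[event["userName"]] = "enabled"
        elif event["eventName"] == "MfaDisabled":
            latest[event["userName"]] = "disabled"
    return dict(Counter(latest.values()))


def active_users_by_event(events):
    """Number of distinct users per event name (active users by events)."""
    users = {}
    for event in events:
        users.setdefault(event["eventName"], set()).add(event["userName"])
    return {name: len(names) for name, names in users.items()}


def one_day_comparison(events, now_iso):
    """Event count in the 24h before now_iso versus the 24h before that."""
    now = _parse_ts(now_iso)
    day = timedelta(days=1)
    current = sum(1 for e in events if now - day <= e["ts"] < now)
    prior = sum(1 for e in events if now - 2 * day <= e["ts"] < now - day)
    return {"current_24h": current, "prior_24h": prior}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print("MFA state:", mfa_state_counts(evs))
    print("Active users by event:", active_users_by_event(evs))
    print("One-day comparison:", one_day_comparison(evs, "2024-05-02T12:00:00Z"))
```

On the constructed input the script reports one user with MFA enabled and one with it disabled (bob's later disable overrides his earlier enable), two distinct users creating access keys, and four events in the latest day against two in the day before.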

Password Policy, MFA, Service AllowList Activities

The Enterprise Audit - Password Policy, MFA, Service AllowList Activities dashboard provides detailed information about password policy creation, deletion, and updates. It also provides a high-level view of users who enable and disable multi-factor authentication (MFA), service allowlist updates, and user and admin activities.

Use this dashboard to:

  • Get an overview of the geographic locations of all security related activities, as well as geographic locations for all allowlist users.
  • Review recent activities related to password policy updates, allowlist permission activities, allowlist user activities, and admin activities.
  • Review the lists of recent users who enabled and disabled MFA.

Access Key Activities

The Enterprise Audit - Access Key Activities dashboard provides detailed information about access key activities, such as creation, deletion, and updates. You can also review trends, user activity, the number of active access keys, and one-day time comparisons. For more granular data, such as type of event or access key status, you can use the predefined filters.

Use this dashboard to:

  • Review access key trends and the geographic locations where the activities were performed.
  • Get an overview of user activity, active and inactive access keys, and one-day time comparisons.

SAML Activities

The Enterprise Audit - SAML Activities dashboard provides detailed information about SAML activities, such as SAML lockdown and SAML configuration. You can also review AllowList user activities such as creating, deleting, and updating allowlists. You can view more granular data for an activity using the predefined filters.

Use this dashboard to:

  • Review SAML lockdown trends, and AllowList user and SAML configuration activities.
  • Get an overview of the geographic locations from where SAML activities are performed.
  • Review admin activities and one-day time shift comparisons.

Upgrade/Downgrade the Enterprise Audit apps (Optional)

To update the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can identify apps that can be upgraded in the Upgrade available section.
  3. To upgrade the app, select Upgrade from the Manage dropdown.
    1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
    2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
        • Key. Select either of these options for the data source.
          • Choose Source Category and select a source category from the list for Default Value.
          • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

Note: See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the Enterprise Audit apps (Optional)

To uninstall the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, run a search for your desired app, then select it.
  3. Click Uninstall.

Copyright © 2024 by Sumo Logic, Inc.