Audit Logging for the Automation Service and Cloud SOAR

The Audit Event Index and System Event Index provide JSON-formatted event logs of your account activity, allowing you to monitor and audit changes. By default, both indexes are enabled for the Automation Service and Cloud SOAR.

Note: Audit logging for the Automation Service uses the same logging as Cloud SOAR, since the Automation Service is based on core functionality in Cloud SOAR. For more information about the shared functionality, see Cloud SOAR Compared to the Automation Service.

Where to find documentation

For documentation of the audit log definitions, see Automation Service and Cloud SOAR audit log definitions.

Search for events

Searching the Audit Event Index and System Event Index is the same as running a normal search against your ingested data. You specify the _index metadata field with one of these values:

  • sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API.
  • sumologic_system_events. This index contains system action events, which are events that were triggered by Sumo Logic. For example, this index contains Automation Actions start events, rules triggered, and so on.

To search for events:

  1. Classic UI. Go to the Home screen and select Log Search.
    New UI. In the main Sumo Logic menu, select Logs > Log Search. You can also click the Go To... menu at the top of the screen and select Log Search.
  2. In the search tab, enter a search using _index to specify the partition you want to search, and other metadata or fields to further scope your search. For example:
    (_index=sumologic_audit_events or _index=sumologic_system_events) _sourceCategory=oar*
    | where subsystem contains "Playbook"
  3. Choose the time range for your search.
  4. Click Start to run the search.

Audit Event Index events

The Audit Event Index has detailed JSON logs for the following Automation Service and Cloud SIEM features.

Info: For Audit Event Index documentation, see Automation Service and Cloud SOAR audit log definitions.

To search for Audit Event Index events for a specific feature, use _index=sumologic_audit_events and enter the _sourceCategory for that feature. For example:

_index=sumologic_audit_events _sourceCategory=oarPlaybookExecutions

Audit events for the Automation Service and Cloud SOAR

The table below shows the _sourceCategory that is assigned to Audit Event Index events for features that are in both the Automation Service and Cloud SOAR.

| Product Feature | _sourceCategory Value |
| --- | --- |
| App Central packages | oarAppCentralPackages |
| Automation action | oarAutomationActions |
| Automation action configuration | oarAutomationActionConfigurations |
| Integration | oarIntegrations |
| Integration resource | oarIntegrationResources |
| Playbook execution | oarPlaybookExecutions |
| Playbook revision | oarPlaybookRevisions |

Audit events for Cloud SOAR only

The table below shows the _sourceCategory that is assigned to Audit Event Index events for features that are only in Cloud SOAR.

| Product Feature | _sourceCategory Value |
| --- | --- |
| Custom Field | oarCustomFields |
| Daemon | oarDaemons |
| Dashboard | oarDashboards |
| Email | oarEmails |
| Entity | oarEntities |
| Folder | oarFolders |
| Group | oarGroups |
| Incident | oarIncidents |
| Incident Artifact | oarIncidentArtifacts |
| Incident Attachment | oarIncidentAttachments |
| Incident Investigator | oarIncidentInvestigators |
| Incident Note | oarIncidentNotes |
| Incident Template | oarIncidentTemplates |
| Notification | oarNotifications |
| Report | oarReports |
| Setting | oarSettings |
| Task | oarTasks |
| Triage | oarTriage |
| Triage Attachment | oarTriageAttachments |
| Triggers | oarTriggers |
| Widget | oarWidgets |

System Event Index events

The System Event Index has detailed JSON logs for the following Automation Service and Cloud SIEM features.

Info: For System Event Index documentation, see Automation Service and Cloud SOAR audit log definitions. When you access the Cloud SOAR Audit Log Definition page, in the left margin scroll down to the SUMOLOGIC_SYSTEM_EVENTS section.

To search for System Event Index events for a specific feature, use _index=sumologic_system_events and enter the _sourceCategory for that feature. For example:

_index=sumologic_system_events _sourceCategory=oarAutomationActions

System events for the Automation Service and Cloud SOAR

The table below shows the _sourceCategory that is assigned to System Event Index events for features that are in both the Automation Service and Cloud SOAR.

| Product Feature | _sourceCategory Value |
| --- | --- |
| Automation action | oarAutomationActions |
| Playbook execution | oarPlaybookExecutions |

System events for Cloud SOAR only

The table below shows the _sourceCategory that is assigned to System Event Index events for features that are only in Cloud SOAR.

| Product Feature | _sourceCategory Value |
| --- | --- |
| Entity | oarEntities |
| Investigators | oarIncidentInvestigators |
| Incident | oarIncidents |
| Triage | oarTriage |

_sourceName and _sourceHost assignment

The _sourceName and _sourceHost fields are assigned to audit event logs as follows.

| Metadata Field | Assignment Description |
| --- | --- |
| _sourceName | Value of the common parameter, eventName. |
| _sourceHost | The remote IP address of the host that made the request. If not available, the value will be no_sourceHost. |

Common parameters

Each audit event log has common keys that assign it to a product area and provide details of the event.

| Parameter | Description | Data Type |
| --- | --- | --- |
| accountId | The unique identifier of the organization. | String |
| eventId | The unique identifier of the event. | String |
| eventName | The name of the event. | String |
| eventTime | The event timestamp in ISO 8601 format. | String |
| eventFormatVersion | The event log format version. | String |
| operator | Information about who performed the operation. If it's missing, the Sumo service was the operator. | JSON object of Strings |
| subsystem | The product area of the event. | String |

Example event log

Here is an example PlaybookExecutionStarted event log.

{
  "accountId": "0000000000000131",
  "eventId": "f002327d-4934-4499-9543-132ec10f3db3",
  "subsystem": "oarPlaybookExecutions",
  "eventName": "PlaybookExecutionStarted",
  "eventTime": "2023-10-05T13:22:59.786+00:00Z",
  "eventFormatVersion": "1.0 beta",
  "severityLevel": "Info",
  "PlaybookExecutionIdentity": {
    "playbook_id": "651eb64eab7e66e25c766ad8",
    "playbook_name": "Application Latency Playbook",
    "running_id": "651eb8b386c1039545766d9c"
  },
  "PlaybookExecution": {
    "playbook_id": "651eb64eab7e66e25c766ad8",
    "playbook_name": "Application Latency Playbook",
    "type": "Denial of Service",
    "running_id": "651eb8b386c1039545766d9c",
    "status": "Running",
    "start": "2023-10-05T13:22:59.641+00:00Z",
    "externalType": "INSIGHT",
    "externalId": "INSIGHT-4332"
  },
  "from": {
    "status": "Not executed"
  },
  "to": {
    "status": "Running"
  }
}
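
The following Python example is added here and is not part of the Sumo Logic documentation. It reads exported event JSON, checks the common parameters listed above, applies the rule that a missing operator means the Sumo service acted, and handles the `+00:00Z` timestamp form seen in the example log. The second sample event, including the key inside its operator object, is constructed for illustration.

```python
import json
import re
from datetime import datetime

# Common keys from the "Common parameters" table; operator may be absent.
REQUIRED_KEYS = ("accountId", "eventId", "eventName", "eventTime",
                 "eventFormatVersion", "subsystem")

def parse_event_time(value):
    """Parse eventTime, tolerating a trailing 'Z' after an explicit offset."""
    if value.endswith("Z"):
        value = value[:-1]
        if not re.search(r"[+-]\d{2}:\d{2}$", value):
            value += "+00:00"  # a bare 'Z' means UTC
    return datetime.fromisoformat(value)

def summarize(raw):
    """Flatten one event for review; raise ValueError on missing common keys."""
    event = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in event]
    if missing:
        raise ValueError(f"missing common keys: {missing}")
    operator = event.get("operator")
    return {
        "eventId": event["eventId"],
        "eventName": event["eventName"],
        "subsystem": event["subsystem"],
        "time": parse_event_time(event["eventTime"]),
        # Page rule: if operator is missing, the Sumo service was the operator.
        "actor": operator if operator else "sumo-service",
        "change": (event.get("from", {}).get("status"),
                   event.get("to", {}).get("status")),
    }

# Sample 1: trimmed copy of the page's example (it has no operator key).
SYSTEM_EVENT = json.dumps({
    "accountId": "0000000000000131",
    "eventId": "f002327d-4934-4499-9543-132ec10f3db3",
    "subsystem": "oarPlaybookExecutions",
    "eventName": "PlaybookExecutionStarted",
    "eventTime": "2023-10-05T13:22:59.786+00:00Z",
    "eventFormatVersion": "1.0 beta",
    "from": {"status": "Not executed"}, "to": {"status": "Running"},
})
# Sample 2: constructed; the eventId, time and operator key are placeholders.
USER_EVENT = json.dumps({**json.loads(SYSTEM_EVENT), "eventId": "constructed-2",
    "eventTime": "2023-10-05T13:25:00.000Z",
    "operator": {"id": "constructed-user"}})
```

Calling `summarize(SYSTEM_EVENT)` yields the actor `sumo-service` and the status change from "Not executed" to "Running".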

Index retention period

By default, the retention period of the Audit Event Index and System Event Index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Create and Edit a Partition.

Copyright © 2024 by Sumo Logic, Inc.