View, export, extract, and purge the audit trail in Cortex XSOAR. The audit trail logs all administrative user actions in XSOAR.
The audit trail displays a log of all administrative user interactions with Cortex XSOAR. The log is sorted by date and covers which users interacted in what way with system objects, and associated data. The audit trail does not include actions performed in the war room. These actions are documented in the War Room.
You can search the audit trail log for user interactions based on free text.
To view the audit trail, navigate to → → . To customize which columns are visible in the audit trail log, click the table settings button.
To export the audit trail log, use the /settings/audits endpoint from the Cortex XSOAR REST API. See the Cortex XSOAR REST API documentation.
Extract a Day’s Audit Trail
You can write a script that runs daily to extract that day's audit trail and upload it to your SIEM with an uploader program. The following is an example of a curl command that fetches all audits from June 22, 2017 and later, up to 10,000 actions:

```
curl -k -X POST https://<IP>:<PORT>/settings/audits -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"size" : 10000,"query": "modified:>2017-06-22T00:00:00"}'
```
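As an added example, not taken from the Cortex XSOAR documentation or product, the daily extraction script described above in Python: it builds the same /settings/audits request as the curl command, pages through the results instead of asking for 10,000 entries at once, keeps only the target day, and emits JSON Lines for a SIEM uploader. It assumes the placeholders XSOAR_URL and XSOAR_API_KEY, that the endpoint accepts a page field like the purge endpoint below, and that the response carries the entries in an audits list.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed placeholders, same names as the curl example; set them via environment variables.
XSOAR_URL = os.environ.get("XSOAR_URL", "https://<IP>:<PORT>")
XSOAR_API_KEY = os.environ.get("XSOAR_API_KEY", "<API KEY>")
PAGE_SIZE = 1000  # page through the day instead of one 10,000-entry request

def day_window(day: datetime) -> tuple:
    """[start, end) of the UTC day containing `day`, in the timestamp format the page's query uses."""
    start = day.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    end = start + timedelta(days=1)
    return start.strftime("%Y-%m-%dT%H:%M:%S"), end.strftime("%Y-%m-%dT%H:%M:%S")

def audit_query(start: str, page: int, size: int = PAGE_SIZE) -> dict:
    """Body for /settings/audits: 'size' and 'modified:>' are from the page, 'page' is assumed."""
    return {"page": page, "size": size, "query": f"modified:>{start}"}

def select_day(entries: list, start: str, end: str) -> list:
    """Apply the upper bound client-side so yesterday's export is not re-sent today.
    Compares the 'YYYY-MM-DDTHH:MM:SS' prefix of 'modified' (assumes one consistent server offset)."""
    return [e for e in entries if start <= str(e.get("modified", ""))[:19] < end]

def to_siem_lines(entries: list) -> list:
    """One compact JSON object per line (JSON Lines), the form most SIEM file uploaders accept."""
    return [json.dumps(e, sort_keys=True, separators=(",", ":")) for e in entries]

def fetch_day(day: datetime) -> list:
    """Page through one day's audit trail and return JSON lines. Assumes the response is an object
    with an 'audits' list (or a bare list). TLS is verified here; the curl -k flag skips that."""
    start, end = day_window(day)
    headers = {"accept": "application/json", "content-type": "application/json",
               "authorization": XSOAR_API_KEY}
    collected, page = [], 0
    while True:
        body = json.dumps(audit_query(start, page)).encode()
        req = urllib.request.Request(f"{XSOAR_URL}/settings/audits", data=body,
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=60) as resp:
            data = json.load(resp)
        entries = data.get("audits", []) if isinstance(data, dict) else data
        collected.extend(select_day(entries, start, end))
        if len(entries) < PAGE_SIZE:  # a short page is the last one
            return to_siem_lines(collected)
        page += 1
```

Run `fetch_day(datetime.now(timezone.utc) - timedelta(days=1))` from a daily scheduled job and hand the returned lines to your SIEM uploader.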
Purge Audit Entries
You can define the retention period of the audit trail. To purge periodically, add server settings in
→ → with the following keys:

- demisto.audits.purge: set to true to start the purging process.
- demisto.audits.purge.retention: the number of days to keep the log. The default is 365.
- demisto.audits.purge.delay: how often to run the retention check (demisto.audits.purge.retention). The default is every 24 hours.
Purging can also be done manually. The following is an example of a curl command that purges all audits from June 22, 2017 to June 30, 2017:

```
curl -k -X POST https://<IP>:<PORT>/settings/audits/purge -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"page": 0, "size": 100,"fromDate": "2017-07-22T09:01:08.462954465+03:00","toDate": "2017-07-30T12:23:08.462954597+03:00","period": {"by": "","toValue": null, "fromValue": null, "field": "" }, "fromDateLicense": "0001-01-01T00:00:00Z"}'
```
The following table describes components and actions.

Component | Actions |
---|---|