Audit Trail

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-05-22
End_of_Life: EoL
Category: Administrator Guide

Abstract

View, export, extract, and purge the audit trail in Cortex XSOAR. The audit trail logs all administrative user actions in XSOAR.

The audit trail displays a log of all administrative user interactions with Cortex XSOAR. The log is sorted by date and records which users interacted with which system objects, in what way, and the associated data. The audit trail does not include actions performed in the War Room; those actions are documented in the War Room itself.

You can search the audit trail log for user interactions based on free text.

To view the audit trail, navigate to Settings > Users and Roles > Audit Trail.

To customize which columns are visible in the audit trail log, click the table settings button.

To export the audit trail log, use the /settings/audits endpoint from the Cortex XSOAR REST API. See the Cortex XSOAR REST API documentation.

Extract a Day’s Audit Trail

You can write a script that runs daily to extract that day's audit trail and upload it to your SIEM with uploader programs. The following example curl command fetches all audits from June 22, 2017 and later, up to 10,000 actions.

curl -k -X POST https://<IP>:<PORT>/settings/audits -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"size" : 10000,"query": "modified:>2017-06-22T00:00:00"}'
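The daily extraction described above as a script, added here as an example and not part of the Cortex XSOAR documentation. It keeps the page's endpoint, size and query form, verifies the server certificate instead of using -k, and passes the API key to curl on stdin; the variable names XSOAR_URL, XSOAR_API_KEY, XSOAR_CA and OUT_DIR, the function names and the output file name are assumptions.

```shell
#!/bin/sh
# Added example: daily audit-trail pull for SIEM upload.
# Assumed names (not from the page): XSOAR_URL, XSOAR_API_KEY, XSOAR_CA, OUT_DIR.

# Print the JSON body for one day; the query form and size are the page's.
# Only YYYY-MM-DD is accepted, so nothing else can reach the JSON string.
audit_query_body() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "bad date: $1" >&2; return 1 ;;
    esac
    printf '{"size":10000,"query":"modified:>%sT00:00:00"}' "$1"
}

# Print a curl config. Fed to curl on stdin, it keeps the API key out of
# argv, where other local users could read it from the process list.
curl_config() {
    printf 'url = "%s/settings/audits"\n' "$1"
    printf 'header = "accept: application/json"\n'
    printf 'header = "content-type: application/json"\n'
    printf 'header = "authorization: %s"\n' "$2"
}

# Fetch one day's audits into OUT_DIR/audits-DAY.json (owner-only).
fetch_day_audits() {
    day=$1
    body=$(audit_query_body "$day") || return 1
    umask 077
    out="${OUT_DIR:-.}/audits-$day.json"
    # --cacert verifies the server certificate instead of skipping it (-k).
    # --data makes the request a POST; the temp file avoids partial output.
    curl_config "$XSOAR_URL" "$XSOAR_API_KEY" |
        curl --config - --fail --silent --show-error \
             --cacert "$XSOAR_CA" --data "$body" --output "$out.tmp" &&
        mv "$out.tmp" "$out"
}

# Runs only when the endpoint is configured, e.g. from cron.
if [ -n "${XSOAR_URL:-}" ]; then
    fetch_day_audits "${1:-$(date +%Y-%m-%d)}"
fi
```

The API key must not contain a double quote or backslash, which the curl config syntax treats specially.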

Purge Audit Entries

You can define the retention period of the audit trail. To purge periodically, add a server setting in Settings > About > Troubleshooting where the key is:

  • demisto.audits.purge

    True will start the purging process.

  • demisto.audits.purge.retention

    The value is the number of days to save the log. Default is 365.

To define how often to check the audit trail log, in Settings > About > Troubleshooting add demisto.audits.purge.delay, where the value is how often to run the retention (demisto.audits.purge.retention). The default is every 24 hours.

Purging can also be done manually. The following example curl command purges all audits from June 22, 2017 to June 30, 2017.

curl -k -X POST https://<IP>:<PORT>/settings/audits/purge -H 'accept: application/json' -H 'authorization: <API KEY>' -H 'content-type: application/json' -d '{"page": 0, "size": 100,"fromDate": "2017-06-22T09:01:08.462954465+03:00","toDate": "2017-06-30T12:23:08.462954597+03:00","period": {"by": "","toValue": null, "fromValue": null, "field": "" }, "fromDateLicense": "0001-01-01T00:00:00Z"}'

The following table describes components and actions.

Component                   Actions
account                     block, unblock, add, delete, stop, start
APIKeys                     delete, add
AppServer                   restart
backup                      edit
Canvas                      add, edit, delete
classifier                  add, copy, edit
content                     install
ContentPack                 edit, delete
ContributionPack            add, edit, delete
credentials                 add, edit, delete
Dashboard                   add, delete, edit
engine                      add, edit
entry                       restore, delete, removeentrypermanently, edit
execute                     add
host                        delete, downloadconf, add
HyperProcess(reputation)    add, delete
incident                    edit, close, execute, delete, duplicate, notcreated, add
incidentField               add, edit, delete
IncidentType                attach, detach, disable, enable, delete, edit, add
indicator                   edit, add, delete
indicator BulkEdit          edit
Integration permissions     edit
integrations                add, delete, edit
integrationsConfig          add, edit, delete, upload
investigation               close, reopen, edit, add
invite                      add, utilized, delete
Jobs                        add, edit, disable, enable, delete, pause, resume, runnow, abort
Layout                      add, copy, edit
License                     invalid
List                        edit, add, delete
LiveBackup                  switch, add, delete
login                       failure, in, out, outall, outmyself, outmyselfothersessions, outuser
logout                      failure
MarketplaceRegister         create
PasswordPolicy              edit
playbook                    add, edit, attach, detach, upload, copy, delete
PreprocessRule              edit, add
PropagationLabel            delete, add, edit
RemoteDB                    download, enable, disable, add, create
role                        add, edit, delete
script                      copy, upload, edit, add, delete
ServerConfiguration         edit
task                        add, copy
Telemetry                   edit
user                        edit, lockout, unlock, add, enable, setpassword
whitelist                   delete, batchcreate, add
Widget                      edit, add, reset