V 2.0 : Admin Audit Logs
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Admin Audit Logs | Base Rule | General Audit Messages | Information |
| V 2.0 : Audit Logs Created | Sub Rule | Object Created | Access Success |
| V 2.0 : Audit Logs Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : Audit Logs Updated | Sub Rule | Object Modified | Access Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| ID | N/A | N/A | A unique identifier of the audit event. |
| Timestamp | N/A | N/A | The date and time when the request was made, in UTC. This differs from the Umbrella dashboard, which converts the time to your configured time zone. |
| Email | <account> | Text/String | The email address of the user who triggered the event. |
| User | <login> | Text/String | The account name of the user who made the change. |
| Type | <object> | Text/String | Where the change was made, such as a setting or a policy. |
| Action | <action>, <tag1> | Text/String | The type of change made, such as Create, Update, or Delete. |
| Logged in from | <sip> | IP Address | The source IP address of the user's session. |
| Before | N/A | N/A | The policy or setting before the change was made. |
| After | N/A | N/A | The policy or setting after the change was made. |
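The following is an added worked example, not code from LogRhythm or Cisco: it parses constructed Umbrella admin audit log lines, applies the device-key-to-schema mapping from the table above, and picks the sub rule from the Action value. It assumes the log arrives as one CSV record per line with the nine fields in the order the table lists them, and that Timestamp uses the `YYYY-MM-DD HH:MM:SS` form; both are assumptions, as are the sample values. Actions the three sub rules do not name (the constructed `Login` line) fall back to the base rule, which is the behaviour a parser should have rather than dropping the event. Because Before and After are not mapped to schema fields, the example also shows how to recover which keys changed when those fields carry JSON.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Device keys in the order the mapping table lists them.
# Assumption: the CSV export carries the columns in this same order, with no header row.
DEVICE_KEYS = ["ID", "Timestamp", "Email", "User", "Type", "Action",
               "Logged in from", "Before", "After"]

# Device key -> LogRhythm schema field(s), taken from the mapping table.
SCHEMA_MAP = {
    "Email": ("account",),
    "User": ("login",),
    "Type": ("object",),
    "Action": ("action", "tag1"),
    "Logged in from": ("sip",),
}

# Action -> (rule name, common event, classification), from the classification table.
SUB_RULES = {
    "create": ("V 2.0 : Audit Logs Created", "Object Created", "Access Success"),
    "delete": ("V 2.0 : Audit Logs Deleted", "Object Deleted/Removed", "Access Success"),
    "update": ("V 2.0 : Audit Logs Updated", "Object Modified", "Access Success"),
}
BASE_RULE = ("V 2.0 : Admin Audit Logs", "General Audit Messages", "Information")

# Constructed sample records (not real Umbrella output). The last line uses an
# action the sub rules do not cover, to exercise the base-rule fallback.
SAMPLE_LINES = [
    '"1001","2024-03-05 14:22:01","admin@example.com","Alice Admin","policy","Update",'
    '"203.0.113.5","{""block"":[""gambling""]}","{""block"":[""gambling"",""malware""]}"',
    '"1002","2024-03-05 14:25:40","admin@example.com","Alice Admin","settings","Create",'
    '"203.0.113.5","","{""name"":""Guest network""}"',
    '"1003","2024-03-05 14:30:12","ops@example.com","Bob Ops","policy","Delete",'
    '"198.51.100.7","{""name"":""Legacy policy""}",""',
    '"1004","2024-03-05 14:31:00","ops@example.com","Bob Ops","settings","Login",'
    '"198.51.100.7","",""',
]


def parse_audit_line(line: str) -> dict:
    """Split one CSV record into a dict keyed by device key; reject malformed rows."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(DEVICE_KEYS):
        raise ValueError(f"expected {len(DEVICE_KEYS)} fields, got {len(row)}")
    return dict(zip(DEVICE_KEYS, row))


def map_to_schema(fields: dict) -> dict:
    """Copy mapped device keys into their LogRhythm schema field names."""
    out = {}
    for key, schema_names in SCHEMA_MAP.items():
        for name in schema_names:          # Action feeds both <action> and <tag1>
            out[name] = fields[key]
    return out


def classify(fields: dict) -> dict:
    """Select the sub rule by Action (case-insensitive); unknown actions hit the base rule."""
    rule, common_event, classification = SUB_RULES.get(
        fields["Action"].strip().lower(), BASE_RULE)
    return {"rule": rule, "common_event": common_event, "classification": classification}


def timestamp_utc(fields: dict) -> datetime:
    """Parse Timestamp and pin it to UTC so the collector's local zone never shifts it."""
    naive = datetime.strptime(fields["Timestamp"], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def changed_keys(fields: dict) -> set:
    """Top-level keys whose value differs between Before and After, when both are JSON.

    Empty Before/After (a fresh Create or a Delete) parse as {} so every key
    present on the other side counts as changed.
    """
    def load(s):
        return json.loads(s) if s.strip() else {}
    before, after = load(fields["Before"]), load(fields["After"])
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def normalize(line: str) -> dict:
    """One parsed line -> schema fields, rule selection, UTC time and the change set."""
    fields = parse_audit_line(line)
    event = map_to_schema(fields)
    event.update(classify(fields))
    event["timestamp"] = timestamp_utc(fields).isoformat()
    event["changed_keys"] = sorted(changed_keys(fields))
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(normalize(line)))
```

The fallback to the base rule matters operationally: an Action value outside Create/Update/Delete should still be classified as an audit message, and a parser that raised on it would silently lose the admin activity you most want to see. The UTC pinning mirrors the Timestamp row of the table; if the collector re-interprets that value in a local zone, the event time in LogRhythm will drift from the Umbrella dashboard by the zone offset.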