Query Auditing
LogRhythm offers additional auditing to track the type of data accessed by analysts during ad hoc and saved searches in both the Client Console and the Web Console. When a user runs a query (tail, investigation, drill-down, report, etc.), an audit entry is generated and written to the LRQueryAuditLog table in the EMDB (Event Management Database). Each entry records the Audit Log ID, Event ID, Event Date, User ID, Object Type ID, and Criteria Info. The table below lists the tools and the actions in each that are audited.
LogRhythm Tool | Actions Audited |
---|---|
Console | Logon; Logoff |
Personal Dashboard | Add Host to Known Hosts; Search / Drill Down; Correlate; Contextualize |
Investigator | Add Host to Known Hosts; Run Search / Drill Down; Correlate; Contextualize |
Tail | Run Search |
Report | Run; View; Search |
Report Package | Run |
Archive Restoration Wizard | Run Secondlook |
Log Message Viewer | View Log Information |
Log Miner | Run Log Miner Investigation; Search; Correlate; Contextualize |
Alarm Viewer | Modify Status of Alarm; Open Alarm Viewer; View Alarm |
Web Search | Run |
Note the following when using query auditing:

- The audit data must be obtained by querying the database. Entries are made in the LRQueryAudit table when the following scheduled reports are run using the Job Manager:
  - LR SIEM version 7.10 and prior:
    - LogRhythm Auditing Activity Summary By User
    - LogRhythm Auditing Event Detail By User
    - LogRhythm Auditing Event Detail By Date
  - LR SIEM version 7.11 and later:
    - Usage Auditing Activity Summary
    - Usage Auditing Event Detail
    - Usage Auditing Event List
    - Usage Auditing Logon & Logoff Events
- Installation or setup is not required. This feature is pre-installed in the Client Console.
- The query data is stored in the EMDB. Each Elasticsearch query can contain multiple parts and generate multiple rows of audit data. Ensure that ample space is available on the drive where the EMDB is stored, because the table can grow quickly.
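As an added example (not LogRhythm's own documentation or schema), the T-SQL below shows the kind of queries an analyst would run directly against the audit table, which is the route the notes above say the audit data must be obtained through. It assumes the EMDB runs on Microsoft SQL Server under the database name LogRhythmEMDB, and that the audit table's columns are named AuditLogID, EventID, EventDate, UserID, ObjectTypeID and CriteriaInfo after the fields listed at the top of the page; the page refers to the table as both LRQueryAuditLog and LRQueryAudit, so the first query looks up the real table and column names before anything else is relied on. The user ID in query 3 is a constructed sample value.

```sql
-- Added example, not LogRhythm's own documentation or schema.
-- Assumed: SQL Server EMDB named LogRhythmEMDB; audit table dbo.LRQueryAuditLog
-- with columns AuditLogID, EventID, EventDate, UserID, ObjectTypeID, CriteriaInfo.
USE LogRhythmEMDB;
GO

-- 1. Confirm the table and column names before trusting the queries below
--    (the page names the table both LRQueryAuditLog and LRQueryAudit).
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME LIKE 'LRQueryAudit%'
ORDER BY TABLE_NAME, ORDINAL_POSITION;
GO

-- 2. Activity summary by user and object type for the last 7 days.
--    One search can write several rows (one per query part), so AuditRows
--    counts rows, not distinct searches.
SELECT UserID,
       ObjectTypeID,
       COUNT(*)       AS AuditRows,
       MIN(EventDate) AS FirstSeen,
       MAX(EventDate) AS LastSeen
FROM dbo.LRQueryAuditLog
WHERE EventDate >= DATEADD(day, -7, GETDATE())
GROUP BY UserID, ObjectTypeID
ORDER BY AuditRows DESC;
GO

-- 3. Event detail for one user: what they searched for and when.
DECLARE @UserID int = 42;   -- constructed sample value; replace with a real ID
SELECT AuditLogID, EventID, EventDate, ObjectTypeID, CriteriaInfo
FROM dbo.LRQueryAuditLog
WHERE UserID = @UserID
  AND EventDate >= DATEADD(day, -7, GETDATE())
ORDER BY EventDate DESC;
GO

-- 4. Out-of-hours searching: rows written between 22:00 and 06:00 server time,
--    a common review filter for analyst activity. Confirm EventDate's time zone
--    against a search you ran yourself before acting on this.
SELECT UserID, CAST(EventDate AS date) AS EventDay, COUNT(*) AS AuditRows
FROM dbo.LRQueryAuditLog
WHERE EventDate >= DATEADD(day, -30, GETDATE())
  AND (DATEPART(hour, EventDate) >= 22 OR DATEPART(hour, EventDate) < 6)
GROUP BY UserID, CAST(EventDate AS date)
ORDER BY EventDay DESC, AuditRows DESC;
GO

-- 5. Size of the audit table, for the disk-space caveat above.
EXEC sp_spaceused N'dbo.LRQueryAuditLog';
GO
```

Run query 1 first and adjust the column names in the rest to match what it returns. Query 5 is worth scheduling alongside the usage reports so that growth of the audit table is noticed before the EMDB drive fills.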