Audit activities through logs

Corelight Investigator keeps a record of key user and application activities. These activities are written to the Security Audit log, which admin users can review. The Security Audit log helps you diagnose problems, investigate security concerns, and meet regulatory record-keeping requirements.

A screenshot of the logs on the Security Audit page.

Log entries are grouped in these categories:

  • User – Actions taken by users such as logins, logouts, password changes, alias updates, 2FA setup and modifications, and cookie settings.

  • Admin – Actions taken by administrators, such as user creation, permission changes, and configuration changes.

  • System – Events related to the system itself, such as system errors or warnings, scheduled updates, and Corelight support activity.

  • Alert – Events or user actions on Alerts such as enabling or disabling an Alert Category.

  • Detection – Events or user actions on Detections such as assigning or closing a detection.

  • Entity – Events or user actions on entities, such as adding an entity to an exclusion list.

  • Export – Events related to Exporters such as creating, updating, or deleting.

Entries in the audit log are read-only and cannot be modified or deleted.

View the audit log

To access the audit log:

  • As an admin user, from the System Settings in the left navigation, choose Security Audit.

    The Security Audit page shows logs of recent activity, including a timestamp, user who performed the action, activity category, type of activity, and activity description.

You can filter the logs based on these values:

  • User – Choose a specific user to limit the results to their activity or choose to view all users. (All users associated with the account appear in the list.)

  • Category – Choose a category for the results.

  • Type – Choose Audit to show recorded activity or Error to show only failed requests.

  • Date – Choose a preset window from 1 hour to 3 months, or specify a custom date range. A custom range also cannot exceed 3 months.

Click the X to the right of a filter name to remove it.

You can also sort logs based on timestamp, user, category, or type.
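The same filter and sort rules apply when you work with audit records outside the UI, for example in a script that triages entries you have copied out of the page. The following is an added example, not Corelight code: it models an entry with the five columns the Security Audit page shows (timestamp, user, category, type, description), applies the User, Category, Type and Date filters, enforces the 3-month cap on a date range, and sorts by any of the four sortable columns. The AuditEntry record layout, the calendar-month interpretation of "3 months", the inclusive range boundaries and the sample entries are assumptions made for this illustration.

```python
"""Offline filtering and sorting of Security Audit entries.

Added example, not Corelight code. The AuditEntry layout, the sample
entries and the calendar-month reading of the 3-month cap are assumptions.
"""
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Categories, types and sortable columns as documented on the page.
CATEGORIES = {"User", "Admin", "System", "Alert", "Detection", "Entity", "Export"}
TYPES = {"Audit", "Error"}
SORT_KEYS = {"timestamp", "user", "category", "type"}
MAX_WINDOW_MONTHS = 3


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime  # timezone-aware
    user: str
    category: str
    type: str
    description: str


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic; clamps the day to the target month's length."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def validate_window(start: datetime, end: datetime) -> None:
    """Reject empty or inverted ranges and ranges longer than 3 months."""
    if end <= start:
        raise ValueError("end must be after start")
    if end > add_months(start, MAX_WINDOW_MONTHS):
        raise ValueError("date range cannot exceed 3 months")


def window_is_valid(start: datetime, end: datetime) -> bool:
    try:
        validate_window(start, end)
    except ValueError:
        return False
    return True


def filter_entries(entries: Iterable[AuditEntry], *, user: Optional[str] = None,
                   category: Optional[str] = None, type_: Optional[str] = None,
                   start: Optional[datetime] = None,
                   end: Optional[datetime] = None) -> List[AuditEntry]:
    """Apply the User, Category, Type and Date filters; None means 'all'."""
    if category is not None and category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    if type_ is not None and type_ not in TYPES:
        raise ValueError(f"unknown type {type_!r}")
    if start is not None and end is not None:
        validate_window(start, end)
    kept = []
    for e in entries:
        if user is not None and e.user != user:
            continue
        if category is not None and e.category != category:
            continue
        if type_ is not None and e.type != type_:
            continue
        if start is not None and e.timestamp < start:  # inclusive boundaries (assumed)
            continue
        if end is not None and e.timestamp > end:
            continue
        kept.append(e)
    return kept


def sort_entries(entries: Iterable[AuditEntry], key: str = "timestamp",
                 descending: bool = True) -> List[AuditEntry]:
    """Sort by one of the four sortable columns; newest first by default."""
    if key not in SORT_KEYS:
        raise ValueError(f"cannot sort by {key!r}")
    return sorted(entries, key=lambda e: getattr(e, key), reverse=descending)


def summarize_by_category(entries: Iterable[AuditEntry]) -> Counter:
    return Counter(e.category for e in entries)


# Constructed sample entries (not real log data).
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    AuditEntry(T0, "alice", "User", "Audit", "Login succeeded"),
    AuditEntry(T0 + timedelta(minutes=5), "alice", "User", "Audit", "2FA device added"),
    AuditEntry(T0 + timedelta(hours=1), "bob", "Admin", "Audit", "Changed permissions for user carol"),
    AuditEntry(T0 + timedelta(hours=2), "bob", "Admin", "Error", "Failed to create user dave"),
    AuditEntry(T0 + timedelta(days=1), "system", "System", "Audit", "Scheduled update applied"),
    AuditEntry(T0 + timedelta(days=2), "carol", "Detection", "Audit", "Closed detection"),
    AuditEntry(T0 + timedelta(days=3), "carol", "Export", "Audit", "Created exporter"),
]

if __name__ == "__main__":
    # Admin actions in the first day, newest first
    for e in sort_entries(filter_entries(SAMPLE_ENTRIES, category="Admin",
                                         start=T0, end=T0 + timedelta(days=1))):
        print(e.timestamp.isoformat(), e.user, e.type, e.description)
    print(summarize_by_category(SAMPLE_ENTRIES))
```

Filtering on Category and Type separately mirrors the UI: Category narrows by the kind of object acted on, while Type separates successful (Audit) records from failed requests (Error), so an Admin/Error query is the quick way to find privileged operations that did not go through.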