_audit
Overview
The _audit index tracks user and system activities within the log search tool, such as starting queries, updating detection rules, or syncing external resources like GitHub repositories. It is designed to help you monitor who performed what action, when, and with what resources, making it ideal for auditing, troubleshooting, and security reviews.
Key Fields
timestamp: When the action occurred (e.g., "2025-03-29T10:44:07.279834553+00:00"). Format: ISO 8601 with nanosecond precision and timezone. Use: Pinpoint the exact time of an event.

action.name: The type of action performed (e.g., "StartQuery", "UpdateDetectionRule", "SyncGithubRepos"). Use: Identify what happened (e.g., a query started, a rule was updated).

action.resource: The resource affected by the action (e.g., "Query", "DetectionRule", "GithubRepoSyncSource"). Use: Understand the context or target of the action.

actor.type: The type of entity that performed the action (e.g., "User"). Use: Distinguish between user actions and potential system or automated actions.

actor.id: Unique identifier of the actor. Use: Track specific users or entities across events.

actor.display_name: Human-readable name of the actor (e.g., "alice@example.com", "bob@example.com"). Use: Quickly identify who took the action without needing to look up IDs.

action.details.*: Additional metadata specific to the action (varies by action.name). Examples:
  action.details.start_time and action.details.end_time: Time range for actions like queries (e.g., "2025-02-01T10:44:06.213Z").
  action.details.query_text[0] or [1]: The query string executed (e.g., %ingest.source_type="aws:cloudtrail" errorCode=*).
  action.details.name: Name of the resource modified (e.g., "Webhook Event Sink").
Use: Dive deeper into the specifics of an action.

@index: The index name (always "_audit" in this case). Use: Confirms the event belongs to this index (useful in multi-index queries).

@index_id: Unique identifier for the audit index instance. Use: Differentiate between multiple audit indexes if applicable.

actor.details: Additional actor metadata (often null). Use: May contain extra context about the actor in some cases (future-proof field).
Action Names
The _audit index logs a wide range of actions, identified by the action.name field. Below is the complete list of supported actions as of March 30, 2025, grouped by category. Each action corresponds to a specific operation in the log search tool, and the associated action.resource and action.details.* fields provide additional context.
Query and Export Actions:
StartQuery: Initiates a search query.
StartExport: Begins exporting query results.
DownloadExport: Downloads an exported file.

AWS Account Management:
CreateAwsAccount: Adds a new AWS account.
UpdateAwsAccount: Modifies an existing AWS account.
DeleteAwsAccount: Removes an AWS account.
CreateAwsAccountSetupData: Sets up initial AWS account data.
UpdateAwsAccountSetupData: Updates AWS account setup data.
DeleteAwsAccountSetupData: Deletes AWS account setup data.

User Invites:
CreateUserInvite: Sends an invitation to a new user.
DeleteUserInvite: Cancels an invitation.
AcceptUserInvite: User accepts an invitation.

API Key Management:
CreateApiKey: Generates a new API key.
UpdateApiKey: Modifies an existing API key.
DeleteApiKey: Deletes an API key.

Detection Rules:
CreateDetectionRule: Creates a new detection rule.
UpdateDetectionRule: Updates an existing detection rule.
DeleteDetectionRule: Deletes a detection rule.

Event Sinks:
CreateEventSink: Sets up a new event sink (e.g., for notifications).
UpdateEventSink: Modifies an event sink.
DeleteEventSink: Removes an event sink.

Index Management:
CreateIndex: Creates a new index.
UpdateIndex: Updates an existing index.
DeleteIndex: Deletes an index.

RBAC (Role-Based Access Control):
CreateRbacRole: Defines a new role.
UpdateRbacRole: Modifies a role.
DeleteRbacRole: Deletes a role.
CreateRbacUserInviteRole: Assigns a role to a user invite.
DeleteRbacUserInviteRole: Removes a role from a user invite.
CreateRbacUserRole: Assigns a role to a user.
DeleteRbacUserRole: Removes a role from a user.
CreateRbacApiKeyRole: Assigns a role to an API key.
DeleteRbacApiKeyRole: Removes a role from an API key.
CreateRbacRolePermission: Adds a permission to a role.
DeleteRbacRolePermission: Removes a permission from a role.

Integrations:
CreateIntegration: Sets up a new integration (e.g., third-party service).
DeleteIntegration: Removes an integration.

S3 Import Rules:
CreateS3ImportRule: Creates a rule to import logs from S3.
UpdateS3ImportRule: Updates an S3 import rule.
DeleteS3ImportRule: Deletes an S3 import rule.

GitHub Repository Sync:
CreateGithubRepoSyncSource: Sets up a GitHub repo sync source.
UpdateGithubRepoSyncSource: Modifies a GitHub sync source.
DeleteGithubRepoSyncSource: Deletes a GitHub sync source.
SyncGithubRepos: Triggers a sync of GitHub repositories.

User Management:
DeleteUser: Removes a user from the system.

Note: Each action.name is paired with an action.resource (e.g., "Query", "DetectionRule") and optional action.details.* fields that provide specifics like IDs, names, or timestamps. Use these fields in queries to filter or analyze specific events.
Example Use Cases
Tracking Query Activity:
Scenario: You want to see who ran queries yesterday and what they searched for.
Why: Monitor usage patterns or investigate unexpected query behavior.
Query:
Auditing Detection Rule Changes:
Scenario: A detection rule stopped working, and you need to check who modified it last.
Why: Ensure accountability and troubleshoot rule misconfigurations.
Query:
Monitoring Sync Operations:
Scenario: GitHub repo syncs are failing, and you need to confirm when the last sync attempt occurred.
Why: Debug integration issues with external sources.
Query:
Tips
Filter by action.name to focus on specific event types (e.g., "StartQuery", "UpdateDetectionRule").
Combine actor.id and actor.display_name for precise user tracking, especially if display names might change.
To check whether users have run a particular query, use a wildcard for the query_text array index, e.g., action.details.query_text[*]: "query here". When Scanner runs queries, it often runs multiple queries at once, one to generate the search results table and the other to generate the histogram. Hence, you will often see the fields action.details.query_text[0] and [1] in StartQuery audit events.
Check action.details.* fields for action-specific insights, as they vary by event type.
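The three use cases above and the query_text[0]/[1] tip, worked through in Python against constructed _audit events. This is an added example, not Scanner's own code: the field names follow this page, while the actor ids, rule name, query strings and timestamps are made up for the example.

```python
import re
from datetime import datetime

# Constructed sample _audit events (shapes follow the field list on this page;
# the ids, names and query strings are made up for the example).
SAMPLE_EVENTS = [
    {"timestamp": "2025-03-29T10:44:07.279834553+00:00", "@index": "_audit",
     "actor": {"type": "User", "id": "u-1", "display_name": "alice@example.com", "details": None},
     "action": {"name": "StartQuery", "resource": "Query", "details": {
         # [0] and [1]: the results-table and histogram queries Scanner issues together
         "query_text": ['%ingest.source_type="aws:cloudtrail" errorCode=*',
                        '%ingest.source_type="aws:cloudtrail" errorCode=* | count']}}},
    {"timestamp": "2025-03-29T11:02:00.000000000+00:00", "@index": "_audit",
     "actor": {"type": "User", "id": "u-2", "display_name": "bob@example.com", "details": None},
     "action": {"name": "UpdateDetectionRule", "resource": "DetectionRule",
                "details": {"name": "Suspicious IAM change"}}},
    {"timestamp": "2025-03-29T12:30:00.000000000+00:00", "@index": "_audit",
     "actor": {"type": "User", "id": "u-1", "display_name": "alice@example.com", "details": None},
     "action": {"name": "UpdateDetectionRule", "resource": "DetectionRule",
                "details": {"name": "Suspicious IAM change"}}},
    {"timestamp": "2025-03-29T13:00:00.000000000+00:00", "@index": "_audit",
     "actor": {"type": "User", "id": "u-2", "display_name": "bob@example.com", "details": None},
     "action": {"name": "SyncGithubRepos", "resource": "GithubRepoSyncSource", "details": {}}},
]
RULE_CHANGES = ("CreateDetectionRule", "UpdateDetectionRule", "DeleteDetectionRule")

def parse_ts(ts):
    # datetime.fromisoformat() accepts at most 6 fractional digits on older Pythons,
    # so trim the nanosecond precision used by the _audit index to microseconds.
    return datetime.fromisoformat(re.sub(r"\.(\d{6})\d+", r".\1", ts))

def queries_in_window(events, start, end):
    """Use case 1: (actor, query_text list) for every StartQuery in [start, end)."""
    return [(e["actor"]["display_name"], e["action"]["details"].get("query_text", []))
            for e in events if e["action"]["name"] == "StartQuery"
            and start <= parse_ts(e["timestamp"]) < end]

def last_modifier(events, rule_name):
    """Use case 2: (actor.id, actor.display_name, action.name) of the newest change to a rule."""
    changes = [e for e in events if e["action"]["name"] in RULE_CHANGES
               and e["action"]["details"].get("name") == rule_name]
    if not changes:
        return None
    e = max(changes, key=lambda ev: parse_ts(ev["timestamp"]))  # newest by timestamp, not list order
    return e["actor"]["id"], e["actor"]["display_name"], e["action"]["name"]

def last_sync_attempt(events):
    """Use case 3: timestamp of the most recent SyncGithubRepos event, or None."""
    return max((parse_ts(e["timestamp"]) for e in events
                if e["action"]["name"] == "SyncGithubRepos"), default=None)
```

last_modifier returns actor.id alongside actor.display_name so the result stays stable even if a display name changes later.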
Example log event
Here's an example of a StartQuery log event that may appear in the _audit index.