scanner
  • About Scanner
  • When to use it
  • Architecture
  • Getting Started
  • Playground Guide
    • Overview
    • Part 1: Search and Analysis
    • Part 2: Detection Rules
    • Part 3: Augment your SIEM
    • Wrapping Up
  • Log Data Sources
    • Overview
    • List
      • AWS
        • AWS Aurora
        • AWS CloudTrail
        • AWS CloudWatch
        • AWS ECS
        • AWS EKS
        • AWS GuardDuty
        • AWS Lambda
        • AWS Route53 Resolver
        • AWS VPC Flow
        • AWS VPC Transit Gateway Flow
        • AWS WAF
      • Cloudflare
        • Audit Logs
        • Firewall Events
        • HTTP Requests
        • Other Datasets
      • Crowdstrike
      • Custom via Fluentd
      • Fastly
      • GitHub
      • Jamf
      • Lacework
      • Osquery
      • OSSEC
      • Sophos
      • Sublime Security
      • Suricata
      • Syslog
      • Teleport
      • Windows Defender
      • Windows Sysmon
      • Zeek
  • Indexing Your Logs in S3
    • Linking AWS Accounts
      • Manual setup
        • AWS CloudShell
      • Infra-as-code
        • AWS CloudFormation
        • Terraform
        • Pulumi
    • Creating S3 Import Rules
      • Previewing Imports
      • Regular Expressions in Import Rules
  • Using Scanner
    • Query Syntax
    • Aggregation Functions
      • avg()
      • count()
      • countdistinct()
      • eval()
      • groupbycount()
      • max()
      • min()
      • percentile()
      • rename()
      • stats()
      • sum()
      • table()
      • var()
      • where()
    • Detection Rules
      • Event Sinks
      • Out-of-the-Box Detection Rules
      • MITRE Tags
    • API
      • Ad hoc queries
      • Detection Rules
      • Event Sinks
      • Validating YAML files
    • Built-in Indexes
      • _audit
    • Role-Based Access Control (RBAC)
    • Beta features
      • Scanner for Splunk
        • Getting Started
        • Using Scanner Search Commands
        • Dashboards
        • Creating Custom Content in Splunk Security Essentials
      • Scanner for Grafana
        • Getting Started
      • Jupyter Notebooks
        • Getting Started with Jupyter Notebooks
        • Scanner Notebooks on Github
      • Detection Rules as Code
        • Getting Started
        • Writing Detection Rules
        • CLI
        • Managing Synced Detection Rules
      • Detection Alert Formatting
      • Scalar Functions and Operators
        • coalesce()
        • if()
        • arr.join()
        • math.abs()
        • math.round()
        • str.uriencode()
  • Single Sign On (SSO)
    • Overview
    • Okta
      • Okta Workforce
      • SAML
Powered by GitBook
On this page
  • Overview
  • Key Fields
  • Action Names
  • Example Use Cases
  • Example log event

Was this helpful?

  1. Using Scanner
  2. Built-in Indexes

_audit

Overview

The _audit index tracks user and system activities within the log search tool, such as starting queries, updating detection rules, or syncing external resources like GitHub repositories. It’s designed to help you monitor who performed what action, when, and with what resources, making it ideal for auditing, troubleshooting, and security reviews.

Key Fields

  • timestamp: When the action occurred (e.g., "2025-03-29T10:44:07.279834553+00:00").

    • Format: ISO 8601 with nanosecond precision and timezone.

    • Use: Pinpoint the exact time of an event.

  • action.name: The type of action performed (e.g., "StartQuery", "UpdateDetectionRule", "SyncGithubRepos").

    • Use: Identify what happened (e.g., a query started, a rule was updated).

  • action.resource: The resource affected by the action (e.g., "Query", "DetectionRule", "GithubRepoSyncSource").

    • Use: Understand the context or target of the action.

  • actor.type: The type of entity that performed the action (e.g., "User").

    • Use: Distinguish between user actions and potential system or automated actions.

  • actor.id: Unique identifier of the actor.

    • Use: Track specific users or entities across events.

  • actor.display_name: Human-readable name of the actor (e.g., "alice@example.com", "bob@example.com").

    • Use: Quickly identify who took the action without needing to look up IDs.

  • action.details.*: Additional metadata specific to the action (varies by action.name).

    • Examples:

      • action.details.start_time and action.details.end_time: Time range for actions like queries (e.g., "2025-02-01T10:44:06.213Z").

      • action.details.query_text[0] or [1]: The query string executed (e.g., %ingest.source_type="aws:cloudtrail" errorCode=*").

      • action.details.name: Name of the resource modified (e.g., "Webhook Event Sink").

    • Use: Dive deeper into the specifics of an action.

  • @index: The index name (always "_audit" in this case).

    • Use: Confirms the event belongs to this index (useful in multi-index queries).

  • @index_id: Unique identifier for the audit index instance.

    • Use: Differentiate between multiple audit indexes if applicable.

  • actor.details: Additional actor metadata (often null).

    • Use: May contain extra context about the actor in some cases (future-proof field).

Action Names

The _audit index logs a wide range of actions, identified by the action.name field. Below is the complete list of supported actions as of March 30, 2025, grouped by category. Each action corresponds to a specific operation in the log search tool, and the associated action.resource and action.details.* fields provide additional context.

  • Query and Export Actions:

    • StartQuery: Initiates a search query.

    • StartExport: Begins exporting query results.

    • DownloadExport: Downloads an exported file.

  • AWS Account Management:

    • CreateAwsAccount: Adds a new AWS account.

    • UpdateAwsAccount: Modifies an existing AWS account.

    • DeleteAwsAccount: Removes an AWS account.

    • CreateAwsAccountSetupData: Sets up initial AWS account data.

    • UpdateAwsAccountSetupData: Updates AWS account setup data.

    • DeleteAwsAccountSetupData: Deletes AWS account setup data.

  • User Invites:

    • CreateUserInvite: Sends an invitation to a new user.

    • DeleteUserInvite: Cancels an invitation.

    • AcceptUserInvite: User accepts an invitation.

  • API Key Management:

    • CreateApiKey: Generates a new API key.

    • UpdateApiKey: Modifies an existing API key.

    • DeleteApiKey: Deletes an API key.

  • Detection Rules:

    • CreateDetectionRule: Creates a new detection rule.

    • UpdateDetectionRule: Updates an existing detection rule.

    • DeleteDetectionRule: Deletes a detection rule.

  • Event Sinks:

    • CreateEventSink: Sets up a new event sink (e.g., for notifications).

    • UpdateEventSink: Modifies an event sink.

    • DeleteEventSink: Removes an event sink.

  • Index Management:

    • CreateIndex: Creates a new index.

    • UpdateIndex: Updates an existing index.

    • DeleteIndex: Deletes an index.

  • RBAC (Role-Based Access Control):

    • CreateRbacRole: Defines a new role.

    • UpdateRbacRole: Modifies a role.

    • DeleteRbacRole: Deletes a role.

    • CreateRbacUserInviteRole: Assigns a role to a user invite.

    • DeleteRbacUserInviteRole: Removes a role from a user invite.

    • CreateRbacUserRole: Assigns a role to a user.

    • DeleteRbacUserRole: Removes a role from a user.

    • CreateRbacApiKeyRole: Assigns a role to an API key.

    • DeleteRbacApiKeyRole: Removes a role from an API key.

    • CreateRbacRolePermission: Adds a permission to a role.

    • DeleteRbacRolePermission: Removes a permission from a role.

  • Integrations:

    • CreateIntegration: Sets up a new integration (e.g., third-party service).

    • DeleteIntegration: Removes an integration.

  • S3 Import Rules:

    • CreateS3ImportRule: Creates a rule to import logs from S3.

    • UpdateS3ImportRule: Updates an S3 import rule.

    • DeleteS3ImportRule: Deletes an S3 import rule.

  • GitHub Repository Sync:

    • CreateGithubRepoSyncSource: Sets up a GitHub repo sync source.

    • UpdateGithubRepoSyncSource: Modifies a GitHub sync source.

    • DeleteGithubRepoSyncSource: Deletes a GitHub sync source.

    • SyncGithubRepos: Triggers a sync of GitHub repositories.

  • User Management:

    • DeleteUser: Removes a user from the system.

Note: Each action.name is paired with an action.resource (e.g., "Query", "DetectionRule") and optional action.details.* fields that provide specifics like IDs, names, or timestamps. Use these fields in queries to filter or analyze specific events.

Example Use Cases

  1. Tracking Query Activity:

    • Scenario: You want to see who ran queries yesterday and what they searched for.

    • Why: Monitor usage patterns or investigate unexpected query behavior.

    • Query:

      @index=_audit action.name=StartQuery

  2. Auditing Detection Rule Changes:

    • Scenario: A detection rule stopped working, and you need to check who modified it last.

    • Why: Ensure accountability and troubleshoot rule misconfigurations.

    • Query:

      @index=_audit action.name=UpdateDetectionRule

  3. Monitoring Sync Operations:

    • Scenario: GitHub repo syncs are failing, and you need to confirm when the last sync attempt occurred.

    • Why: Debug integration issues with external sources.

    • Query:

      @index=_audit action.name=SyncGithubRepos actor.display_name:alice@example.com

Tips

  • Filter by action.name to focus on specific event types (e.g., "StartQuery", "UpdateDetectionRule").

  • Combine actor.id and actor.display_name for precise user tracking, especially if display names might change.

  • If looking to see if users have made a particular query, use a wildcard for the query_text array index, eg. action.details.query_text[*]: "query here" . When Scanner runs queries, it often runs multiple queries at once, one to generate the search results table and the other to generate the histogram. Hence, you will often see fields action.details.query_text[0] and [1] in StartQuery audit events.

  • Check action.details.* fields for action-specific insights, as they vary by event type.

Example log event

Here's an example of a StartQuery log event that may appear in the _audit index.

{
  "timestamp": "2025-03-30T10:04:23.347043287+00:00",
  "action.name": "StartQuery",
  "action.details.start_time": "2025-03-30T10:04:22.953Z",
  "action.details.end_time": "2025-03-30T10:04:22.953Z",
  "action.details.query_text[0]": "errorCode:* | count()",
  "action.details.query_text[1]": "errorCode:*",
  "action.resource": "Query",
  "actor.type": "User",
  "actor.display_name": "alice@example.com",
  "actor.id": "06491588-c3ab-4674-885c-51d4e578c088",
  "actor.details": null,
  "@index": "_audit",
  "@index_id": "439b3ad8-22e2-4300-a91d-e8a5dcb50e19",
}

PreviousBuilt-in IndexesNextRole-Based Access Control (RBAC)

Last updated 2 days ago

Was this helpful?