Audit Log Overview

The F5 Distributed Cloud App Infrastructure Protection (AIP) Audit Log captures and displays events from both the Distributed Cloud AIP Cloud Security Platform and the Distributed Cloud AIP API.

Data Captured

The Distributed Cloud AIP Audit Log feature captures the following information from events entering Distributed Cloud AIP:

Field | Definition
id | The unique event identification (ID) number. This number is a mix of letters and numbers.
user_email | The email address of the Distributed Cloud AIP user account tied to the event.
user_id | The unique ID number for the Distributed Cloud AIP user account tied to the event. Distributed Cloud AIP generates this ID number at account creation.
organization_id | The unique ID number for the Distributed Cloud AIP organization with which the Distributed Cloud AIP user account is associated. Distributed Cloud AIP generates this ID number at org creation.
crud | Acronym for “create,” “read,” “update,” and “delete.” The action the event took in your system.
result | Whether the action succeeded (pass) or did not succeed (fail).
action | The specific action recorded by the event. The following is the list of actions available for capture by the Distributed Cloud AIP Audit Log:

  • agent-revoke
  • alert-dismiss
  • aws-profile-create
  • aws-profile-delete
  • aws-profile-update
  • billing-info-update
  • config-audit-suppression-create
  • config-audit-suppression-delete
  • create*
  • delete*
  • organization-update
  • read*
  • update*
  • user-invite
  • user-login
  • user-login-sso
  • user-promote
  • user-revoke
  • vulnerability-suppression-create
  • vulnerability-suppression-delete

source | The source of the event: Web (Distributed Cloud AIP platform) or API.
description | The query parameter that triggered the event.

  • Web (Distributed Cloud AIP platform): The results of the query.
  • API: <USER_ID>: <HTTP_METHOD> : <URL_PATH>

event_time | The date and time, in UTC, at which the event occurred.
context** | The JSON parameters, stored as jsonb, associated with the event. The following is the list of parameters available for capture by the Distributed Cloud AIP Audit Log:

  • originIp: The IP address from which the event occurred.
  • url: The Distributed Cloud AIP API URL that triggered the event.
  • params: The query parameters specific to the Distributed Cloud AIP API URL.
  • httpMethod: The method (such as GET, POST, DELETE) used by the Distributed Cloud AIP API URL.
  • responseCode: The Distributed Cloud AIP API response code triggered by the event.
  • responseSize: The number of characters in the response.

* These are the only available actions when the event is sourced through the Distributed Cloud AIP API.

** This field is only applicable to events sourced from the Distributed Cloud AIP API.
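
The following is an added example, not F5 code, showing one way to triage audit events using the fields defined above. The representation of events as Python dicts, the sample values, the choice of which actions to flag, and the failed-login threshold are all assumptions; this page does not show the API's response format.

```python
from collections import Counter

# Actions from the page's list that reduce visibility or change privileges.
SENSITIVE_ACTIONS = {
    "agent-revoke", "alert-dismiss", "user-promote",
    "config-audit-suppression-create", "vulnerability-suppression-create",
}
LOGIN_ACTIONS = {"user-login", "user-login-sso"}
FAILED_LOGIN_THRESHOLD = 3  # assumed value; tune for your organization

def event(eid, email, action, result, source="Web", description="", context=None):
    """Build a constructed sample event holding only the fields used below."""
    return {"id": eid, "user_email": email, "action": action, "result": result,
            "source": source, "description": description, "context": context or {}}

# Constructed sample data: IDs, addresses and the URL paths are placeholders.
SAMPLE_EVENTS = [
    event("a1", "eve@example.com", "user-login", "fail"),
    event("a2", "eve@example.com", "user-login", "fail"),
    event("a3", "eve@example.com", "user-login", "fail"),
    event("a4", "bob@example.com", "user-promote", "pass"),
    event("a5", "bob@example.com", "read", "pass", "API", "u42: GET : /example/items"),
    event("a6", "bob@example.com", "delete", "pass", "API",
          "u42: DELETE : /example/items/7", {"originIp": "203.0.113.9"}),
]

def parse_api_description(description):
    """Split '<USER_ID>: <HTTP_METHOD> : <URL_PATH>' into its three parts."""
    user_id, method, path = (part.strip() for part in description.split(":", 2))
    return {"user_id": user_id, "http_method": method, "url_path": path}

def triage(events):
    """Return (event id, reason) findings for events worth a reviewer's attention."""
    findings, failed = [], Counter()
    for ev in events:
        action, ok = ev["action"], ev["result"] == "pass"
        if action in SENSITIVE_ACTIONS and ok:
            findings.append((ev["id"], f"{action} by {ev['user_email']}"))
        elif action in LOGIN_ACTIONS and not ok:
            failed[ev["user_email"]] += 1
        elif ev["source"] == "API" and action == "delete" and ok:
            req = parse_api_description(ev["description"])
            ip = ev["context"].get("originIp", "unknown")
            findings.append((ev["id"], f"API delete of {req['url_path']} from {ip}"))
    for email, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append((None, f"{count} failed logins for {email}"))
    return findings
```
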

View Audit Logs

Distributed Cloud AIP Platform

To view Distributed Cloud AIP Audit Logs through the Distributed Cloud AIP platform:

  1. Log in to Distributed Cloud AIP.
  2. In the left navigation pane, click Audit Log. The Audit Log page displays.

Distributed Cloud AIP API

To view Distributed Cloud AIP Audit Logs through the Distributed Cloud AIP API, use the information in the API documentation.
