Audit Log

 

Overview

The Threat Stack Audit Log captures and displays events from both the Threat Stack Cloud Security Platform® (CSP) and the Threat Stack API.

Data Captured

The Threat Stack Audit Log feature captures the following information from events entering the Threat Stack CSP and the Threat Stack API:

Field: Definition

id: The unique event identification (ID) number. This number is a mix of letters and numbers.
user_email: The email address of the Threat Stack user account tied to the event.
user_id: The unique ID number for the Threat Stack user account tied to the event. Threat Stack generates this ID number at account creation.
organization_id: The unique ID number for the Threat Stack organization with which the Threat Stack user account is associated. Threat Stack generates this ID number at org creation.
crud: Acronym for “create,” “read,” “update,” and “delete.” The action the event took in your system.
result: Whether the action succeeded (pass) or did not succeed (fail).
action: The specific action recorded by the event. The following is the list of actions available for capture by the Threat Stack Audit Log:

  • agent-revoke
  • alert-dismiss
  • aws-profile-create
  • aws-profile-delete
  • aws-profile-update
  • billing-info-update
  • config-audit-suppression-create
  • config-audit-suppression-delete
  • create*
  • delete*
  • organization-update
  • read*
  • update*
  • user-invite
  • user-login
  • user-login-sso
  • user-promote
  • user-revoke
  • vulnerability-suppression-create
  • vulnerability-suppression-delete

source: The source of the event: Web (Threat Stack CSP) or API.
description: The query parameter that triggered the event.

  • Web (Threat Stack CSP): The results of the query.
  • API: <USER_ID>: <HTTP_METHOD> : <URL_PATH>

event_time: The date and time, in UTC, at which the event occurred.
context**: The JSON parameters, stored as jsonb, associated with the event. The following is the list of parameters available for capture by the Threat Stack Audit Log:

  • originIp: The IP address from which the event occurred.
  • url: The Threat Stack API URL that triggered the event.
  • params: The query parameters specific to the Threat Stack API URL.
  • httpMethod: The method (such as GET, POST, DELETE) used by the Threat Stack API URL.
  • responseCode: The Threat Stack API response code triggered by the event.
  • responseSize: The number of characters in the response.

* These are the only available actions when the event is sourced through the Threat Stack API.

** This field is only applicable to events sourced from the Threat Stack API.
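
The following is an added example, not Threat Stack code, showing how the fields above can drive a first-pass review of audit events: it flags sensitive actions, bursts of failed logins, and API events whose description does not match context.httpMethod. It assumes events are available as dictionaries keyed by the field names above with ISO 8601 event_time strings; the review list, thresholds, helper names and sample records are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: which actions warrant review is local policy, not a Threat Stack list.
REVIEW_ACTIONS = {"user-promote", "user-revoke", "agent-revoke", "alert-dismiss",
                  "aws-profile-delete", "config-audit-suppression-create",
                  "vulnerability-suppression-create"}
# API description layout from the field list: <USER_ID>: <HTTP_METHOD> : <URL_PATH>
API_DESC = re.compile(r"^(?P<user_id>[^:]+?)\s*:\s*(?P<method>[A-Z]+)\s*:\s*(?P<path>\S.*)$")

def parse_api_description(desc):
    m = API_DESC.match(desc)
    return m.groupdict() if m else None

def triage(events, max_failed_logins=3, window=timedelta(minutes=10)):
    findings, failed = [], defaultdict(list)  # failed: user_email -> login failure times
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["event_time"])):
        when = datetime.fromisoformat(ev["event_time"])
        if ev["action"] in REVIEW_ACTIONS and ev["result"] == "pass":
            findings.append(("review-action", ev["id"], ev["action"]))
        if ev["action"] in ("user-login", "user-login-sso") and ev["result"] == "fail":
            recent = [t for t in failed[ev["user_email"]] if when - t <= window] + [when]
            failed[ev["user_email"]] = recent
            if len(recent) == max_failed_logins:
                findings.append(("failed-login-burst", ev["id"], ev["user_email"]))
        if ev["source"] == "API":  # assumed: description and context.httpMethod agree
            parsed = parse_api_description(ev["description"])
            ctx = ev.get("context") or {}
            if parsed is None or parsed["method"] != ctx.get("httpMethod"):
                findings.append(("api-description-mismatch", ev["id"], ev["description"]))
    return findings

def _ev(i, action, result, minute, source="Web", desc="", ctx=None):
    # Builds a constructed record using the field names from the list above.
    return {"id": f"evt{i}", "user_email": "a@example.com", "action": action,
            "result": result, "source": source, "description": desc, "context": ctx,
            "event_time": f"2024-01-01T10:{minute:02d}:00+00:00"}

# Constructed sample events; IDs, email address and URL path are placeholders.
SAMPLE_EVENTS = [
    _ev(1, "user-login", "fail", 0), _ev(2, "user-login", "fail", 2),
    _ev(3, "user-login", "fail", 5), _ev(4, "user-promote", "pass", 7),
    _ev(5, "read", "pass", 8, "API", "u123: GET : /example/path", {"httpMethod": "GET"}),
    _ev(6, "delete", "pass", 9, "API", "u123: GET : /example/path", {"httpMethod": "DELETE"}),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```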

View Audit Logs

Threat Stack CSP

To view Threat Stack Audit Logs through the Threat Stack CSP:

  1. Log in to Threat Stack.
  2. In the left navigation bar, click Audit Log. The Audit Log page displays.

Threat Stack API

To view Threat Stack Audit Logs through the Threat Stack API, use the information in the API documentation.
