Audit Log Channels
Threat Defender can send notifications of audit log events via email, webhook and desktop notification. The notifications contain events reported in the user and asset logs, the system logs, and the threat intelligence incident logs. Navigate to Logging > Audit Log Channels to set up notification channels.
To set up a new audit log channel, click the Add button above the overview table (see Audit Log Channel Settings).
Threat Defender provides three audit log channels:
Email – Threat Defender sends audit log information to a specified email address. For this purpose, Threat Defender needs to be able to contact a mail server.
Webhook – Threat Defender sends audit log notifications via webhook to Slack-compatible applications.
Desktop – Threat Defender pushes notifications as pop-ups to the desktop. To see the desktop notifications, you need to be logged in to the GUI of Threat Defender.
You can select various event categories to be included in the notifications, such as events concerning system actions (e.g. boot up, shutdown), license and update events, events concerning assets and users, TI incidents, etc.
The table displays the audit log channels configured in the system, each with an auto-generated, descriptive name, the date and number of successfully transmitted messages, and the number of failures. The slider switch in the first column allows you to enable or disable the audit log channel. The icons in the last column allow you to view the details of the respective audit log channel and to edit or delete the channel.
Audit Log Channel Details
To see the details of an audit log channel, click the details icon in the overview table or double-click its row. The details page displays the available information on the channel in several tabs.
The buttons at the top of the page allow you to edit or delete the audit log channel.
Audit Log Channel
The Audit Log Channel tab displays general information on the audit log channel. Depending on the selected type of audit log channel, the Configured table shows its configuration details.
The Statistics table shows statistical information on the messages sent via the channel:
| Field | Description |
|---|---|
| Sent At | The date when the most recent audit log notification was sent via the audit log channel. |
| Sent | The total number of notifications sent via this channel. |
| Failed At | The date when sending an audit log notification via the channel most recently failed. |
| Failed | The total number of failed notifications via this channel. |
| Fail Message | An error message that indicates why the failure occurred. |
Click TEST CHANNEL at the bottom of this page to test the audit log channel by immediately sending a notification.
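The webhook channel described above sends to Slack-compatible endpoints, and TEST CHANNEL together with the Statistics table is how you confirm delivery. The following added example (not part of the Threat Defender documentation or product) is a local Slack-style webhook sink you can point a test channel at; it assumes the channel POSTs JSON with a `text` field, as Slack incoming webhooks expect, and rejects anything else with a 400, which the channel would then record as Failed with the returned message.

```python
"""Minimal Slack-compatible webhook sink for testing an audit log channel.

Added example, not Threat Defender code. Assumes the channel POSTs JSON with
a "text" field, as Slack incoming webhooks expect (an assumption; the exact
payload Threat Defender sends is not documented on this page).
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # refuse oversized bodies before parsing them


def parse_notification(body: bytes, content_type: str) -> str:
    """Validate a Slack-style webhook body and return its text.

    Raises ValueError for anything a Slack-compatible endpoint would reject;
    such a rejection is what the channel's Statistics table counts as Failed.
    """
    if not content_type.startswith("application/json"):
        raise ValueError(f"unexpected Content-Type: {content_type!r}")
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    text = payload.get("text") if isinstance(payload, dict) else None
    if not isinstance(text, str) or not text.strip():
        raise ValueError('missing or empty "text" field')
    return text


class WebhookSink(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, MAX_BODY + 1))
        try:
            text = parse_notification(body, self.headers.get("Content-Type", ""))
        except ValueError as exc:
            # A non-2xx response surfaces as Failed / Fail Message on the channel.
            self.send_error(400, str(exc))
            return
        print(f"[{self.client_address[0]}] {text}")  # record the notification
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")


if __name__ == "__main__":
    # Bind to an interface Threat Defender can reach, enter the URL as the
    # channel's webhook target and press TEST CHANNEL.
    HTTPServer(("127.0.0.1", 8080), WebhookSink).serve_forever()
```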
Matched Events and Unsent Events
The Matched Events tab displays the audit log events that were sent via this audit log channel. The Unsent Events tab displays the audit log events that have not yet been sent via this audit log channel but will be sent with the next scheduled notification. Click the icon next to an event to open it in the Audit Logs.
The tables on the two tabs show the following information:
| Field | Description |
|---|---|
| Created At | The date and time the event was created in Threat Defender. |
| State | The state of the logged event, i.e. whether it was successful or failed. |
| Tag | The tag that assigns the event to a certain log. |
| Action | The action logged by the event. |
| Message | A message describing the event. |
| Username | The login name of the user involved in the event. |
| User IP Address | The IP address of the user involved in the event. |
Audit Log Channel Settings
If you add or edit an audit log channel, the settings screen is displayed with the following elements:
The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).