Audit Log Channels

Threat Defender can send notifications of audit log events via email, webhook and desktop notification. The notifications contain reported events from the user and asset logs, system logs, as well as threat intelligence incident logs. Navigate to Logging > Audit Log Channels to set up notification channels.

To set up a new audit log channel, click the Add button above the overview table (see Audit Log Channel Settings).

Threat Defender provides three audit log channels:

  • Email – Threat Defender sends audit log information to a specified email address. For this purpose, Threat Defender needs to be able to contact a mail server.

  • Webhook – Threat Defender sends audit log notifications via webhook to Slack-compatible applications.

  • Desktop – Threat Defender pushes notifications as pop-ups to the desktop. To see the desktop notifications you need to be logged in to the GUI of Threat Defender.

You can select various event categories to be included in the notifications, such as events concerning system actions (e.g. boot up, shutdown), license and update events, events concerning assets and users, TI incidents, etc.

The table displays the audit log channels configured in the system with an auto-generated, descriptive name, and the date and number of successfully transmitted messages as well as failures. The slider switch in the first column allows you to enable (on) or disable (off) the audit log channel. The icons in the last column allow you to view the details on the respective audit log channel as well as to edit or delete the channel.

Audit Log Channel Details

To see the details of an audit log channel, click view_icon in the overview table or double-click its row. The details page displays the available information on the channel in several tabs.

The buttons at the top of the page allow you to edit or delete the audit log channel.

Audit Log Channel

The Audit Log Channel tab displays general information on the audit log channel. Depending on the selected type of audit log channel, the Configured table shows its configuration details:

Field

Description

Enabled

The icon in this column indicates whether the audit log channel is enabled (indicator_yes_icon) or disabled (indicator_no_icon).

Name

The auto-generated name of the channel.

Note

An optional description of the channel.

Type

The selected type of audit log channel.

From Address

Only for Email reports: The email address of the sender.

To Address

Only for Email reports: The email address of the recipient.

Hostname

Only for Email reports: The mail server used.

Port

Only for Email reports: The port that Threat Defender sends the messages to.

Https

Only for Email reports: The icon in this column indicates whether the email is sent via HTTPS (indicator_yes_icon) or not (indicator_no_icon).

Username

Only for Email reports: The username used for authentication at the mail server.

Password

Only for Email reports: The password used for authentication at the mail server.

Uri

Only for Webhook reports: The URI Threat Defender sends the notifications to.

Channel

Only for Webhook reports: The channel Threat Defender sends notifications to.

Username

Only for Webhook reports: The username of the sender of the notifications, e.g. td.

Icon URL

Only for Webhook reports: An optional URL if an icon is used in the notification.

Created At

The date when the channel was created in Threat Defender.

Updated At

The date when the channel was last updated in Threat Defender.

The Statistics table shows statistical information on the messages sent via the channel:

Field

Description

Sent At

The date when the most recent audit log notification was sent via the audit log channel.

Sent

The total number of notifications sent via this channel.

Failed At

The date when sending an audit log notification most recently failed via the channel.

Failed

The total number of failed notifications via this channel.

Fail Message

An error message that indicates why the failure occurred.

Click TEST CHANNEL at the bottom of this page to test the audit log channel by immediately sending a notification.

Matched Events and Unsent Events

The Matched Events tab displays the audit log events that were sent via this audit log channel. The Unsent Events tab displays the audit log events that were not yet sent via this audit log channel, but will be sent when the next notification is scheduled. Click view_icon to access the respective event in the Audit Logs.

The tables on the two tabs show the following information:

Field

Description

Created At

The date and time the event was created in Threat Defender.

State

The state of the logged event, i.e. whether it was successful or failed.

Tag

The tag assigns the event to a certain log.

Action

The action logged logged by the event.

Message

A message describing the event.

Username

The login name of the user involved in the event.

User IP Address

The IP address of the user involved in the event.

Audit Log Channel Settings

If you add or edit an audit log channel, the settings screen is displayed with the following elements:

Field

Description

on/off

The slider switch indicates whether the audit log channel is enabled or not.

Note

Optional: Add a short description of the channel.

Report Type

Select the type of report you want to send by clicking the respective button.

Hostname

Only for Email reports: Specify the mail server you want to use.

Port

Only for Email reports: Specify the port that Threat Defender sends the messages to.

on/off

Only for Email reports: Set the slider switch to on to connect via TLS, or to off to connect via plain text.

Username

Only for Email reports: Enter the username for authentication at the mail server.

Password

Only for Email reports: Enter the password for authentication at the mail server. Optional: Click Show Password if you want to display the password in plaintext.

From Address

Only for Email reports: Enter the email address of the sender, e.g. td@company.com.

To Address

Only for Email reports: Enter the email address of the recipient.

Webhook URL

Only for Webhook reports: Enter the URL you want to send the notifications to.

Username

Only for Webhook reports: Enter the username of the sender of the notifications, e.g. td.

Channel

Only for Webhook reports: Enter the channel you want to send notifications to.

Icon URL

Only for Webhook reports: Optional. Enter a URL if you want to use an icon in the notification.

Filter by these categories

Select the event categories you want to include in the report. You can type in the input field to narrow down the list to the categories that contain the characters you are typing. Click x next to an element to remove individual categories from the selection.

Interval

Select the frequency in which notifications will be generated by clicking the respective button. If you select Immediate, you will be immediately notified of every new event.

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).