Audit Log Channels

Threat Defender can send notifications of audit log events via email, webhook and desktop notification. The notifications contain the events reported in the user and asset logs, the system logs and the threat intelligence incident logs. Navigate to Logging > Audit Log Channels to set up notification channels.

To set up a new audit log channel, click the ADD button above the overview table (see Audit Log Channel Settings).

Threat Defender provides three audit log channels:

  • Email – Threat Defender sends audit log information to a specified email address. For this purpose, Threat Defender needs to be able to contact a mail server.
  • Webhook – Threat Defender sends audit log notifications via webhook to Slack-compatible applications.
  • Desktop – Threat Defender pushes notifications as pop-ups to the desktop. To see the desktop notifications you need to be logged in to the GUI of Threat Defender.

You can select various event categories to be included in the notifications, such as events concerning system actions (e.g. boot up, shutdown), license and update events, events concerning assets and users, TI incidents, etc.

The table lists the audit log channels configured in the system with their auto-generated, descriptive name, the date and number of successfully transmitted messages, and the date and number of failures. The slider switch in the first column enables or disables the reporting channel. The buttons in the last column allow you to view the details of the respective audit log channel or to edit or delete it.

1. Audit Log Channel Details

To see the details of an audit log channel, click the details button in the overview table or double-click its row. The details page displays the available information on the channel in several tabs.

The buttons at the top of the page allow you to edit or delete the audit log channel.

1.1. Audit Log Channel

The Audit Log Channel tab displays general information on the audit log channel.
Depending on the selected type of audit log channel, the Configured table shows its configuration details:

Field Description
Enabled The icon in this column indicates whether the audit log channel is enabled or disabled.
Name The auto-generated name of the channel.
Note An optional description of the channel.
Type The selected type of audit log channel.
From Address Only for Email reports: The email address of the sender.
To Address Only for Email reports: The email address of the recipient.
Hostname Only for Email reports: The mail server used.
Port Only for Email reports: The port that Threat Defender sends the messages to.
Https Only for Email reports: The icon in this column indicates whether Threat Defender connects to the mail server via TLS (the TLS slider switch in the channel settings) or in plain text. Despite the field name, this is the TLS setting of the SMTP connection; email is not sent via HTTPS.
Username Only for Email reports: The username used for authentication at the mail server.
Password Only for Email reports: The password used for authentication at the mail server.
Uri Only for Webhook reports: The URI Threat Defender sends the notifications to.
Channel Only for Webhook reports: The channel Threat Defender sends notifications to.
Username Only for Webhook reports: The username of the sender of the notifications, e.g. td.
Icon URL Only for Webhook reports: An optional URL if an icon is used in the notification.
Created At The date and time the channel was created in Threat Defender.
Updated At The date and time the channel was last updated in Threat Defender.

The Statistics table shows statistical information on the messages sent via the channel:

Field Description
Sent At The date and time the most recent audit log notification was sent via the audit log channel.
Sent The total number of notifications sent via this channel.
Failed At The date and time when sending an audit log notification most recently failed via the channel.
Failed The total number of failed notifications via this channel.
Fail Message An error message that indicates why the failure occurred.

Click TEST CHANNEL at the bottom of this page to test the audit log channel by immediately sending a notification.
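Before pressing TEST CHANNEL on an Email channel, it is worth confirming that the mail server actually offers TLS on the configured Port and presents a valid certificate, because without TLS the Username and Password shown above travel over the wire in the clear. The following pre-flight check is an added example for this page, not Threat Defender's own code. It assumes the usual SMTP conventions (port 465 is implicit TLS, any other port negotiates STARTTLS after EHLO); the host, port and credentials are whatever you pass on the command line.

```python
"""Pre-flight check for an Email audit log channel's mail server settings.

Added example for this page, not Threat Defender's own code. Assumes the
usual SMTP conventions: port 465 is implicit TLS (SMTPS), any other port
(normally 587 or 25) is plain SMTP upgraded with STARTTLS after EHLO.
"""
import smtplib
import ssl
from typing import Optional


def check_smtp_tls(host: str, port: int, username: Optional[str] = None,
                   password: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Connect the way the Email channel does with the TLS switch on and report
    whether the hop is actually protected.

    Returns {"ok", "tls", "auth", "error"}. Certificate verification stays on:
    a server with a bad certificate still hides the password from passive
    sniffing, but not from an active attacker on the path.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    result = {"ok": False, "tls": False, "auth": None, "error": None}
    smtp = None
    try:
        if port == 465:
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            result["tls"] = True
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                # The TLS switch cannot protect this hop; AUTH PLAIN/LOGIN would
                # send the credentials base64-encoded, i.e. effectively in clear.
                result["error"] = "server does not offer STARTTLS"
                return result
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities may change after the upgrade
            result["tls"] = True
        if username is not None:
            smtp.login(username, password or "")
            result["auth"] = True
        result["ok"] = True
    except smtplib.SMTPAuthenticationError as exc:
        result["auth"] = False
        result["error"] = f"authentication rejected ({exc.smtp_code})"
    except ssl.SSLError as exc:
        result["error"] = f"TLS failure: {exc}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"SMTP error: {exc}"
    finally:
        if smtp is not None:
            try:
                smtp.quit()
            except (smtplib.SMTPException, OSError):
                pass
    return result


if __name__ == "__main__":
    import sys
    # Usage: python smtp_check.py <hostname> <port> [username] [password]
    args = sys.argv[1:]
    print(check_smtp_tls(args[0], int(args[1]), *args[2:4]))
```

A result with "tls": false or a TLS failure means the channel's TLS switch either cannot be honoured or would be accepting an unverifiable server; fix the server or its certificate before entering the mailbox credentials, and never fall back to the plain-text setting for an authenticated account.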

1.2. Matched Events and Unsent Events

The Matched Events tab displays the audit log events that were sent via this audit log channel. The Unsent Events tab displays the audit log events that were not yet sent via this audit log channel, but will be sent when the next notification is scheduled. Click the button next to an event to open it in the audit logs.

The tables on the two tabs show the following information:

Field Description
Created At The date and time the event was created in Threat Defender.
State The state of the logged event, i.e. whether it was successful or failed.
Tag The tag that assigns the event to one of the logs (user and asset logs, system logs or TI incident logs).
Action The action logged by the event.
Message A message describing the event.
Username The login name of the user involved in the event.
User IP Address The IP address of the user involved in the event.

2. Audit Log Channel Settings

If you add or edit an audit log channel, the settings screen is displayed with the following elements:

Field Description
Enabled The slider switch enables or disables the audit log channel.
Note Optional: Add a short description of the channel.
Report Type Select the type of report you want to send by clicking the respective button.
Hostname Only for Email reports: Specify the mail server you want to use.
Port Only for Email reports: Specify the port that Threat Defender sends the messages to.
TLS Only for Email reports: Set the slider switch on to connect to the mail server via TLS, or off to connect in plain text. In plain-text mode the username and password are transmitted unencrypted, so only use it for an unauthenticated relay on a trusted network.
Username Only for Email reports: Enter the username for authentication at the mail server.
Password Only for Email reports: Enter the password for authentication at the mail server. Optional: Click Show Password if you want to display the password in plaintext.
From Address Only for Email reports: Enter the email address of the sender, e.g. td@company.com.
To Address Only for Email reports: Enter the email address of the recipient.
Webhook URL Only for Webhook reports: Enter the URL you want to send the notifications to.
Username Only for Webhook reports: Enter the username of the sender of the notifications, e.g. td.
Channel Only for Webhook reports: Enter the channel you want to send notifications to.
Icon URL Only for Webhook reports: Optional. Enter a URL if you want to use an icon in the notification.
Filter by these categories Select the event categories you want to include in the report. You can type in the input field to narrow down the list to the categories that contain the characters you are typing. Click the remove button next to a selected category to remove it from the selection.
Interval Select how often notifications are generated by clicking the respective button. If you select Immediate, you are notified of every new event as soon as it occurs. With any other interval, new events are collected on the Unsent Events tab of the channel and sent together with the next scheduled notification.

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).
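The Webhook fields above (Webhook URL, Username, Channel, Icon URL) correspond to the keys of a Slack incoming webhook. The receiver below is an added example for this page, not part of Threat Defender or its documentation: it stands up a local Slack-compatible endpoint you can point the Webhook URL at, so you can capture exactly what the channel posts (for instance when you press TEST CHANNEL) before wiring it into a chat tool or a SIEM. It assumes the channel sends JSON in the Slack incoming-webhook shape (keys text, username, channel, icon_url, optionally as a form-encoded payload field); that key set, the /hooks/... path token, the port and the constructed SAMPLE_PAYLOAD are assumptions, not taken from the page.

```python
"""Minimal Slack-compatible webhook receiver for checking a Threat Defender
webhook channel. Added example, not Threat Defender's own code. Assumes the
channel posts JSON in Slack's incoming-webhook shape (keys "text",
"username", "channel", "icon_url"), an assumption derived from the field
names in the settings table, not something the page confirms.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REQUIRED_KEYS = {"text"}  # the only key Slack itself insists on
OPTIONAL_KEYS = {"username", "channel", "icon_url", "icon_emoji",
                 "attachments", "blocks"}
MAX_BODY = 64 * 1024  # refuse oversized bodies before parsing them

# Constructed sample of what a channel with Username "td" and Channel
# "#security-ops" is assumed to send; not a real captured message.
SAMPLE_PAYLOAD = json.dumps({
    "text": "Audit log: user admin logged in from 10.0.0.5",
    "username": "td",
    "channel": "#security-ops",
    "icon_url": "https://example.invalid/td.png",
}).encode()


def parse_slack_payload(body: bytes, content_type: str = "application/json") -> dict:
    """Validate and normalise a Slack-compatible webhook body.

    Raises ValueError on anything malformed so the handler can answer 400
    instead of passing attacker-controlled junk on to a SIEM or chat tool.
    """
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    if content_type.startswith("application/x-www-form-urlencoded"):
        # Slack's legacy form style: payload=<url-encoded JSON>
        raw = parse_qs(body.decode("utf-8")).get("payload", [""])[0]
    else:
        raw = body.decode("utf-8")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("payload is not a JSON object")
    missing = REQUIRED_KEYS - set(data)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return {
        "text": str(data["text"]),
        "username": data.get("username"),
        "channel": data.get("channel"),
        "icon_url": data.get("icon_url"),
        # Surface anything outside the Slack schema; a sender that deviates
        # from it will not render in a real Slack-compatible consumer either.
        "unknown_keys": sorted(set(data) - REQUIRED_KEYS - OPTIONAL_KEYS),
    }


def is_valid_payload(body: bytes, content_type: str = "application/json") -> bool:
    """Boolean wrapper around parse_slack_payload for quick checks."""
    try:
        parse_slack_payload(body, content_type)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


class WebhookHandler(BaseHTTPRequestHandler):
    """Accepts POSTs on PATH_TOKEN only and prints each parsed notification."""

    # The path is the only secret in an incoming-webhook URL: use a long
    # random token and hand it out over HTTPS only.
    PATH_TOKEN = "/hooks/replace-with-a-long-random-token"

    def do_POST(self):
        if self.path != self.PATH_TOKEN:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length)
        try:
            event = parse_slack_payload(body, self.headers.get("Content-Type", ""))
        except (ValueError, UnicodeDecodeError) as exc:
            self.send_error(400, str(exc))
            return
        print(f"[{self.client_address[0]}] {event['username']} -> "
              f"{event['channel']}: {event['text']}")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")  # Slack answers a bare "ok" as well


if __name__ == "__main__":
    # Then set Webhook URL to http://<this host>:8080/hooks/<your token>
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Run it, enter http://<host>:8080/hooks/<token> as the Webhook URL, save, and press TEST CHANNEL; the printed line shows the Username and Channel values the channel actually fills in. Treat the webhook URL itself as a credential: anyone who holds it can inject fake audit notifications into the receiving channel, so keep the path token long and random, terminate TLS in front of a production receiver, and restrict the listener to the Threat Defender address.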
