View Audit Logs

Audit logs contain information about the login activity and specific tasks that were completed successfully using the ATP Cloud Web Portal. Audit log entries include details about user-initiated tasks, such as the username, task name, task details, and date and time of execution of the task. Administrators can view audit logs for a specific time span, search and filter for audit logs, and export audit logs in comma-separated values (CSV) format.

Note:

To view audit logs, you must have Audit Log Administrator privileges.
The retention period for audit logs is five years.

To view audit logs:

On the ATP Cloud Web Portal UI, select Monitor > Audit.
The Audit Log page appears displaying the audit logs in tabular format. The fields displayed on the Audit Log page are described in Table 1.
(Optional) Click Details link to view the details for that audit log.
The Audit Log Detail dialog box is displayed. This page displays additional fields that are not displayed on the Audit Log page; these fields are described in Table 2.

Click OK to close the Audit Log Detail dialog box.
(Optional) Click Export to export audit logs as a comma-separated values (CSV) file to view and analyze the exported audit logs as needed. You can either export all audit logs at once or for a specific timespan.
(Optional) Click Time Span and select the time span to view the audit log for a specific period.

Table 1: Fields on the Audit Log Page
Field	Description
Timestamp	Timestamp for the audit log file that is stored in UTC time in the database but mapped to the local time zone of the client computer.
Username	Username of the user that initiated the task.
Action	Name of the task that triggered the audit log.
Details	Detailed information about the task performed. Click the details link to view more details about the task.

Table 2: Fields on the Audit Log Details Page
Field	Description
Timestamp	Timestamp for the audit log file that is stored in UTC time in the database but mapped to the local time zone of the client computer.
Username	Username of the user that initiated the task.
Action	Name of the task that triggered the audit log. For details, see Table 3.

Table 3: Fields displayed for Audit Log Action
Action that triggered the Audit Log	Fields Displayed on Audit Log Details Column
Create application token	{'token id': , 'token name': , 'token description': }
Update application token	{"token id": , "token name": , "token description": }
Delete application token	{"token id": }
User login	{"role": , "client ip": , "XFF": }
User logout	{"role": , "client ip": , "XFF": }
Request enrollment slax script	{"enrolled from": }
Request disenrollment slax script	{"enrolled from": }
SRX enrollment complete (or) SRX disenrollment complete	{'serial number': , 'model': , 'version': , 'host': , 'enrolled from': }
SRX enrollment complete (or) SRX disenrollment complete	{'serial number': , 'model': , 'version': , 'host': , 'enrolled from': }
Report Threat Source server	{"cc server": , "report type": }
Create file inspection profile	{"profile name": }
Update file inspection profile	{"profile name":, "profile id": , 'category thresholds': , 'disabled categories': }
Delete file inspection profile	{"profile name": }
Create enrollment command
Create disenrollment command
Delete devices	{'devices': }
Delete device statistics data	{'devices': }
Delete device	{"device": }
Enroll device	{"device": }
Disenroll device	{"device": }
Attach device to realm	{"device": , "realm": }
Detach device from realm	{"device": , "realm": }
Administrator action on blocked attachments	{"action": , "id": }
Administrator action on quarantined emails	{"action": , "id": }
User action on blocked attachments	{"action": , "id": }
User action on quarantined emails	{"action": , "id": }
Update quarantined emails configuration	{"smtp": {}, ... }
Update blocked attachments configuration	{"imap": {}, ... }
Update blocked attachments configuration	{"server_list": }
Update blocked attachments configuration	{'domain_name': }
Delete blocked attachments configuration	{'domain_name': }
Update quarantined emails configuration	{'release_option': , 'release_email': , 'replacement_link_text': , 'replacement_subject': , 'replacement_body': , 'learn_more_url': }
Update blocked attachments configuration	{'notification_link_text': , 'notification_subject': , 'notification_body': , 'learn_more_url': , 'unblock_email': }
Update administrator blocked attachments notification	{'notify_email': , 'notify_block': , 'notify_unblock': }
Delete administrator blocked attachments notification	{'notify_email': , ….}
Update administrator quarantined emails notification	{'notify_email': , 'notify_quarantine': , 'notify_release': }
Delete administrator quarantined emails notification	{'notify_email': , ….}
Report Encrypted Traffic server	{"eta server": , "report type": }
Add data to Encrypted Traffic allowlist	[ {"value": , } ...]
Update data of Encrypted Traffic allowlist	{"existing value": , "new value": }
Delete data from Encrypted Traffic allowlist	{"deleted value": }
Update infected host threat level threshold	{"host threshold": }
Update TAXII sharing threshold	{"taxii threshold": , "taxii sharing": }
Update host event and malware logging	{"host status": , "malware status": }
Update MIST integration status	{"mist status": }
Create infected host email configuration	{"email": , "email threshold":}
Update infected host email configuration	{"email": , "email threshold": }
Delete infected host email configuration	{"email": }
Add data to hash	{'valid hashes': ,'unique hashes': , 'invalid hashes': }
Replace data of hash	{'valid hashes': ,'unique hashes': , 'invalid hashes': }
Delete data from hash	{"hashes": }
Delete data from hash	{'valid_hashes': , 'invalid_hashes': }
Update host investigation status	{"host ip": , "inv status": , "policy": , "label": }
Update host investigation status	{"host ip": , "inv status": , "policy": , "label": }
Log host tracking records
Update SecIntel third party feed configuration	{"feeds": [{"feed_name": , "feed_in_ha": }, ... ]}
Request password reset
Successful password reset
Update proxies	{'proxy ips': }
Delete proxies	{'proxy ips': }
Create security realm	{"realm": }
Delete security realm event data	{"realm": }
Add data to C&C Server [allowlist\|blocklist]	[ {'value': ,'user_comments':}, ….]
Delete data from C&C Server [allowlist\|blocklist]	[ {'value': ,'user_comments':}, ….]
Add data to C&C Server [allowlist\|blocklist]	{"file name": , "data": }
Delete data from C&C Server [allowlist\|blocklist]	{"file name": , "data": }
Update data of C&C Server [allowlist\|blocklist]	{"entry id": , "value": }
Delete data from C&C Server [allowlist\|blocklist]	{"entry": , "value": , "last_updated": , "user_comments": , "submitted_by": }
Report file submission	{"submission id": , "report type": , 'already submitted': }
User manually uploaded file	{"submission id": , "user comments": , "file name": , "already submitted": , "threat level": }
Create user profile	{'first_name': , 'last_name': , "username": }
Update user profile	{'first_name': , 'last_name': , "username": }
Update user profile	{'first_name': , 'last_name': , "username": }
Update user profile	{'first_name': , 'last_name': , "username": }
Update user profile	{'first_name': , 'last_name': , "username": }
Delete user profile	{"username": }
Change user password
Submit user feedback	{"feedback_type": }
Add data to [URL\| IP] [allowlist\|blocklist]	{"added_values": }
Update data of [allowlist\|blocklist]	{"previous value": , "new value": }
Delete data from [allowlist\|blocklist]	{"deleted value": }
Replace [allowlist\|blocklist] data	{"data": [ {'value': }, …]}
Replace [allowlist\|blocklist] data	{"data": [ {'value': }, …]}
Update [allowlist\|blocklist] data	{operation: } operation can be 'add' or 'remove'
Update [allowlist\|blocklist] data	{operation: } operation can be 'add' or 'remove'
Update [allowlist\|blocklist]data	{operation: } operation can be 'add' or 'remove'
Update [allowlist\|blocklist] data	{operation: } operation can be 'add' or 'remove'
Update [allowlist\|blocklist] data	{operation: , "file name": } operation can be 'add' or 'remove'
Update [allowlist\|blocklist] data	{operation: , "file name": } operation can be 'add' or 'remove'
User logged in	{"role": , "client ip": , "XFF": }
SRX initiated enrollment	{"version": , "model": , "realm": }
SRX initiated disenrollment	{"version": , "model": , "realm": }
Delete device	{"device": }
Delete device	{"devices": }
Update infected host expiration	data = {"expiry config": , "ips": [ {"value": }, …] }
Update Multifactor Authentication	{"mfa method": , "mfa period": }
Request Multifactor Authentication Code	{"mfa_method":}
Verify Multifactor Authentication Code
Request MFA OTP Change
Enforce MFA OTP Change
Request MFA OTP Enrollment
Enforce MFA OTP Enrollment
Delete MFA OTP
Request MFA OTP reset
Enforce MFA OTP reset
Update phone number of a user	{"phone": }
Verify updated phone number
Add new phone number	{"phone": }
Verify new phone number
Delete user phone number
Attach realm	{"realm": ,"associated realm": }
Detach realm	{"realm": ,"disassociated realm": }
Create report	{ {"reports_api": , …}, "report_id": }
Create report definition	{"duration": , "recurrence": , "name": , "definition type":}
Update report definition	{"name": , "type": , "duration": , "recurrence": }
Delete report definition	{"name": }
Delete report	{"report id": }
Create adaptive threat profiling feed	{"feed type": , "ttl": , "infected host feed": , "feed category": , "feed name": }
Delete excluded adaptive threat profiling feed entry	{"delete entry": }
Add excluded adaptive threat profiling feed entry	{"feed name": , "added entry": }
Add user excluded adaptive threat profiling feed entry	{"feed name": , "added entry": }
Update adaptive threat profiling feed	{"ttl": , "infected host feed": , "feed name": }
Delete adaptive threat profiling feed	{"feed name": }

Note:

If the value of the field is none, then that field is not displayed on the Audit Log Details page

View Audit Logs

Related Documentation