Splunk® Phantom

Administer Splunk Phantom




Enable and download audit trail logs in Splunk Phantom

Enable audit trail logging to help you track the activities of various components in Splunk Phantom. Once enabled, audit trail logs can be downloaded and included as evidence in an investigation, or analyzed when troubleshooting an issue.

Enable audit trail tracking

By default, all audit tracking in Splunk Phantom is disabled. Perform the following tasks to enable audit trail tracking in Splunk Phantom:

  1. From the main menu, select Administration.
  2. Select System Health > Audit Trail.
  3. Click Manage Audit Trail.
  4. Select the product areas for which you want to enable audit tracking.
  5. Click Save.

Splunk Phantom immediately starts tracking audit events for the selected items.

Even when the audit categories are disabled, Splunk Phantom automatically tracks events such as action and playbook runs and logs them as audit events.

Export audit logs

To export audit logs for a particular product, make sure you enabled audit tracking for that product area.

After you enable audit logging, use the rest of the Audit Trail page to choose which audit events you want to download as a CSV file. The following example shows how to configure audit logging for containers and then download a CSV file for one container.

First, enable audit logging for containers:

  1. From the Main Menu, select Administration.
  2. Select System Health > Audit Trail.
  3. Click Manage Audit Trail.
  4. Click the Container toggle to enable audit tracking for containers.
  5. Click Save.

Next, export a CSV file. This example exports the CSV file for a specific container.

  1. From the Audit Trail page in the Audit Type section, click Custom.
  2. Click Containers.
  3. In the drop-down list for Containers, select Custom.
  4. Specify the container ID, such as 123456. Only the audit trail for this specific container is downloaded.
  5. By default, the audit trail from the last 30 days is downloaded. Click Custom in the Audit Range Time Frame field to configure a specific date range.
  6. Click Download to download the CSV file.

Export audit logs for multiple users

Selecting Custom for a category, as in the container example above, adds an input field where you specify which container to report on. When you download the audit logs, you receive only the audit events for the container you specified instead of those for all containers. Other categories, such as Users, might instead let you pick from a list.

You can download audit logs for multiple users. Use %1E as the separator. For example, if you want to specify user1 and user2:

user1%1Euser2
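The %1E separator is the percent-encoding of byte 0x1E, the ASCII record separator, which is why it can carry user names that themselves contain commas or spaces. The following helper is an added example, not code from the Splunk Phantom documentation or product: it joins a list of values with that separator, percent-encodes the result exactly as the page shows, decodes it again, and assembles a request URL. The endpoint path `/rest/audit` and the parameter names `user` and `container` are assumptions for illustration; the page only refers to the REST API Reference for audit data, so confirm the real parameter names there before using this against a live instance.

```python
from urllib.parse import quote, unquote

# ASCII record separator (0x1E). Percent-encoded it is exactly "%1E",
# the separator the Audit Trail page expects between multiple values.
RS = "\x1e"


def encode_multi(values):
    """Join several values with the record separator and percent-encode them.

    Raises ValueError for an empty list or for a value that already contains
    the separator, since that would silently split into extra values.
    """
    if not values:
        raise ValueError("at least one value is required")
    for value in values:
        if RS in value:
            raise ValueError(f"value {value!r} contains the record separator")
    # safe="" so that commas, spaces and slashes inside a value are encoded too
    return quote(RS.join(values), safe="")


def decode_multi(encoded):
    """Reverse encode_multi: percent-decode, then split on the separator."""
    return unquote(encoded).split(RS)


def audit_query(base_url, **filters):
    """Build an audit export URL with one %1E-separated list per filter.

    Hypothetical: the /rest/audit path and the filter names are assumptions,
    not taken from the page. Example call:
        audit_query("https://phantom.example", user=["user1", "user2"])
    """
    params = []
    for name, values in filters.items():
        params.append(f"{name}={encode_multi([str(v) for v in values])}")
    return f"{base_url.rstrip('/')}/rest/audit?" + "&".join(params)


if __name__ == "__main__":
    encoded = encode_multi(["user1", "user2"])
    print(encoded)                      # user1%1Euser2, as on the page
    print(decode_multi(encoded))        # ['user1', 'user2']
    print(audit_query("https://phantom.example",
                      user=["user1", "user2"], container=[123456]))
```

Because every value is percent-encoded with `safe=""`, a user name such as `last, first` round-trips intact, which a comma-separated list could not guarantee.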

Export audit logs for roles

Roles return two types of events. First, creating a role or changing its permissions shows up as audit events for that role. Second, the logs show audit events for the users currently in that role. In other words, the logs treat the role like a user group and show events for the users in it. See Accessing Audit Data in the REST API Reference for more information.

Required privileges for enabling audit trail

To access the Audit Trail page, users must have a role with the View System Settings privilege. To view or change anything under Manage Audit Trail, they also need the Edit System Settings privilege.

With only the View System Settings privilege, the user can't access all audit items. Attempting to download with the Audit Type section set to All results in an error.

A user with only some of the required privileges can switch to Custom and select only the items they have the rights to access. The privileges for each of the items are as follows:

Audit Trail Area   Required privileges
----------------   ----------------------
Authentication     View Users and Roles
Administration     View System Settings
User               View Users and Roles
Role               View Users and Roles
Playbooks          View Playbooks
Containers         View Containers

Enable the audit trail for individual objects

Users can access audit information in two places: on the page for a playbook and on the Investigation page for a container.

Download a playbook's audit trail

Perform the following steps to download an audit trail for a playbook:

  1. Open the playbook.
  2. Click Playbook Settings.
  3. Click Audit Trail to download a CSV file containing the audit information for this playbook.

Download a container's audit trail

Perform the following steps to download an audit trail for a container:

  1. Click the container to view the container.
  2. Click the ... icon, and then select Audit.

A CSV file is downloaded containing the audit information related to this container.

Last modified on 25 January, 2020

This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

