Enable and download audit trail logs in Splunk Phantom
Enable audit trail logging to help you track the activities of various components in Splunk Phantom. Once enabled, audit trail logs can be downloaded and included as evidence in an investigation, or analyzed when troubleshooting an issue.
Enable audit trail tracking
By default, all audit tracking in Splunk Phantom is disabled. Perform the following tasks to enable audit trail tracking in Splunk Phantom:
- From the main menu, select Administration.
- Select System Health > Audit Trail.
- Click Manage Audit Trail.
- Select the product areas for which you want to enable audit tracking.
- Click Save.
Splunk Phantom immediately starts tracking audit events for the selected items.
Even when the audit categories are disabled, Splunk Phantom automatically tracks events such as action and playbook runs and logs them as audit events.
Export audit logs
To export audit logs for a particular product area, make sure you have enabled audit tracking for that area.
After you enable audit logging, use the rest of the Audit Trail page to configure the audit logs you want to download as a CSV file. Perform the following steps to export audit events to a CSV file for download. This example shows you how to configure audit logging for containers and then download a CSV file.
First, enable audit logging for containers:
- From the Main Menu, select Administration.
- Select System Health > Audit Trail.
- Click Manage Audit Trail.
- Click the Container toggle to enable audit tracking for containers.
- Click Save.
Next, export a CSV file. This example exports the CSV file for a specific container.
- From the Audit Trail page in the Audit Type section, click Custom.
- Click Containers.
- In the drop-down list for Containers, select Custom.
- Specify the container ID, such as 123456. Only the audit trail for this specific container is downloaded.
- By default, the audit trail from the last 30 days is downloaded. Click Custom in the Audit Range Time Frame field to configure a specific date range.
- Click Download to download the CSV file.
Export audit logs for multiple users
Selecting Custom for a category adds an input field where you can specify the item to report on, such as a container. When you download the audit logs, you receive only the audit events for the container specified instead of for all containers. Other categories might let you pick from a list, such as Users.
You can download audit logs for multiple users. Use %1E as the separator. For example, to specify user1 and user2:
user1%1Euser2
Export audit logs for roles
Roles return two types of events. First, creating a role or changing its permissions shows up as audit events for that role. Second, the logs show audit events for the users currently in that role. In other words, the logs treat the role like a user group and show events for the users in it. See Accessing Audit Data in the REST API Reference for more information.
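The %1E separator used for multiple users is the percent-encoded ASCII record separator character (0x1E). The following helpers, added here as an example and not part of the Splunk documentation, build and parse that value and assemble a download URL for scripting against the REST API the page refers to. The /rest/audit path and the user, start, end and format parameter names are assumptions to be checked against Accessing Audit Data in the REST API Reference.

```python
"""Build the multi-user filter value used by the Splunk Phantom audit trail.

Added example, not from the Splunk documentation. Several user names are
joined by %1E, the percent-encoded ASCII record separator (0x1E). The
helpers below join and split that form and avoid the double-encoding
pitfall when the value is fed to a query-string builder. The /rest/audit
endpoint and parameter names in build_audit_url are assumptions taken from
the REST API Reference the page cites, not verified here.
"""
from urllib.parse import quote, unquote, urlencode

RS = "\x1e"  # ASCII record separator; becomes %1E once percent-encoded


def encode_user_filter(users):
    """Return the percent-encoded form: ['user1', 'user2'] -> 'user1%1Euser2'.

    A name that itself contains the separator is rejected, because the
    server would silently split it into two names.
    """
    for name in users:
        if RS in name:
            raise ValueError(f"user name contains the record separator: {name!r}")
    # quote() leaves letters, digits and -._~ untouched and upper-cases hex digits
    return quote(RS.join(users))


def decode_user_filter(value):
    """Inverse of encode_user_filter: 'user1%1Euser2' -> ['user1', 'user2']."""
    decoded = unquote(value)
    return decoded.split(RS) if decoded else []


def build_audit_url(base_url, users, start=None, end=None):
    """Assemble a CSV download URL for several users.

    Assumption: GET /rest/audit accepts user, start, end and format parameters.
    The raw RS-joined string is handed to urlencode, which performs the single
    percent-encoding. Passing an already encoded 'user1%1Euser2' would be
    double-encoded to 'user1%251Euser2' and match no user.
    """
    params = {"user": RS.join(users), "format": "csv"}
    if start:
        params["start"] = start
    if end:
        params["end"] = end
    return f"{base_url.rstrip('/')}/rest/audit?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values; phantom.example.com is a placeholder host.
    print(encode_user_filter(["user1", "user2"]))
    print(build_audit_url("https://phantom.example.com", ["user1", "user2"],
                          start="2020-01-01", end="2020-01-31"))
```

Pass the raw record-separator-joined string to the query-string builder and let it do the one round of percent-encoding; pre-encoding the value yourself is the most common reason a scripted multi-user download returns events for no one.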
Required privileges for enabling audit trail
To access the Audit Trail page, users must have a role with the View System Settings privilege. To view or change anything under Manage Audit Trail, they also need the Edit System Settings privilege.
With only the View System Settings privilege, the user can't access all audit items. Attempting to download with the Audit Type section set to All results in an error.
A user with only some of the required privileges can switch to Custom and select only the items they have the rights to access. The privileges for each of the items are as follows:
| Audit Trail Area | Required privileges |
|---|---|
| Authentication | View Users and Roles |
| Administration | View System Settings |
| User | View Users and Roles |
| Role | View Users and Roles |
| Playbooks | View Playbooks |
| Containers | View Containers |
Enable the audit trail for individual objects
Users can access audit information in two places: on the page for a playbook and on the Investigation page for a container.
Download a playbook's audit trail
Perform the following steps to download an audit trail for a playbook:
- Open the playbook.
- Click Playbook Settings.
- Click Audit Trail to download a CSV file containing the audit information for this playbook.
Download a container's audit trail
Perform the following steps to download an audit trail for a container:
- Click the container to open it.
- Click the ... icon, and then select Audit.
A CSV file is downloaded containing the audit information related to this container.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7