Audit logs contain information regarding user-initiated events that happen in Cisco Vulnerability Management and the API. This information includes:
- Date/Timestamp
- User ID
- User Email
- Client ID
- Impersonator ID
- IP Address
- Action (called event name)
- Details
The following actions are logged:
- User login time
  Important: Logout events are currently not logged. Sessions expire after a period without any activity from the user, so the logout time should be taken as the time of the last event plus the inactivity period.
- Risk meter
  - Created
  - Deleted
  - Updated
- Asset updates
  Important: User-initiated priority score changes are logged as part of the asset updated event.
- User account
  - Created
  - Deleted
  - Updated
- Vulnerability status changes
- Password updates
- API Key
  - Created
  - Revoked
- Connector
  - Created
  - Deleted
  - Updated
- Request Activity
- Risk Score Overrides
- Export
  - Created
  - Downloaded
Events that are not logged:
- When Cisco Vulnerability Management operates on a resource (such as any non-human changes).
- When a customer requests that Cisco Support makes changes in the UI.
- When an administrator creates, edits, or deletes a user while logged in to an MSSP.
Important Details:
- Audit logs are available through the API and are not currently accessible from the Cisco Vulnerability Management UI.
- The audit log feature only logs events that happen in the Cisco Vulnerability Management UI and the API.
- Events can take up to 24 hours to appear in the output.
- The API output format is a gzipped JSON lines file.
- Start and End dates are required for a GET request.
- Currently, the only supported filtering option is a date range, which you must specify in the API request.
- The date range is limited to 365 calendar days from the date of request.
  Important: Event logging began on December 11, 2020 for most customers.
- Within the allowed date range, the user may request any date/time slot.
- A file with no content is returned if there are no audit logs for the specified period.
Important: A valid API token from an administrator account is required to request audit logs.
Use Audit Logs
1. In Cisco Vulnerability Management, click the Settings icon.
2. Click API Keys.
3. Locate your API key and click Copy. Your token is copied to your clipboard.
4. In a command prompt, enter the following command:
curl -H "X-Risk-Token: <enter your token here>" -H "Content-type: application/gzip" "https://{your base kenna url}/audit_logs?start_date={enter start date}&end_date={enter end date}" -o {enter your file name here}.json.gz
Important: You must use the YYYY-MM-DD format for the start and end dates.
A successful request returns a compressed gzip results file with contents similar to those shown in the example below. The file can contain multiple lines, each of which is an independent JSON object. In this example, on December 2, 2020 user 18176 from IP address 172.18.0.22 created an API Key.
Note: The response was formatted using a JSON formatter.
Date format: 2020-12-02 20:59:42 UTC
Formatted response:
{
  "audit_log_event": {
    "details": {
      "target_user_id": 33536
    },
    "ip_address": "172.18.0.22",
    "client_id": 16649,
    "impersonator_id": null,
    "kenna_user_id": 18176,
    "user_email": "demo@kennasecurity.com",
    "name": "ApiKeyCreated",
    "uuid": "13af44f3-72f8-49f6-ae1d-fcf6177fbb06",
    "occurred_at": "2020-12-02 20:59:42 UTC"
  }
}
Error Responses
Errors are generated when the API call is unsuccessful and no response is received.
When the start date is later than the end date, the following error message displays.
Formatted error response:
{
"success":"false",
"error":"unprocessable_entity",
"message":"start_time must be less than or equal to end_date"
}
When an unauthorized request is made, the following error message displays.
Formatted error response:
{
"success":"false",
"error":"unauthorized",
"message":"401 Unauthorized. Incorrect API key format."
}
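The request in step 4 and the response format described above, as an added example that is not part of the original page: it builds the audit_logs URL and X-Risk-Token header, checks the date-range rules (YYYY-MM-DD, start on or before end, at most 365 days) before the API returns the unprocessable_entity error, decodes the gzipped JSON lines file, and picks out the events an administrator would review first. The base URL, token and the three sample events are constructed placeholders, not real data.

```python
import gzip
import io
import json
from datetime import date, timedelta

def build_request(base_url, token, start_date, end_date):
    # Dates must be YYYY-MM-DD, start on or before end, range at most 365 days:
    # the page's conditions, checked here before the API can reject the call.
    start, end = date.fromisoformat(start_date), date.fromisoformat(end_date)
    if start > end:
        raise ValueError("start_date must be less than or equal to end_date")
    if end - start > timedelta(days=365):
        raise ValueError("date range is limited to 365 calendar days")
    return {
        "url": f"https://{base_url}/audit_logs?start_date={start_date}&end_date={end_date}",
        "headers": {"X-Risk-Token": token, "Content-type": "application/gzip"},
    }

def parse_audit_log(gz_bytes):
    # Gzipped JSON lines: one {"audit_log_event": {...}} per line; an empty
    # file (no events in the period) yields an empty list.
    events = []
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                events.append(json.loads(line)["audit_log_event"])
    return events

# Events worth a first look in a review: credential issuance, account changes,
# score overrides, and anything done while impersonating another user.
REVIEW_NAMES = {"ApiKeyCreated", "UserCreated", "UserUpdated", "RiskScoreOverridden"}
def flag_for_review(events):
    return [e for e in events
            if e["name"] in REVIEW_NAMES or e.get("impersonator_id") is not None]

# Constructed sample file in the page's format (not real data).
SAMPLE_GZ = gzip.compress("\n".join(json.dumps({"audit_log_event": e}) for e in [
    {"name": "ApiKeyCreated", "kenna_user_id": 18176, "impersonator_id": None,
     "ip_address": "172.18.0.22", "occurred_at": "2020-12-02 20:59:42 UTC",
     "details": {"target_user_id": 33536}},
    {"name": "SessionCreated", "kenna_user_id": 43, "impersonator_id": 1,
     "ip_address": "1.2.3.4", "occurred_at": "2020-12-02 21:00:00 UTC", "details": {}},
    {"name": "RiskMeterUpdated", "kenna_user_id": 43, "impersonator_id": None,
     "ip_address": "1.2.3.4", "occurred_at": "2020-12-02 21:05:00 UTC", "details": {}},
]).encode())

if __name__ == "__main__":
    print(build_request("YOUR-BASE-KENNA-URL", "YOUR-TOKEN", "2020-12-01", "2020-12-31")["url"])
    for e in flag_for_review(parse_audit_log(SAMPLE_GZ)):
        print(e["occurred_at"], e["name"], "user", e["kenna_user_id"], "from", e["ip_address"])
```

To run it against a real download, replace SAMPLE_GZ with the bytes of the .json.gz file the curl command saves.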
Appendix A - Reference
Events (Serialized by Auditor)
This table outlines all the standard events that are logged.
Name | Event (returned by API) | Trigger (user activity)
RiskMeterCreated | { name: "RiskMeterCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { id: 12345, name: 'A Risk Meter', fields: [{ name: 'saved_search', value: { "status": ["active"], "vulnerability": { "status": ["open"], "top_exploit": ["true"] } } }] } } | UI, API
RiskMeterUpdated | { name: "RiskMeterUpdated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { id: 12345, name: 'A Risk Meter', fields: [{ name: 'saved_search', value: { "status": ["active"], "vulnerability": { "status": ["open"], "top_exploit": ["true"] } } }] } } | UI, API
RiskMeterDeleted | { name: "RiskMeterDeleted", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { id: 12345, name: 'A Risk Meter' } } | UI, API
UserCreated | { name: "UserCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1, fields: { email: john.smith@example.com, first_name: John, last_name: Smith, phone: 1234567890, role: administrator } } } | UI, API
UserUpdated | { name: "UserUpdated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1, fields: { email: john.smith@example.com, first_name: John, last_name: Smith, phone: 1234567890, role: administrator } } } | UI, API
UserPasswordUpdated | { name: "UserPasswordUpdated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1 } } | UI, API
UserDeleted | { name: "UserDeleted", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1, target_user_email: john.smith@example.com } } | UI, API
ConnectorCreated | { name: "ConnectorCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { connector_id: 1, fields: { name: 'name', host: 'example.com', scan_list: '1,2,3' } } } | UI
ConnectorUpdated | { name: "ConnectorUpdated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { connector_id: 1, fields: { name: 'name', host: 'example.com', scan_list: '1,2,3' } } } | UI, API
ConnectorDeleted | { name: "ConnectorDeleted", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { connector_id: 1, name: 'name' } } | UI
ApiKeyCreated | { name: "APIKeyCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1 } } | UI
ApiKeyRevoked | { name: "APIKeyRevoked", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { target_user_id: 1 } } | UI
AssetUpdated | { name: "AssetUpdated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { asset_id: 1, fields: { ec2_locator, mac_address_locator, netbios_locator, ip_address_locator, hostname_locator, url_locator, file_locator, fqdn_locator, application_locator, external_id_locator, database_locator, priority, notes, operating_system, last_booted_at, ipv6, inactive, last_seen_time, owner } } } | UI, API
VulnerabilityStatusChange | { name: "VulnerabilityStatusChange", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { vulnerability_id: 1, fields: [ { status: 'closed' } ] } } | UI; API (status can be passed as a value to update vulnerability or bulk update vulnerabilities using the following routes:)
RiskScoreOverridden | { name: "RiskScoreOverridden", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { vulnerability_id: 1, fields: [ { risk_score: 400 } ] } } | UI; API (override_score can be passed as a value to update vulnerability or bulk update vulnerabilities using the following routes:)
SessionCreated | { name: "SessionCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: {} } | UI
ExportCreated | { name: "ExportCreated", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { export_type: "Asset", export_format: "json", risk_meter_name: 'name' (if RM present on export), risk_meter_id: 1 (if RM present on export), query: { status: 'open' } (if no RM present) } } | UI, API
ExportRetrieved | { name: "ExportRetrieved", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', details: { export_type: "Asset", export_format: "json", risk_meter_name: 'name' (if RM present on export), risk_meter_id: 1 (if RM present on export), query: { status: 'open' } (if no RM present) } } | UI, API
RequestActivity | { name: "RequestActivity", occurred_at: "2018-12-07 10:16:21 +0000", kenna_user_id: 43, user_email: "user@example.com", impersonator_id: 1, ip_address: 1.2.3.4, uuid: 'uuid', client_id: 1, details: { http_method: "GET", url: "/assets/1", source: "API|Website" } } | UI, API
InactiveAssetsDeleted | { "details": { "assets": [ { "id": 16153527, "inactive_at": "2021-06-14 15:27:18 +0000", "last_seen_time": "2020-12-16 15:27:18 +0000", "locator_value": "SIMONS-MBP", "primary_locator": "netbios" }, { "id": 16153528, "inactive_at": "2021-08-02 16:32:55 +0000", "last_seen_time": "2021-02-03 16:32:55 +0000", "locator_value": "02:6E:FD:98:53:06", "primary_locator": "mac_address" } ] } } | Background Job