Audit Logs

Audit logs contain information regarding user-initiated events that happen in Cisco Vulnerability Management and the API. This information includes:

  • Date/Timestamp

  • User ID

  • User Email

  • Client ID

  • Impersonator ID

  • IP Address

  • Action (called event name)

  • Details

The following actions are logged: 

  • User login time

Important: Logout events are currently not logged. Sessions expire after a period without any activity from the user, so the logout time should be taken as the time of the user's last logged event plus that inactivity period.

  • Risk meter
    • Created
    • Deleted
    • Updated
  • Asset updates 

Important: User-initiated priority score changes are logged as part of the asset updated event.

  • User account
    • Created
    • Deleted
    • Updated
  • Vulnerability status changes
  • Password updates 
  • API Key
    • Created
    • Revoked
  • Connector
    • Created
    • Deleted
    • Updated
  • Request Activity
  • Risk Score Overrides
  • Export
    • Created
    • Downloaded

Events that are not logged:

  • When Cisco Vulnerability Management operates on a resource (such as any non-human changes).
  • When a customer requests that Cisco Support make changes in the UI.
  • When an administrator creates, edits, or deletes a user while logged in to an MSSP.

Important Details:

  • Audit logs are available through the API and are not currently accessible from the Cisco Vulnerability Management UI.
  • The audit log feature only logs events that happen in the Cisco Vulnerability Management UI and the API. 
  • Events can take up to 24 hours to appear in the output.
  • The API output format is a gzipped JSON lines file.
  • Start and End dates are required for a GET request.
  • Currently, the only supported filtering option is a date range, which you must specify in the API request. 
    • The date range is limited to 365 calendar days from the date of request.

Important: Event logging began on December 11, 2020 for most customers.

  • Within the allowed date range, you may request any date/time slot.
  • A file with no content is returned if there are no audit logs for the specified period.

Important: A valid API token from an administrator account is required to request audit logs.

Use Audit Logs

1. In Cisco Vulnerability Management, click the Settings icon (Settings-icon.png).

2. Click API Keys.

3. Locate your API key and click Copy. Your token is copied to your clipboard.

4. In a command prompt, enter the following command:

curl -H "X-Risk-Token: <enter your token here>" -H "Content-type: application/gzip" "https://{your base kenna url}/audit_logs?start_date={enter start date}&end_date={enter end date}" -o {enter your file name here}.json.gz

Important: You must use the YYYY-MM-DD format for the start and end dates.

A successful request returns a gzip-compressed results file with contents similar to the example below. The file can contain multiple lines, each of which is an independent JSON object. In this example, on December 2, 2020, user 18176 from IP address 172.18.0.22 created an API key.

Note: The response was formatted using a JSON formatter.

Date format: 2020-12-02 20:59:42 UTC

Formatted response:

{
  "audit_log_event": {
    "details": {
      "target_user_id": 33536
    },
    "ip_address": "172.18.0.22",
    "client_id": 16649,
    "impersonator_id": null,
    "kenna_user_id": 18176,
    "user_email": "demo@kennasecurity.com",
    "name": "ApiKeyCreated",
    "uuid": "13af44f3-72f8-49f6-ae1d-fcf6177fbb06",
    "occurred_at": "2020-12-02 20:59:42 UTC"
  }
}

Error Responses

Errors are generated when the API call is unsuccessful. In that case no results file is returned; instead the API responds with one of the error objects shown below.

If the start date is later than the end date, the following error message displays.

Formatted error response:

{
  "success": "false",
  "error": "unprocessable_entity",
  "message": "start_time must be less than or equal to end_date"
}

When an unauthorized request is made, the following error message displays.

Formatted error response:

{
  "success": "false",
  "error": "unauthorized",
  "message": "401 Unauthorized. Incorrect API key format."
}
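The following script is an added example, not Cisco's code or part of this article: it assembles the audit_logs GET request described in the Use Audit Logs procedure, checks the date range locally before sending the token anywhere (so a bad range is caught without a round trip), decodes the gzipped JSON-lines result file, and reads the JSON error body on a 401 or 422 response. The host name, token and the SAMPLE_ROWS file contents are constructed placeholders, and the "365 calendar days from the date of request" rule is read here as "the start date may not be more than 365 days before today", which is an assumption.

```python
"""Added example, not Cisco's code: build the audit_logs request, check the
date range locally, parse the gzipped JSON-lines result and read the error
body when the request fails. Host name, token and sample rows are constructed."""
import gzip
import io
import json
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

DATE_FMT = "%Y-%m-%d"   # the API requires YYYY-MM-DD start and end dates
MAX_RANGE_DAYS = 365    # assumed reading of "365 calendar days from the date of request"


def check_range(start_date, end_date, today=None):
    """Return None when the range is acceptable, else a reason string that
    mirrors the API's own unprocessable_entity check. 'today' (YYYY-MM-DD) can be
    pinned for deterministic tests; it defaults to the current UTC date."""
    try:
        start = datetime.strptime(start_date, DATE_FMT).date()
        end = datetime.strptime(end_date, DATE_FMT).date()
        now = (datetime.strptime(today, DATE_FMT).date() if today
               else datetime.now(timezone.utc).date())
    except ValueError:
        return "dates must use the YYYY-MM-DD format"
    if start > end:
        return "start_date must be less than or equal to end_date"
    if start < now - timedelta(days=MAX_RANGE_DAYS):
        return f"start_date is more than {MAX_RANGE_DAYS} calendar days before the request date"
    return None


def build_url(base_url, start_date, end_date):
    """Compose the GET URL; base_url is the customer's base Kenna host name."""
    query = urlencode({"start_date": start_date, "end_date": end_date})
    return f"https://{base_url}/audit_logs?{query}"


def parse_audit_log(gz_bytes):
    """Decode a gzipped JSON-lines file: each non-empty line is one
    {"audit_log_event": {...}} object. An empty file yields []."""
    events = []
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                events.append(json.loads(line)["audit_log_event"])
    return events


def fetch_audit_log(base_url, token, start_date, end_date):
    """Perform the request (not exercised offline). Returns (status, payload):
    the event list on success, or the parsed error body on 401/422."""
    problem = check_range(start_date, end_date)
    if problem:
        raise ValueError(problem)
    req = Request(build_url(base_url, start_date, end_date),
                  headers={"X-Risk-Token": token, "Content-type": "application/gzip"})
    try:
        with urlopen(req, timeout=60) as resp:
            return resp.status, parse_audit_log(resp.read())
    except HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        try:
            return err.code, json.loads(body)  # {"success":"false","error":...,"message":...}
        except json.JSONDecodeError:
            return err.code, {"error": "non_json_body", "message": body}


# Constructed sample rows in the documented shape (not real customer data).
SAMPLE_ROWS = [
    {"audit_log_event": {"name": "ApiKeyCreated", "kenna_user_id": 18176,
     "user_email": "demo@kennasecurity.com", "client_id": 16649,
     "impersonator_id": None, "ip_address": "172.18.0.22",
     "uuid": "13af44f3-72f8-49f6-ae1d-fcf6177fbb06",
     "occurred_at": "2020-12-02 20:59:42 UTC", "details": {"target_user_id": 33536}}},
    {"audit_log_event": {"name": "SessionCreated", "kenna_user_id": 18176,
     "user_email": "demo@kennasecurity.com", "client_id": 16649,
     "impersonator_id": None, "ip_address": "172.18.0.22",
     "uuid": "00000000-0000-0000-0000-000000000000",  # placeholder uuid
     "occurred_at": "2020-12-02 20:40:11 UTC", "details": {}}},
]


def sample_gz(rows):
    """Write rows as a gzipped JSON-lines file, the format the API returns."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as fh:
        for row in rows:
            fh.write(json.dumps(row) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    for event in parse_audit_log(sample_gz(SAMPLE_ROWS)):
        print(event["occurred_at"], event["name"], event["kenna_user_id"], event["ip_address"])
```

To run it against a real tenant, call fetch_audit_log("<your base kenna url>", "<token>", "2020-12-01", "2020-12-31") from an administrator account; a returned status of 401 or 422 comes with the parsed error object so the message can be logged rather than silently dropped.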

Appendix A - Reference

Events (Serialized by Auditor)

This table outlines all the standard events that are logged. Each entry gives the event name, the event as returned by the API, and the trigger (the UI or API user activity that generates it).

RiskMeterCreated

{
  "name": "RiskMeterCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": [{
      "name": "saved_search",
      "value": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }]
  }
}

UI

  • On the Explore page, you can enter a query string.
  • You can also group different vulnerability filters:
    1. Select the vulnerability filters.
    2. Give the group a name.
    3. Click Save Group in the pop-up that displays below the Search bar.
  • On the Dashboard page, click Add Risk Meter.

API

  • POST  /asset_groups

RiskMeterUpdated

{
  "name": "RiskMeterUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": [{
      "name": "saved_search",
      "value": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }]
  }
}

UI

  • On the Explore page, highlight the group name and click the Pencil icon to edit.

  • On the Dashboard card view, hover over a risk meter and click the top left triangle that appears. Click Edit to change the name and associated roles of the group.

  • On the Dashboard list view, hover over a risk meter and click the top pencil icon that appears to change the name and associated roles of the group.

API

  • PUT /asset_groups/:id

RiskMeterDeleted

{
  "name": "RiskMeterDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter"
  }
}

UI

  • On the Explore page, highlight the group name and click the Trash Can icon.
  • On the Dashboard card view, hover over a risk meter and click the top left triangle that appears. Click Delete.
  • On the Dashboard list view, hover over a risk meter and click the top trash can icon that appears.

API

  • DELETE /asset_groups/:id

UserCreated

{
  "name": "UserCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "fields": {
      "email": "john.smith@example.com",
      "first_name": "John",
      "last_name": "Smith",
      "phone": 1234567890,
      "role": "administrator"
    }
  }
}

UI

  • In the Settings menu, click Users and select New user.

API

  • POST /users

UserUpdated

{
  "name": "UserUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "fields": {
      "email": "john.smith@example.com",
      "first_name": "John",
      "last_name": "Smith",
      "phone": 1234567890,
      "role": "administrator"
    }
  }
}

UI

  • In the Settings menu, click Profile and select Save.
  • In the Settings menu, click the Edit Pencil next to the specific user and select Save.

API

  • PUT /users/:id

UserPasswordUpdated

{
  "name": "UserPasswordUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI

  • In the Settings menu, click Profile and select Save if the password is changed.
  • In the Settings menu, click the Edit Pencil next to the specific user and select Save if the password is changed.

API

  • PUT /users/:id (if the password is changed)

UserDeleted

{
  "name": "UserDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "target_user_email": "john.smith@example.com"
  }
}

UI

  • In the Settings menu, click Users and select the Trash Can next to the specific user.

API

  • DELETE /users/:id

ConnectorCreated

{
  "name": "ConnectorCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "fields": {
      "name": "name",
      "host": "example.com",
      "scan_list": "1,2,3"
    }
  }
}

UI

  • On the Connectors screen, click Add Connector then click Save.

ConnectorUpdated

{
  "name": "ConnectorUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "fields": {
      "name": "name",
      "host": "example.com",
      "scan_list": "1,2,3"
    }
  }
}

UI

  • On the Connectors screen, click the Edit Pencil icon for a specific connector then click Save.

API

  • PUT /connectors/:id

ConnectorDeleted

{
  "name": "ConnectorDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "name": "name"
  }
}

UI

  • On the Connectors screen, click the Trash Can icon for a specific connector.

ApiKeyCreated

{
  "name": "ApiKeyCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI

  • In the Settings menu, click API Keys then select Create Token or Change Token.
  • In the Settings menu, click Users then select the username. Click Generate New Key.
  • In the Admin menu under the Users Edit page, click Generate New Key.

ApiKeyRevoked

{
  "name": "ApiKeyRevoked",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI

  • In the Settings menu, click API Keys then select Revoke Token.
  • In the Settings menu, click Users then select the username. Click Revoke Key.

AssetUpdated

{
  "name": "AssetUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "asset_id": 1,
    "fields": { ... }
  }
}

fields holds the asset fields that were changed, which can be any of the following: ec2_locator, mac_address_locator, netbios_locator, ip_address_locator, hostname_locator, url_locator, file_locator, fqdn_locator, application_locator, external_id_locator, database_locator, priority, notes, operating_system, last_booted_at, ipv6, inactive, last_seen_time, owner.

UI

  • On the Explore page when selecting one or multiple assets and making a change.
  • On the Asset Detail screen, click the Edit Pencil icon then click Save.

API

  • PUT /assets/:id
  • PUT /assets/bulk

VulnerabilityStatusChange

{
  "name": "VulnerabilityStatusChange",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "status": "closed"
      }
    ]
  }
}

UI

  • On the Vulnerability Show page, there is a Vulnerability Actions sidebar with the following buttons to change the status of a vulnerability:
    • Close Vulnerability 
    • Reopen Vulnerability
    • Accept Risk
    • False Positive
  • On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Set Status, all of the buttons (Open, Closed, Risk Accepted, False Positive) will change the selected vulnerabilities' status.

API

The status field can be passed as a value when updating a vulnerability or bulk updating vulnerabilities using the following routes:

  • PUT /vulnerabilities/bulk
  • PUT /vulnerabilities/:id

RiskScoreOverridden

{
  "name": "RiskScoreOverridden",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "risk_score": 400
      }
    ]
  }
}

UI

  • On the Vulnerability Show page, when you click Edit in the Score box, an 'Override Score' modal pops up. Changing the score and clicking Save Changes hits the update route on the vulnerabilities controller.
    Note: If you manually override this score, the vulnerability will no longer be updated dynamically. This change cannot be reverted to display the Cisco Security Risk Score, and the change will be logged for audit purposes.
  • On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Edit, then select Score, it brings up the same modal as above.

API

The override_score field can be passed as a value when updating a vulnerability or bulk updating vulnerabilities using the following routes:

  • PUT /vulnerabilities/bulk
  • PUT /vulnerabilities/:id

SessionCreated

{
  "name": "SessionCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {}
}

UI

  • When a user logs in.

ExportCreated

{
  "name": "ExportCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "export_type": "Asset",
    "export_format": "json",
    "risk_meter_name": "name",
    "risk_meter_id": 1,
    "query": {"status": "open"}
  }
}

risk_meter_name and risk_meter_id are present only if a risk meter was part of the export; query is present only if no risk meter was.

UI

  • On the Explore screen in any tab, click Export This View in the bottom right.

  • On the Application Security Module Explore screen, click Export This View in the bottom right.

API

  • POST /data_exports

ExportRetrieved

{
  "name": "ExportRetrieved",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "details": {
    "export_type": "Asset",
    "export_format": "json",
    "risk_meter_name": "name",
    "risk_meter_id": 1,
    "query": {"status": "open"}
  }
}

risk_meter_name and risk_meter_id are present only if a risk meter was part of the export; query is present only if no risk meter was.

UI

  • Downloading a Fix, Vuln, Findings, or Asset export.

API

  • GET /data_exports

RequestActivity

{
  "name": "RequestActivity",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "http_method": "GET",
    "url": "/assets/1",
    "source": "API|Website"
  }
}

source is either "API" or "Website", depending on where the request originated.

UI

  • Any time a request is made to the Cisco Vulnerability Management platform.

API

  • Any time a request is made to the API.

InactiveAssetsDeleted

{
  "name": "InactiveAssetsDeleted",
  "details": {
    "assets": [
      {
        "id": 16153527,
        "inactive_at": "2021-06-14 15:27:18 +0000",
        "last_seen_time": "2020-12-16 15:27:18 +0000",
        "locator_value": "SIMONS-MBP",
        "primary_locator": "netbios"
      },
      {
        "id": 16153528,
        "inactive_at": "2021-08-02 16:32:55 +0000",
        "last_seen_time": "2021-02-03 16:32:55 +0000",
        "locator_value": "02:6E:FD:98:53:06",
        "primary_locator": "mac_address"
      }
    ]
  }
}

Background Job

  • After an Asset has gone inactive and has subsequently been permanently deleted.
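The helpers below are an added example, not Cisco's code or part of this article. They run the defender-side checks a reviewer usually wants over events in the shape documented in this appendix: pull out credential, identity, connector and scoring changes; list events performed under impersonation (impersonator_id set); find user records given the administrator role; estimate session end times, since logout events are not logged, as the last event plus the inactivity period; and flag events from IP addresses outside an allow-list. SAMPLE_EVENTS is constructed here (placeholder values, not real data) and the inactivity timeout is an assumed parameter because the article does not state its value; the two timestamp spellings handled are the ones that appear on this page.

```python
"""Added example, not Cisco's code: review helpers over audit-log events in
the shape documented in the appendix. SAMPLE_EVENTS is constructed; the
session inactivity timeout is an assumed parameter."""
from datetime import datetime, timedelta, timezone

# Credential, identity, connector and scoring changes: the event names a
# reviewer usually reads first (names as documented in the appendix).
SENSITIVE_EVENTS = {
    "ApiKeyCreated", "ApiKeyRevoked", "UserCreated", "UserUpdated",
    "UserPasswordUpdated", "UserDeleted", "RiskScoreOverridden",
    "ConnectorCreated", "ConnectorUpdated", "ConnectorDeleted",
}

# Constructed sample events (placeholder values, not real customer data).
SAMPLE_EVENTS = [
    {"name": "SessionCreated", "occurred_at": "2020-12-02 20:40:00 UTC",
     "kenna_user_id": 18176, "user_email": "demo@kennasecurity.com",
     "impersonator_id": None, "ip_address": "172.18.0.22", "client_id": 16649,
     "uuid": "u-1", "details": {}},
    {"name": "ApiKeyCreated", "occurred_at": "2020-12-02 20:59:42 UTC",
     "kenna_user_id": 18176, "user_email": "demo@kennasecurity.com",
     "impersonator_id": None, "ip_address": "172.18.0.22", "client_id": 16649,
     "uuid": "u-2", "details": {"target_user_id": 33536}},
    {"name": "UserUpdated", "occurred_at": "2020-12-03 09:10:05 +0000",
     "kenna_user_id": 43, "user_email": "user@example.com",
     "impersonator_id": 1, "ip_address": "203.0.113.7", "client_id": 16649,
     "uuid": "u-3", "details": {"target_user_id": 77,
                                "fields": {"role": "administrator"}}},
    {"name": "RequestActivity", "occurred_at": "2020-12-03 09:12:00 +0000",
     "kenna_user_id": 43, "user_email": "user@example.com",
     "impersonator_id": None, "ip_address": "203.0.113.7", "client_id": 16649,
     "uuid": "u-4", "details": {"http_method": "GET", "url": "/assets/1",
                                "source": "API"}},
]


def parse_occurred_at(value):
    """Accept both timestamp spellings seen in the article:
    '2020-12-02 20:59:42 UTC' and '2018-12-07 10:16:21 +0000'."""
    if value.endswith(" UTC"):
        value = value[:-4] + " +0000"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def sensitive_events(events):
    """Events whose name is in SENSITIVE_EVENTS, oldest first."""
    hits = [e for e in events if e["name"] in SENSITIVE_EVENTS]
    return sorted(hits, key=lambda e: parse_occurred_at(e["occurred_at"]))


def impersonated_events(events):
    """Events performed while impersonating the user (impersonator_id set)."""
    return [e for e in events if e.get("impersonator_id") is not None]


def admin_role_changes(events):
    """UserCreated/UserUpdated events whose changed fields carry the
    administrator role; returns (actor id, target id, uuid) tuples."""
    out = []
    for e in events:
        if e["name"] in ("UserCreated", "UserUpdated"):
            fields = e.get("details", {}).get("fields", {})
            if fields.get("role") == "administrator":
                out.append((e["kenna_user_id"], e["details"]["target_user_id"], e["uuid"]))
    return out


def estimated_logouts(events, inactivity_minutes):
    """Logout events are not logged, so approximate each user's session end as
    the time of their last event plus the inactivity timeout (assumed value)."""
    last = {}
    for e in events:
        ts = parse_occurred_at(e["occurred_at"])
        uid = e["kenna_user_id"]
        if uid not in last or ts > last[uid]:
            last[uid] = ts
    return {uid: ts + timedelta(minutes=inactivity_minutes) for uid, ts in last.items()}


def events_from_unknown_ips(events, known_ips):
    """Events whose source IP is outside the allow-list; maps uuid -> ip."""
    return {e["uuid"]: e["ip_address"] for e in events if e["ip_address"] not in known_ips}


if __name__ == "__main__":
    for e in sensitive_events(SAMPLE_EVENTS):
        print(e["occurred_at"], e["name"], "by", e["kenna_user_id"],
              "impersonated" if e["impersonator_id"] is not None else "")
    print(estimated_logouts(SAMPLE_EVENTS, inactivity_minutes=30))
    print(events_from_unknown_ips(SAMPLE_EVENTS, {"172.18.0.22"}))
```

Because events can take up to 24 hours to appear, run these checks over a window that ends at least a day in the past, and treat a RequestActivity event as the last sign of life for a session rather than only the sensitive events.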