Audit Logs

Audit logs contain information regarding user-initiated events that happen in the Kenna Application and the Kenna API. This information includes:

  • Date/Timestamp

  • User ID

  • User Email

  • Client ID

  • Impersonator ID

  • IP Address

  • Action (called event name)

  • Details

The following actions are logged: 

  • User login time

Important: Logout events are currently not logged. Sessions expire after a period of user inactivity, so the logout time should be taken as the time of the user's last logged event plus the inactivity timeout.

  • Risk meter
    • Created
    • Deleted
    • Updated
  • Asset updates 

Important: User-initiated priority score changes are logged as part of the asset updated event.

  • User account
    • Created
    • Deleted
    • Updated
  • Vulnerability status changes
  • Password updates 
  • API Key
    • Created
    • Revoked
  • Connector
    • Created
    • Deleted
    • Updated
  • Request Activity
  • Risk Score Overrides
  • Export
    • Created
    • Downloaded

Events that are not logged:

  • When the Kenna system operates on a resource (that is, any change not initiated by a human user).
  • When a customer requests that support make changes in the Kenna Admin User Interface (UI).
  • When an admin creates, edits, or deletes a user while logged in to an MSSP account.

Important Details:

  • Audit logs are available through the API and are not currently accessible from the Kenna Admin User Interface.
  • The audit log feature only logs events that happen in the Kenna Application UI and the Kenna API.
  • Events can take up to 24 hours to appear in the output.
  • The API output format is a gzipped JSON lines file (one JSON object per line).
  • Start and end dates are required for a GET request.
  • Currently, the only supported filter is a date range, which must be specified in the API request.
    • The date range is limited to 365 calendar days from the date of the request.
    • Any date range within the allowed window may be requested.
    • A file with no content is returned if there are no audit logs for the specified period.

Important: Event logging began on December 11, 2020 (for both AWS and GCP environments).

Important: A valid Kenna API token from an administrator account is required to request audit logs.

Using Audit Logs

Log in to Kenna and open the API Keys menu option.

(Screenshot: Kenna_API_Keys_Menu.png)

Locate your API key and click the Copy button to copy the API token.

(Screenshot: Settings_-_API_Keys.png)

From a terminal, run the following command, replacing the placeholders with your token, your Kenna base URL, the start and end dates, and an output file name:

curl -H "X-Risk-Token: <enter your token here>" -H "Content-type: application/gzip" "https://{your base kenna url}/audit_logs?start_date={enter start date}&end_date={enter end date}" -o {enter your file name here}.json.gz

Important: You must use the YYYY-MM-DD format for the start and end dates.

A successful request returns a gzip-compressed results file with contents similar to the example below. The file can contain multiple lines, each an independent JSON object. In this example, on December 2, 2020 user 18176, connecting from IP address 172.18.0.22, created an API key for user 33536 (the target_user_id in details).

Note: The response was formatted using a JSON formatter.

Date format: 2020-12-02 20:59:42 UTC
Formatted response:

{
  "audit_log_event": {
    "details": {
      "target_user_id": 33536
    },
    "ip_address": "172.18.0.22",
    "client_id": 16649,
    "impersonator_id": null,
    "kenna_user_id": 18176,
    "user_email": "demo@kennasecurity.com",
    "name": "ApiKeyCreated",
    "uuid": "13af44f3-72f8-49f6-ae1d-fcf6177fbb06",
    "occurred_at": "2020-12-02 20:59:42 UTC"
  }
}
      

Error Responses

Errors are returned when the API call is unsuccessful. Instead of a gzip file, the response body is a JSON object describing the failure, so a client should check which of the two it received before attempting to decompress.

When the start date is later than the end date, the following error message is returned.

Formatted error response: 
{
  "success": "false",
  "error": "unprocessable_entity",
  "message": "start_time must be less than or equal to end_date"
}

When an unauthorized request is made, the following error message is presented.

Formatted error response: 
{
  "success": "false",
  "error": "unauthorized",
  "message": "401 Unauthorized. Incorrect API key format."
}
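As an added example (not code from the Kenna documentation), the following Python client builds the request described under Using Audit Logs, enforces the YYYY-MM-DD and start-before-end rules before sending anything, and distinguishes the three bodies the endpoint can return: a gzipped JSON lines file, an empty file, or a JSON error object like those shown above. The host name, token, and sample payloads are constructed for the demo.

```python
"""Fetch and parse Kenna audit logs (added example; not Kenna's own code).

Assumes only what this page documents: GET /audit_logs?start_date=&end_date=,
the X-Risk-Token header, a gzipped JSON-lines success body and a JSON error
body on failure. The host, token and sample payloads below are constructed.
"""
import datetime as dt
import gzip
import json
import urllib.error
import urllib.request

GZIP_MAGIC = b"\x1f\x8b"
MAX_RANGE_DAYS = 365  # the API rejects a wider date range


def _parse_date(value):
    # Enforces the YYYY-MM-DD format the endpoint requires (ValueError otherwise).
    return dt.datetime.strptime(value, "%Y-%m-%d").date()


def build_request(base_url, token, start_date, end_date):
    """Validate the date range client-side and return a urllib Request."""
    start, end = _parse_date(start_date), _parse_date(end_date)
    if start > end:
        raise ValueError("start_date must be less than or equal to end_date")
    if (end - start).days > MAX_RANGE_DAYS:
        raise ValueError("date range may not exceed 365 calendar days")
    url = f"https://{base_url}/audit_logs?start_date={start}&end_date={end}"
    # Only the token header is needed; the response is a file, not form data.
    return urllib.request.Request(url, headers={"X-Risk-Token": token})


def parse_response(body):
    """Return (events, error) for a raw response body.

    Success bodies are gzip (magic 1f 8b) holding one JSON object per line;
    an empty window yields an empty file; failures are a JSON object with
    success/error/message, as shown under Error Responses.
    """
    if body.startswith(GZIP_MAGIC):
        text = gzip.decompress(body).decode("utf-8")
        events = [json.loads(line)["audit_log_event"]
                  for line in text.splitlines() if line.strip()]
        return events, None
    if not body.strip():
        return [], None
    return [], json.loads(body)


def fetch_audit_logs(base_url, token, start_date, end_date):
    """Perform the request; HTTP 4xx error bodies are returned, not raised."""
    req = build_request(base_url, token, start_date, end_date)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()
    return parse_response(body)


# Constructed sample data mirroring the page's example event (second uuid invented).
SAMPLE_EVENTS = [
    {"audit_log_event": {
        "name": "ApiKeyCreated", "kenna_user_id": 18176,
        "user_email": "demo@kennasecurity.com", "client_id": 16649,
        "impersonator_id": None, "ip_address": "172.18.0.22",
        "uuid": "13af44f3-72f8-49f6-ae1d-fcf6177fbb06",
        "occurred_at": "2020-12-02 20:59:42 UTC",
        "details": {"target_user_id": 33536}}},
    {"audit_log_event": {
        "name": "SessionCreated", "kenna_user_id": 18176,
        "user_email": "demo@kennasecurity.com", "client_id": 16649,
        "impersonator_id": None, "ip_address": "172.18.0.22",
        "uuid": "2b0c5e6d-0000-4000-8000-000000000001",
        "occurred_at": "2020-12-02 20:58:10 UTC", "details": {}}},
]
SAMPLE_GZ = gzip.compress(
    ("\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n").encode("utf-8"))
SAMPLE_ERROR = (b'{"success":"false","error":"unauthorized",'
                b'"message":"401 Unauthorized. Incorrect API key format."}')

if __name__ == "__main__":
    events, err = parse_response(SAMPLE_GZ)
    print(err, [e["name"] for e in events])
```

Because the endpoint returns a plain JSON object on failure, piping the body straight into gunzip hides the error message; checking the two-byte gzip magic first keeps the 401 and 422 responses readable.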

Appendix A - Reference

Events (Serialized by Auditor)

This table outlines all the standard events that are logged. For each event, the entry gives:

Name: the event name

Event (returned by API): the JSON object the API returns for that event

Trigger (user activity): the UI actions and API routes that generate it

RiskMeterCreated

{
  "name": "RiskMeterCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": [{
      "name": "saved_search",
      "value": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }]
  }
}

UI

  • On the Explore page, you can enter a query string. 
  • You can also group different vulnerability filters:
  1. Select the vulnerability filters.
  2. Give the group a name.
  3. Click Save Group in the pop-up that displays below the Search bar.
  • On the Dashboard page, click Add Risk Meter

API

  • POST  /asset_groups

RiskMeterUpdated

{
  "name": "RiskMeterUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": [{
      "name": "saved_search",
      "value": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }]
  }
}

UI

  • On the Explore page, highlight the group name and click the Pencil icon to edit.

  • On the Dashboard card view, hover over a risk meter and click the top left triangle that appears. Click Edit to change the name and associated roles of the group.

  • On the Dashboard list view, hover over a risk meter and click the top pencil icon that appears to change the name and associated roles of the group.

API

  • PUT /asset_groups/:id

RiskMeterDeleted

{
  "name": "RiskMeterDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "id": 12345,
    "name": "A Risk Meter"
  }
}

UI

  • On the Explore page, highlight the group name and click the Trash Can icon.
  • On the Dashboard card view, hover over a risk meter and click the top left triangle that appears. Click Delete.
  • On the Dashboard list view, hover over a risk meter and click the top trash can icon that appears.

API

  • DELETE /asset_groups/:id

UserCreated

{
  "name": "UserCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "fields": {
      "email": "john.smith@example.com",
      "first_name": "John",
      "last_name": "Smith",
      "phone": 1234567890,
      "role": "administrator"
    }
  }
}

UI

  • In the Settings menu, click Users and select New user.

API

  • POST /users

UserUpdated

{
  "name": "UserUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "fields": {
      "email": "john.smith@example.com",
      "first_name": "John",
      "last_name": "Smith",
      "phone": 1234567890,
      "role": "administrator"
    }
  }
}

UI

  • In the Settings menu, click Profile and select Save.
  • In the Settings menu, click the Edit Pencil next to the specific user and select Save.

API

  • PUT /users/:id

UserPasswordUpdated

{
  "name": "UserPasswordUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI

  • In the Settings menu, click Profile and select Save if the password is changed.
  • In the Settings menu, click the Edit Pencil next to the specific user and select Save if the password is changed.

API

  • PUT /users/:id (if the password is changed)

UserDeleted

{
  "name": "UserDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1,
    "target_user_email": "john.smith@example.com"
  }
}

UI

  • In the Settings menu, click Users and select the Trash Can next to the specific user.

API

  • DELETE /users/:id

ConnectorCreated

{
  "name": "ConnectorCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "fields": {
      "name": "name",
      "host": "example.com",
      "scan_list": "1,2,3"
    }
  }
}

UI

On the Connectors screen, click Add Connector then click Save.

ConnectorUpdated

{
  "name": "ConnectorUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "fields": {
      "name": "name",
      "host": "example.com",
      "scan_list": "1,2,3"
    }
  }
}

UI

On the Connectors screen, click the Edit Pencil icon for a specific connector then click Save.

 

API

PUT /connectors/:id

ConnectorDeleted

{
  "name": "ConnectorDeleted",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "connector_id": 1,
    "name": "name"
  }
}

UI

On the Connectors screen, click the Trash Can icon for a specific connector.

ApiKeyCreated

{
  "name": "ApiKeyCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI 

  • In the Settings menu, click API Keys then select Create Token or Change Token.
  • In the Settings menu, click Users then select the username. Click Generate New Key.
  • In the Admin menu under the Users Edit page, click Generate New Key.
ApiKeyRevoked

{
  "name": "ApiKeyRevoked",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "target_user_id": 1
  }
}

UI 

  • In the Settings menu, click API Keys then select Revoke Token.
  • In the Settings menu, click Users then select the username. Click Revoke Key.

 

AssetUpdated

{
  "name": "AssetUpdated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "asset_id": 1,
    "fields": {
      (one or more of the following keys, each with the new value of the changed field)
      ec2_locator, mac_address_locator, netbios_locator, ip_address_locator,
      hostname_locator, url_locator, file_locator, fqdn_locator,
      application_locator, external_id_locator, database_locator,
      priority, notes, operating_system, last_booted_at, ipv6,
      inactive, last_seen_time, owner
    }
  }
}

UI

  • On the Explore page when selecting one or multiple assets and making a change.
  • On the Asset Detail screen, click the Edit Pencil icon then click Save.

API

  • PUT /assets/:id
  • PUT /assets/bulk

VulnerabilityStatusChange

{
  "name": "VulnerabilityStatusChange",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "status": "closed"
      }
    ]
  }
}

UI

  • On the Vulnerability Show page, there is a Vulnerability Actions sidebar with the following buttons to change the status of a vulnerability:
    • Close Vulnerability 
    • Reopen Vulnerability
    • Accept Risk
    • False Positive
  • On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Set Status, all of the buttons (Open, Closed, Risk Accepted, False Positive) will change the selected vulnerabilities' status.

API

The status field can be passed when updating a vulnerability or bulk-updating vulnerabilities using the following routes:

  • PUT /vulnerabilities/bulk
  • PUT /vulnerabilities/:id

RiskScoreOverridden

{
  "name": "RiskScoreOverridden",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "risk_score": 400
      }
    ]
  }
}

UI

  • On the Vulnerability Show page, when you click Edit in the Score box, an 'Override Score' modal pops up. Changing the score and clicking Save Changes hits the update route on the vulnerabilities controller.
  • On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Edit, then select Score, it brings up the same modal as above.

 

API

The override_score field can be passed when updating a vulnerability or bulk-updating vulnerabilities using the following routes:

  • PUT /vulnerabilities/bulk
  • PUT /vulnerabilities/:id

SessionCreated

{
  "name": "SessionCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {}
}

UI

When a user logs in.

ExportCreated

{
  "name": "ExportCreated",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "export_type": "Asset",
    "export_format": "json",
    "risk_meter_name": "name",
    "risk_meter_id": 1,
    "query": {"status": "open"}
  }
}

risk_meter_name and risk_meter_id are present only when a risk meter was applied to the export; query is present only when no risk meter was applied.

UI

  • On the Explore screen in any tab, click Export This View in the bottom right.

  • On the AppSec Explore screen, click Export This View in the bottom right.

API

  • POST /data_exports

ExportRetrieved

{
  "name": "ExportRetrieved",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "details": {
    "export_type": "Asset",
    "export_format": "json",
    "risk_meter_name": "name",
    "risk_meter_id": 1,
    "query": {"status": "open"}
  }
}

risk_meter_name and risk_meter_id are present only when a risk meter was applied to the export; query is present only when no risk meter was applied.

UI

Downloading a Fix, Vuln, Findings, or Asset export

 

API

GET /data_exports

 

RequestActivity

{
  "name": "RequestActivity",
  "occurred_at": "2018-12-07 10:16:21 +0000",
  "kenna_user_id": 43,
  "user_email": "user@example.com",
  "impersonator_id": 1,
  "ip_address": "1.2.3.4",
  "uuid": "uuid",
  "client_id": 1,
  "details": {
    "http_method": "GET",
    "url": "/assets/1",
    "source": "API"
  }
}

source is either "API" or "Website", depending on where the request originated.

UI

Any time a request is made to Kenna’s platform.

 

API

Any time a request is made to a Kenna API.

 

InactiveAssetsDeleted

{
  "name": "InactiveAssetsDeleted",
  "details": {
    "assets": [
      {
        "id": 16153527,
        "inactive_at": "2021-06-14 15:27:18 +0000",
        "last_seen_time": "2020-12-16 15:27:18 +0000",
        "locator_value": "SIMONS-MBP",
        "primary_locator": "netbios"
      },
      {
        "id": 16153528,
        "inactive_at": "2021-08-02 16:32:55 +0000",
        "last_seen_time": "2021-02-03 16:32:55 +0000",
        "locator_value": "02:6E:FD:98:53:06",
        "primary_locator": "mac_address"
      }
    ]
  }
}

Background Job

After an Asset has gone inactive and has subsequently been permanently deleted.
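As an added example, not part of the Kenna documentation, the following Python rules show how a SOC might review a day's worth of parsed events using only the fields documented in this appendix: actions taken under impersonation, API keys created or revoked for another user, administrator role grants, vulnerabilities moved to a hidden status, score overrides, exports from unexpected networks, and first-seen login IPs per user. The trusted network list, the serialized status strings risk_accepted and false_positive (the UI labels are Risk Accepted and False Positive; the exact API strings are an assumption here), and the sample events are constructed for the demo.

```python
"""Detection rules over Kenna audit-log events (added example, not Kenna code).

Uses only the fields shown in Appendix A. TRUSTED_NETS, the status strings in
HIDING_STATUSES and the sample events are constructed assumptions.
"""
import ipaddress

# Assumption: ranges from which exports are expected; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]
# Assumption: serialized forms of the UI's "Risk Accepted" / "False Positive".
HIDING_STATUSES = {"risk_accepted", "false_positive"}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def check(event):
    """Return the names of the rules that fire on a single event."""
    name = event["name"]
    details = event.get("details") or {}
    hits = []
    # Any action taken while impersonating another user deserves review.
    if event.get("impersonator_id") is not None:
        hits.append("impersonated_action")
    # An API key minted or revoked for someone other than the actor.
    if name in ("ApiKeyCreated", "ApiKeyRevoked") \
            and details.get("target_user_id") != event["kenna_user_id"]:
        hits.append("api_key_for_other_user")
    # Privilege grant: a user created or updated with the administrator role.
    if name in ("UserCreated", "UserUpdated") \
            and details.get("fields", {}).get("role") == "administrator":
        hits.append("admin_role_assigned")
    # Findings pushed out of sight without being fixed.
    if name == "VulnerabilityStatusChange":
        statuses = {f.get("status") for f in details.get("fields", [])}
        if statuses & HIDING_STATUSES:
            hits.append("vuln_hidden")
    # Manual score overrides change what gets prioritised; always surface them.
    if name == "RiskScoreOverridden":
        hits.append("risk_score_override")
    # Bulk data leaving the tenant from an unexpected network.
    if name in ("ExportCreated", "ExportRetrieved") \
            and not is_trusted(event["ip_address"]):
        hits.append("export_from_untrusted_ip")
    return hits


def run(events):
    """Map event uuid -> fired rules, omitting events with no hits."""
    results = {}
    for event in events:
        hits = check(event)
        if hits:
            results[event["uuid"]] = hits
    return results


def new_login_ips(events, known_ips):
    """SessionCreated events from an IP not yet seen for that user.

    known_ips maps kenna_user_id -> set of IPs already seen; it is not mutated.
    Events are processed in occurred_at order so a first sighting counts once.
    """
    seen = {user: set(ips) for user, ips in known_ips.items()}
    flagged = []
    for event in sorted(events, key=lambda e: e["occurred_at"]):
        if event["name"] != "SessionCreated":
            continue
        user, ip = event["kenna_user_id"], event["ip_address"]
        if ip not in seen.setdefault(user, set()):
            seen[user].add(ip)
            flagged.append((user, ip))
    return flagged


def _ev(uuid, name, user, ip, at, details=None, impersonator=None):
    # Helper to build constructed sample events in the Appendix A shape.
    return {"name": name, "occurred_at": at, "kenna_user_id": user,
            "user_email": "user@example.com", "impersonator_id": impersonator,
            "ip_address": ip, "uuid": uuid, "client_id": 1,
            "details": details if details is not None else {}}


SAMPLE_EVENTS = [
    _ev("e1", "ApiKeyCreated", 18176, "172.18.0.22", "2020-12-02 20:59:42 UTC",
        {"target_user_id": 33536}),
    _ev("e2", "UserUpdated", 43, "10.0.0.5", "2020-12-03 09:00:00 UTC",
        {"target_user_id": 7, "fields": {"role": "administrator"}}, impersonator=1),
    _ev("e3", "VulnerabilityStatusChange", 43, "10.0.0.5", "2020-12-03 09:05:00 UTC",
        {"vulnerability_id": 1, "fields": [{"status": "closed"}]}),
    _ev("e4", "VulnerabilityStatusChange", 43, "10.0.0.5", "2020-12-03 09:06:00 UTC",
        {"vulnerability_id": 2, "fields": [{"status": "risk_accepted"}]}),
    _ev("e5", "ExportRetrieved", 43, "203.0.113.9", "2020-12-03 23:40:00 UTC",
        {"export_type": "Asset", "export_format": "json"}),
    _ev("e6", "ExportCreated", 43, "10.1.2.3", "2020-12-03 10:00:00 UTC",
        {"export_type": "Asset", "export_format": "json"}),
    _ev("e7", "SessionCreated", 43, "1.2.3.4", "2020-12-03 08:00:00 UTC"),
    _ev("e8", "SessionCreated", 43, "10.0.0.5", "2020-12-03 08:30:00 UTC"),
]

if __name__ == "__main__":
    for uuid, hits in run(SAMPLE_EVENTS).items():
        print(uuid, hits)
    print(new_login_ips(SAMPLE_EVENTS, {43: {"10.0.0.5"}}))
```

Because events can take up to 24 hours to appear and logout is never logged, rules like new_login_ips should be run over a trailing window that overlaps the previous run, keyed on uuid to avoid double-counting an event the earlier pull did not yet include.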

 

 

 

 

 
