Audit Logs

Audit logs contain information regarding events that happen in the Kenna Application and the Kenna API. This information includes:

  • Date/time stamp
  • User ID
  • Client ID
  • IP Address
  • Action (called event name)
  • API Response Results Pagination
    • A successful API request can return many "pages" of records, depending on the size of the response. The number of pages to expect is given in the meta section of the response, as shown below:

"meta": {
  "total_count": 1,
  "page": 1,
  "pages": 1
}

Actions are logged with the following information:

  • User login time
    • Note that logout time is currently not logged.
  • Risk meter
    • Add
    • Delete
    • Edit
  • Asset update
  • User account
    • Add
    • Delete
    • Edit
  • Vulnerability status updates
  • Password changes
    • Initiated by the user
  • API Key
    • Change
    • Add/New
  • Connector
    • Change
    • Add
    • Delete

Note: Due to the variety of connector-specific fields, only core connector fields are tracked.

  • API Key Activity
    • Has a dedicated feature flag.
  • Risk Score Overrides
  • Priority Score
    • Change
    • This information is part of the asset update.

Events that are ignored:

  • MSSP actions
  • When the Kenna system operates on a resource
  • When something takes place in a production console
  • When a customer requests support to change something in Kenna admin

Important Details:

  • Audit logs are available through the API and are not currently accessible from the Kenna Admin User Interface.
  • The audit log feature only logs events that happen in the Kenna Application UI and the Kenna API. 
  • Events can take up to 24 hours to appear in the search.
  • The output format is raw JSON.
  • Start and End times are required for a GET request.
  • Currently, the only supported filtering option is a date range, which is required to be specified in the API request. 
    • The date range is limited to 365 calendar days from the date of request.
    • Within the allowed date range, the user may request any date/time slot.

Important: Your Kenna API token is required to retrieve the Audit Logs.

Using Audit Logs

Log into Kenna and navigate to the API Keys menu option.

[Image: Kenna API Keys menu]

Locate your API key and click the Copy button to copy the API token.

[Image: Settings - API Keys]

Navigate to the command prompt and enter the following command:

$ curl -k -H "X-Risk-Token: {enter your api token here}" "https://{your base kenna url}/audit_logs?page=1&start_time={enter start time in UTC}&end_time={enter end time in UTC}" -w "\n"

Note: The -k flag disables TLS certificate verification. Drop it once your Kenna endpoint's certificate validates against your trust store, so that the API token is only ever sent to a verified host.

Important: You must use the URL-encoded format for the start and end times. This converts the human-readable timestamp into a valid URL query value for the API call. For example, a start date of 2019-05-08 16:44:47 would need to be encoded to result in a start date format of 2019-05-08%2016%3A44%3A47%20UTC.

A successful request should return results similar to those shown in the example below. In this example, on 5/8/2019 user 18176 from IP address 127.0.0.1 updated a risk meter.

Note: The response was formatted using a JSON formatter.

Date format: 2019-05-08 16:44:47 UTC
Formatted response:

{  
   "audit_logs":[  
      {  
         "id":1,
         "name":"RiskMeterUpdated",
         "client_id":16649,
         "kenna_user_id":18176,
         "ip_address":"127.0.0.1",
         "details":{  
            "id":"72081",
            "name":"UI group 2",
            "fields":[  
               {  
                  "name":"saved_search",
                  "value":{  
                     "status":[  
                        "active"
                     ],
                     "vulnerability":{  
                        "q":"ip:[10.0.0.0 TO 10.255.255.255]",
                        "status":[  
                           "open"
                        ]
                     }
                  }
               }
            ]
         },
         "occurred_at":"2019-05-08T06:43:43.000Z",
         "impersonator_id":null,
         "user_email":"demo@kennasecurity.com"
      }
   ],
   "meta":{  
      "total_count":1,
      "page":1,
      "pages":1
   }
}

Error Responses

Errors are generated when the API call is unsuccessful; instead of audit log records, an error object is returned.

When the start time is not earlier than the end time, the following error message is presented.

Formatted error response: 
{  
   "success":"false",
   "error":"unprocessable_entity",
   "message":"start_time must be further in the past than end_time"
}

When the date time is not in a valid format, the following error message is presented.

Formatted error response: 
{  
   "success":"false",
   "error":"unprocessable_entity",
   "message":"start_time is invalid"
}
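The curl command, the URL encoding of the start and end times, the meta.pages pagination and the error responses above, combined into one client. This is an added example, not Kenna's own code: the base URL and token are placeholders, and the `fetch` callable is injected so the paging logic can be exercised against canned responses without network access.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

MAX_RANGE_DAYS = 365  # documented limit on the requested date range

def parse_utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def fmt_time(dt):
    """Render a timestamp in the 'YYYY-MM-DD HH:MM:SS UTC' form the API expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def build_audit_log_url(base_url, start, end, page=1):
    """Apply the API's own window rules locally, then URL-encode the times
    (space -> %20, ':' -> %3A) exactly as the curl example requires."""
    if start >= end:
        raise ValueError("start_time must be further in the past than end_time")
    if end - start > timedelta(days=MAX_RANGE_DAYS):
        raise ValueError("date range is limited to %d calendar days" % MAX_RANGE_DAYS)
    params = {"page": page, "start_time": fmt_time(start), "end_time": fmt_time(end)}
    return base_url.rstrip("/") + "/audit_logs?" + urlencode(params, quote_via=quote)

def http_fetch(url, token):
    """One GET with the X-Risk-Token header; TLS verification stays on.
    A 422 carries the JSON error body shown on this page, so return that too."""
    req = Request(url, headers={"X-Risk-Token": token})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)

def fetch_all_audit_logs(fetch, base_url, start, end):
    """Walk every page reported in meta.pages. `fetch(url)` returns the decoded
    JSON for one request, e.g. lambda u: http_fetch(u, token)."""
    page, records = 1, []
    while True:
        body = fetch(build_audit_log_url(base_url, start, end, page))
        if str(body.get("success", "true")).lower() == "false":
            raise RuntimeError("%s: %s" % (body.get("error"), body.get("message")))
        records.extend(body["audit_logs"])
        if page >= int(body["meta"]["pages"]):
            return records
        page += 1
```

Because events can take up to 24 hours to appear, a collector that polls with a sliding window should overlap successive windows and de-duplicate on the record id.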


Appendix A - Reference

Events (Serialized by Auditor)

This table outlines all the standard events that are logged. For each event, the entry gives the event Name, the Event record as returned by the API, and the Trigger (the user activity that generates it).

RiskMeterCreated

{
  "id": 12345,
  "name": "RiskMeterCreated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": {
      "saved_search": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }
  }
}

UI

  • On the Explore page, you can enter a query string. 
  • You can also group different vulnerability filters:
  1. Select the vulnerability filters.
  2. Give the group a name.
  3. Click Save Group in the pop-up that displays below the Search bar.
  • On the Dashboard page, click Add Risk Meter.

API

POST  /asset_groups

RiskMeterUpdated

{
  "id": 12345,
  "name": "RiskMeterUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "id": 12345,
    "name": "A Risk Meter",
    "fields": {
      "saved_search": {
        "status": ["active"],
        "vulnerability": {
          "status": ["open"],
          "top_exploit": ["true"]
        }
      }
    }
  }
}

UI

  • On the Explore page, highlight the group name and click the Pencil icon to edit. 

Note: The name of the group and the saved search query can be edited. 

  • On the Dashboard page: 
    • Hover over a risk meter and click the top left triangle that appears. 
    • Click Edit Name to change the name of the group.

API

PUT /asset_groups/:id

RiskMeterDeleted

{
  "id": 12345,
  "name": "RiskMeterDeleted",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "id": 12345,
    "name": "A Risk Meter"
  }
}

UI

On the Explore page, highlight the group name and click the Trash Can icon.

API

DELETE /asset_groups/:id

UserCreated

{
  "name": "UserCreated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "target_user_id": 1,
    "target_user_email": "user@example.com",
    "fields": [
      {
        "name": "first_name",
        "value": "John"
      },
      {
        "name": "last_name",
        "value": "Smith"
      },
      {
        "name": "email",
        "value": "john.smith@example.com"
      },
      {
        "name": "phone",
        "value": "1234567890"
      },
      {
        "name": "role",
        "value": "administrator"
      }
    ]
  }
}

UI

https://your_company.kennasec.com/users/new

API

https://api.kennasecurity.com/users-docs

UserUpdated

{
  "name": "UserUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "target_user_id": 1,
    "fields": [
      {
        "name": "first_name",
        "value": "John"
      },
      {
        "name": "last_name",
        "value": "Smith"
      },
      {
        "name": "email",
        "value": "john.smith@example.com"
      },
      {
        "name": "phone",
        "value": "1234567890"
      },
      {
        "name": "role",
        "value": "administrator"
      }
    ]
  }
}

UI

https://your_company.kennasec.com/profile - My Profile page

https://your_company.kennasec.com/users - Clicking the Pencil button.

API

https://api.kennasecurity.com/users-docs

UserPasswordUpdated

{
  "name": "UserPasswordUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "target_user_id": 1
  }
}

UI

Through the User Update page: https://your_company.kennasec.com/users/ID/edit

Through the My Profile page: https://your_company.kennasec.com/profile

API

Through a user update call: https://api.kennasecurity.com/users-docs

UserDeleted

{
  "name": "UserDeleted",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "target_user_id": 1,
    "fields": [
      {
        "name": "first_name",
        "value": "John"
      },
      {
        "name": "last_name",
        "value": "Smith"
      },
      {
        "name": "email",
        "value": "john.smith@example.com"
      },
      {
        "name": "phone",
        "value": "1234567890"
      },
      {
        "name": "role",
        "value": "administrator"
      }
    ]
  }
}

UI

https://your_company.kennasec.com/users - By clicking the Trash Can icon.

API

https://api.kennasecurity.com/users-docs

ConnectorCreated

{
  "name": "ConnectorCreated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "connector_id": 1,
    "fields": [
      {
        "name": "name",
        "value": "name"
      },
      {
        "name": "host",
        "value": "example.com"
      },
      {
        "name": "scan_policy",
        "value": "External Network Scan"
      },
      {
        "name": "scan_list",
        "value": "1,2,3"
      }
    ]
  }
}

UI

User created a new connector from the Connectors page (https://your_company.kennasecurity.com/connectors)

ConnectorUpdated

{
  "name": "ConnectorUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "connector_id": 1,
    "changes": [
      {
        "field": "name",
        "to": "Cherwell"
      },
      {
        "field": "host",
        "to": "example.com"
      },
      {
        "field": "scan_policy",
        "to": "External Network Scan"
      },
      {
        "field": "scan_list",
        "to": "1,2,3"
      }
    ]
  }
}

UI

User updated the name of a connector from the Connectors page. (https://your_company.kennasecurity.com/connectors)

API

Endpoint was called to update the name of a connector (PUT https://api.kennasecurity.com/connectors/143049).

ConnectorDeleted

{
  "name": "ConnectorDeleted",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "connector_id": 1,
    "name": "name",
    "host": "example.com",
    "scan_policy": "External Network Scan",
    "scan_list": "1,2,3"
  }
}

UI

User deleted a connector from the Connectors page. (https://your_company.kennasecurity.com/connectors)

ApiKeyUpdated

{
  "name": "APIKeyUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "target_user": "user2@example.com"
  }
}

UI 

Clicking Change in this page: https://your_company.kennasec.com/api_keys

AssetUpdated

{
  "name": "AssetUpdated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "asset_id": 1,
    "fields": [
      {
        "name": "priority",
        "value": 5
      },
      {
        "name": "inactive",
        "value": true
      }
    ]
  }
}

UI

  • On the Explore page when selecting one or multiple assets.
  • On the Asset Edit page.

API https://api.kennasecurity.com/assets-docs

VulnerabilityStatusChange

{
  "name": "VulnerabilityStatusChange",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "field": "status",
        "value": "closed"
      }
    ]
  }
}

UI

On the Vulnerability Show page (https://your_company.kennasecurity.com/vulnerabilities/1234567), there is a Vulnerability Actions sidebar where the following buttons will hit these routes:

Close Vulnerability: https://your_company.kennasecurity.com/vulnerabilities/1234567/close

Reopen Vulnerability: https://your_company.kennasecurity.com/vulnerabilities/1234567/reopen

Accept Risk: https://your_company.kennasecurity.com/vulnerabilities/1234567/mark_risk_accepted

False Positive: https://your_company.kennasecurity.com/vulnerabilities/1234567/mark_false_positive

On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Set Status, all of the buttons (Open, Closed, Risk Accepted, False Positive) will hit:

https://your_company.kennasecurity.com/vulnerabilities/1234567/update_multiple

API

Status can be passed as a value to Update Vulnerability or Bulk Update Vulnerabilities using the following routes:

  • put 'vulnerabilities/bulk'
  • patch 'vulnerabilities/:id'
  • put 'vulnerabilities/:id'

RiskScoreOverridden

{
  "name": "RiskScoreOverridden",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {
    "vulnerability_id": 1,
    "fields": [
      {
        "name": "risk_score",
        "value": 400
      }
    ]
  }
}

UI

On the Vulnerability Show page (https://your_company.kennasecurity.com/vulnerabilities/1234567), when you click Edit in the Score box, an 'Override Score' modal will pop up. Changing the score and clicking Save Changes will hit the update route on the vulnerabilities controller.

On the Explore page, Vulnerabilities tab, when you click the checkbox for one or more vulnerabilities and then click Edit, then select Score, it brings up the same modal as above, but it will hit:

https://your_company.kennasecurity.com/vulnerabilities/1234567/update_multiple

API

override_score can be passed as a value to Update Vulnerability or Bulk Update Vulnerabilities using the following routes:

  • put 'vulnerabilities/bulk'
  • patch 'vulnerabilities/:id'
  • put 'vulnerabilities/:id'

SessionCreated

{
  "name": "SessionCreated",
  "time": "2018-12-07 10:16:21 +0000",
  "user": "user@example.com",
  "ip_address": "1.2.3.4",
  "details": {}
}

UI

A user logs in through the UI.
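A small triage pass over the event types catalogued above, written as an added example rather than anything Kenna ships. It uses the response shape from the earlier sample (name, kenna_user_id, ip_address, details, occurred_at, impersonator_id, user_email) with the details payloads from this appendix, and it flags the records a reviewer would want to look at first: administrator role grants, connector host changes, score overrides, API key changes, actions performed through impersonation, and logins from an IP not previously seen for that user. The sample records and the `known_ips` baseline are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records in the response shape shown on this page (not real Kenna data).
SAMPLE_AUDIT_LOGS = [
    {"id": 1, "name": "SessionCreated", "kenna_user_id": 18176, "ip_address": "10.1.1.5",
     "details": {}, "occurred_at": "2019-05-08T06:40:00.000Z", "impersonator_id": None,
     "user_email": "demo@kennasecurity.com"},
    {"id": 2, "name": "SessionCreated", "kenna_user_id": 18176, "ip_address": "203.0.113.9",
     "details": {}, "occurred_at": "2019-05-08T06:41:00.000Z", "impersonator_id": None,
     "user_email": "demo@kennasecurity.com"},
    {"id": 3, "name": "UserUpdated", "kenna_user_id": 18176, "ip_address": "203.0.113.9",
     "details": {"target_user_id": 2, "fields": [{"name": "role", "value": "administrator"}]},
     "occurred_at": "2019-05-08T06:42:00.000Z", "impersonator_id": None,
     "user_email": "demo@kennasecurity.com"},
    {"id": 4, "name": "ConnectorUpdated", "kenna_user_id": 18176, "ip_address": "203.0.113.9",
     "details": {"connector_id": 1, "changes": [{"field": "host", "to": "example.com"}]},
     "occurred_at": "2019-05-08T06:43:00.000Z", "impersonator_id": 7,
     "user_email": "demo@kennasecurity.com"},
]

def field_value(details, key):
    """Read one {name, value} entry from details.fields (the shape used in this appendix)."""
    for entry in details.get("fields", []):
        if entry.get("name") == key or entry.get("field") == key:
            return entry.get("value")
    return None

def triage(records, known_ips=None):
    """Return (event id, reason) pairs a reviewer should look at, in occurred_at order.
    known_ips (user id -> set of IPs) seeds the login baseline so the first login in the window is not trusted blindly."""
    seen = defaultdict(set, {u: set(ips) for u, ips in (known_ips or {}).items()})
    findings = []
    for r in sorted(records, key=lambda r: r["occurred_at"]):
        name, details = r["name"], r.get("details") or {}
        if r.get("impersonator_id") is not None:
            findings.append((r["id"], "%s performed via impersonation by user %s" % (name, r["impersonator_id"])))
        if name == "SessionCreated":
            ips = seen[r["kenna_user_id"]]
            if ips and r["ip_address"] not in ips:
                findings.append((r["id"], "login from new IP %s" % r["ip_address"]))
            ips.add(r["ip_address"])
        elif name in ("UserCreated", "UserUpdated") and field_value(details, "role") == "administrator":
            findings.append((r["id"], "administrator role set on user %s" % details.get("target_user_id")))
        elif name == "ConnectorUpdated":
            for change in details.get("changes", []):
                if change.get("field") == "host":
                    findings.append((r["id"], "connector %s host changed to %s" % (details.get("connector_id"), change.get("to"))))
        elif name in ("RiskScoreOverridden", "ApiKeyUpdated", "APIKeyUpdated"):  # page shows both spellings
            findings.append((r["id"], "%s by %s" % (name, r.get("user_email"))))
    return findings
```

Because the audit log only records the core connector fields and never the logout time, the triage output is a starting point for review, not a complete session reconstruction.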
