Audit Logs

The Audit Logs section provides a detailed history of the actions taken on the objects associated with the alert. It displays a timeline of events, including the Time & Date of each action, the number of Objects involved, the specific Action performed (e.g., Muted, Permit List, No Scan List, Reassigned, Resolved), and the user(Action Taken By) who performed the action. The Audit Logs enable users to track and review the complete lifecycle of the alert, from its creation to the various actions taken to manage and resolve it. This information is crucial for auditing, compliance, and accountability purposes.

Audit Log Enhancements

The audit logs in LightBeam Playbooks Alerts 2.1 have been enhanced to provide a more comprehensive and user-friendly view of the actions performed on sub-alerts.

Workflow:

1. Whenever an action is performed on a sub-alert (e.g., resolving, reassigning, adding to permit list), LightBeam Playbooks captures the relevant details in the audit log.

2. The audit log now includes the following information for each action:

   • User: The name or email address of the user who performed the action.

   • Timestamp: The date and time when the action was performed.

   • Action: The specific action that was taken (e.g., resolved, reassigned, added to permit list).

   • Objects Affected: The number of objects impacted by the action.

3. Administrators and authorized users can access the audit log from the alert details page in LightBeam Playbooks.

4. The audit log provides a chronological view of all the actions performed on sub-alerts within a specific alert.

5. Users can review the audit log to understand the history of actions taken, who performed them, and when they occurred.

6. The enhanced audit log details facilitate accountability, traceability, and compliance reporting.

The audit log enhancements in Alerts 2.1 provide a more granular and informative view of the actions performed on sub-alerts. By capturing key details such as the user, timestamp, action, and affected objects, the audit log enables effective tracking and monitoring of alert-related activities. This information is valuable for security investigations, compliance audits, and understanding the lifecycle of sub-alerts within the system.

Enhanced Filtering in Audit Logs (Alerts 2.1.2)

LightBeam Playbooks Alerts 2.1.2 introduces enhanced filtering capabilities for audit logs, making it easier to find specific actions and track the lifecycle of alerts and sub-alerts.

User vs. System Actions Filter

The audit logs now include a filter to distinguish between user-initiated and system-initiated actions:

• User: Actions performed manually by users, such as resolving alerts, changing states, or adding to permit list

• System: Actions performed automatically by the system, such as auto-resolving alerts when a file is modified or deleted

Figure 42: User vs. System Actions Filter

To use this filter:

1. Navigate to the Audit Logs section

2. Locate the "Action taken by" filter dropdown

3. Select "User" to view only user-initiated actions

4. Select "System" to view only system-initiated actions

Tracking Sub-alert State Changes

The audit logs now capture and display all sub-alert state transitions, providing a complete history of how sub-alerts move through different workflow states.

For each state change, the audit log records:

• The previous state

• The new state

• The user who performed the change

• The timestamp of the change

• The number of objects affected

Figure 43: Sub-alert State Change in Audit Log

Action Type Filter

You can now filter audit logs by specific action types, including:

• State changes (e.g., from Open to In Progress)

• Resolution actions (e.g., Resolved, Muted)

• Permission changes (e.g., added to Permit List)

• Assignment changes (e.g., Reassigned)

This filtering capability helps administrators and security teams track specific types of actions across the system.

Bulk Action Tracking

When bulk actions are performed on multiple sub-alerts, the audit log captures:

• The specific action performed

• The number of objects affected

• The user who performed the bulk action

• The timestamp of the action

Figure 44: Bulk Action Entry in Audit Log

This provides accountability and traceability for mass actions taken on sub-alerts.

Exporting Audit Logs

Audit logs can be exported for external analysis and compliance reporting. To export audit logs:

1. Apply any desired filters to focus on specific actions or timeframes

2. Click the "Export" button

3. Choose the desired format (CSV, PDF)

4. The filtered audit log data will be downloaded to your device

The enhanced audit logging capabilities in Alerts 2.1.2 provide greater visibility into the lifecycle of alerts and sub-alerts, supporting better governance, compliance, and security incident response.