Audit log information: Aurora Focus
The following table lists the information that is added to the audit log for Aurora Focus administrative actions. You can use the filtering options available in the console to filter the audit log results.
|
Category |
Action |
Details |
|---|---|---|
|
Advanced Query |
Execute |
Query: EQL_query |
|
Advanced Query Export |
Add |
Name: name; Description: description; Shared: isShared |
|
Advanced Query Export |
Download |
Name: name; Description: description |
|
Advanced Query Export |
Remove |
Name: name; Description: description; Shared: isShared |
|
Advanced Query Snapshot |
Add |
Name: name; Description: description; Shared: isShared |
|
Advanced Query Snapshot |
Edit |
Name: name; Description: description; Shared: isShared |
|
Advanced Query Snapshot |
Remove |
Name: name; Description: description; Shared: isShared |
|
Advanced Query Template |
Add |
Name: name; Description: description; Shared: isShared; Query: EQL_query |
|
Advanced Query Template |
Edit |
Name: name; Description: description; Shared: isShared; Query: EQL_query |
|
Advanced Query Template |
Remove |
Name: name; Description: description; Shared: isShared |
|
Detections |
Change Status |
Detection: detection label; Detection ID: detection id; Device: device name; Previous Status: previous detection status; New Status: new detection status |
|
Detections |
Remove |
Detection: detection label; Detection ID: detection id; Device: device name |
|
Detection Exception |
Add |
Name: name |
|
Detection Exception |
Edit |
Name: name |
|
Detection Exception |
Remove |
Name: name |
|
Detection Rule |
Add |
Name: name; Description: description; Severity: severity; OS: OS list |
|
Detection Rule |
Edit |
Name: name; Description: description; Severity: severity; OS: OS list |
|
Detection Rule |
Remove |
Name: name; Description: description; Severity: severity; OS: OS list |
|
Detection Rule Set |
Add |
Name: name; Description: description; Device Policy: device policy name |
|
Detection Rule Set |
Edit |
Name: name; Description: description; Device Policy: device policy name |
|
Detection Rule Set |
Remove |
Name: name; Description: description; Device Policy: device policy name |
|
Device |
File Download |
Device: device name; File: file path and name |
|
Device |
Lock |
Device: device name; Configuration Profile: profile name; Lockdown Period: lockdown period |
|
Device |
Unlock |
Device: device name |
|
Device |
Change Lockdown Profile |
Device: device name; Configuration Profile: profile name |
|
Device |
Show Unlock Key |
Device: device name |
|
Focus Data |
Add |
Device: device name; Type: focus view type; Artifact: focus view artifact |
|
InstaQuery |
Add |
Name: IQ name, Artifact: IQ artifact, Facet: IQ facet, Term: IQ term |
|
InstaQuery |
Remove |
Name: IQ name, Artifact: IQ artifact, Facet: IQ facet, Term: IQ term |
|
Job Service |
Stop |
Name: name; Service: parent service type |
|
Lockdown Configuration |
Add |
Configuration Profile: configuration profile; Description: description; Whitelist Definitions: allowed_connections |
|
Lockdown Configuration |
Delete |
Configuration Profile: configuration profile |
|
Lockdown Configuration |
Edit |
Configuration Profile: configuration profile; Description: description; Whitelist Definitions: allowed_connections |
|
Package Deploy |
Add |
Name: name; Packages: packages |
|
Package Deploy |
Remove |
Name: name |
|
Package PlayBook |
Add |
Name: name; Packages: packages |
|
Package PlayBook |
Edit |
Name: name; Packages: packages |
|
Package PlayBook |
Remove |
Name: name; Packages: packages |
|
PlayBook Result |
Remove |
Device: device name; Playbook Name: playbook name; Detection ID: detection id; Status: status |
|
Remote Response |
Connect |
Device: device name |
|
Remote Response |
Disconnect |
Device: device name |
|
Scheduled Advanced Query |
Add |
Name: name; Description: description; Shared: isShared; Schedule: schedule_details |
|
Scheduled Advanced Query |
Edit |
Name: name; Description: description; Shared: isShared; Schedule: schedule_details |
|
Scheduled Advanced Query |
Remove |
Name: name; Description: description; Shared: isShared |
|
Scheduled Advanced Query |
Remove Result |
Name: name; Description: description; Result Timestamp: result_timestamp; Results: result_count |
|
Scheduled Advanced Query |
Start |
Name: name; Description: description; Shared: isShared; Schedule: schedule_details |
|
Scheduled Advanced Query |
Stop |
Name: name; Description: description; Shared: isShared; Schedule: schedule_details |