SIEM Logs

SIEM Logging – Event Logs

Introduction

Security Information and Event Management (SIEM) system logs allow you to record and transport event data.

How to Access SIEM Logs

Users have the option to download logs from the UI. Access logs using the steps below.

• Click on "Profiles" to access the "Session Information."

• Click on the “Session Information” tab to access the “Activity” button.

• Click on the “Activity Log” to access user activity.

• On “Activity Logs”, click on the “Download” dropdown to access the available options.

• Click any of the options available to download the logs.

APIs

The following APIs are available for SIEM logs.

View or Download Event Logs as a Single File:

Use the API below to view or download event logs as a single file. Ensure you minimize the date range if a large amount of data is present within the given date range. You can use the date parameters to manipulate the response per the requirement and increment the data accordingly to fetch the next set of records.

GET: {{url}}/ARVault/eventlogs?from=2023-10-09&to=2023-10-10

• The from and to parameters are optional.

• If the to parameter is not provided, it downloads the logs up to the current date. If the from parameter is not provided, it will download the logs from today up to the current time.

• If the from value is greater than the to value, the API will consider the from value as the to value and vice versa.

• If you request a file with the same from and to parameters, it will download the log file for that day.

• The API will prepare a single user file for the given date range without loading the files into Java memory.

• It will save the consolidated file in the file system.

• If the user is an admin, it will consolidate all user logs for that organization within the date range.

To download the zip:

Two APIs are involved: one to prepare the zip file and the other to download the zip file. Details are given below:

1. GET: {{url}}/ARVault/eventlogs/prepare-zip?from=2023-10-09&to=2023-10-10

Output: A temporary token for the file, which is valid for a minute.

• The API works in the same manner as described above, with the same from and to parameter validation and process.

• It will prepare a consolidated zip file for the user.

• File names are the user's email for that day, with special characters in the email replaced by '_'.

• It returns a temporary token cached for the file for a minute.

1. GET: {{url}}/ARVault/eventlogs/download/code/{token}

• The token is mandatory and should be sent as input to the API.

• If the token is invalid/expired, the API will respond with a forbidden message.

• If the token is valid, it will download the zip file, and the token cannot be used again.

To download the consolidated file:

Two APIs are involved: one to prepare the consolidated file and the other to download the zip file. Details are given below:

1. GET: {{url}}/ARVault/eventlogs/prepare-log?from=2023-10-09&to=2023-10-10

Output: A temporary token for the file, which is valid for a minute.

• The API works in the same manner as described above, with the same validation and process.

• It will prepare a consolidated file for the user. All validations are the same as the above API.

• It returns a temporary token cached for the file for a minute.

1. GET: {{url}}/ARVault/eventlogs/download/code/{token}

• The token is mandatory and should be sent as input to the API.

• If the token is invalid/expired, the API will respond with a forbidden message.

• If the token is valid, it will download the consolidated log file.

SIEM Log Structure

The following is the structure of the log.

Date (ISO Format) SIEM:Version|Device Vendor|Device Product|Device Version|Thread Id|Name|Severity|Extension

Example: 2024-06-17T06:37:44.145Z CEF:0|AutoRabit|Vault|23.2|http-nio-8081-exec-1|ArchivalReport|Low|sessionId=<sessionid> username=example@example.com customerId=<customer id> action=<user loggedin> ip=0:0:0:0:0:0:0:1 userAgent=Chrome

The following table describes the fields of the SIEM log structure.

Custom Keys

The custom keys or extensions will have the following tracked in the event logs.

Vault Event Type

Messages

Following are the audit log messages

• Storage

  • Storage configuration request has been submitted."

  • "Storage configuration update request has been submitted.”

• User Management

  • "User addition request has been submitted."

  • "User activation request has been submitted."

  • "Create password request has been submitted."

  • "Reset password request has been submitted."

  • "Change password request has been submitted."

  • "Delete user request has been submitted."

  • "Deactivate user request has been submitted."

  • "Create user request has been submitted."

  • "Update user request has been submitted."

  • "User profile update request has been submitted."

  • "User logged in with details: "

  • "User logged out with details: "

  • "Session terminated by: "

  • "User got blocked with details: "

  • "MFA verification code validated successfully for user."

  • "MFA is enabled for user."

  • "MFA is disabled for user."

  • "MFA is reset for user."

  • "MFA device is successfully registered by user.”

• Setup

  • "Backup schedule disable request has been submitted."

  • "Backup schedule enable request has been submitted.”

• Customer Management

  • "Customer activation request has been submitted."

  • "Customer deactivation request has been submitted."

  • "Customer deletion request has been submitted.”

  • "Enable/disable org access control request has been submitted."

• Salesforce Operations

  • "Salesforce org creation request has been submitted."

  • "Salesforce org update request has been submitted."

• Vault Connect

  • "Sforg Odata Connector Config creation/update request has been submitted."

Backup

• "Backup configuration creation request has been submitted."

• "Backup configuration update request has been submitted."

• "Backup configuration delete request has been submitted."

• "Backup download operation has been initiated."

• "Backup has been downloaded."

• "Object has been downloaded from backup."

• "Backup has been initiated."

• "Stop backup process has been initiated."

Restore

• "Restore operation has been initiated.”

• "Restore deletion request has been submitted."

• Hierarchial

  • "Hierarchical backup process has been initiated."

  • "Hierarchical backup configuration creation request has been submitted."

  • "Hierarchical backup configuration update request has been submitted."

  • "Hierarchical backup configuration delete request has been submitted.”

  • "Stop hierarchical process has been initiated.”

  • "Hierarchical backup download operation has been initiated."

• Archive

  • "Archive process has been initiated."

  • "Archive backup configuration creation request has been submitted."

  • "Archive backup configuration update request has been submitted."

  • "Archive backup delete request has been submitted."

  • "Stop archive process has been initiated."

  • "Archive download operation has been initiated."

• Replication

  • "Replicate operation has been initiated."

  • "Replicate configuration creation request has been submitted."

  • "Replicate configuration update request has been submitted."

  • "Replicate deletion request has been submitted."

• Alert rules

  • "Create alert rule request has been submitted."

  • "Delete alert rule request has been submitted."

  • "Anomaly detection process has been initiated."

  • "Object has been downloaded for anomaly detection."

  • "All records have been downloaded for anomaly detection."

• GDPR

  • "Create GDPR request has been submitted."

  • "Delete GDPR request has been submitted."

  • "Object has been downloaded from GDPR."

  • "Upload search file for GDPR request has been initiated."