How to Use Audit Logs

The Audit Log page table displays activities taken in the system such as policy changes, playbook changes, etc., and enables you to view and filter this information.

Overview

In the Spirion Sensitive Data Platform (SDP), the Audit Log page is the central repository for tracking all administrative and operational actions performed within the console. It serves as the "system of record" for accountability and governance.

The Audit Log page is found under Reports > Audit Log.

What is Audit Log Page?

The Audit Log page is the "Memory" of the Spirion platform. It transforms administrative actions into a transparent, auditable narrative, ensuring that your data discovery and protection program remains secure, compliant, and accountable.

The Audit Log page provides a chronological record of who did what, and when, within the Spirion environment. It is designed to ensure that every change to the system's configuration or security posture is documented and attributable to a specific user or automated process.

What Does the Audit Log Page Contain?

The Audit Log page captures a wide range of events, typically including the following:

  • User Activity: Logins, logouts, and failed authentication attempts.
  • Configuration Changes: Creation, modification, or deletion of Policies, Data Types, SDDs, and Playbooks.
  • Scan Management: When scans are created, scheduled, manually started, or stopped.
  • Target Management: Adding or removing scan targets (e.g., file shares, databases, cloud repositories) and changes to target credentials.
  • Remediation Actions: A record of manual remediation steps taken by console operators (e.g., "User X manually shredded File Y").
  • System Settings: Changes to global console settings, logging levels, and integration configurations (like SIEM or SMTP settings).
  • Access Control: Changes to user roles, permissions, and group memberships.

What are Audit Logs Used For?

The Audit Log is a critical tool for several key organizational functions:

  1. Compliance and Auditing:
    • It provides the necessary evidence for regulatory frameworks like GDPR, PCI DSS, HIPAA, and CMMC. Auditors use these logs to verify that only authorized personnel are managing sensitive data policies and that remediation actions are being tracked.
  2. Accountability and Governance:
    • If a policy is accidentally deleted or a scan is misconfigured, the Audit Log allows administrators to identify the individual responsible and understand the timing of the change.
  3. Security Monitoring:
    • Security teams monitor the Audit Log for suspicious activity, such as multiple failed login attempts or unauthorized changes to high-impact playbooks (e.g., a playbook that automatically deletes files).
  4. Troubleshooting:
    • When the system behaves unexpectedly, the Audit Log can help determine if a recent configuration change (like a modified regex pattern or a new target credential) is the root cause.
  5. Incident Response:
    • In the event of a data breach or "spillage," the Audit Log helps investigators reconstruct the timeline of events and determine if any security controls were bypassed or altered.

Audit Log Table

The table on the Audit Log page displays activities taken in the system such as policy changes, playbook changes, etc., and enables you to view and filter this information.

  • Audit logs enable traceability across the platform for your environment
  • Review audit log events to see exactly which changes were made in Spirion, by whom, and at what time

What are Audit Events?

  • An Audit “Event” is one discrete action the platform records, such as a user log-in, changing a role, editing a policy, or running a scan
  • Audit Log events are first queued (in PostgreSQL for Agents v13.6 and later; in RabbitMQ for Agents v13 through v13.5) and then written to the database
  • The event then appears in the Audit Log table
  • The Audit Log does not retain non-functional event types
  • Only events whose state is successful are recorded; an event that fails is discarded and does not appear in the Audit Log
  • The Type filter lists only event types that are triggered within Spirion Sensitive Data Platform, and only those types are displayed on the Audit Log screen
    • See the How to Use Filters to Find an Audit Log section

Spirion Recommendations

  • Regular Reviews: Don't wait for an audit. Periodically review the Audit Log to ensure that administrative actions align with your organization's change management policies.
  • Forward to SIEM: For maximum security, use the Spirion Web API to forward Audit Log events to a centralized SIEM (like Splunk). This ensures that the logs are preserved even if the console itself is compromised and allows for correlation with other enterprise security events.
  • Restrict Access: Access to the Audit Log page should be restricted to a very small number of high-level administrators to prevent "self-auditing" or unauthorized clearing of the logs.
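The monitoring cases listed under Security Monitoring above (a destructive change to a high-impact object, a remediation action outside an approved change window, one account appearing from two addresses in quick succession) and the SIEM-forwarding recommendation can both be automated once events leave the console. The following Python is an added example and is not Spirion's code; it does not call the Spirion Web API. It assumes events have been exported as records keyed by the Audit Log table columns (Date/Time, Type, Action Type, Location, Description) plus the Account Name and IP Address fields that the page's search and filter features expose. The sample records, the 22:00 to 23:59 change window, the ten-minute address-switch threshold, and the vendor/product/version strings in the CEF line are all constructed for illustration.

```python
"""Added example (not Spirion code): run simple detections over exported
Audit Log events and emit them as CEF lines for a SIEM.

Assumed record shape: dicts keyed by the Audit Log table columns plus
Account Name and IP Address. Sample data, thresholds and CEF vendor
strings are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample events; these are not real Spirion records.
SAMPLE_EVENTS = [
    {"Date/Time": "2024-05-01T09:02:11", "Account Name": "alice", "IP Address": "10.0.0.5",
     "Type": "User", "Action Type": "Accessed", "Location": "Users",
     "Description": "Accessed alice User"},
    {"Date/Time": "2024-05-01T09:05:40", "Account Name": "alice", "IP Address": "10.0.0.5",
     "Type": "Policy", "Action Type": "Updated", "Location": "Policies",
     "Description": "Updated PCI Cardholder Data Policy"},
    {"Date/Time": "2024-05-01T09:06:02", "Account Name": "alice", "IP Address": "203.0.113.7",
     "Type": "Policy", "Action Type": "Deleted", "Location": "Policies",
     "Description": "Deleted PCI Cardholder Data Policy"},
    {"Date/Time": "2024-05-01T14:30:00", "Account Name": "bob", "IP Address": "10.0.0.9",
     "Type": "Remote Result Action", "Action Type": "Created", "Location": "Results",
     "Description": "Created Shred Remote Result Action"},
    {"Date/Time": "2024-05-01T23:15:00", "Account Name": "bob", "IP Address": "10.0.0.9",
     "Type": "Remote Result Action", "Action Type": "Created", "Location": "Results",
     "Description": "Created Shred Remote Result Action"},
]

# Location values (from the page) whose deletion warrants a second look.
HIGH_IMPACT_LOCATIONS = {"Playbooks", "Policies", "Roles", "Users", "Sensitive Data Types"}
# Type values (from the page) that make an endpoint act on data.
REMEDIATION_TYPES = {"Remote Result Action", "Playbook Override"}
# Assumed approved change window for remediation: 22:00 to 23:59 console time.
CHANGE_WINDOW_HOURS = range(22, 24)
# Assumed threshold: same account seen from a different address within this interval.
IP_SWITCH_WINDOW = timedelta(minutes=10)


def parse_time(event):
    return datetime.fromisoformat(event["Date/Time"])


def _alert(rule, event, detail):
    return {"rule": rule, "account": event["Account Name"],
            "time": event["Date/Time"], "detail": detail}


def detect(events):
    """Return one alert dict per matched rule, processing events in time order."""
    alerts = []
    last_seen = {}  # account -> (time, ip) of that account's previous event
    for ev in sorted(events, key=parse_time):
        t = parse_time(ev)
        account, ip = ev["Account Name"], ev["IP Address"]

        if ev["Action Type"] == "Deleted" and ev["Location"] in HIGH_IMPACT_LOCATIONS:
            alerts.append(_alert("destructive-change", ev, ev["Description"]))

        if ev["Type"] in REMEDIATION_TYPES and t.hour not in CHANGE_WINDOW_HOURS:
            alerts.append(_alert("remediation-outside-window", ev, ev["Description"]))

        prev = last_seen.get(account)
        if prev is not None and prev[1] != ip and t - prev[0] <= IP_SWITCH_WINDOW:
            alerts.append(_alert("ip-switch", ev, f"{prev[1]} -> {ip}"))
        last_seen[account] = (t, ip)
    return alerts


def _cef_header(value):
    # CEF header fields: escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values: escape backslash and equals, fold newlines.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event, severity=3):
    """Format one event as a CEF line; vendor, product and version are placeholders."""
    signature = f'{event["Type"]}:{event["Action Type"]}'
    extension = " ".join(f"{key}={_cef_ext(event[col])}" for key, col in (
        ("rt", "Date/Time"), ("suser", "Account Name"), ("src", "IP Address"),
        ("cat", "Location"), ("msg", "Description")))
    return (f"CEF:0|Spirion|Sensitive Data Platform|0|{_cef_header(signature)}|"
            f"{_cef_header(event['Description'])}|{severity}|{extension}")


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    for ev in SAMPLE_EVENTS:
        print(to_cef(ev))
```

Run against the sample data, `detect` raises three alerts: the policy deletion, the same account switching from 10.0.0.5 to 203.0.113.7 twenty seconds earlier, and the 14:30 shred outside the assumed window (the 23:15 shred is inside it and stays quiet). The `ip-switch` rule is the one the page's IP Address filter makes possible; tune the window and the location set to your own change-management policy before relying on it.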

How to Grant User Access to the Audit Log

  • Access to the Audit Log page is limited to users in specific roles.
  • To grant access to the Audit Log, an Administrator must apply the Manage privilege in the Manage Administrative Settings area for the user. From the left side navigation menu, navigate to Settings > User Management.
  • The Audit Log page is available only to users who are members of a role that contains the Manage privilege.

How to View Audit Logs

Use the following steps to view Audit Logs:

  1. From the left side navigation menu, click Reports.

  2. Next, click Audit Log.

  3. The Audit Log page appears.

Audit Log Table Columns

The Audit Log table displays the following columns; each column name is followed by its description.

Date/Time

The timestamp of when the action occurred.

Type

The action that was logged:

  • Application Setting - Written when an application setting is changed. Within Sensitive Data Platform, see Settings > Application Settings.
  • Cloud Provider Authenticated - Written when the Sensitive Data Platform console authenticates with a cloud provider.
  • Global Ignore List - Written when a global ignore list is added or deleted. Within Sensitive Data Platform, see Settings > Application Settings > Global Ignore List.
  • Global Ignore List Item - Written when items are added to a given ignore list.
  • Playbook Override - Written when the override action is performed on the location details dialog.
  • Policy - Written when a policy is created, updated (changed), or deleted using edit mode.
  • Remote Result Action - Written when a Shred, Quarantine, or Ignore action initiated from the Console Results tab is scheduled for processing by an endpoint.
  • Sensitive Data Type - Written when custom data types are created, modified, or deleted. These are called sensitive data types in Sensitive Data Manager. Within Sensitive Data Platform, see Settings > Global Data Types > Custom Data Types tab.
  • Sensitive Data Type Export - Written when the row menu on the Custom Data Types tab is used to export an item.
  • Spirion Support User - Not logged.
  • Tag - Written when a tag is created, changed, or deleted.
  • Targets Merge - Written when Targets are merged.
  • User - Written each time a user logs in to the Console and permissions are synchronized.

Action Type

The type of action that was taken:

  • Accessed
  • Cloned
  • Created
  • Deleted
  • Updated

Location

The location within Sensitive Data Platform where the action occurred:

  • Agents And Endpoints
  • Analytics
  • Analytics Dashboard
  • Audit Log
  • Change Password
  • Classifications
  • Compliance
  • Dashboard
  • Discovery Teams
  • Endpoints
  • Excluded Rows
  • Identity Requests
  • Identity Results
  • Incidents Management
  • Incidents Results
  • Installation
  • Map Data
  • Notifications
  • Playbooks
  • Policies
  • Privacy Manager
  • Profile
  • Results
  • Roles
  • Scans
  • Scans Dashboard
  • Schedules
  • Script Repository
  • Sensitive Data Types
  • Spirion Support User
  • Tag Management
  • Tags
  • Unknown
  • Users

Description

Includes the Action Type, Name, and Type of the event.

More Options menu (three vertical dots)

Opens View Details for the event.

How to Sort Table Columns

Sort your Audit Logs by table column to instantly bring your desired focus area to the top of the Audit Log table. For example, sort by date to view the oldest or the most recent Audit logs.

Use the following steps to sort table columns:

  1. Click a column to sort ascending.

  2. Click the column again to sort descending.

How to Search for an Audit Log

You can search for an Audit Log event by Account Name, Action Type, or Location.

Use the following steps to search for an audit log:

  1. Enter the account name, action type, or location in the Search entry field.

  2. Click the magnifying glass (search) icon or press Enter.

  3. The matching results display.

  4. Click the x to clear the search.

How to View Audit Log Details

Use the following steps to view the details of an Audit log:

  1. From the Audit Log page locate the log you want to view in the Audit Log list.
  2. Click the More Options menu at the end of the row.

  3. Click View Details.

  4. The Log Details window opens.

  5. Click Close to close the window and return to the previous screen.

How to Use Filters to Find an Audit Log

Note: The Type filter lists only event types that are triggered within Sensitive Data Platform.

To use the filter feature to find an Audit Log based on specific criteria:

  1. In the upper left of the screen, go to the Filters.
  2. For the selection criteria, select one or more items from the list of filters:
    • IP Address (for audit purposes, filtering on the user's IP Address is preferred)
    • Date/Time
    • Type
    • Action Type
    • Location
    • Description
  3. Click Apply to apply the filter to the Audit Log list.

  4. Click Clear and then click Apply to remove the filter.