SA Cfg: Global Audit Logging Operation Reference

Document created by RSA Information Design and Development on Jul 22, 2016Last modified by RSA Information Design and Development on Dec 2, 2016
Version 4Show Document
  • View in full screen mode
  

This topic lists message types being logged by the various Security Analytics components. Most messages plainly state the operation being logged; when necessary the meaning of the message is explained.

After you create a global audit logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected audit logging template. The message types being logged by the various Security Analytics components are shown in the following tables.

CARLOS

The following table lists the operations logged by CARLOS.

                                                     
Serial #Operation NameMeaning
1SetProviderConfigurationA new notification server (for example, SMTP server) was added or updated
2SetInstanceConfigurationA new notification type (for example, email
  destination) was added or updated
3SetTemplateDefinitionA new template was added or updated
4RemoveProviderConfigurationA notification server was removed
5RemoveInstanceConfigurationA notification type was removed
6RemoveTemplateDefinitionA template definition was removed
7CommitA configuration bean change was committed
8SetA JMX property value was set via Security Analytics Explore view

ESA

The following table lists the operations logged by the Event Stream Analysis (ESA).

                                                                    
Serial #Operation NameMeaning
9SetSourceRequestA concentrator was added or updated to ESA as source
10RemoveSourceRequestA concentrator was removed from ESA as source
11SetEplModuleAn EPL module was deployed or updated to ESA
12RemoveEplModuleAn EPL module was removed from ESA
13SetEnrichmentSourceRequestAn ESA enrichment source was added/updated
14RemoveEnrichmentSourceRequestAn ESA enrichment source was removed 
15SetDatabaseReferenceAn enrichment database reference was made to ESA
16UpdateEnrichmentDataData rows added to an ESA enrichment source
17SetEnrichmentConnectionA connection was made between an EPL module and an enrichment source
18RemoveEnrichmentConnectionA connection between an EPL module and an enrichment source was removed
19DisableTrialModuleESA Trial rules were disabled

Investigation

The following table lists the operations logged by Investigations.

                                                                                                                                                                                                                      
Serial #Operation NameMeaning
1VisualizePreferencesOperations related to Informer Visualization Request.
2ParallelCoordinatesOperations related to Loading of Co-Ordinate View Navigation.
3TimeLineOperations related to Loading of Timeline View Navigation.
4ExteralQueryOperation when a Direct Query is fired via URL.
5PrintViewOperations to open Investigation in Print View.
6submitExtractFilesOperation to submit a Request to Extract files from Sessions.
7submitExtractLogsOperation to submit a Request to Extract Logs from Sessions.
8submitExtractPcapOperation to submit a Request to Extract Sessions from Sessions.
9DataScienceDrillOperation to investigate from Data Science Report.
10breadCrumbsOperation to access the Query Breadcumbs.
11CreateOperation when a new Investigation Query is being saved as a predicate to be used for URL Integration.
12userPredicatesOperation to access Recent Queries of a user.
13chartDefaultMetasOperation to access last used Meta for generating Coordinate Chart.
14defaultDeviceOperation to access the Default Investigation Device.
15deleteDefaultDeviceOperation to delete the Default Investigation Device.
16chartPreferencesOperation to edit an Investigation Navigation Chart Parameters such as Height.
17devicePreferencesOperation to save the preferences about the Investigation Device such asTime Range, Profile, Meta Groups etc.
18topValuesOperation to get the Top Values for Metas. Normally called from Top Values Dashlet.
19MetaLanguagesOperation to read the Meta Languages from a Device.
20MetaGroupsOperations related to Investigation Meta Groups.
21DefaultMetaKeysOperations related to Investigation Default Meta Keys.
22UpdateDefaultMetaKeysOperations to update Investigation Default Meta Keys.
23UpdateMetaGroupOperations to update Investigation Meta Groups.
24ApplyMetaGroupOperations to use Investigation Meta Groups.
25DeactivateMetaGroupOperations to reset Investigation Meta Groups in UI.
26DeleteMetaGroupOperations to remove Investigation Meta Group.
27DeleteMetaGroupsOperations to remove multiple Investigation Meta Groups.
28ImportMetaGroupsOperations to import Investigation Meta Groups.
29ExportMetaGroupOperations to export multiple Investigation Meta Groups.
30GeoMapOperation to access the Geo Map View of Investigation.
31deleteEndpointCacheOperation to clear Reconstruction Cache of a Device.
32deleteOperation to delete Alert Templates.
33CustomColumnGroupOperation to apply or read Custom Column Group.
34ImportOperations related to Import of Column Group or Profiles.
35ExportOperations related to Export of Column Group or Profiles.
36SaveProfileOperation to save an Investigation Profile.
37ApplyProfileOperation to apply an Investigation Profile.
38DeactivateProfileOperation to deactivate an Investigation Profile.
39DeleteProfileOperation to delete an Investigation Profile.
40DeleteProfilesOperation to delete multiple Investigation Profiles.

Reporting Engine

The following table lists the operations logged by the Reporting Engine.

                                                                                                                           
Serial #Operation NameMeaning
1TEMPLATEFor all operations related to template
2CHARTFor all operations related to chart
3REPORTFor all operations related to report
4RULEFor all operations related to rule
5IMAGEFor all operations related to Logo Images used in Reports.
6LISTFor all operations related to list
7ALERTFor all operations related to alert
8CONFIGFor all operations related to configuration change
9SCHEDULEFor all operations related to schedule
10ROLEFor all operations related to role/authorization
11BATCH_JOBFor all operations related to batch jobs
12SCHEDULERFor all operations related to scheduler
13QUERYPROCESSORFor all operations related to queryprocessor
14FORMATTERFor all operations related to formatter
15OUTPUTACTIONFor all operations related to outputaction
16STATUSMANAGERFor all operations related to statusmanager
17BATCH_RUNDEFFor all operations related to batch rundef
18CHARTGROUPFor all operations related to chart group
19REPORTGROUPFor all operations related to report group
20RULEGROUPFor all operations related to rule group
21LISTGROUPFor all operations related to list group
22DISKSPACEFor all operations related to disk space

Warehouse Connector

The following table lists the operations logged by the Warehouse Connector.

                                                                                              
Serial #Operation NameMeaning
1LockBox Password CreateOperation to create LockBox Password.
2LockBox Password UpdateOperation to update LockBox Password.
3LockBox Password RefreshOperation to refresh LockBox Password.
4Adding StreamOperation to add a Stream.
5Adding SourceOperation to add a Source.
6Adding DestinationOperation to add a Destination.
7RemovingOperation to remove a Source, Stream, or Destination.
8Changing PasswordOperation to change the Password.
9Updating SourceOperation to update a Source.
10Adding Source to StreamOperation to add a Source to a Stream.
11Deleting Source from StreamOperation to delete a Source from a Stream.
12Setting Destination to StreamOperation to set a Destination to a Stream.
13Finalizing StreamOperation to finalize a Stream and initiate the aggregation.
14Stopping StreamOperation to stop a Stream.
15Starting StreamOperation to start a Stream.
16Reloading StreamOperation to reload a Stream.

Health & Wellness

The following table lists the operations logged by Health & Wellness.

                       
Serial #Operation NameMeaning
1SavePolicyRequestOperation while adding or modifying a Policy.
2RemovePolicyRequestOperation while removing a Policy.

Security Analytics Core Services

The following table lists the operations logged by Security Analytics Core Services.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
Serial #Operation NameMeaning
1FILE-CommandOperation to list, retrieve and delete files from approved directories on this device.
2SERVICE-StartService started
3SERVICE-StopService stopped
4REDIRECT-SyslogOperation for syslog forwarding.
5ADD-MonitorIssuing a filesystem monitor operation
6DELETE-MonitorIssuing a filesystem monitor deletion operation
7SHUTDOWN-Service/shutdown.serviceShutting down appliance service
8REBOOT-ServiceRestarting appliance service
9CONFIGURE-NetworkIssuing Network Configuration change
10SET-NTPIssuing NTP set operation
11STOP-NTPIssuing NTP stop operation
12NTP-TimesyncIssuing NTP time sync operation
13SET-SNMPIssuing SNMP set
14UPGRADE/upgradeIssuing upgrade operation
15create.collectionOperation to create an empty collection.
16restoreIssuing restore
17session.aggregationIssuing aggregation start/stop
18add.deviceAdding a device for aggregation
19edit.deviceEditing a device used for aggregation
20delete.deviceDeleting a device used for aggregation
21capture.startStarting capture operation
22capture.stopStopping capture operation
23select.interfaceSelecting capture interface
24exportOperation to export packets or sessions.
25reloadIssuing a parser reload
26schemaIssuing a schema request for loaded parsers
27upload/file.uploadIssuing file upload
28notifyIssuing feed notify
29deleteIssuing file deletion
30edit.configConfiguration change operation
31parsers.transformsPerform a language key transformation
32data.resetData reset operation
33timeoutREST request timeout
34cancelCancel a running query
35timerollOperation to delete the database files that exceed a given limit.
36dumpOperation to dump information out of the database in nwd formatted files.
37session.wipeIssuing a session wipe operation
38REPLACE-RuleIssuing a rule replace operation
39MERGE-RuleIssuing a rule merge operation
40ERASE-RuleIssuing deletion of a set of all rules
41ADD-RuleIssuing a rule addition operation
42DELETE-RuleIssuing deletion of a set of rules
43sdk.infoIssuing SDK summary info.
44sdk.sessionIssuing SDK session info.
45sdk.languageIssuing SDK language
46sdk.aliasesIssuing SDK alias request
47sdk.transformIssuing SDK transformation request
48sdk.searchIssuing session content search request
49sdk.cacheOperation related to session content cache
50sdk.contentIssuing session content request
51check.authorizationOperation to check user roles for permissions to execute an operation.
52close.connectionIssuing a connection close operation
53handshakeIssuing an SSL handshake
54logon/loginOperation to login from SA to the other services, mostly to privileged users.
55STOREDPROCOPIssuing file upload cancel/start
56ADD-TaskAdded scheduled task
57DELETE-TaskDeleted scheduled task
58logoffIssuing logout operation
59list.cacertsIssuing list trusted CA certificate operation 
60delete.cacertsIssuing delete trusted CA certificate operation
61add.cacertsIssuing addition of trusted CA certificate operation
62restart.commandIssuing restart command line option
63delete.file/file.deleteOperation to delete system configuration files.
64update.file/file.updateOperation to update system configuration file.
65create.fileIssuing file creation operation
66queryIssue a database query
67unlockIssuing unlock user account operation
68user.addOperation to create user accounts on individual devices.
69user.deleteOperation to delete a user on individual devices.
70group.createOperation to add a new group to the system.
71user.removeRemove a user account from a group
72group.deleteDelete a group from the /users/groups tree
73add.userIssuing add user command to collection
74delete.userIssuing delete user command to collection
75remove.userRemoving an user from collection
76collection.openIssuing an open command for a collection
77collection.closeIssuing a close command for a collection 
78collection.deleteIssuing collection deletion command
79reingest.startOperation to start reingesting of packet data in collection.
80feed.notifyIssuing a feed notify command
81collectIssuing a collect command
82collect.startIssuing a data collection start
83collection.globalIssuing import parser command
84parser.reloadIssuing parser reload command
85reingestOperation to reingest packet data in collection.
86collection.createIssuing a create collection command
87collection.restoreIssuing a restore collection command
88collection.cloneIssuing a clone collection command
89parser.reloadIssuing parser reload command
90sdk.queryPerforms a query against the meta database
91sdk.msearchSearch for pattern matches in many sessions or packets
92sdk.valuesPerforms a value count query and returns the matching values for a report
93sdk.timelineReturns the count of sessions/size/packets in discrete time intervals

Malware Analysis

The following table lists the operations logged by the Malware Analysis (MA) component.

                                                                                                                                                                                                                                                                                                                                                                 
Serial #Operation NameMeaning
1 GetDashBoardSummaryRequest Get dashboard analysis statistics
2GetFileScoreSummaryRequest Get aggregated file scores by score type and risk level
3CountEventsAndFilesRequest Get count of events and files over a time frame
4GetAvVendorDetectionRequestGet AV vendor analysis results
5GetAVVendorsRequestGet list of AV Vendors supported
6SetInstalledAVVendorsRequest Update list of installed AV Vendors in config
7CountEventByCriteriaRequestCount events by criteria
8FindEventByIdRequestGet event by id

9

FindEventByCriteriaRequest

Get event by criteria

10DeleteEventRequestDelete event

11

CommentOnEventRequest

Add comment to event

12ReSubmitEventRequestResubmit event for analysis

13

FindEventScoreByIdRequest

Get event score by event id

14FindEventScoreByCriteriaRequestGet event score by criteria

15

FindMetaByIdRequest

Get meta by id

16FindMetaByCriteriaRequestGet meta by criteria

17

FindMetaValueByCriteriaRequest

Get meta value by criteria

18CountByDistinctMetaValueRequestCount distinct meta values

19

CountByMetaNameAndValueWithDate RangeIntervalRequest

Count meta and values with interval for charting

20CountByValueAndAverageOverallScore RequestCount meta and map to overall scores for events

21

CountByValueAndAverageGroupScore Request

Count meta and map to group scores for events

22CountFileEntryByCriteriaRequestCount files by criteria

23

FindFileEntryByIdRequest

Get file by id

24FindFileEntryByCriteriaRequestGet file by criteria

25

ReSubmitFileEntryRequest

Resubmit file for analysis

26FileDownloadRequestDownload file from repository

27

FileUploadRequest

Upload file for analysis

28FindFileScoreByIdRequestGet file score by id

29

FindFileScoreByCriteriaRequest

Get file score by criteria

30FindHashValueByIdRequestGet whitelist/blacklist Hash value by id

31

FindHashValueByCriteriaRequest

Get whitelist/blacklist Hash value by criteria

32AddHashValueRequestAdd whitelist/blacklist Hash value

33

UpdateHashValueRequest

Update whitelist/blacklist Hash value

34DeleteHashValueRequestDelete whitelist/blacklist Hash value

35

FindHashValueByMd5Request

Find whitelist/blacklist Hash value by md5

36AddHashValueInFileRequestAdd File to repository as well as hash value

37

GetDefaultRulesRequest

Get default IOC Rules configuration

38ResetToDefaultRulesRequest Reset IOC Rules configuration to default

39

GetAllOverrideRulesRequest

Get IOC Rules user created override configuration

40FindOverrideRuleByIdRequestFind IOC override rule by id

41

AddOverrideRuleRequest

Add IOC override rule

42UpdateOverrideRuleRequest Update IOC override rule

43

DeleteOverrideRuleRequest

Delete IOC override rule

44SubmitOnDemandNextGenRequestSubmit new ondemand nextgen scan

45

FindOnDemandJobEntryByIdRequest

Get ondemand job entity by id

46FindOnDemandJobEntryByCriteria RequestGet ondemand job entity by criteria

47

GetOnDemandJobInfoRequest

Get ondemand job reference entity by id

48GetOnDemandDefaultConfigurationRequest Get ondemand default configuration

49

CancelOnDemandJobRequest

Cancel ondemand job in progress

50DeleteOnDemandJobRequestDelete ondemand job

51

ReSubmitOnDemandJobRequest

Resubmit ondemand job

52SubscriptionRequest Subscribe to MA Cloud communication

53

UnSubscribeRequest

Unsubscribe from MA Cloud communication

54GetTopEventInfluencesRequestGet Top N event influences

55

GetServerInfoRequest

Get server info, such as server time

56DataResetRequestReset database

57

OnDemandJobStatusNotification

Report ondemandjob progress to subscribers

58LicenseStatusNotificationReport license status - num samples analyzed

59

DataResetNotification

Report that data was reset

60GetIocSummaryRequest Get IOC rules aggregated by event/file scores

61

FindAlertTemplatesByCriteriaRequest

Get rabbitmq alert templates by criteria

62SaveAlertTemplateRequest Update alert template

63

DeleteAlertTemplateRequest

Delete alert template

64GetJobStatusRequest Get in progress job analysis thread status

65

GetEventTypeCountSummaryRequest

Get event analysis counts by date chart

66LogonLogon to the MA Service

67

Modified

Modifying config changes

68GetNextGenSummaryRequestGet nextgen dashboard summary statistics

Security Analytics User Interface

The following table lists the operations logged by the Security Analytics User Interface component.

                                                                                                                                                                                                                                                                                                                                                               
Serial #Operation NameMeaning
1uploadTrialLicenseUpload Trial License
2LicenseEntitleEntitle License
3LicenseDeactivationDeactivate License
4ExpiredLicense License Expired
5LicenseOutOfComplianceAcknowledgementEULA Acknowledgement
6resetLicenseReset License
7usageDateExportLicense data usage - csv/pdf
8refreshLicenseRefresh LLS license
9LicenseOutOfCompliance Out of Compliance
10OOTBEntitlementOutOfComplianceOOTB Trial license Out of Compliance
11OOTBEntitlementFirstLoginTimeModifiedOOTB time modified
12OOTBEntitlementFileDeletedOOTB File deleted
13OOTBEntitlementDataTamperingOOTB data tampering
14uploadOfflineResponse Upload offline response
15offlineDownloadCapRequestDownload offline request
16movePerpetualToMeteredMove Service-based license to Metered
17moveMeteredToPerpetual Mover Metered to Service-based license
18mapServiceLicenseMap Service to Real license
19deleteOperation to delete Alert Templates.
20HttpRequestOperation for Audit Logging of the accessed URL.
21Page AccessedOperation for Audit Logging of the accessed page.
22NavigateOperation to navigate to the accessed page.
23EventsOperation to view the accessed event page.
24ReconOperation for Event Reconstruction requested.
25ServicesOperation while reading the list of available devices for investigation.
26ServiceOperation for a List of devices requested to be investigated.
27CollectionsOperation to view the list of collections requested.
28ProfilesOperation to apply a Profile.
29ColumnGroupsOperation to apply or read Column Group.
30ParallelCoordinatesOperations related to Loading of co-ordinate view navigation.
31TimelineOperations related to loading of timeline view navigation.
32PrintViewOperations to open investigation in print view.
33PreferencesOperations related to Informer Request.
34importOperations related to Import of Column Group or Profiles.
35exportOperations related to Export of Column Group or Profiles.
36PredicateOperations related to Queries (Predicates) used for Investigation.
37LanguagesOperation for Language requested from a Device.
38CancelLanguageLoadOperation for Language Load Canceled from Navigate Page.
39summaryOperation for a summary requested from a Device.
40languagesOperation for a language requested from a device.
41aliasesOperation for meta aliases requested from a device.
42queryOperation for SDK Query requested from a device.
43msearchOperation for a meta search requested from a device.
44nodeListingNode Listing for a node requested from a Device.
45contentSDK Content call requested from a Device for downloading a PCAP or Log.
46Export FilesFile Listing Requested for a Session in File View or Extraction jobs.
47packetsPackets requested for sessions in Packet View or Extraction Jobs.
48deleteEndpointCacheOperation to clear reconstruction cache of a device.
49LogonOperation for user to sign in to Security Analytics User Interface.
50LogoffOperation for user to sign out of Security Analytics User Interface.
51defaultDeviceOperation to access the Default SA UI Device.
52deleteDefaultDeviceOperation to delete the Default investigation device.
53submitExtractFilesOperation to submit a request to Extract files from Sessions.
54submitExtractLogsOperation to submit a Request to Extract Logs from Sessions.
55submitExtractPcapOperation to submit a Request to Extract Sessions from Sessions.
56MetaGroupOperations related to SA UI Meta Groups.
57ExternalQueryOperation when a Direct Query is fired via URL.
58GeoMapOperation to access the Geo Map View of Investigation.
59SaveProfileOperation to save an Investigation Profile.
60ApplyProfileOperation to apply an Investigation Profile.
61DeleteProfileOperation to apply an Investigation Profile.
62DeactivateProfileOperation to apply an Investigation Profile.
63VisualizePreferencesOperations related to Informer Visualization Request.
64ExportMetaGroupOperations to export multiple SA UI Meta Groups.
65userPredicatesOperations to export multiple SA UI Meta Groups.
66FileViewOperation for reconstruction request for File View.
67resource.updateOperation when Live Subscription State changes.

Incident Management

The following table lists the operations logged by the Incident Management component.

                                                                              
Serial #Operation NameMeaning
1updateUpdate notification setting
2updateUpdate integration settings configuration
3

delete

Delete Alerts
4createCreate new incident
5updateUpdate incident details
6readRead incident details
7deleteDelete incidents
8readRead remediation tasks
9deleteDelete Remediation tasks
10updateUpdate remediation tasks
11createCreate new rule
12updateUpdate existing alert rule
13reorderReorder priority of alert rules
You are here
Table of Contents > References > Global Audit Logging Configurations Panel > Global Audit Logging Operation Reference

Attachments

    Outcomes