SA Cfg: Global Audit Logging Operation Reference

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by RSA Information Design and Development on Dec 2, 2016.

After you create a global audit logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected audit logging template. The following tables list, per Security Analytics component, the operation names that are written to the audit log and what each operation means. Note that the same operation name can appear under more than one component with a different meaning (for example, delete is a file deletion on Security Analytics Core Services but deletes alert templates in Investigation and the User Interface), so always read an audited operation together with the component that logged it.

CARLOS

The following table lists the operations logged by CARLOS.

Serial # | Operation Name | Meaning
1 | SetProviderConfiguration | A new notification server (for example, an SMTP server) was added or updated
2 | SetInstanceConfiguration | A new notification type (for example, an email destination) was added or updated
3 | SetTemplateDefinition | A new template was added or updated
4 | RemoveProviderConfiguration | A notification server was removed
5 | RemoveInstanceConfiguration | A notification type was removed
6 | RemoveTemplateDefinition | A template definition was removed
7 | Commit | A configuration bean change was committed
8 | Set | A JMX property value was set via the Security Analytics Explore view

ESA

The following table lists the operations logged by Event Stream Analysis (ESA).

Serial # | Operation Name | Meaning
1 | SetSourceRequest | A Concentrator was added to or updated on ESA as a source
2 | RemoveSourceRequest | A Concentrator was removed from ESA as a source
3 | SetEplModule | An EPL module was deployed to or updated on ESA
4 | RemoveEplModule | An EPL module was removed from ESA
5 | SetEnrichmentSourceRequest | An ESA enrichment source was added or updated
6 | RemoveEnrichmentSourceRequest | An ESA enrichment source was removed
7 | SetDatabaseReference | An enrichment database reference was added to ESA
8 | UpdateEnrichmentData | Data rows were added to an ESA enrichment source
9 | SetEnrichmentConnection | A connection was made between an EPL module and an enrichment source
10 | RemoveEnrichmentConnection | A connection between an EPL module and an enrichment source was removed
11 | DisableTrialModule | ESA trial rules were disabled

Investigation

The following table lists the operations logged by Investigation.

Serial # | Operation Name | Meaning
1 | VisualizePreferences | Operations related to an Informer visualization request.
2 | ParallelCoordinates | Operations related to loading the Coordinates view in Navigation.
3 | TimeLine | Operations related to loading the Timeline view in Navigation.
4 | ExternalQuery | Operation when a direct query is fired via URL.
5 | PrintView | Operation to open Investigation in Print View.
6 | submitExtractFiles | Operation to submit a request to extract files from sessions.
7 | submitExtractLogs | Operation to submit a request to extract logs from sessions.
8 | submitExtractPcap | Operation to submit a request to extract packets (PCAP) from sessions.
9 | DataScienceDrill | Operation to investigate from a Data Science report.
10 | breadCrumbs | Operation to access the query breadcrumbs.
11 | Create | Operation when a new Investigation query is saved as a predicate to be used for URL integration.
12 | userPredicates | Operation to access a user's recent queries.
13 | chartDefaultMetas | Operation to access the last used meta for generating the Coordinates chart.
14 | defaultDevice | Operation to access the default Investigation device.
15 | deleteDefaultDevice | Operation to delete the default Investigation device.
16 | chartPreferences | Operation to edit Investigation Navigation chart parameters such as height.
17 | devicePreferences | Operation to save preferences for the Investigation device, such as time range, profile, and meta groups.
18 | topValues | Operation to get the top values for metas. Normally called from the Top Values dashlet.
19 | MetaLanguages | Operation to read the meta languages from a device.
20 | MetaGroups | Operations related to Investigation meta groups.
21 | DefaultMetaKeys | Operations related to Investigation default meta keys.
22 | UpdateDefaultMetaKeys | Operations to update Investigation default meta keys.
23 | UpdateMetaGroup | Operations to update Investigation meta groups.
24 | ApplyMetaGroup | Operations to use Investigation meta groups.
25 | DeactivateMetaGroup | Operations to reset Investigation meta groups in the UI.
26 | DeleteMetaGroup | Operation to remove an Investigation meta group.
27 | DeleteMetaGroups | Operation to remove multiple Investigation meta groups.
28 | ImportMetaGroups | Operation to import Investigation meta groups.
29 | ExportMetaGroup | Operation to export multiple Investigation meta groups.
30 | GeoMap | Operation to access the Geo Map view of Investigation.
31 | deleteEndpointCache | Operation to clear the reconstruction cache of a device.
32 | delete | Operation to delete alert templates.
33 | CustomColumnGroup | Operation to apply or read a custom column group.
34 | Import | Operation related to importing column groups or profiles.
35 | Export | Operation related to exporting column groups or profiles.
36 | SaveProfile | Operation to save an Investigation profile.
37 | ApplyProfile | Operation to apply an Investigation profile.
38 | DeactivateProfile | Operation to deactivate an Investigation profile.
39 | DeleteProfile | Operation to delete an Investigation profile.
40 | DeleteProfiles | Operation to delete multiple Investigation profiles.

Reporting Engine

The following table lists the operations logged by the Reporting Engine.

Serial # | Operation Name | Meaning
1 | TEMPLATE | All operations related to templates
2 | CHART | All operations related to charts
3 | REPORT | All operations related to reports
4 | RULE | All operations related to rules
5 | IMAGE | All operations related to logo images used in reports
6 | LIST | All operations related to lists
7 | ALERT | All operations related to alerts
8 | CONFIG | All operations related to configuration changes
9 | SCHEDULE | All operations related to schedules
10 | ROLE | All operations related to roles/authorization
11 | BATCH_JOB | All operations related to batch jobs
12 | SCHEDULER | All operations related to the scheduler
13 | QUERYPROCESSOR | All operations related to the query processor
14 | FORMATTER | All operations related to the formatter
15 | OUTPUTACTION | All operations related to output actions
16 | STATUSMANAGER | All operations related to the status manager
17 | BATCH_RUNDEF | All operations related to batch run definitions
18 | CHARTGROUP | All operations related to chart groups
19 | REPORTGROUP | All operations related to report groups
20 | RULEGROUP | All operations related to rule groups
21 | LISTGROUP | All operations related to list groups
22 | DISKSPACE | All operations related to disk space

Warehouse Connector

The following table lists the operations logged by the Warehouse Connector.

Serial # | Operation Name | Meaning
1 | LockBox Password Create | Operation to create the LockBox password.
2 | LockBox Password Update | Operation to update the LockBox password.
3 | LockBox Password Refresh | Operation to refresh the LockBox password.
4 | Adding Stream | Operation to add a stream.
5 | Adding Source | Operation to add a source.
6 | Adding Destination | Operation to add a destination.
7 | Removing | Operation to remove a source, stream, or destination.
8 | Changing Password | Operation to change the password.
9 | Updating Source | Operation to update a source.
10 | Adding Source to Stream | Operation to add a source to a stream.
11 | Deleting Source from Stream | Operation to delete a source from a stream.
12 | Setting Destination to Stream | Operation to set a destination for a stream.
13 | Finalizing Stream | Operation to finalize a stream and initiate aggregation.
14 | Stopping Stream | Operation to stop a stream.
15 | Starting Stream | Operation to start a stream.
16 | Reloading Stream | Operation to reload a stream.

Health & Wellness

The following table lists the operations logged by Health & Wellness.

Serial # | Operation Name | Meaning
1 | SavePolicyRequest | Operation while adding or modifying a policy.
2 | RemovePolicyRequest | Operation while removing a policy.

Security Analytics Core Services

The following table lists the operations logged by Security Analytics Core Services.

Serial # | Operation Name | Meaning
1 | FILE-Command | Operation to list, retrieve, and delete files from approved directories on this device.
2 | SERVICE-Start | Service started
3 | SERVICE-Stop | Service stopped
4 | REDIRECT-Syslog | Operation for syslog forwarding.
5 | ADD-Monitor | Issuing a filesystem monitor operation
6 | DELETE-Monitor | Issuing a filesystem monitor deletion operation
7 | SHUTDOWN-Service/shutdown.service | Shutting down an appliance service
8 | REBOOT-Service | Restarting an appliance service
9 | CONFIGURE-Network | Issuing a network configuration change
10 | SET-NTP | Issuing an NTP set operation
11 | STOP-NTP | Issuing an NTP stop operation
12 | NTP-Timesync | Issuing an NTP time sync operation
13 | SET-SNMP | Issuing an SNMP set
14 | UPGRADE/upgrade | Issuing an upgrade operation
15 | create.collection | Operation to create an empty collection.
16 | restore | Issuing a restore
17 | session.aggregation | Issuing an aggregation start/stop
18 | add.device | Adding a device for aggregation
19 | edit.device | Editing a device used for aggregation
20 | delete.device | Deleting a device used for aggregation
21 | capture.start | Starting a capture operation
22 | capture.stop | Stopping a capture operation
23 | select.interface | Selecting the capture interface
24 | export | Operation to export packets or sessions.
25 | reload | Issuing a parser reload
26 | schema | Issuing a schema request for loaded parsers
27 | upload/file.upload | Issuing a file upload
28 | notify | Issuing a feed notify
29 | delete | Issuing a file deletion
30 | edit.config | Configuration change operation
31 | parsers.transforms | Performing a language key transformation
32 | data.reset | Data reset operation
33 | timeout | REST request timeout
34 | cancel | Cancelling a running query
35 | timeroll | Operation to delete the database files that exceed a given limit.
36 | dump | Operation to dump information out of the database in nwd formatted files.
37 | session.wipe | Issuing a session wipe operation
38 | REPLACE-Rule | Issuing a rule replace operation
39 | MERGE-Rule | Issuing a rule merge operation
40 | ERASE-Rule | Issuing deletion of the set of all rules
41 | ADD-Rule | Issuing a rule addition operation
42 | DELETE-Rule | Issuing deletion of a set of rules
43 | sdk.info | Issuing an SDK summary info request
44 | sdk.session | Issuing an SDK session info request
45 | sdk.language | Issuing an SDK language request
46 | sdk.aliases | Issuing an SDK alias request
47 | sdk.transform | Issuing an SDK transformation request
48 | sdk.search | Issuing a session content search request
49 | sdk.cache | Operation related to the session content cache
50 | sdk.content | Issuing a session content request
51 | check.authorization | Operation to check user roles for permission to execute an operation.
52 | close.connection | Issuing a connection close operation
53 | handshake | Issuing an SSL handshake
54 | logon/login | Operation to log in from SA to the other services, mostly by privileged users.
55 | STOREDPROCOP | Issuing a file upload cancel/start
56 | ADD-Task | Added a scheduled task
57 | DELETE-Task | Deleted a scheduled task
58 | logoff | Issuing a logout operation
59 | list.cacerts | Issuing a list trusted CA certificates operation
60 | delete.cacerts | Issuing a delete trusted CA certificate operation
61 | add.cacerts | Issuing an add trusted CA certificate operation
62 | restart.command | Issuing the restart command line option
63 | delete.file/file.delete | Operation to delete system configuration files.
64 | update.file/file.update | Operation to update a system configuration file.
65 | create.file | Issuing a file creation operation
66 | query | Issuing a database query
67 | unlock | Issuing an unlock user account operation
68 | user.add | Operation to create user accounts on individual devices.
69 | user.delete | Operation to delete a user on individual devices.
70 | group.create | Operation to add a new group to the system.
71 | user.remove | Removing a user account from a group
72 | group.delete | Deleting a group from the /users/groups tree
73 | add.user | Issuing an add user command to a collection
74 | delete.user | Issuing a delete user command to a collection
75 | remove.user | Removing a user from a collection
76 | collection.open | Issuing an open command for a collection
77 | collection.close | Issuing a close command for a collection
78 | collection.delete | Issuing a collection deletion command
79 | reingest.start | Operation to start reingesting packet data in a collection.
80 | feed.notify | Issuing a feed notify command
81 | collect | Issuing a collect command
82 | collect.start | Issuing a data collection start
83 | collection.global | Issuing an import parser command
84 | parser.reload | Issuing a parser reload command
85 | reingest | Operation to reingest packet data in a collection.
86 | collection.create | Issuing a create collection command
87 | collection.restore | Issuing a restore collection command
88 | collection.clone | Issuing a clone collection command
89 | sdk.query | Performs a query against the meta database
90 | sdk.msearch | Searches for pattern matches in many sessions or packets
91 | sdk.values | Performs a value count query and returns the matching values for a report
92 | sdk.timeline | Returns the count of sessions/size/packets in discrete time intervals

Malware Analysis

The following table lists the operations logged by the Malware Analysis (MA) component.

Serial # | Operation Name | Meaning
1 | GetDashBoardSummaryRequest | Get dashboard analysis statistics
2 | GetFileScoreSummaryRequest | Get aggregated file scores by score type and risk level
3 | CountEventsAndFilesRequest | Get count of events and files over a time frame
4 | GetAvVendorDetectionRequest | Get AV vendor analysis results
5 | GetAVVendorsRequest | Get list of supported AV vendors
6 | SetInstalledAVVendorsRequest | Update list of installed AV vendors in config
7 | CountEventByCriteriaRequest | Count events by criteria
8 | FindEventByIdRequest | Get event by ID
9 | FindEventByCriteriaRequest | Get event by criteria
10 | DeleteEventRequest | Delete event
11 | CommentOnEventRequest | Add comment to event
12 | ReSubmitEventRequest | Resubmit event for analysis
13 | FindEventScoreByIdRequest | Get event score by event ID
14 | FindEventScoreByCriteriaRequest | Get event score by criteria
15 | FindMetaByIdRequest | Get meta by ID
16 | FindMetaByCriteriaRequest | Get meta by criteria
17 | FindMetaValueByCriteriaRequest | Get meta value by criteria
18 | CountByDistinctMetaValueRequest | Count distinct meta values
19 | CountByMetaNameAndValueWithDateRangeIntervalRequest | Count meta and values with interval for charting
20 | CountByValueAndAverageOverallScoreRequest | Count meta and map to overall scores for events
21 | CountByValueAndAverageGroupScoreRequest | Count meta and map to group scores for events
22 | CountFileEntryByCriteriaRequest | Count files by criteria
23 | FindFileEntryByIdRequest | Get file by ID
24 | FindFileEntryByCriteriaRequest | Get file by criteria
25 | ReSubmitFileEntryRequest | Resubmit file for analysis
26 | FileDownloadRequest | Download file from repository
27 | FileUploadRequest | Upload file for analysis
28 | FindFileScoreByIdRequest | Get file score by ID
29 | FindFileScoreByCriteriaRequest | Get file score by criteria
30 | FindHashValueByIdRequest | Get whitelist/blacklist hash value by ID
31 | FindHashValueByCriteriaRequest | Get whitelist/blacklist hash value by criteria
32 | AddHashValueRequest | Add whitelist/blacklist hash value
33 | UpdateHashValueRequest | Update whitelist/blacklist hash value
34 | DeleteHashValueRequest | Delete whitelist/blacklist hash value
35 | FindHashValueByMd5Request | Find whitelist/blacklist hash value by MD5
36 | AddHashValueInFileRequest | Add file to repository as well as its hash value
37 | GetDefaultRulesRequest | Get default IOC rules configuration
38 | ResetToDefaultRulesRequest | Reset IOC rules configuration to default
39 | GetAllOverrideRulesRequest | Get user-created IOC rules override configuration
40 | FindOverrideRuleByIdRequest | Find IOC override rule by ID
41 | AddOverrideRuleRequest | Add IOC override rule
42 | UpdateOverrideRuleRequest | Update IOC override rule
43 | DeleteOverrideRuleRequest | Delete IOC override rule
44 | SubmitOnDemandNextGenRequest | Submit new on-demand NextGen scan
45 | FindOnDemandJobEntryByIdRequest | Get on-demand job entity by ID
46 | FindOnDemandJobEntryByCriteriaRequest | Get on-demand job entity by criteria
47 | GetOnDemandJobInfoRequest | Get on-demand job reference entity by ID
48 | GetOnDemandDefaultConfigurationRequest | Get on-demand default configuration
49 | CancelOnDemandJobRequest | Cancel on-demand job in progress
50 | DeleteOnDemandJobRequest | Delete on-demand job
51 | ReSubmitOnDemandJobRequest | Resubmit on-demand job
52 | SubscriptionRequest | Subscribe to MA Cloud communication
53 | UnSubscribeRequest | Unsubscribe from MA Cloud communication
54 | GetTopEventInfluencesRequest | Get top N event influences
55 | GetServerInfoRequest | Get server info, such as server time
56 | DataResetRequest | Reset database
57 | OnDemandJobStatusNotification | Report on-demand job progress to subscribers
58 | LicenseStatusNotification | Report license status (number of samples analyzed)
59 | DataResetNotification | Report that data was reset
60 | GetIocSummaryRequest | Get IOC rules aggregated by event/file scores
61 | FindAlertTemplatesByCriteriaRequest | Get RabbitMQ alert templates by criteria
62 | SaveAlertTemplateRequest | Update alert template
63 | DeleteAlertTemplateRequest | Delete alert template
64 | GetJobStatusRequest | Get in-progress job analysis thread status
65 | GetEventTypeCountSummaryRequest | Get event analysis counts by date for charting
66 | Logon | Logon to the MA service
67 | Modified | Configuration change made
68 | GetNextGenSummaryRequest | Get NextGen dashboard summary statistics

Security Analytics User Interface

The following table lists the operations logged by the Security Analytics User Interface component.

Serial # | Operation Name | Meaning
1 | uploadTrialLicense | Upload trial license
2 | LicenseEntitle | Entitle license
3 | LicenseDeactivation | Deactivate license
4 | ExpiredLicense | License expired
5 | LicenseOutOfComplianceAcknowledgement | EULA acknowledgement
6 | resetLicense | Reset license
7 | usageDateExport | License data usage export (CSV/PDF)
8 | refreshLicense | Refresh LLS license
9 | LicenseOutOfCompliance | Out of compliance
10 | OOTBEntitlementOutOfCompliance | OOTB trial license out of compliance
11 | OOTBEntitlementFirstLoginTimeModified | OOTB first login time modified
12 | OOTBEntitlementFileDeleted | OOTB file deleted
13 | OOTBEntitlementDataTampering | OOTB data tampering
14 | uploadOfflineResponse | Upload offline response
15 | offlineDownloadCapRequest | Download offline request
16 | movePerpetualToMetered | Move service-based license to metered
17 | moveMeteredToPerpetual | Move metered to service-based license
18 | mapServiceLicense | Map service to real license
19 | delete | Operation to delete alert templates.
20 | HttpRequest | Operation for audit logging of the accessed URL.
21 | Page Accessed | Operation for audit logging of the accessed page.
22 | Navigate | Operation to navigate to the accessed page.
23 | Events | Operation to view the accessed event page.
24 | Recon | Operation for an event reconstruction request.
25 | Services | Operation while reading the list of available devices for investigation.
26 | Service | Operation for a list of devices requested to be investigated.
27 | Collections | Operation to view the list of collections requested.
28 | Profiles | Operation to apply a profile.
29 | ColumnGroups | Operation to apply or read a column group.
30 | ParallelCoordinates | Operation related to loading the Coordinates view in Navigation.
31 | Timeline | Operation related to loading the Timeline view in Navigation.
32 | PrintView | Operation to open Investigation in Print View.
33 | Preferences | Operation related to an Informer request.
34 | import | Operation related to importing column groups or profiles.
35 | export | Operation related to exporting column groups or profiles.
36 | Predicate | Operation related to queries (predicates) used for Investigation.
37 | Languages | Operation for a language requested from a device.
38 | CancelLanguageLoad | Operation for a language load canceled from the Navigate page.
39 | summary | Operation for a summary requested from a device.
40 | languages | Operation for a language requested from a device.
41 | aliases | Operation for meta aliases requested from a device.
42 | query | Operation for an SDK query requested from a device.
43 | msearch | Operation for a meta search requested from a device.
44 | nodeListing | Node listing for a node requested from a device.
45 | content | SDK content call requested from a device for downloading a PCAP or log.
46 | Export Files | File listing requested for a session in File View or extraction jobs.
47 | packets | Packets requested for sessions in Packet View or extraction jobs.
48 | deleteEndpointCache | Operation to clear the reconstruction cache of a device.
49 | Logon | Operation for a user signing in to the Security Analytics User Interface.
50 | Logoff | Operation for a user signing out of the Security Analytics User Interface.
51 | defaultDevice | Operation to access the default SA UI device.
52 | deleteDefaultDevice | Operation to delete the default Investigation device.
53 | submitExtractFiles | Operation to submit a request to extract files from sessions.
54 | submitExtractLogs | Operation to submit a request to extract logs from sessions.
55 | submitExtractPcap | Operation to submit a request to extract packets (PCAP) from sessions.
56 | MetaGroup | Operations related to SA UI meta groups.
57 | ExternalQuery | Operation when a direct query is fired via URL.
58 | GeoMap | Operation to access the Geo Map view of Investigation.
59 | SaveProfile | Operation to save an Investigation profile.
60 | ApplyProfile | Operation to apply an Investigation profile.
61 | DeleteProfile | Operation to delete an Investigation profile.
62 | DeactivateProfile | Operation to deactivate an Investigation profile.
63 | VisualizePreferences | Operation related to an Informer visualization request.
64 | ExportMetaGroup | Operation to export multiple SA UI meta groups.
65 | userPredicates | Operation to access a user's recent queries.
66 | FileView | Operation for a reconstruction request for File View.
67 | resource.update | Operation when the Live subscription state changes.
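The tables above are only useful once something on the receiving syslog side reads the operation name and decides whether a human needs to look at it. The following Python script is an added example (not part of this RSA page and not RSA code) of that first-pass triage: it parses a batch of audit records, maps the operation name to a review category using names taken from the tables above (trust-store changes such as add.cacerts, account changes such as user.add, destructive operations such as data.reset and DataResetRequest, detection content changes such as REPLACE-Rule and SetEplModule, bulk exports such as submitExtractPcap, and the OOTBEntitlement license integrity events), and reports per user. Everything about the message layout is an assumption for the example: the sample lines are constructed, and the key="value" fields after an SA_Audit: tag are a placeholder for whatever the selected audit logging template actually emits, so parse_line is the piece to adapt. The ambiguous names noted in the introduction (delete, export) are resolved per component rather than by name alone.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real Security Analytics output). The
# key="value" layout after the "SA_Audit:" tag is an assumption for this
# example; the real layout comes from the selected audit logging template.
SAMPLE_LINES = [
    '<14>Dec  2 10:15:01 sa-server SA_Audit: component="Security Analytics Core Services" '
    'user="admin" source="10.0.0.5" operation="add.cacerts" result="success"',
    '<14>Dec  2 10:15:07 sa-server SA_Audit: component="Security Analytics Core Services" '
    'user="admin" source="10.0.0.5" operation="user.add" result="success"',
    '<14>Dec  2 10:16:30 sa-server SA_Audit: component="Investigation" '
    'user="analyst1" source="10.0.0.23" operation="submitExtractPcap" result="success"',
    '<14>Dec  2 10:17:12 sa-server SA_Audit: component="Security Analytics User Interface" '
    'user="analyst1" source="10.0.0.23" operation="Logon" result="success"',
    '<14>Dec  2 10:20:45 sa-server SA_Audit: component="Security Analytics Core Services" '
    'user="svc_backup" source="10.0.0.9" operation="data.reset" result="success"',
    '<14>Dec  2 10:21:00 sa-server SA_Audit: component="Security Analytics User Interface" '
    'user="system" source="127.0.0.1" operation="OOTBEntitlementDataTampering" result="success"',
    '<14>Dec  2 10:22:10 sa-server SA_Audit: component="Investigation" '
    'user="analyst1" source="10.0.0.23" operation="delete" result="success"',
    'not an audit record at all',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # assumed field syntax; adapt to the real template

# Operation names from the reference tables, grouped by the kind of change an
# auditor would want to review. Names that mean different things in different
# components are deliberately absent here and handled in COMPONENT_SPECIFIC.
RISK_RULES = {
    "trust-store change": {"add.cacerts", "delete.cacerts"},
    "account or group change": {"user.add", "user.delete", "user.remove", "group.create",
                                "group.delete", "add.user", "delete.user", "remove.user", "unlock"},
    "destructive data operation": {"data.reset", "DataResetRequest", "session.wipe", "timeroll",
                                   "collection.delete", "delete.file", "file.delete",
                                   "DeleteEventRequest", "ERASE-Rule"},
    "detection content change": {"REPLACE-Rule", "MERGE-Rule", "ADD-Rule", "DELETE-Rule",
                                 "SetEplModule", "RemoveEplModule", "DisableTrialModule",
                                 "ResetToDefaultRulesRequest", "AddOverrideRuleRequest",
                                 "UpdateOverrideRuleRequest", "DeleteOverrideRuleRequest",
                                 "AddHashValueRequest", "UpdateHashValueRequest",
                                 "DeleteHashValueRequest"},
    "system configuration change": {"edit.config", "CONFIGURE-Network", "SET-NTP", "STOP-NTP",
                                    "SET-SNMP", "REDIRECT-Syslog", "UPGRADE", "upgrade",
                                    "restore", "Set", "Commit"},
    "bulk data export": {"submitExtractPcap", "submitExtractFiles", "submitExtractLogs",
                         "FileDownloadRequest", "content", "packets"},
    "license integrity event": {"OOTBEntitlementDataTampering", "OOTBEntitlementFileDeleted",
                                "OOTBEntitlementFirstLoginTimeModified", "resetLicense"},
}
OP_TO_CATEGORY = {op: cat for cat, ops in RISK_RULES.items() for op in ops}

# Same operation name, different meaning depending on the logging component:
# "delete" is a file deletion on Core Services but an alert template deletion
# elsewhere; "export" is packets/sessions on Core Services but column groups or
# profiles in the UI (not flagged).
COMPONENT_SPECIFIC = {
    ("Security Analytics Core Services", "delete"): "destructive data operation",
    ("Investigation", "delete"): "detection content change",
    ("Security Analytics User Interface", "delete"): "detection content change",
    ("Security Analytics Core Services", "export"): "bulk data export",
}


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    fields = dict(KV_RE.findall(line))
    if "operation" not in fields or "component" not in fields:
        return None
    return fields


def classify(record):
    """Map (component, operation) to a review category, or None if not review-worthy."""
    key = (record["component"], record["operation"])
    if key in COMPONENT_SPECIFIC:
        return COMPONENT_SPECIFIC[key]
    return OP_TO_CATEGORY.get(record["operation"])


def triage(lines):
    """Return (findings, per-user category counts, number of unparsable lines)."""
    findings, per_user, unparsed = [], defaultdict(Counter), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count rather than drop silently: a format change must be visible
            continue
        cat = classify(rec)
        if cat is None:
            continue
        user = rec.get("user", "?")
        findings.append({"user": user, "source": rec.get("source", "?"),
                         "component": rec["component"], "operation": rec["operation"],
                         "category": cat})
        per_user[user][cat] += 1
    return findings, dict(per_user), unparsed


if __name__ == "__main__":
    found, by_user, bad = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f['category']:<28} {f['user']:<12} {f['component']}: {f['operation']}")
    print(f"\n{len(found)} review-worthy records, {bad} unparsable line(s)")
```

The unparsable-line counter matters in practice: if the audit logging template is changed on the Security Analytics side, the regex stops matching and the triage silently sees nothing, so the count should itself be alerted on rather than discarded.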