How can they see the plain text for user names in Audit logs?
How to decrypt the hashed names?
How to see the plain text for user names in Audit logs:
Audit logs have the username hashed with SHA-1 algorithm which is a one way method.
You can remove the hashing for the Audit log user IDs here: Image description
Uncheck this field and the values should be now plain text from the time you save to the future entries.
The entries should look like this after the change: 2018-03-27 09:54:12,021 -0700 |  | [0ff7-:065234cf161:53ece7c6-] | [test | dummy | 16 | 127.0.0.1 | S4SxW/9u5XlhUklaIw5F49fpR9k= | RISK_ANALYSIS | fef7-:065234cf161:53ece7c6-_TRX | fef7-:065234cf161:53ece7c6-_TRX | SESSION_SIGNIN | [&FORENSIC_EVENT_TYPE=SESSION_SIGNIN&FORENSIC_SCORE=1000&POLICY_OUTCOME=ALLOW]]
How to decrypt the hashed names:
We don’t decrypt the names. There is no way of decrypting SHA-1 since it is a one way encryption method. What we do to find the information for the users, is to encrypt the plain value again and look for it in the logs.