Additional question and feature about activity log
I have a couple questions about the current iteration of activity log feature.
- I read from other threads related to auditing about being hard to implement "capturing detail specific item within a vault that user would 'see'", however do you guys see similar challenges on user updating specific item?
ie. right now in activity log I would see entries like "so and so updated items in a vault", is it possible to have the audit on the actual item that's being updated?
- On the same topic, I notice sometimes activity entries stated the specific vault (which is good) but other time it doesn't.
ie.
User A updated items in a vault
versus
User A updated items in the team A vault
Why do I see this kind of discrepancies? is that related to a particular user action or access right?
- Do you have some type of API so I can pull the activity log into my own SIEM backend (or log server, ELK, splunk what have you) for proper processing?
Thanks, you guys are great, keep up the good work!
--KL
1Password Version: 6.3.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb-search:audit, kb:undefined, kb-search:1password team audit, kb:undefined, kb-search:audit
Comments
-
Hi @klops! Thanks for asking about the activity log. :) I'd be happy to answer your questions.
I read from other threads related to auditing about being hard to implement "capturing detail specific item within a vault that user would 'see'", however do you guys see similar challenges on user updating specific item?
ie. right now in activity log I would see entries like "so and so updated items in a vault", is it possible to have the audit on the actual item that's being updated?With the way things are currently built, it's not possible. In one of the other threads you read, I may have answered similarly. The issue is that we built that feature of the log to receive all the details in one request and the item itself is not included. One way to implement it may be linking the item UUID. I suggested this to the team and it's something we're considering. I let them know you're interested as well.
On the same topic, I notice sometimes activity entries stated the specific vault (which is good) but other time it doesn't.
Why do I see this kind of discrepancies? is that related to a particular user action or access right?Do you have access to those vaults? You'll need access to them to see the logs related to them.
Do you have some type of API so I can pull the activity log into my own SIEM backend (or log server, ELK, splunk what have you) for proper processing?
Right now we don't, but we would like to add one down the road for power users. In the meantime, the web interface is the place to access the activity log.
Hope that helps! Thanks again for the feedback.
ref: B5-1950
0 -
Thanks Jacob:
Regarding activity log details not available to me some of the time I can confirm that it's an access issue.
We're trying to do the right thing with the permission feature you guys provided (ie. Being an admin does not automatically granted right to all vaults). Again, this is a good practice.
That said though, with the purpose of auditing, it would probably be a good idea to expands the role/access right attribute such that I CAN have an audit user that can view activities on all vaults but not actual right for reading/managing it.
I'm definitely interested for the API feature once you have it. Thanks again!
0 -
No problem! An audit role is a great idea, especially since "auditor" is a colloquial term. :) I'll put that one in the notes as well.
0