CASB Audit Logs
Audit logs provide visibility when changes are made to the CASB settings and configurations. Audit logs include information about the time, actor, resource and settings changed. This allows you to monitor and investigate recent administrative changes in your environment.
The retention period for audit logs is consistent with other events and alerts, set at 180 days by default. This can be extended up to one year with the purchase of an add-on.
Currently CASB provides audit logs for:
- Audit Logs for Rules: Lets you see activity on rules. See Rule Editor.
- Audit Logs for Connected Apps: Lets you see initial connections or degradation in existing connected apps. See Connected Apps.
You can view and filter audit logs from Explorations in the Analytics application. To access the audit logs, you must turn on Audit Events in the Region and Time filter.
Audit Logs for Rules
Exporting a rule does not generate an audit log since it does not modify existing rules.
Performing bulk rule operations (import or reorder) triggers individual audit events for each rule involved.
The following actions generate an audit log:
- Create Rule: Creating, duplicating or importing a rule.
- Modify Rule: Renaming, reordering or changing any of the rule’s settings, such as description, applications, activities, attributes, severity, remediations, notifications templates, etc.
- Delete Rule
- Disable Rule
- Enable Rule
Viewing Audit Logs for Rules
You can view and filter the audit logs in the Analytics application.
- In an Exploration, filter by the Region and Time you want. In the Data Source area, turn on Audit Events.
- Select the activity you want under Activity > Categories.
  Use "rule" to filter for rule activity.
  To filter for all CASB audit logs, use Activity > Categories > Trigger > Cloud Audit.
- In the Exploration you see the audit logs, as shown in the example.
- For more detailed visibility into the rule, select the rule and review the Details tab.
  In the example, the Modify Rule audit event shows the current and previous rule setting values in the Resource Attributes Transition.
Audit Logs for Connected Apps
The following actions generate an audit log:
- Connect cloud applications: Connecting a new cloud application
- Remove Cloud Application: Removing or disconnecting a cloud application
- Connectivity Change: Changes in the connectivity status of a connected cloud application
Viewing Audit Logs for Connected Apps
- In an Exploration, filter by the Region and Time you want. In the Data Source area, turn on Audit Events.
- Select the connected app action you want under Activity > Categories.
  Use "cloud application" to filter for connected app activity.
  To filter for all CASB audit logs, use Activity > Categories > Trigger > Cloud Audit.
- In the Exploration you see the Connected App logs, as shown in the example.
- For more detailed visibility into the rule, select the rule and review the Details tab.
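The following is an added example, not code from the product or its documentation. It collapses the per-rule events that a bulk rule operation produces into one entry per operation and marks coverage-reducing actions from the two action lists above for review. The record fields (`time`, `actor`, `action`, `resource`), the 30-second window and the choice of review actions are assumptions; only the action names come from this page.

```python
from datetime import datetime, timedelta

# Action names come from this page; the event field names are assumptions.
REVIEW_ACTIONS = {"Delete Rule", "Disable Rule", "Remove Cloud Application"}

def collapse(events, window=timedelta(seconds=30)):
    """Merge per-rule events from one bulk operation into a single group.

    Events with the same actor and action are merged while each one follows
    the previous one within `window`. Groups whose action reduces coverage
    are marked with review=True.
    """
    groups, latest = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["actor"], ev["action"])
        group = latest.get(key)
        if group is None or when - group["end"] > window:
            # Start a new group for this actor/action pair.
            group = {"actor": ev["actor"], "action": ev["action"],
                     "start": when, "resources": [],
                     "review": ev["action"] in REVIEW_ACTIONS}
            latest[key] = group
            groups.append(group)
        group["resources"].append(ev["resource"])
        group["end"] = when
    return groups

# Constructed sample events, not real product output.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "actor": "admin-a", "action": "Create Rule", "resource": "rule-11"},
    {"time": "2024-05-01T09:00:01", "actor": "admin-a", "action": "Create Rule", "resource": "rule-12"},
    {"time": "2024-05-01T09:00:01", "actor": "admin-a", "action": "Create Rule", "resource": "rule-13"},
    {"time": "2024-05-01T10:15:02", "actor": "admin-b", "action": "Disable Rule", "resource": "rule-07"},
    {"time": "2024-05-01T14:40:00", "actor": "admin-b", "action": "Disable Rule", "resource": "rule-02"},
    {"time": "2024-05-01T16:00:00", "actor": "admin-c", "action": "Remove Cloud Application", "resource": "app-x"},
]

if __name__ == "__main__":
    for g in collapse(SAMPLE_EVENTS):
        flag = "REVIEW" if g["review"] else "ok"
        print(flag, g["start"].isoformat(), g["actor"], g["action"], g["resources"])
```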
Audit Event Notification
To receive notifications about changes in cloud application connectivity status or updates to your rules, you need to create a rule in the Information Protection platform and link it to a notification policy.
- Navigate to the Administration app, select Policies > Rules > New Rule.
- In the General tab, name the rule.
- In the Setting tab, select Fields and choose Categories. Specify the categories you want to be notified about, such as connectivity degradation, delete rules and more.
- In the Notification Policies area, click Add Notification Policy and select an existing notification policy for the rule.