Audit Service

The Audit Service is only available as an S3 bucket replication and therefore requires your organization to have AWS and an S3 bucket created for this purpose. Please see Setup Requirements below.

The Audit Service provides organizations with a way to keep track of what actions have occurred within the Unit21 platform. For example, audited actions may look like:

  • agent.login - when an agent logs in
  • team.create - when a team is created
  • team.add_permission - when team permissions are changed
  • team.remove_permission - when team permissions are changed

Currently, the Audit Service tracks over 100 actions; see Action Types.

Examples of Audited Actions

{
  "actor": "146",
  "action": "agent.login",
  "asset": "146",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "agent",
    "action_details": []
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}
{
  "actor": "146",
  "action": "team.create",
  "asset": "2",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "team",
    "action_details": [
      { "detail_id": "146", "detail_type": "agent" },
      { "detail_id": "134", "detail_type": "agent" }
    ]
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}

Field Descriptions for the Actions

| Field | Description |
| --- | --- |
| actor | The id of who performed or initiated the action (an agent for Unit21) |
| action | What was done. We should codify this to match our APIs. |
| asset | What was acted against |
| org_id | All actions take place within the context of an organization; this is the id of the organization where the action took place |
| ip | The IP address of the actor, if we have it |
| metadata | Additional information about the action |
| metadata.actor_type | The type of actor |
| metadata.asset_type | The type of the asset |
| metadata.action_details | Optional. If applicable, a list of what was impacted by the action |
| metadata.action_details.detail_type | The type of asset impacted by the action |
| metadata.action_details.detail_id | The id of the asset impacted by the action |
| created_at | The time the action took place |
| submitted_at | When the action was submitted to the service |
| id | Unit21 action id |
| env | Environment |
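
An added example, not Unit21's own code: one way to review replicated audit records, using the fields described above to list team permission changes with UTC timestamps. It assumes the records have already been read from the bucket into a string of back-to-back JSON objects; the function names and all sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Permission-changing actions named in the action list on this page.
PERMISSION_ACTIONS = {"team.add_permission", "team.remove_permission"}

# Constructed sample (placeholder ids and IP), shaped like the examples above.
SAMPLE = """
{"actor": "146", "action": "agent.login", "asset": "146", "org_id": "11",
 "ip": "192.0.2.10", "metadata": {"actor_type": "agent",
 "asset_type": "agent", "action_details": []},
 "created_at": 1.656407774456435e9, "id": "sample-0001",
 "submitted_at": 1.65640777447856e9, "env": "dev"}
{"actor": "146", "action": "team.add_permission", "asset": "2",
 "org_id": "11", "ip": "192.0.2.10", "metadata": {"actor_type": "agent",
 "asset_type": "team", "action_details": [
 {"detail_id": "134", "detail_type": "agent"}]},
 "created_at": 1.656407774456435e9, "id": "sample-0002",
 "submitted_at": 1.65640777447856e9, "env": "dev"}
"""

def iter_records(text):
    """Yield each JSON object from text holding concatenated objects."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():           # skip whitespace between objects
            pos += 1
            continue
        record, pos = decoder.raw_decode(text, pos)
        yield record

def summarize(record):
    """Flatten one record into a reviewable row with a UTC timestamp."""
    meta = record.get("metadata", {})
    created = datetime.fromtimestamp(record["created_at"], tz=timezone.utc)
    return {
        "id": record["id"],
        "time": created.isoformat(timespec="seconds"),
        "actor": f'{meta.get("actor_type")}:{record["actor"]}',
        "action": record["action"],
        "asset": f'{meta.get("asset_type")}:{record["asset"]}',
        "ip": record.get("ip"),           # only present "if we have it"
        "impacted": [f'{d["detail_type"]}:{d["detail_id"]}'
                     for d in meta.get("action_details") or []],
    }

def permission_changes(text):
    """Return summaries of records whose action changes team permissions."""
    return [summarize(r) for r in iter_records(text)
            if r.get("action") in PERMISSION_ACTIONS]
```

The `created_at` and `submitted_at` values are epoch seconds written as floats, so they convert directly with `datetime.fromtimestamp`.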

Setup Requirements

Note: AWS is required, and only top-level bucket replication is supported.

  1. Create a new S3 bucket with versioning enabled.
  2. Log a support ticket with Unit21:
    1. Mention your AWS account ID
    2. Mention the S3 bucket name
    3. Request the policy.
  3. Once you have received the policy, add it to the S3 bucket.
  4. Reach out to Unit21 informing us that you have added the policy, and asking us to turn on replication.
  5. Watch our audit service replicate to your bucket!