Audit Service

The audit service provides organizations with a way to keep track of what actions have occurred within the Unit21 platform.

Currently the actions available for audit are:

  • agent.login - when an agent logs in
  • team.create - when a team is created

Unit21 will be adding additional actions in the future.

The audit service is only available as an S3 bucket replication and therefore requires the organization to have AWS and an S3 bucket created for this purpose. Please see the additional requirements below.

Examples of audited actions:

{
  "actor": "146",
  "action": "agent.login",
  "asset": "146",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "agent",
    "action_details": []
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}
{
  "actor": "146",
  "action": "team.create",
  "asset": "2",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "team",
    "action_details": [
      { "detail_id": "146", "detail_type": "agent" },
      { "detail_id": "134", "detail_type": "agent" }
    ]
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}

Field descriptions for the actions:

| Field | Description |
|---|---|
| actor | The id of who performed or initiated the action (an agent for Unit21). Possibly set to system for something like bulk actions happening on a cron. |
| action | What was done. We should codify this to match our APIs. |
| asset | What was acted against. |
| org_id | All actions take place within the context of an organization; this is the id of the organization where the action took place. |
| ip | The IP address of the actor, if we have it. |
| metadata | Additional information about the action. |
| • actor_type | The type of actor. |
| • asset_type | The type of the asset. |
| • action_details | Optional. If applicable, a list of what was impacted by the action. |
| -- detail_type | The type of asset impacted by the action. |
| -- detail_id | The id of the asset impacted by the action. |
| created_at | The time the action took place. |
| submitted_at | When the action was submitted to the service. |
| id | Unit21 action id. |
| env | Environment. |
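A sketch of consuming these records once they land in the replicated bucket, added here as an example and not Unit21's own code. It assumes an object's text holds one or more JSON records back to back, as in the samples above; the sample data, the function names and the allowlist check are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the page's records: objects back to back, no separator.
SAMPLE = """
{"actor": "146", "action": "agent.login", "asset": "146", "org_id": "11",
 "ip": "13.89.202.10", "metadata": {"actor_type": "agent", "asset_type": "agent",
 "action_details": []}, "created_at": 1.656407774456435e9,
 "id": "sample-0001", "submitted_at": 1.65640777447856e9, "env": "dev"}
{"actor": "146", "action": "team.create", "asset": "2", "org_id": "11",
 "metadata": {"actor_type": "agent", "asset_type": "team", "action_details": [
 {"detail_id": "146", "detail_type": "agent"}, {"detail_id": "134", "detail_type": "agent"}]},
 "created_at": 1.656407780e9, "id": "sample-0002", "submitted_at": 1.656407781e9, "env": "dev"}
{"actor": "134", "action": "agent.login", "asset": "134", "org_id": "11",
 "ip": "203.0.113.7", "metadata": {"actor_type": "agent", "asset_type": "agent"},
 "created_at": 1.656407790e9, "id": "sample-0003", "submitted_at": 1.656407791e9, "env": "dev"}
"""

def iter_records(text):
    """Yield each JSON object from text holding one or more concatenated objects."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1                      # raw_decode rejects leading whitespace
        if pos >= len(text):
            return
        record, pos = decoder.raw_decode(text, pos)
        yield record

def normalize(rec):
    """Flatten one record; ip and action_details are optional per the field table."""
    meta = rec.get("metadata") or {}
    return {
        "id": rec["id"],
        "action": rec["action"],
        "actor": f'{meta.get("actor_type", "unknown")}:{rec["actor"]}',
        "asset": f'{meta.get("asset_type", "unknown")}:{rec["asset"]}',
        "ip": rec.get("ip"),
        "created_at": datetime.fromtimestamp(rec["created_at"], tz=timezone.utc),
        "submit_lag_s": rec["submitted_at"] - rec["created_at"],
        "impacted": [f'{d["detail_type"]}:{d["detail_id"]}'
                     for d in meta.get("action_details") or []],
    }

def logins_outside(events, allowed_ips):
    """Return agent.login events whose source IP is missing or not in allowed_ips."""
    return [e for e in events
            if e["action"] == "agent.login" and e["ip"] not in allowed_ips]

EVENTS = [normalize(r) for r in iter_records(SAMPLE)]
```

The epoch floats in `created_at` and `submitted_at` are converted to timezone-aware UTC datetimes so they can be correlated with other log sources.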

Setup requirements:

  1. AWS is required.
  2. Create a new S3 bucket.
  3. Ask Unit21 for the policy.
  4. Add the policy to the bucket.
  5. Enable versioning.
  6. Watch our audit service replicate to your bucket.
