Audit Service

The audit service provides organizations with a way to keep track of what actions have occurred within the Unit21 platform.

Currently the actions available for audit are:

  • agent.login - when an agent logs in
  • team.create - when a team is created
  • agent.add_permission - when agent permissions are changed
  • team.add_permission - when team permissions are changed
  • agent.remove_permission - when agent permissions are changed
  • team.remove_permission - when team permissions are changed

Unit21 will be adding additional actions in the future.

The audit service is only available as an S3 bucket replication and therefore requires your organization to have AWS and an S3 bucket created for this purpose. Please see additional requirements below.

Examples of audited actions:

{
  "actor": "146",
  "action": "agent.login",
  "asset": "146",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "agent",
    "action_details": []
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}
{
  "actor": "146",
  "action": "team.create",
  "asset": "2",
  "org_id": "11",
  "ip": "13.89.202.10",
  "metadata": {
    "actor_type": "agent",
    "asset_type": "team",
    "action_details": [
      { "detail_id": "146", "detail_type": "agent" },
      { "detail_id": "134", "detail_type": "agent" }
    ]
  },
  "created_at": 1.656407774456435e9,
  "id": "bac507ae-9ec5-477f-b829-eb7ad73d705f",
  "submitted_at": 1.65640777447856e9,
  "env": "dev"
}

Field descriptions for the actions:

| Field | Description |
| --- | --- |
| actor | The id of who performed/initiated the action (an agent for Unit21); possibly set to system for something like bulk actions happening on a cron |
| action | What was done. We should codify this to match our APIs. |
| asset | What was acted against |
| org_id | All actions take context within an organization; this is the organization id where the action took place |
| ip | If we have it, the IP address of the actor |
| metadata | Additional information about the action |
| - actor_type | The type of actor |
| - asset_type | The type of the asset |
| - action_details | Optional. If applicable, a list of what was impacted by the action |
| -- detail_type | The type of asset impacted by the action |
| -- detail_id | The id of the asset impacted by the action |
| created_at | The time the action took place |
| submitted_at | When the action was submitted to the service |
| id | Unit21 action id |
| env | Environment |
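
The following is an added example, not Unit21 code: a small Python reader that validates replicated audit records against the field table above, converts the epoch timestamps to UTC, and marks permission changes for review. It assumes a replicated object holds back-to-back JSON objects as the examples on this page are printed; the function names and the second sample record are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Fields every record must carry; "ip" is left out because the table marks it "if we have it".
REQUIRED = {"actor", "action", "asset", "org_id", "metadata",
            "created_at", "submitted_at", "id", "env"}
# Actions from the page's list that change who can do what.
PERMISSION_ACTIONS = {"agent.add_permission", "agent.remove_permission",
                      "team.add_permission", "team.remove_permission"}

def iter_records(text):
    """Yield each object from a string of back-to-back JSON objects."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace itself
        if pos == len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def normalize(rec):
    """Validate one record and flatten it for review; raise on missing fields."""
    missing = REQUIRED - rec.keys()
    if missing:
        raise ValueError(f"record {rec.get('id')!r} is missing {sorted(missing)}")
    meta = rec["metadata"]
    details = meta.get("action_details") or []  # optional per the field table
    return {
        "when": datetime.fromtimestamp(rec["created_at"], tz=timezone.utc).isoformat(),
        "actor": f"{meta['actor_type']}:{rec['actor']}",
        "action": rec["action"],
        "asset": f"{meta['asset_type']}:{rec['asset']}",
        "ip": rec.get("ip"),
        "impacted": [f"{d['detail_type']}:{d['detail_id']}" for d in details],
        "submit_lag_s": round(rec["submitted_at"] - rec["created_at"], 3),
        "permission_change": rec["action"] in PERMISSION_ACTIONS,
    }

# First object is the page's team.create example. The second is constructed for
# this example (made-up id and timestamps, no ip, no action_details).
SAMPLE = '''
{"actor":"146","action":"team.create","asset":"2","org_id":"11","ip":"13.89.202.10","metadata":{"actor_type":"agent","asset_type":"team","action_details":[{"detail_id":"146","detail_type":"agent"},{"detail_id":"134","detail_type":"agent"}]},"created_at":1.656407774456435e9,"id":"bac507ae-9ec5-477f-b829-eb7ad73d705f","submitted_at":1.65640777447856e9,"env":"dev"}
{"actor":"146","action":"agent.add_permission","asset":"134","org_id":"11","metadata":{"actor_type":"agent","asset_type":"agent"},"created_at":1656407800.0,"id":"00000000-0000-0000-0000-000000000001","submitted_at":1656407800.5,"env":"dev"}
'''

if __name__ == "__main__":
    for row in map(normalize, iter_records(SAMPLE)):
        print(("REVIEW " if row["permission_change"] else "       ") + json.dumps(row))
```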

Setup requirements:

  1. AWS is required.
  2. Create a new S3 bucket.
  3. Ask Unit21 for the policy.
  4. Add the policy to the bucket.
  5. Enable versioning.
  6. Watch our audit service replicate to your bucket.