CB Response: Is There An Audit Log Entry Which Indicates What User Enabled/Disabled A Threat Report?

Environment

  • CB Response Server: All Versions

Question

Is there an audit log entry which indicates what user enabled/disabled a threat report?

Answer

While there isn't a way to find this in the UI, there is a roundabout way to determine who enabled/disabled a threat report using the NGINX access.log. Look for a POST entry to /api/v1/threat_report; the line starts with the IP address of the endpoint from which the change was made. This indicates that a threat report changed status, but not which feed, which report, or what was done to it. Please note this method may be inaccurate if the user logged in over a proxy.
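The search described above, as an added example that is not part of the original article or any Carbon Black tooling. It assumes "combined"-style access.log lines that begin with the client IP; the function names and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Assumption: "combined"-style lines that begin with the client IP, as the
# article describes. Adjust the pattern if the server's log_format differs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TARGET = "/api/v1/threat_report"

def threat_report_posts(lines):
    """Return every POST to the threat_report API as a dict of log fields."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore query string
        if path == TARGET:
            hits.append({k: m[k] for k in ("ip", "ts", "status")})
    return hits

def applied_by_ip(hits):
    """Group timestamps by source IP, keeping only 2xx responses.
    Assumption: a non-2xx POST (e.g. 403) did not change the report.
    Behind a proxy the IP is the proxy's, not the user's workstation."""
    grouped = defaultdict(list)
    for h in hits:
        if h["status"].startswith("2"):
            grouped[h["ip"]].append(h["ts"])
    return dict(grouped)

# Constructed sample lines, not real CB Response output.
SAMPLE = [
    '10.0.0.15 - - [21/Feb/2020:10:14:02 -0500] "POST /api/v1/threat_report HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.15 - - [21/Feb/2020:10:14:05 -0500] "GET /api/v1/threat_report HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.22 - - [21/Feb/2020:11:02:40 -0500] "POST /api/v1/threat_report HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '10.0.0.31 - - [21/Feb/2020:11:30:11 -0500] "POST /api/v1/example HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.31 - - [21/Feb/2020:12:01:59 -0500] "POST /api/v1/threat_report HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Pass the path to the NGINX access.log; with no argument the sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for ip, stamps in applied_by_ip(threat_report_posts(lines)).items():
        print(ip, len(stamps), "change(s):", ", ".join(stamps))
```

The resulting IP and timestamp pairs can then be matched against console login records for the same period to narrow down the user.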

Additional Notes

Enabling verbose audit logging will capture the API calls being made within the console, which provides further information: CB Response: How to enable verbose audit logging

Related Content

Feature Request for improving audit logging in CB Response: Better Auditing within the GUI

Creation Date: 02-21-2020