Environment
- CB Response Server: All Versions
Question
Is there an audit log entry which indicates what user enabled/disabled a threat report?
Answer
While there isn't a way to find this in the UI, there is a roundabout way to determine who enabled/disabled a threat report using the NGINX access.log. It will be a POST entry, followed by /api/v1/threat_report, and starting with the IP Address of the endpoint where the change was being made. This will indicate a threat_report changed status, but not which feed, which report, or what was done to it. Please note this method may be inaccurate if the user logged in over a proxy.
Additional Notes
Related Content