Audit log report
The Audit log report is a chronological history of the system activities that users have performed through the Clumio UI or REST API. Use the Audit report to find out who made which changes in the Clumio platform and to confirm that everything complies with your business requirements.
Note: Clumio supports integration with AWS CloudTrail Lake. See Sending Clumio Audit Logs to AWS CloudTrail Lake on the Clumio Support site.
The Audit report will never store data that is older than ninety (90) days. By default, the report (named Default Report) is filtered to display data for the full ninety (90) days. Specify a different interval to view report details over another date range.
Each line in the table is called an event, and the events in the table are organized in chronological descending order by when the event occurred in the system (timestamp). A single user-generated event may create additional internal events in the Audit Report; each user-generated event displays the IP address, interface, and email details for the user while any associated internal events appear with dashes in those columns.
The table in the Audit report displays the following columns:
- Timestamp: The date and time when the event occurred.
- IP Address: The IP address of the user or device that generated the event. A dash (-) appears if the event was system generated.
- Interface: The interface from which the user performed the operation. Examples include UI and API. A dash (-) appears if the event was system generated.
- User: The email address of the user who was logged in to Clumio. A dash (-) appears if the event was system generated.
- Action: The type of activity that was performed. See the Audit Report actions table for a list of actions that the audit report tracks.
- Category: The category that the action belongs to. See the Audit Report categories table for a list of categories that the audit report tracks.
- Asset Type: The entity type that was affected by the action. Examples of asset types include AWS EBS Volume (for any SecureVault Backup, Snap, or restore actions performed on an AWS EBS volume), User (for when a new user is invited to or registers into Clumio or logs out of Clumio), and Policy (for policy-related changes). A dash (-) symbol displays if the event did not impact a specific entity.
- Asset: The specific entity within the entity type that was affected by the action. Examples of assets include AWS EBS volumes, AWS EC2 instances, and Clumio policy names. A dash (-) symbol displays if the event does not impact an entity. For example, system-wide events such as user logins do not impact a specific entity.
- Details: The REST API request that was sent to the server. Click View JSON to see and copy the body of the request. Refer to the API reference to learn more about the Clumio REST API.
- Result: The outcome of the action, such as success, failure or partial success. Partial success is logged if a password is valid but the additional login credentials required by multi-factor authentication (MFA) have not yet been entered.
Set any of the following filters to narrow down report data:
- Action: select one or more actions from the list that displays when you select this filter
- Asset: select the asset or assets from the list that displays when you select this filter
- Category: select one or more categories from the list that displays when you select this filter
- Date Range: select from the list of options, or select a custom date or range
- Triggered By: to view which user triggered an action, type that user's email ID; press Enter to type multiple IDs
- Result: select from Success, Partial success, Failed
Audit report actions
The following table describes all possible actions that can appear in the Audit report:
Action | Description |
---|---|
Apply | Apply a policy to protect assets. |
Batch activate | Activate a policy. As a result, all assets with tags that have this policy applied become protected. |
Batch deactivate | Deactivate a policy causing all of its protected assets to become unprotected. |
Browse | Browse through the system for assets, such as AWS EBS volume backups. |
Create | Create or add a new entity, such as a policy or asset. |
Delete | Delete an existing entity, such as an AWS environment, policy, user, or setting. |
Disable | Disable a feature, such as single sign-on (SSO) or multi-factor authentication (MFA). |
Download | Download retrieved files and folders after a user has entered the passcode to access the content. This action is part of the Transparent Data Access (TDA) feature. |
Enable | Enable a feature, such as single sign-on (SSO), or multi-factor authentication settings. |
Full restore | Full restore of an asset, such as an AWS EBS volume. |
Grant download access | Users granted access to retrieved files or folders through direct download from the Clumio UI. |
Grant email access | Users granted access to retrieved files or folders via an email link and passcode. This action is part of the Transparent Data Access (TDA) feature. |
Granular retrieval | Retrieve files or folders from within an asset. This is more granular than a full restore. |
Invite | Invite someone to register an account with Clumio. |
Login | Log in to Clumio. Login events only appear if a user logs in with an email address that is registered with Clumio. If a user tries to log in to Clumio with an invalid email address, the attempt will not appear in the Audit Report. |
Logout | Log out of Clumio manually. |
Redirected | Redirected to the IdP login page during the Clumio login process because single sign-on (SSO) is enabled. |
Regenerate TDA passcode | Regenerate a passcode, which is sent to someone to access and download retrieved files and folders. TDA stands for Transparent Data Access. |
Register | Register a new data source or user, or register a user for multi-factor authentication. |
Remove | Remove policy protection from an asset. |
Search | Search for assets, such as files or folders. |
Unapply | Delete a data source or user, or unregister a user from multi-factor authentication. |
Update | Update something in the system, such as a policy, setting, or password. |
Validate TDA passcode | Validates the person who entered the passcode as someone who can access the retrieved files and folders using the provided link and passcode. TDA stands for Transparent Data Access. |
Audit report categories
The following table describes all possible categories that can appear in the Audit Report:
Category | Description |
---|---|
Authentication | Authentication operations. These include authenticating into Clumio through the UI or through the REST API. Examples include logging in to and out of Clumio, and logging in through single sign-on (SSO). |
Backup | Backup operations, such as searching for a backup or restoring a backup. |
Bandwidth config | Bandwidth configuration operations. |
Cloud connector template | Cloud connector template operations, such as updating the CloudFormation or Terraform version. |
Data source | Operations that impact a data source. |
KMS config | Operations related to key management service (KMS). |
MFA | Operations related to multi-factor authentication. |
Policy | Operations that impact a policy, such as creating or activating a policy. |
Protection | Protection operations, such as applying policy protection to an asset. |
Restore | Restore operations, such as restoring from a SecureVault Backup or granular retrieval. |
SSO | Operations related to single sign-on (SSO). |
Users | User-related operations, such as inviting, registering, or suspending a user. |
Note that certain actions apply to certain categories. In other words, some actions don't apply to some categories, so if you apply a filter on actions and categories that are totally unrelated, Clumio will return "No data". For example, the filter combination Action:Full Download and Category:Users will return "No data" because you can't download a user! On the other hand, the filter combination Action:Invite and Category:Users will return data if users have been invited to create a Clumio account in the past 90 days.
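The following is an added example, not Clumio code: a review pass over audit events that uses the columns, actions and result values documented above to separate system-generated rows (dashes) from user-generated ones and to surface changes that weaken protection or authentication. The row layout (dicts keyed by column name), the sample events, the choice of actions in `REDUCING` and the login threshold are assumptions made for illustration.

```python
from collections import Counter

COLUMNS = ("Timestamp", "IP Address", "Interface", "User", "Action", "Category", "Result")
# Constructed sample rows (not real Clumio output), newest first like the report.
ROWS = [
    ("2024-05-01T10:09:00Z", "-", "-", "-", "Batch deactivate", "Policy", "Success"),
    ("2024-05-01T10:08:00Z", "198.51.100.7", "API", "bob@example.com", "Batch deactivate", "Policy", "Success"),
    ("2024-05-01T10:05:00Z", "198.51.100.7", "UI", "bob@example.com", "Disable", "MFA", "Success"),
    ("2024-05-01T10:04:00Z", "198.51.100.7", "UI", "bob@example.com", "Login", "Authentication", "Success"),
    ("2024-05-01T10:03:00Z", "198.51.100.7", "UI", "bob@example.com", "Login", "Authentication", "Partial success"),
    ("2024-05-01T10:02:00Z", "198.51.100.7", "UI", "bob@example.com", "Login", "Authentication", "Failed"),
    ("2024-05-01T10:01:00Z", "198.51.100.7", "UI", "bob@example.com", "Login", "Authentication", "Failed"),
    ("2024-05-01T09:00:00Z", "203.0.113.9", "UI", "alice@example.com", "Apply", "Protection", "Success"),
]
EVENTS = [dict(zip(COLUMNS, row)) for row in ROWS]

# Assumption: actions from the actions table treated here as weakening
# protection or authentication when they succeed.
REDUCING = {"Disable", "Delete", "Batch deactivate", "Remove"}


def is_system_generated(event):
    """Internal events show a dash in the IP Address, Interface and User columns."""
    return all(event[c] == "-" for c in ("IP Address", "Interface", "User"))


def review_findings(events, login_threshold=3):
    """Return (user, reason) pairs worth a reviewer's attention."""
    findings = []
    bad_logins = Counter()
    for e in events:
        if is_system_generated(e):
            continue  # no user to attribute; the user-generated row carries it
        if e["Action"] in REDUCING and e["Result"] == "Success":
            findings.append((e["User"], f'{e["Action"]} in {e["Category"]}'))
        if e["Action"] == "Login" and e["Result"] in ("Failed", "Partial success"):
            bad_logins[e["User"]] += 1
    for user, n in sorted(bad_logins.items()):
        if n >= login_threshold:
            findings.append((user, f"{n} failed or partial logins"))
    return findings


if __name__ == "__main__":
    for user, reason in review_findings(EVENTS):
        print(user, "->", reason)
```

Because login attempts with an email address that is not registered with Clumio never appear in the report, the login count here only covers registered users.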
Updated 6 months ago