The Audit Report represents a chronological history of the system activities that users have performed through the Clumio UI or REST API. Use the Audit Report to find out who made what changes in the Clumio product and ensure that everything is in compliance as per your business requirements.
Note: Clumio supports integration with AWS CloudTrail Lake, see Sending Clumio Audit Logs to AWS CloudTrail Lake on the Clumio Support site
The Audit Report will never store data that is older than ninety (90) days. By default, the report (named Default Report) is filtered to display data for the full ninety (90) days. Specify a different interval to view the report details over another date range.
Each line in the table is called an event, and the events in the table are organized in chronological descending order by when the event occurred in the system (timestamp). A single user-generated event may create additional internal events in the Audit Report; each user-generated event displays the IP address, interface, and email details for the user while any associated internal events appear with dashes in those columns.
The table in the Audit Report displays the following columns:
- Timestamp: The date and time when the event occurred.
- IP Address: The IP address of the user/device where the event was generated from. A dash (-) appears if the event was system generated.
- Interface:The interface where the user performed the operation from. Examples include UI and API. A dash (-) appears if the event was system generated.
- User: The email address of the user who was logged in to Clumio . A dash (-) appears if the event was system generated.
- Action: The type of activity that was performed. See the Audit Report actions table for a list of actions that the audit report tracks.
- Category: The category that the action belongs to. See the Audit Report categories table for a list of categories that the audit report tracks.
- Asset Type: The entity type that was affected by the action. Examples of asset types include AWS EBS Volume (for any SecureVault Backup, Snap, or restore actions performed on an AWS EBS volume), User (for when a new user is invited to or registers into Clumio or logs out of Clumio), and Policy (for policy-related changes). A dash (-) symbol displays if the event did not impact a specific entity.
- Asset: The specific entity within the entity type that was affected by the action. Examples of assets include AWS EBS volumes, AWS EC2 instances, and Clumio policy names. A dash (-) symbol displays if the event does not impact an entity. For example, system-wide events such as user logins do not impact a specific entity.
- Details: The REST API request that was sent to the server. Click View JSON to see and copy the body of the request. Refer to the API reference to learn more about the Clumio REST API.
- Result: The outcome of the action, such as success, failure or partial success. Partial success is logged if a password is valid, but part of multi-factor authentication (MFA), which requires the user to enter additional login credentials that have not yet been entered.
Set any of the following filters to narrow down report data:
- Action: select one or more actions from the list that displays when you select this filter
- Asset: select the asset or assets from the list that displays when you select this filter
- Category: select one or more categories from the list that displays when you select this filter
- Date Range: select from the list of options, or select a custom date or range
- Triggered By: to view which user triggered an action, type that user's email ID ,press enter to type multiple IDs.
- Result: select from Success, Partial success , Failed
The following table describes all possible actions that can appear in the Audit Report:
|Apply a policy to protect assets.
|Activate a policy. As a result, all assets with tags that have this policy applied become protected.
|Deactivate a policy causing all of its protected assets to become unprotected.
|Browse through the system for assets, such as AWS EBS volume backups.
|Create or add a new entity, such as a policy or asset.
|Delete an existing entity, such as an AWS environment, policy, user, or setting.
|Disable a feature, such as single sign-on (SSO) or multi-factor authentication (MFA).
|Download retrieved files and folders after a user has entered the passcode to access the content. This action is part of the Transparent Data Access (TDA) feature.
|Enable a feature, such as single sign-on (SSO), or multi-factor authentication settings.
|Full restore of an asset, such as an AWS EBS volume.
|Grant download access
|Users granted access to retrieved files or folders through direct download from the Clumio UI.
|Grant email access
|Users granted access to retrieved files or folders via an email link and passcode. This action is part of the Transparent Data Access (TDA)feature.
|Retrieve files or folders from within an assets. This more granular than a full restore
|Invite someone to register an account with Clumio.
|Log in to Clumio. Login events only appear if a user logs in with an email address that is registered with Clumio. If a user tries to log in to Clumio with an invalid email address, the attempt will not appear in the Audit Report.
|Log out of Clumio manually.
|Redirected to the IdP login page during the Clumio login process because single sign-on (SSO) is enabled.
|Regenerate TDA passcode
|Regenerate a passcode, which is sent to someone to access and download retrieved files and folders. TDA stands for Transparent Data Access.
|Register a new data source or user, or register a user for multi-factor authentication.
|Remove policy protection from an asset.
|Search for assets, such as files or folders.
|Delete a data source or user, or unregister a user from multi-factor authentication.
|Update something in the system, such as a policy, setting, or password.
|Validate TDA passcode
|Validates the person who entered the passcode as someone who can access the retrieved files and folders using the provided link and passcode. TDA stands for Transparent data access.
The following table describes all possible categories that can appear in the Audit Report:
|Authentication operations. These include authenticating into Clumio through the UI or through the REST API. Examples include logging in to and out of Clumio, and logging in through single sign-on (SSO).
|Backup operations, such as searching for a backup or restoring a backup.
|Bandwidth configuration operations.
|Cloud connector template
|Cloud connector template operations, such as updating the CloudFormation or Terraform version.
|Operations that impact a data source.
|Operations related to key management service (KMS).
|Operations related to multi-factor authentication.
|Operations that impact a policy, such as creating or activating and policy.
|Protection operations, such as applying policy protection to an asset.
|Restore operations, such as restoring from a SecureVault Backup or granular retrieval.
|Operations related to single sign-on (SSO).
|User related operations, such as inviting, registering, or suspending a user.
Note that certain actions apply to certain categories. In other words, some actions don't apply to some categories, so if you apply a filter on actions and categories that are totally unrelated, Clumio will return "No data". For example, the filter combination Action:Full Download and Category:Users will return "No data" because you can't download a user! On the other hand, the filter combination Action:Invite and Category:Users will return data if users have been invited to create a Clumio account in the past 90 days.
Updated 14 days ago