Activity Logs
Invicti Enterprise lets you access your activity log or view other users' activity/audit logs. The Activity Logs page provides information about which user performed specific actions on a given date and details about the endpoint type, such as the Web UI or API.
This document provides instructions on viewing activity logs and getting them from Invicti Enterprise into a SIEM (Security Information and Event Management) system with API. Users with the necessary permissions can access all members' activity records.
How to view Activity Logs in Invicti Enterprise
- Select Activity > Activity Logs from the left-side menu.
- Scroll down to locate the user or action you want to review or use the filters to refine the information displayed on the page.
NOTE: Filtering by the endpoint type enables you to refine results based on the following:
|
- Download the logs in CSV format by selecting Export to CSV from the Activity Logs page.
The activity logs record users' actions. If desired, you can select a user to edit their information or choose a specific action in the Action column to view more details.
How to get audit data from Invicti Enterprise into a SIEM with API
The most effective way to transfer audit data from Incvicti Enterprise into your preferred SIEM (Security Information and Event Management) system is by utilizing the HTTP Event Collector (HEC).
The process involves three steps:
- Query the ‘/auditlogs/’ endpoint using your unique-built python script. This script will request the audit data from your Invicti Enterprise account.
- Once you have received the response from the endpoint, you need to format it as a JSON file.
- Post the formatted JSON data to your Splunk SIEM via the HEC endpoint. An example HEC endpoint URL is ‘https://<splunk-server>:8088/services/collector/event’.
This will import the audit data into your SIEM, where it can be analyzed and used for security monitoring and incident response.
More information can be found on the official Splunk website.