Audit Log

Audit Log

The audit log allows administrators to review important actions that have occurred within Kolide.

Accessing the Audit Log

You can view entries from the Audit Log both in the Kolide admin UI and programmatically via Kolide’s REST API.

Via the Kolide UI

Note:
Only admins with “Full Access” can access the Audit Log in the Kolide UI.

  1. Click your user avatar in the upper-right corner of the Kolide UI.

  2. In the dropdown menu, click Settings.

  3. In the menu on the left, click Audit Log.

Via the Kolide API

If you haven’t already, create an API Key. There are no special permissions required to access audit log entries programmatically.

Refer to Kolide’s API Reference for documentation on how to programmatically access audit logs.

curl --request GET \
     --url https://api.kolide.com/audit_logs \
     --header 'accept: application/json' \
     --header 'authorization: Bearer <TOKEN>' \
     --header 'x-kolide-api-version: 2023-05-26'
{
  "data": [
    {
      "id": "256",
      "timestamp": "2019-10-25T13:25:46.213Z",
      "actor_name": "Jason Meller",
      "description": "user 'jason@kolide.co' accepted invitation to Kolide"
    },
    // SNIP
    {
      "id": "578",
      "timestamp": "2019-11-18T21:24:40.204Z",
      "actor_name": "Fritz Ifert-Miller",
      "description": "Published Live Query Campaign ID 2: AirDrop Discoverability"
    },
  ],
  "pagination": {
    "next": "https://api.kolide.com/audit_logs?cursor=NTg1LDU4NQ==",
    "next_cursor": "NTg1LDU4NQ==",
    "current_cursor": "",
    "count": 25
  }
}

Events

The following is a complete list of audit log events for Kolide Device Trust, including the name of the event, the description used in the audit log, and when Kolide began collecting audit log events of that type.

Checks

Name Description Collected Since
check deleted Deleted Check “{custom_check.name}” Sep-27-2022
check configuration changed Changed Fix Instructions Template Text for Check ‘{name}’ Oct-6-2021
check configuration changed Changed Fix Instructions Template Strategy for Check ‘{name}’ from ‘{original}’ to ‘{new}’ Oct-6-2021
check configuration changed Changed Rationale Template Text for Check ‘{name}’ Oct-6-2021
check configuration changed Changed Rationale Template Strategy for Check ‘{name}’ from ‘{original}’ to ‘{new}’ Oct-6-2021
check configuration changed Reverted Check “{name}” fix instructions custom template to a prior version Oct-6-2021
check configuration changed Reverted Check “{name}” fix instructions template supplement to a prior version Oct-6-2021
check configuration changed Reverted Check “{name}” rationale custom template to a prior version Oct-6-2021
check configuration changed Reverted Check “{name}” rationale template supplement to a prior version Oct-6-2021
check reverted Reverted Check “{name}” to a prior version Sep-27-2022
check updated Updated existing Check “{name}” Sep-27-2022
check published Published new Check “{name}” Sep-27-2022
check configuration options changed Check Configuration options were changed Oct-20-2022
updated check device trust settings Updated device trust settings for ‘{name}’ from: {old_settings} to: {new_settings} Nov-7-2022
updated check device trust settings Updated run targets for ‘{name}’ from: {old_targets} to: {new_targets} Aug-25-2023
Check marked as out of scope Exempted all future issues for “{check}” for device: “{name}”. Feb-9-2023

Devices

Name Description Collected Since
device display name changed Changed device name from ‘{original}’ to ‘{new}’ Nov-20-2022
canceled device removal Cancelled pending deletion for ‘{device}’ Apr-16-2023

Device Registrations

Name Description Collected Since
device registration removed Removed device registration for “{device.name}” that was registered to {email} Mar-20-2023
tofu device registration re-enabled TOFU device registration re-enabled for ‘{name}’ Jun-6-2023
device registration configuration changed Changed ‘Allows {platform} device registration’ from {old} to {new} Jun-6-2023
device registration configuration changed Changed ‘Allows {platform} device registration’ from {old} to {new} May-22-2023
device registration configuration changed Set ‘Required {platform} checks’ to {check_names} May-22-2023

People

Name Description Collected Since
factor enrollment reset Reset factor enrollment for ‘{username}’ Aug-7-2023
factor enrollment verified Verified factor enrollment for ‘{username}’ Aug-7-2023
A person record was merged Merged the person, {old}, with {new} Jul-12-2023
A person record was unmerged Restored the person, {name}, to it’s original state Jul-12-2023

Groups

Name Description Collected Since
device group memberships removed Mass-Removed members from device group: “{name}”. Device ID(s) removed: {ids} Aug-30-2023
device group memberships removed Mass-Removed members from device group: “{name}”. Device ID(s) removed: {ids} Aug-30-2023
device group created Created device group “{name}” Aug-30-2023
device group deleted %(Deleted device group “{name}” with {count} members) Aug-30-2023
device group deleted %(Deleted device group “{name}” with {count} members) Aug-30-2023

Log Pipeline

Name Description Collected Since
logging pipeline enabled Enabled the logging pipeline Jan-1-2020
logging pipeline disabled Disabled the logging pipeline Jan-1-2020
device property logger added Added device property logger ‘{name}’ Jan-1-2020
device property logger removed Removed device property logger ‘{name}’ Jan-1-2020
enabled log pipeline destination Enabled the log pipeline destination ‘{name}’ Jan-1-2020
disabled log pipeline destination Disabled the log pipeline destination ‘{name}’ Jan-1-2020
deleted log pipeline destination Deleted the log pipeline destination ‘{name}’ Jan-1-2020
updated osquery decorator Updated the osquery decorator ‘{name}’ Jan-1-2020
added osquery decorator Added an osquery decorator ‘{name}’ Jan-1-2020
enabled osquery decorator Enabled osquery decorator ‘{name}’ Jan-1-2020
deleted osquery decorator Deleted osquery decorator ‘{name}’ Jan-1-2020
updated osquery fim category Updated the osquery FIM category ‘{name}’ Jan-1-2020
created osquery fim category Created osquery FIM category ‘{name}’ Jan-1-2020
enabled osquery fim category Enabled osquery FIM category ‘{name}’ Jan-1-2020
disabled osquery fim category Disabled osquery FIM category ‘{name}’ Jan-1-2020
deleted osquery fim category Deleted the osquery FIM category ‘{name}’ Jan-1-2020
updated osquery options Updated osquery options Jan-1-2020
reset osquery options Reset all osquery options to their default value Jan-1-2020
created discovery query Created discovery query ‘{name}’ Jan-1-2020
updated discovery query Updated the osquery discovery query ‘{name}’ Jan-1-2020
deleted discovery query Deleted discovery query ‘{name}’ Jan-1-2020
created osquery pack query Created osquery pack query ‘{name}’ Jan-1-2020
updated osquery pack query Updated the osquery query ‘{name}’ Jan-1-2020
updated osquery pack query Deleted osquery pack query ‘{name}’ Jan-1-2020
created osquery pack Created osquery pack ‘{name}’ Jan-1-2020
updated osquery pack Updated the osquery pack ‘{name}’ Jan-1-2020
enabled osquery pack Enabled osquery pack ‘{name}’ Jan-1-2020
disabled osquery pack Disabled osquery pack ‘{name}’ Jan-1-2020
deleted osquery pack Deleted the osquery pack ‘{name}’ Jan-1-2020
updated log pipeline destination Updated the {type} log destination ‘{name}’ Jan-1-2020
created log pipeline destination Created a {type} log pipeline destination named ‘{name}’ Jan-1-2020

Live Queries

Name Description Collected Since
live query created and run Created Live Query Campaign ID {id} that targets {counts} that uses table(s): {tables} Nov-18-2019
live query updated and run Updated Live Query Campaign ID {id} that targets {counts} that uses table(s): {tables} Nov-18-2019
live query deleted Deleted Live Query Campaign ID {id} : {name} Nov-18-2019
live query single result csv exported CSV Downloaded For Device {name} - Live Query Campaign ID {id} Nov-18-2019
live query unpublished Unpublished Live Query Campaign ID {id} Nov-18-2019
live query csv exported CSV Downloaded For Live Query Campaign ID {id} Nov-20-2020
live query published Published Live Query Campaign ID {id} Nov-20-2020

Okta Webhooks

Name Description Collected Since
saml_idp_factor_removed Okta event hook received for ‘saml_idp_factor_removed’ Oct-18-2023
saml_idp_factor_setup Okta event hook received for ‘saml_idp_factor_setup’ Oct-18-2023
saml_webhook_verification Okta event hooks verified Oct-18-2023

Billing

Name Description Collected Since
billing email updated Updated billing email to ‘{email}’ from ‘{original_email}’ Jul-30-2021

End User Portal

Name Description Collected Since
privacy center configuration changed Changed ‘Privacy Center Access Restriction Settings’ from ‘{old}’ to ‘{new}’ Sep-1-2021
privacy center configuration changed Changed Privacy Center Custom Resource Section visibility from {old} to {new} Sep-1-2021
privacy center configuration changed Changed Privacy Center Custom Resource Section text Sep-1-2021
privacy center configuration changed Reverted Privacy Center Custom Resource Section to a prior version Sep-1-2021

Automatic Device Removal

Name Description Collected Since
device deletion requested triggered device deletion for inactive device named ‘{name}’ Jun-9-2021

Restrictions

Name Description Collected Since
osquery blocklist updated Osquery Blocklist Updated From: “{old_tables}” To: “{new_tables}” Oct-23-2019
feature restriction changed Changed ‘{feature}’ from ‘{old}’ to {new} Nov-19-2019

Admin Users

Name Description Collected Since
kolide team member created user ‘{email}’ accepted invitation to Kolide Oct-23-2019
kolide team member invited Invited ‘{email}’ to access kolide Oct-23-2019
kolide team member deleted Removed access for Kolide user ‘{name}’ Oct-23-2019
user feature restriction changed Updated {feature} restriction on {name} from ‘{old}’ to ‘{new}’ Nov-19-2019
user access changed Updated access for user ‘{email}’ from ‘{old}’ to ‘{new}’ Aug-3-2023
invitations revoked because inviter access changed Revoked invitations created by ‘{email}’ because admin access was removed. Revoked invitations with email address(es): {emails} Aug-3-2023

SSO Settings

Name Description Collected Since
idp settings changed Kolide IdP settings were updated from: {previous_values} to: {new_values} Jun-29-2023
webhook token generated IdP Proxy webhook token generated for ‘{organization}’ Apr-24-2023
factor sequencing enabled Kolide IdP: Additional Factor Sequencing was ‘disabled’ Aug-10-2023
factor sequencing disabled Kolide IdP: Additional Factor Sequencing was ‘enabled’ Aug-10-2023
updated saml configuration Updated SAML configuration Jan-21-2023

Integrations

Name Description Collected Since
vanta integration created created a Vanta integration Aug-12-2022
vanta integration deleted removed vanta integration Aug-12-2022

Developers

Name Description Collected Since
api key created Created an API key Nov-18-2019
api key secret viewed Revealed full API Key token {name} Nov-18-2019
api key deleted Removed an API key Nov-18-2019
api key secret rotated Rotated API key Nov-24-2021
updated api key API Key {name} from: {previous_permissions} to: {new_permissions} Dec-2-2021
webhook created Created webhook with url ‘{url}’ Dec-31-2019
webhook created Created webhook with url ‘{url}’ Dec-31-2019
webhook deleted Deleted webhook with url ‘{url}’ Dec-31-2019
webhook enabled Enabled webhook with url ‘{url}’ Dec-31-2019
webhook disabled Disabled webhook with url ‘{url}’ Dec-31-2019
webhook signing secret viewed Revealed full webhook signing secret {url} Jan-27-2022
webhook url changed Updated webhook url from ‘{old}’ to ‘{new}’ Oct-25-2023
webhook event subscriptions changed Updated event subscriptions for webhook ‘{url}’ from ‘{previous_subscriptions}’ to ‘{new_subscriptions}’ Oct-25-2023
webhook signing secret rolled Rolled signing secret for webhook with url ‘{url}’ Nov-12-2021