Kolide now offers an audit log that records when certain changes have been made by administrators in the app. You can view the audit logs for administrator with full access only, as this excludes limited users, such as Billing-Only, or Restricted Access.
You can see the audit logs by going to Settings, and selecting Audit Log on the left-hand menu of the Settings page.
What actions are logged?
The audit log captures when:
- A device display name is changed manually by an administrator,
- A device is manually assigned, manually reassigned, or manually unassigned
- A device is removed from Kolide
- A device is marked private
- The default privacy setting is changed for new devices
- Global feature restrictions are changed (e.g. Location Data Access)
- Per-User feature restrictions are changed (e.g. whether an individual restricted-access user is allowed to access location data)
- An API token is created or rotated
- External integrations are added, removed or updated
- A webhook endpoint is created, deleted or is updated to point to a new URL
- a webhook endpoint's secret is rolled
- a webhook endpoint is enabled or disabled
- a user enables, disables or changes the notification settings for a check
What data is collected?
When an event is logged, Kolide will collect the following information:
- The user ID of the user that performed the action
- The full name of the user at the time the event was recorded (in case the user was archived or deleted)
- A descriptive action that includes what happened, and the previous value of any data changes.
- The date and time the action was recorded
- The browser's user agent, IP address, and geolocation data associated with that IP address of the web browser that performed the action.
- The SHA1 HASH of the code running on our web servers