Monitoring

Query audit logs.

The Monitoring page allows you to build advanced queries for the audit logs that DataDefender ingests from your linked accounts. We ingest data from your audit logs every 5 minutes. Monitoring consists of 2 parts: Query Builder to pull data and Activity Data to show the data.

Query Builder

This tool allows you to pull information from audit logs. Query Builder offers the ability to slice by time, attribute, condition, and value.

Attributes

  • User Name: searches by IAM Role or other IAM Entity.

  • Event Name: searches by IAM action like GetObject, ListBucket, etc.

  • Resource Name: searches by resource ARN.

  • Resource Type: searches by type of resource like Blob.

  • Location: searches by region like us-east-1, ap-northeast-1, etc.

  • Account ID: searches by account id like 012345678901.

Conditions

  • Contains: matches if part of the value is in the log

  • Equals: matches if the value given matches the log attribute exactly

  • NotEquals: matches if the value given does not match the log attribute

Value

  • The value to search by. Keep in mind that matching is not case-sensitive.

Filter Behavior

Multiple filters can be stacked, and they operate according to AND logic. For example, a query looking for CONTAINS 'Get' and CONTAINS 'Object' will pull all logs whose Event Name includes both 'Get' and 'Object'.

Query Builder Page

Export Data

We provide the results of the search in a CSV format. Select 'Export Data' and a menu will pop up with the option to download the report now or save the link for later. The link is valid for 12 hours.

Export to CSV
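
The filter semantics described under Filter Behavior, re-applied offline to an exported CSV. This is an added example, not DataDefender's own code; the column headers and sample rows are constructed assumptions, since this page does not document the CSV layout.

```python
import csv
import io

# Constructed sample export. The column headers are assumed to mirror the
# attribute names; the real CSV layout is not documented on this page.
SAMPLE_CSV = """User Name,Event Name,Resource Name,Resource Type,Location,Account ID
arn:aws:iam::012345678901:role/etl,GetObject,arn:aws:s3:::reports/q1.csv,Blob,us-east-1,012345678901
arn:aws:iam::012345678901:role/etl,ListBucket,arn:aws:s3:::reports,Bucket,us-east-1,012345678901
arn:aws:iam::012345678901:user/alice,GetObjectAcl,arn:aws:s3:::reports/q1.csv,Blob,ap-northeast-1,012345678901
arn:aws:iam::012345678901:user/bob,PutObject,arn:aws:s3:::uploads/a.bin,Blob,us-east-1,012345678901
"""

# The three conditions from the page, applied to case-folded strings.
CONDITIONS = {
    "Contains": lambda field, value: value in field,
    "Equals": lambda field, value: field == value,
    "NotEquals": lambda field, value: field != value,
}


def matches(row, filters):
    """True when the row satisfies every (attribute, condition, value) filter (AND)."""
    for attribute, condition, value in filters:
        if attribute not in row:
            raise KeyError(f"unknown attribute: {attribute}")
        test = CONDITIONS[condition]  # KeyError on an unsupported condition
        # Values are not case-sensitive, so compare case-folded strings.
        if not test(row[attribute].casefold(), value.casefold()):
            return False
    return True


def query(csv_text, filters):
    """Return the rows of an exported CSV that pass all stacked filters."""
    return [row for row in csv.DictReader(io.StringIO(csv_text)) if matches(row, filters)]


if __name__ == "__main__":
    stacked = [
        ("Event Name", "Contains", "get"),
        ("Event Name", "Contains", "OBJECT"),
        ("Location", "NotEquals", "AP-NORTHEAST-1"),
    ]
    for row in query(SAMPLE_CSV, stacked):
        print(row["User Name"], row["Event Name"], row["Location"])
```

Because NotEquals is also case-insensitive, a value that differs from the log attribute only in letter case still excludes the row.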

Activity Data

After Query Builder is run, we return Activity Data by providing the relevant logs. Note that we'll group logs that show the same action. Information provided includes all of the Attributes as well as location of request origin and identity type.
