Solved

Administration - Audit Logs: Not able to view comments/notes in the Audit log module

  • 7 February 2024
  • 6 replies
  • 75 views

Hi,

Not sure if there's already a similar question posted somewhere.

In the Administration > Audit Log section:

When clicking on the gear, the options to select are "User, Severity, Activity". There is no option to show comments/notes entered for a specific activity logged.

Is there a way to add another column in the Audit Log that can show the comments that were entered when adding/modifying a policy/persona/rule?  

It seems odd that while adding/changing/modifying/removing a rule/policy, you're prompted to add a comment/note (which is optional) before saving/applying a change to an activity performed, but you can never locate or view the comments in the Audit log.

Are the comment details located in another section of Netskope? Are they retrievable? If yes, will the notes/comments still be linked to the very activity event that was performed at the time when the comments were entered?

or

If not, could this be a consideration as an additional enhancement in the next release/upgrade/patch to the console platform, to view this data in the audit log section?


Best answer by nduda 7 February 2024, 11:17


6 replies

Userlevel 3
Badge +11

Note that if you EXPORT, the comments are then available.


Netskope is very specific about their User Interface, stating there isn't a lot of space to display information on various screens and so make it available in alternative methods.


Speak to your Technical Account Manager or Customer Service Manager. We have a software enhancement on a similar topic; I can dig up the JIRA ticket so you can see if it contains what you are looking for. Our request focused a lot more on the inconsistency of logging actions in general, and on some areas where you could put comments, like Steering Configuration Exceptions, where comments aren't in the logs.

Userlevel 4
Badge +12

"comments aren't in the logs."

They are if you are using a SIEM.


Example of the last 24-hour admin log in our SIEM (masked out most data), but you get the idea.


Userlevel 4
Badge +12

Just here to say if you are using a SIEM (i.e. Splunk) you can build whatever you want. What we did with our SIEM is take all the audit log data that comes in, build a correlation search with an action to send to a webhook such as Tines (you could probably use the CE for this also). The webhook sends the admin activity to an internal Slack channel, which has all the data in the attached screenshot, including the comment. This is great for us since we can watch what admins are doing in real time and then question/discuss if needed.


Userlevel 3
Badge +11

A SIEM is a reasonable approach if the concern is to react in real time.

Our use case functions as audit, as in: did the person document the change correctly? Our analysis has concluded that the operations teams are altering in accordance with their authorization, but there are isolated cases where they don't justify in the comments what problem they were attempting to solve. Example: yes, they committed a URL change, but who requested it and why? Our requirement is to document with a ticket # or change control # so that someone can see the provenance.

Userlevel 4
Badge +12

This can also be easily solved with a SIEM, but it will require that all admins enter a ticket URL in the comment field. If they enter, say, a Jira/SNOW ticket (either full URL or ticket identifier), then you can use the SIEM and/or SOAR (i.e. Tines) to check the ticketing system for that ticket.

We do something very similar for our priv management systems (Delinea Secret Server). When someone accesses credentials, it requires them to enter a Jira ticket number. In real time we do a look-up in Jira to see if that ticket exists (or not). We also auto-stamp a comment into the Jira ticket. Our internal audit team loves us for this.
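The check described in the two replies above (forward each audit event from the SIEM, pull the ticket reference out of the admin's comment, and confirm it exists in the ticketing system) can be sketched as a small SOAR-style script. This is an added example, not code from the thread or from Netskope; the audit-event field names, the ticket formats and the ticket table it looks up against are constructed assumptions, and the `lookup_ticket` function stands in for a real Jira/ServiceNow API call.

```python
import json
import re
from typing import Optional

# Constructed sample audit events as JSON lines. The field names are an
# assumption for illustration, not Netskope's actual audit-log schema.
SAMPLE_AUDIT_LINES = [
    '{"timestamp": 1707300000, "user": "admin1@example.com", "audit_log_event": "Edit real time policy", "comment": "SEC-1042 allow new SaaS app for finance"}',
    '{"timestamp": 1707300100, "user": "admin2@example.com", "audit_log_event": "Delete steering exception", "comment": ""}',
    '{"timestamp": 1707300200, "user": "admin1@example.com", "audit_log_event": "Create URL list", "comment": "https://jira.example.com/browse/SEC-9999 block phishing domains"}',
    '{"timestamp": 1707300300, "user": "admin3@example.com", "audit_log_event": "Edit steering config", "comment": "per CHG0031337"}',
]

# Jira-style keys (PROJ-123) and ServiceNow-style change/incident numbers,
# matched whether they appear bare or at the end of a ticket URL.
TICKET_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+|(?:CHG|INC)\d{7})\b")

# Hypothetical ticket table; a real integration would query Jira/SNOW here.
KNOWN_TICKETS = {"SEC-1042": "In Progress", "CHG0031337": "Implement"}


def extract_ticket(comment: str) -> Optional[str]:
    """Return the first ticket reference found in an audit comment, or None."""
    match = TICKET_RE.search(comment or "")
    return match.group(1) if match else None


def lookup_ticket(ticket_id: str) -> Optional[str]:
    """Simulated ticketing-system lookup: status if the ticket exists, else None."""
    return KNOWN_TICKETS.get(ticket_id)


def review_event(event: dict) -> dict:
    """Classify one admin action as 'ok', 'no_ticket' or 'unknown_ticket'."""
    ticket = extract_ticket(event.get("comment", ""))
    if ticket is None:
        verdict = "no_ticket"          # change made without any justification
    elif lookup_ticket(ticket) is None:
        verdict = "unknown_ticket"     # comment cites a ticket that does not exist
    else:
        verdict = "ok"
    return {"user": event["user"], "action": event["audit_log_event"],
            "ticket": ticket, "verdict": verdict}


def review_audit_lines(lines) -> list:
    """Parse JSON-lines audit events and return only the ones needing follow-up."""
    findings = [review_event(json.loads(line)) for line in lines]
    return [f for f in findings if f["verdict"] != "ok"]


if __name__ == "__main__":
    for f in review_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"{f['verdict']:15} {f['user']:22} {f['action']} ticket={f['ticket']}")
```

The findings list is what you would post to the Slack channel or attach to the correlation search alert; events that pass carry a ticket id that can also be used to auto-stamp the ticket, as the reply describes.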

Thanks for input, I'll look at both options recommended and go from there. 
