Audit Logs & APIs: Streamline Auditing with Torq

Collect and analyze Torq audit logs for enhanced security and compliance.

Updated over a month ago

Retrieve and analyze audit logs in your SIEM or bucket using Torq workflows and steps or the API, to improve the security and oversight of your workspace. Manage your logs according to your organization's requirements. Torq provides several templates for ease of use and flexibility; if a template doesn't precisely fit your stack, you can swap in the appropriate vendor step.

Audit logs serve as a comprehensive record of events within a workspace.

Generally, log entries are created and available immediately after an action is taken. On some occasions, it could take up to five minutes to create an entry.

The Torq API key determines the workspace from which logs are collected, ensuring data security and relevance. A user with the Owner role must create the API key to access the Audit Logs.

Events that Generate Log Entries

Entries are created for create, update, and delete actions for all the main resources in Torq. This means that log entries are NOT created for read actions.

Users

  • User invited

  • User accepted invitation

  • User role updated

  • User deleted

  • User logged in

  • User logged out

  • User switched accounts

Workflows

  • Workflow created

  • Workflow deleted

  • Workflow updated

  • Workflow published

  • Workflow unpublished

  • Workflow edited

  • Workflow reverted

  • Workflow enabled

  • Workflow disabled

The workflow tags will be available in the tags array under extra_data for every log entry created for a workflow-related action. You can export the log data to filter, aggregate, and use it for automation according to the tags. If the workflow has no tags, the tags array won't exist in the log entry.

Workspace Variables

  • Workspace variable created

  • Workspace variable updated

  • Workspace variable deleted

Workflow Notifications

  • Email address added

  • Email address removed

  • Webhook added

  • Webhook removed

  • Webhook authentication headers added

  • Webhook authentication headers removed

  • Webhook authentication headers updated

API Keys

  • API key enabled

  • API key deleted

Secrets

  • Secret created

  • Secret deleted

  • Secret updated

Integrations

  • Integration created

  • Integration deleted

  • Integration updated

Custom Steps

  • Custom step created

  • Custom step deleted

Runners

  • Runner created

  • Runner deleted

IdP Connections

  • IdP connection created

  • IdP connection updated

  • IdP connection enabled

  • IdP connection disabled

IdP Claims Mappings

  • IdP claims mapping created

  • IdP claims mapping updated

  • IdP claims mapping deleted

SSO

  • User login failed

Cases

  • Case Created

  • Case Updated

  • Case Deleted

  • Observable Created

  • Observable Updated

  • Observable Associated with Case

  • Observable Dissociated from Case

  • Attachment Added to Case

  • Attachment Removed from Case

  • Workspace Configuration Updated

  • Cases Linked

  • Link Between Cases Updated

  • Cases Unlinked

  • Case Context Updated

  • Note Created

  • Note Updated

  • Note Removed

Scenario_ID

The following are values that the Scenario_ID from Audit and Activity logs can take.

[ "ASSOCIATED_OBSERVABLE_CREATED", 
"ATTACHMENT_CREATED",
"CASE_ASSIGNEE_UPDATED",
"CASE_CATEGORY_UPDATED",
"CASE_CREATED",
"CASE_EVENT_UPDATED",
"CASE_SEVERITY_UPDATED",
"CASE_STATE_UPDATED",
"CASE_TAGS_UPDATED",
"CASE_UPDATED",
"CASE_VIEW_CHANGED",
"COMMENT_CREATED",
"CUSTOM_FIELD_UPDATED",
"LINK_UPDATED",
"NOTE_UPDATED",
"OBSERVABLE_CREATED",
"OBSERVABLE_UPDATED",
"REQUEST_FOR_REVIEW",
"SHARE_REQUEST_CREATED",
"STEP_FAILURE",
"USER_MENTIONED",
"WORKFLOW_FAILURE" ]

Sample Log Entry

{
  "account_id": "1d8*****-****-4f2a-****-*****fe50a57",
  "account_name": "mrsactor",
  "action": "Workflow updated",
  "actor_name": "Mrs. Actor ",
  "actor_type": "web_app",
  "email": "mrs.actor@torqy.io",
  "extra_data": {
    "revision_id": "f31bb***-f5**-48**-a1**-749cca80f2**",
    "tags": [ "tag1", "tag2", "tag3" ]
  },
  "id": "8aa*****-****-40a8-b1b1-40811*******",
  "ip": "77.***.***.237",
  "resource_id": "a0f5b***-****-****-****-***7d91d38**",
  "resource_name": "Audit log (step)",
  "timestamp": "2022-05-15T08:51:11.900970Z",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) \t\t Chrome/101.0.****.5* Safari/537.36"
}
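
The following added example (not Torq's own code) shows one way to process exported entries downstream: it groups workflow events by the tags array under extra_data, tolerating entries where that array does not exist, and pulls out identity and credential changes in time order. The sample entries are constructed, and the choice of which actions count as sensitive is an assumption of the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Action names come from the event list above; treating these particular
# ones as sensitive is an assumption of this example, not a Torq setting.
SENSITIVE_ACTIONS = {
    "User role updated", "User login failed", "API key enabled",
    "Secret updated", "Secret deleted", "IdP connection disabled",
    "IdP claims mapping updated",
}

# Constructed entries that reuse the field names of the sample log entry.
SAMPLE_LOGS = json.loads("""[
 {"id": "e1", "action": "Workflow updated", "email": "a@example.com",
  "timestamp": "2022-05-15T08:51:11.900970Z",
  "extra_data": {"revision_id": "r1", "tags": ["prod", "phishing"]}},
 {"id": "e2", "action": "Workflow disabled", "email": "b@example.com",
  "timestamp": "2022-05-15T09:02:00.000000Z", "extra_data": {"revision_id": "r2"}},
 {"id": "e3", "action": "Secret updated", "email": "b@example.com",
  "timestamp": "2022-05-15T09:05:30.120000Z", "extra_data": {}},
 {"id": "e4", "action": "User role updated", "email": "a@example.com",
  "timestamp": "2022-05-15T08:10:00.500000Z"},
 {"id": "e5", "action": "Workflow published", "email": "a@example.com",
  "timestamp": "2022-05-15T09:10:00.000000Z", "extra_data": {"tags": ["prod"]}}
]""")

def parse_ts(value):
    """Parse the ISO 8601 UTC timestamp format shown in the sample entry."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def workflow_tags(entry):
    """Tags of a workflow entry; the tags array is absent for untagged workflows."""
    return (entry.get("extra_data") or {}).get("tags") or []

def group_workflow_events_by_tag(entries):
    """Map tag -> entry ids for workflow actions, bucketing untagged ones."""
    groups = defaultdict(list)
    for entry in entries:
        if not entry.get("action", "").startswith("Workflow "):
            continue
        for tag in workflow_tags(entry) or ["<untagged>"]:
            groups[tag].append(entry["id"])
    return dict(groups)

def sensitive_events(entries):
    """Entries whose action is in SENSITIVE_ACTIONS, oldest first."""
    hits = [e for e in entries if e.get("action") in SENSITIVE_ACTIONS]
    return sorted(hits, key=lambda e: parse_ts(e["timestamp"]))
```
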

Use a Template to Collect Torq Audit Logs

Torq’s Collect Torq audit logs template creates a nested workflow that gathers a workspace's audit or activity logs and returns the logs to the parent workflow. After importing the template to your workspace and customizing it as necessary, call it within a parent workflow. The nested workflow will return a JSON array of the requested logs from within the desired timeframe.

Use a Template to Search Torq Audit Logs

Torq's Search in Torq Audit Logs Based on Query template creates an interactive workflow to search audit events based on action, email, source, etc.