Retrieve and analyze audit logs in your SIEM or bucket using Torq workflows and steps or API, thereby enhancing the security and oversight of your workspace. Efficiently manage your logs, tailored to your organization's unique requirements. Torq provides several templates to ensure ease of use and flexibility - if a template doesn't precisely fit your stack, you can easily change to the appropriate vendor step.
Audit logs serve as a comprehensive record of events within a workspace.
Generally, log entries are created and available immediately after an action is taken. On some occasions, it could take up to five minutes to create an entry.
The Torq API key determines the workspace from which logs are collected, ensuring data security and relevance. A user with the Owner role must create the API key to access the Audit Logs.
Events that Generate Log Entries
Events that Generate Log Entries
Entries are created for create, update, and delete actions for all the main resources in Torq. This means that log entries are NOT created for read actions.
Users
Users
User invited
User accepted invitation
User role updated
User deleted
User logged in
User logged out
User switched accounts
Workflows
Workflows
Workflow created
Workflow deleted
Workflow updated
Workflow published
Workflow unpublished
Workflow edited
Workflow reverted
Workflow enabled
Workflow disabled
The workflow tags will be available in the tags array under extra_data for every log entry created for a workflow-related action. You can export the log data to filter, aggregate, and use it for automation according to the tags. If the workflow has no tags, the tags array won't exist in the log entry.
Workspace Variables
Workspace Variables
Workspace variable created
Workspace variable updated
Workspace variable deleted
Workflow Notifications
Workflow Notifications
Email address added
Email address removed
Webhook added
Webhook removed
Webhook authentication headers added
Webhook authentication headers removed
Webhook authentication headers updated
API Keys
API Keys
API key enabled
API key deleted
Secrets
Secrets
Secret created
Secret deleted
Secret updated
Integrations
Integrations
Integration created
Integration deleted
Integration updated
Custom Steps
Custom Steps
Custom step created
Custom step deleted
Runners
Runners
Runner created
Runner deleted
IdP Connections
IdP Connections
IdP connection created
IdP connection updated
IdP connection enabled
IdP connection disabled
IdP Claims Mappings
IdP Claims Mappings
IdP claims mapping created
IdP claims mapping updated
IdP claims mapping deleted
SSO
SSO
User login failed
Cases
Cases
Case Created
Case Updated
Case Deleted
Observable Created
Observable Updated
Observable Associated with Case
Observable Dissociated from Case
Attachment Added to Case
Attachment Removed from Case
Workspace Configuration Updated
Cases Linked
Link Between Cases Updated
Cases Unlinked
Case Context Updated
Note Created
Note Updated
Note Removed
Scenario_ID
Scenario_ID
The following are values that the Scenario_ID from Audit and Activity logs can take.
[ "ASSOCIATED_OBSERVABLE_CREATED",
"ATTACHMENT_CREATED",
"CASE_ASSIGNEE_UPDATED",
"CASE_CATEGORY_UPDATED",
"CASE_CREATED",
"CASE_EVENT_UPDATED",
"CASE_SEVERITY_UPDATED",
"CASE_STATE_UPDATED",
"CASE_TAGS_UPDATED",
"CASE_UPDATED",
"CASE_VIEW_CHANGED",
"COMMENT_CREATED",
"CUSTOM_FIELD_UPDATED",
"LINK_UPDATED",
"NOTE_UPDATED",
"OBSERVABLE_CREATED",
"OBSERVABLE_UPDATED",
"REQUEST_FOR_REVIEW",
"SHARE_REQUEST_CREATED",
"STEP_FAILURE",
"USER_MENTIONED",
"WORKFLOW_FAILURE" ]
Sample Log Entry
{ "account_id": "1d8*****-****-4f2a-****-*****fe50a57",
"account_name": "mrsactor",
"action": "Workflow updated",
"actor_name": "Mrs. Actor ",
"actor_type": "web_app",
"email": "mrs.actor@torqy.io",
"extra_data": {
"revision_id": "f31bb***-f5**-48**-a1**-749cca80f2**",
"tags": [ "tag1", "tag2", "tag3" ] },
"id": "8aa*****-****-40a8-b1b1-40811*******",
"ip": "77.***.***.237",
"resource_id": "a0f5b***-****-****-****-***7d91d38**",
"resource_name": "Audit log (step)",
"timestamp": "2022-05-15T08:51:11.900970Z",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) \t\t Chrome/101.0.****.5* Safari/537.36" }
Use a Template to Collect Torq Audit Logs
Torq’s Collect Torq audit logs template creates a nested workflow that gathers a workspace's audit or activity logs and returns the logs to the parent workflow. After importing the template to your workspace and customizing it as necessary, call it within a parent workflow. The nested workflow will return a JSON array of the requested logs from within the desired timeframe.
Use a Template to Search Torq Audit Logs
Torq's Search in Torq Audit Logs Based on Query creates an interactive workflow to search audit events based on action, email, source, etc.