Audit logs serve as a comprehensive record of user or system events within a workspace.
Retrieve audit logs into your SIEM or bucket using Torq steps or the API and analyze them there, enhancing the security and oversight of your workspace. Manage your logs in the way that fits your organization's requirements.
The Torq API key determines the workspace from which logs are collected, ensuring data security and relevance. A user with the Owner role must create the API key, preferably a service API key, to access the Audit Logs.
Events that generate log entries
Entries are created for any event that creates or modifies data (create, update, and delete actions) for all the main resources in the environment.
Generally, log entries are created immediately after the action is taken and are available immediately, but they could take up to 5 minutes.
When you send a List audit logs request, the returned log entries are for the workspace on which the API key was created.
Users
User invited
User accepted invitation
User role updated
User deleted
User logged in
User logged out
User switched accounts
Workflows
Workflow created
Workflow deleted
Workflow updated
Workflow published
Workflow unpublished
Workflow edited
Workflow reverted
Workflow enabled
Workflow disabled
Workflow tags will be available in the tags array under extra_data for every log entry created for a workflow-related action. You can export the log data to filter, aggregate, and use it for automation according to the tags. If the workflow has no tags, the tags array won't exist in the log entry.
Workspace variables
Workspace variable created
Workspace variable updated
Workspace variable deleted
Workflow notifications
Email address added
Email address removed
Webhook added
Webhook removed
Webhook authentication headers added
Webhook authentication headers removed
Webhook authentication headers updated
API keys
API key enabled
API key deleted
Secrets
Secret created
Secret deleted
Secret updated
Integrations
Integration created
Integration deleted
Integration updated
Custom steps
Custom step created
Custom step deleted
Runners
Runner created
Runner deleted
IdP connections
IdP connection created
IdP connection updated
IdP connection enabled
IdP connection disabled
IdP claims mappings
IdP claims mapping created
IdP claims mapping updated
IdP claims mapping deleted
SSO
User login failed
Cases
Case Created
Case Updated
Case Deleted
Observable Created
Observable Updated
Observable Associated with Case
Observable Dissociated from Case
Attachment Added to Case
Attachment Removed from Case
Workspace Configuration Updated
Cases Linked
Link Between Cases Updated
Cases Unlinked
Case Context Updated
Note Created
Note Updated
Note Removed
SLA timer updated
Actionplan
Actionplan Created
Actionplan Deleted
Actionplan Updated
Sample log entry
{
  "account_id": "1d8*****-****-4f2a-****-*****fe50a57",
  "account_name": "mrsactor",
  "action": "Workflow updated",
  "actor_name": "Mrs. Actor ",
  "actor_type": "web_app",
  "email": "mrs.actor@torqy.io",
  "extra_data": {
    "revision_id": "f31bb***-f5**-48**-a1**-749cca80f2**",
    "tags": [
      "tag1",
      "tag2",
      "tag3"
    ]
  },
  "id": "8aa*****-****-40a8-b1b1-40811*******",
  "ip": "77.***.***.237",
  "resource_id": "a0f5b***-****-****-****-***7d91d38**",
  "resource_name": "Audit log (step)",
  "timestamp": "2022-05-15T08:51:11.900970Z",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.****.5* Safari/537.36"
}
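The following is an added example, not part of Torq's documentation or code: it processes an exported array of log entries, aggregating workflow actions per tag (including entries where the tags array does not exist) and pulling out actions worth review. The entries in SAMPLE_ENTRIES are constructed, the choice of "sensitive" actions is this example's own, and it assumes non-workflow entries carry the same email and timestamp fields as the sample entry.

```python
import json
from collections import Counter

# Action names come from the event list on this page; treating these as
# "sensitive" is this example's assumption, not a Torq classification.
SENSITIVE_ACTIONS = {
    "User role updated", "User login failed", "API key enabled",
    "API key deleted", "Secret updated", "Secret deleted",
    "IdP connection updated", "IdP connection disabled",
}

# Constructed entries; assumes every entry carries the sample entry's fields.
SAMPLE_ENTRIES = json.loads("""[
  {"action": "Workflow updated", "email": "alice@example.com", "ip": "192.0.2.10",
   "timestamp": "2022-05-15T08:51:11.900970Z",
   "extra_data": {"revision_id": "rev-1", "tags": ["tag1", "tag2"]}},
  {"action": "Workflow disabled", "email": "bob@example.com", "ip": "192.0.2.11",
   "timestamp": "2022-05-15T09:02:40.000000Z", "extra_data": {}},
  {"action": "User login failed", "email": "bob@example.com", "ip": "198.51.100.7",
   "timestamp": "2022-05-15T09:10:01.000000Z"},
  {"action": "User login failed", "email": "bob@example.com", "ip": "198.51.100.7",
   "timestamp": "2022-05-15T09:10:09.000000Z"},
  {"action": "Secret updated", "email": "alice@example.com", "ip": "192.0.2.10",
   "timestamp": "2022-05-15T09:30:00.000000Z", "extra_data": null}
]""")

def workflow_tags(entry):
    """Tags of a workflow entry; the tags array is absent for untagged workflows."""
    return (entry.get("extra_data") or {}).get("tags") or []

def summarize(entries, failed_login_threshold=2):
    """Aggregate workflow actions per tag and pull out entries worth review."""
    per_tag, failed_logins, sensitive = Counter(), Counter(), []
    for entry in entries:
        action = entry.get("action", "")
        if action.startswith("Workflow "):
            for tag in workflow_tags(entry) or ["(untagged)"]:
                per_tag[tag] += 1
        if action in SENSITIVE_ACTIONS:
            sensitive.append((entry.get("timestamp"), action, entry.get("email")))
        if action == "User login failed":
            failed_logins[entry.get("email")] += 1
    repeated = {u: n for u, n in failed_logins.items() if n >= failed_login_threshold}
    return {"per_tag": dict(per_tag), "sensitive": sorted(sensitive),
            "repeated_failed_logins": repeated}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ENTRIES), indent=2))
```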
Use a template to collect Torq audit logs
Torq’s Collect Torq audit logs template creates a nested workflow that gathers a workspace's audit or activity logs and returns the logs to the parent workflow. After importing the template to your workspace and customizing it as necessary, call it within a parent workflow. The nested workflow will return a JSON array of the requested logs from within the desired timeframe.
Use a template to search Torq audit logs
Torq's Search in Torq Audit Logs template creates an interactive workflow to search audit events based on action, email, source, etc.
