Audit Logs
Overview
Abnormal Security's behavioral AI detects audit logs which can be sent via HTTP Listeners.
Configuration
Parameters
No parameters needed.
Secrets
Authorization (
abnormalToken)
Open the Secret fields and click New secret to create a new one:
Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.
You can now select the secret you just created in the corresponding fields.
After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your YAML.
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset - initial offset should be
5mFormat -
RFC3339
Enumeration Phase
OFF
Collection Phase
Pagination Type* -
PagePage Size* -
100Zero Index* -
falseRequest
Method* -
GETURL* -
https://api.abnormalplatform.com/v1/auditlogsHeaders -
Name -
AuthorizationValue -
Bearer ${secrets.abnormalToken}
Query Params
Name -
pageNumberValue -
${pagination.pageNumber}Name -
pageSizeValue -
${pagination.pageSize}Name -
filterValue -
timestamp gte ${temporalWindow.from} lte ${temporalWindow.to}
Output
Select -
.auditlogsMap -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract alert events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?