Current ThreatQ Version Filter

Audit Log Entries

Authentication/User Activity Logging

Action	Message(s)	Information Logged
Local OAuth2 Authentication	Login Success Login Fail	Username (authentication type) Login fail reason: User credentials are not valid Account Locked Account Disabled Incorrect auth type Timestamp
Client Credential Authentication	Login Success Login Fail	Username (authentication type) Login fail reason: Connector is disabled Timestamp
LDAP Authentication	Login Success Login Fail User conversion from local to LDAP	Username (authentication type) Login fail reason: User credentials are not valid Invalid authentication method User credentials are not valid The User Certificate has not been selected User credentials are not valid Invalid authentication method No user groups found in LDAP search No LDAP to TQ group mappings found The account has been temporarily locked due to too many consecutive failed login attempts Maintenance accounts are prohibited to log in using SSO LDAP User does not belong to any mapped TQ groups Timestamp
SAML Authentication	Login Success Login Fail User conversion from local to SAML LDAP maintenance user was converted to SAML Local login attempt after conversion to SAML Only allowed for Maintenance users.	Username (authentication type) Login fail reason: SAML Single-Logout-Service error(s) Invalid authentication method Timestamp
SSL Client Certificate Authentication (CAC)	Login Success Login Fail User fingerprint saved	Username (authentication type) Login fail reason: User credentials are not valid The User Certificate has not been selected The account has been temporarily locked due to too many consecutive failed login attempts Timestamp
Account Lock	Account Locked Account Unlocked	Username Timestamp
Logout	Logout Success Logout Failure	Username Timestamp

User Management Logging

Action	Message(s)	Information Logged
Add/Delete User	New User added to platform User Deleted	Username that made the change User information such as name and role Timestamp
Updates to User Information	New Custom Role created User Role changed by administrator Listed if users were added to the Role as part of the creation process. Changes have been made to a Custom Role User Role changed by administrator Listed if users were added to the role as part of the creation process. Custom Role has been removed LDAP has been enabled LDAP has been disabled LDAP configuration has been updated LDAP connection tested LDAP Groups listed LDAP Users listed SAML has been enabled SAML has been disabled SAML configuration has been updated User profile updated by User	Username that made the change Username that was changed User profile changes Timestamp
Updates to Multifactor Authentication (MFA) Settings	MFA enabled by User MFA disabled by User	Username that made the change Username that was changed Timestamp

Integration Configuration Logging

Applies to feeds and operations.

Action	Message(s)	Information Logged
Installing/uninstalling an integration	<integration type> has been installed <integration type> has been uninstalled	Username that made the change Integration name Timestamp
Enabling/disabling an integration	<integration type> has been disabled <integration type> has been enabled	Username that made the change Integration name Timestamp
Updating integration settings	<integration type> configuration has been updated	Username that made the change Integration name Configuration changes Timestamp

Data Retention Policy Logging

Action	Message(s)	Information Logged
Enable/Disable Data Retention Policy	Data Retention Policy has been enabled Data Retention Policy has been disabled	Username that made the change Timestamp
Update Data Retention Policy	Data Retention Policy has been updated	Username that made the change Data collection name Timestamp

ThreatQ Data Exchange (TQX) Logging

Action	Message(s)	Information Logged
Install a TQX transport via new install or upgrade	Integration has been installed	Username Timestamp
Update a TQX transport	Integrations setting has been updated	Username Feed name Timestamp
Create/delete an OpenDXL transport node	TQX - OpenDXL integration configuration has been created TQX - OpenDXL integration configuration has been removed	Transport UUID and name Timestamp
Update an OpenDXL transport node	TQX - OpenDXL integration configuration has been updated	Transport UUID and name Configuration updates Timestamp
Create/Delete OpenDXL data feed	TQX - OpenDXL integration configuration has been created TQX - OpenDXL integration configuration has been removed	Feed name Feed settings Timestamp
Update OpenDXL data feed	TQX - OpenDXL integration configuration has been updated	Feed name Updates to feed settings Timestamp

TAXII Server Logging

Action	Message(s)	Information Logged
Install a TAXII transport via an install or upgrade that includes a TQX license	Integration has been installed	Username that installed the TAXII transport TAXII Collection Name Timestamp
Create a TAXII collection	TQX - TAXII integration configuration has been created	Username that created the TAXII collection TAXII Collection Name Timestamp
Delete a TAXII collection	TQX - TAXII integration configuration has been removed	Username that deleted the TAXII collection TAXII Collection Name Timestamp
Update a TAXII collection	TQX - TAXII integration configuration has been updated	Username that updated the TAXII collection’s configuration Configuration changes TAXII Collection Name Timestamp
Create a TAXII user –	TQX - TAXII integration configuration has been created	Username that created a TAXII user TAXII username Timestamp
Delete a TAXII user	TQX - TAXII integration configuration has been removed	Username that removed a TAXII user TAXII username Timestamp
Update a TAXI user	TQX - TAXII integration configuration has been updated	Username that updated a TAXII user’s username, password, and/or TAXII collection access Configuration changes TAXII username Timestamp
Create a TAXII collection user	TQX - TAXII integration configuration has been created	Username that added a TAXII user to a TAXII collection TAXII username
Delete a TAXII collection user	TQX - TAXII integration configuration has been removed	Username that removed a TAXII user from a TAXII collection TAXII username

ThreatQ TDR Orchestrator (TQO) Configuration Logging

Applies to configuration driven workflows (CDWs), TQO workflows, and TQO actions.

Action	Message(s)	Information Logged
TQO Component: CDW
Install/Uninstall a CDW	Integration has been installed Integration has been uninstalled	Username that made the change CDW name Timestamp
Enable/Disable a CDW	Integration has been enabled Integration has been disabled	Username that made the change CDW name Timestamp
Update a CDW’s configuration	Integrations setting has been updated	Username that made the change CDW name Configuration changes Timestamp
Delete a CDW’s configuration	Advanced workflow integration configuration has been removed	Username that deleted the configuration CDW name Timestamp
TQO Component: Workflows
Install/Uninstall a workflow	Integration has been installed Integration has been uninstalled	Username that made the change Workflow name Timestamp
Enable/Disable a workflow	Integration has been enabled Integration has been disabled	Username that made the change Workflow name Timestamp
Update a workflow	Integrations setting has been updated	Username that made the change Workflow name Configuration change Timestamp
Create a workflow	Workflow builder integration configuration has been created	Username that created the workflow Workflow name Configuration settings Timestamp
Update a workflow’s configuration	Workflow builder integration configuration has been updated	Username that updated the workflow’s configuration Workflow name Configuration changes Timestamp
Delete a workflow’s configuration	Workflow builder integration configuration has been removed	Username that deleted the workflow’s configuration Timestamp
TQO Component: TQO Action
Configure a TQO action	Workflow builder action integration configuration has been created	Username that configured the action TQO action name Timestamp
Update a TQO action’s configuration	Workflow builder action integration configuration has been updated	Username that updated the action’s configuration TQO action name Configuration changes Timestamp
Delete a TQO action’s configuration	Workflow builder action integration configuration has been removed	Username that deleted the action’s configuration TQO action name Configuration changes Timestamp
Install/Uninstall a TQO action	Integration has been installed Integration has been uninstalled Action integration configuration has been removed	Username that installed/uninstalled the action Uninstall - Includes the message and data for an action configuration deletion TQO action name Timestamp
Update a TQO action	Integrations setting has been updated Action integration configuration has been updated	Username that updated the action Configuration settings TQO action name Timestamp
Create a TQO action	Action integration configuration has been created	Username that updated the action Configuration settings TQO action name Timestamp