# Audit
## Overview
Afi implements comprehensive and detailed auditing of sensitive user and system activities, including data access, configuration changes, and system events. For centralized audit event management across your company, you can configure automatic audit event ingestion into a third-party SIEM system of your choice (Splunk, Datadog, Microsoft Sentinel, etc.).
> **Info:** Afi retains audit events for 3 years. Audit events older than 3 years are purged automatically.
## Navigation
You can view audit event history on the Activity tab in the Afi portal, with organization-level audit events displayed on the Admin tab and tenant-level audit events on the Audit tab.
> **Info:** Afi employs a multi-tenant organizational model which allows you to manage multiple tenants (data sources) under a single Afi account (referred to as an organization). Tenant-level audit events concern a particular tenant (for example, data access operations in this tenant), while organization-level audit events are related to global account-wide configuration changes (for example, administrator access or billing details changes).
For organizations with multiple tenants, you can switch between audit events related to different tenants by changing the tenant context in the context selection dropdown at the top of the screen. To view organization-level audit events for such organizations, please select the All data sources context (All customers context in case of a partner organization).
For convenient audit history browsing, you can select a time range within which you want to view the events, as well as a specific event type (Operation) if you are looking for particular events.
## Audit event details
You can view audit event details by clicking on the corresponding row in the audit event table. Each user-generated audit event contains information about a user (Actor) who triggered this event as well as their IP address and location.
System-generated audit events (for example, ones which are related to resource changes after periodic resource synchronizations with Google Workspace or Microsoft 365) have System account as an Actor.
## Audit event export
You can export audit events in CSV format to review them locally by selecting a time range and clicking on the Download button.
## Organization-level audit
This section provides a list of organization-level audit event types and the corresponding event details available for each event type.
### Organization and tenant management events
Event type | Description | Details |
---|---|---|
Tenant Added | A tenant has been added under the organization. | Object: The tenant which was added. |
Tenant Deleted | A tenant that belongs to the organization has been deleted. | Object: The tenant which was deleted. |
Tenant Transfer | A tenant has been transferred into or out of the organization. | Object: The tenant which was transferred. Details: The destination organization to which the tenant was transferred and the source organization from which it was transferred. |
Org Attached | A child organization has been added under the current organization. This event is specific to partner organizations. | Object: The organization which was added. |
Org Detached | A child organization has been moved out from under the current organization. This event is specific to partner organizations. | Object: The organization which was moved out. |
### Access management events
Event type | Description | Details |
---|---|---|
Access Group Changed | An access group has been created or modified. | Name: The name of the access group which was created or modified. Expires: The access group expiration time (if specified). Access scope: Access scope provided by the access group. Permissions: Permissions granted through the access group. Group members: Access group membership changes. |
Access Group Deleted | An access group has been deleted. | Object: The access group which was deleted. |
Invitation Sent | An invitation has been sent to join an access group. | Object: The access group to which the invitation was sent. Details: The email address of the user who was invited to the group. |
Invitation Accepted | An invitation to join an access group has been accepted. | Actor: The user who accepted the invitation. Object: The access group to which the invitation was accepted. |
Invitation Deleted | An invitation to join an access group has been deleted. | Object: The access group from which the invitation was deleted. Details: The email address of the user whose invitation was deleted. |
### License management events
Event type | Description | Details |
---|---|---|
Customer Updated | A customer organization's billing info or payment mode (by card or invoice) has been updated. | Payment Method: New payment mode (auto-pay by credit card or manual invoice payments). Billing info: New billing details (billing email, address, and tax ID). |
Payment Method Updated | A new credit card has been added to the customer organization. | Details: The new credit card details (card brand, last 4 digits, and expiration date). |
Subscription Updated | A subscription item (user, storage, etc.) quantity or auto-licensing settings have been changed. | Object: The subscription which was updated. Details: The new quantity and auto-licensing settings for each updated subscription item. |
### Settings management events
Event type | Description | Details |
---|---|---|
Org Config Updated | Organization configuration has been updated. | Details: Organization configuration settings which were updated (for example, sharing of anonymous diagnostics reports with Afi). |
App Installed | An App has been installed in the organization. | Object: The application which was installed in the organization. |
App Uninstalled | An App has been uninstalled from the organization. | Object: The application which was uninstalled from the organization. |
Notification Group Updated | A notification group has been updated. | Object: The notification (billing, system, ransomware, or audit) group which was updated. Details: The list of new and old notification group members. |
Notification Group Deleted | A notification group has been deleted. | Object: The notification (billing, system, ransomware, or audit) group which was deleted. |
Update Report Settings | Report settings have been updated. | Object: Report kind (org.overview for organizations). Details: Report frequency and recipients. |
SAML Provider Created | SAML authentication configuration created. | Object: SAML configuration which was created. |
SAML Provider Updated | SAML authentication configuration updated. | Object: SAML configuration which was updated. |
## Tenant-level audit
This section provides a list of tenant-level audit event types and the corresponding event details available for each event type.
### Data access events
Event type | Description | Details |
---|---|---|
Browse | A backup has been opened for browsing. | Object: The backup which was opened for browsing. Show content: This flag indicates whether email and chat content preview access was enabled during this browse session. |
Restore | A data recovery operation has been launched. | Object: The backup from which the data recovery was launched. Target: The resource to which the data was recovered. Details: The items or workloads which were selected for recovery, as well as recovery parameters. |
Download | A data export operation has been launched. | Object: The backup from which the data export was launched. Details: The items or workloads which were selected for export. |
Search | A backup search query has been launched. | Object: The backup or group of backups (in case of a global search) where the search query was launched. Details: Search query parameters. Show content: This flag indicates whether email and chat content preview access was enabled during this search session. |
### Access management events
Event type | Description | Details |
---|---|---|
Access Group Changed | An access group has been created or modified. | Name: The name of the access group which was created or modified. Expires: The access group expiration time (if specified). Access scope: Access scope provided by the access group. Permissions: Permissions granted through the access group. Group members: Access group membership changes. |
Access Group Deleted | An access group has been deleted. | Object: The access group which was deleted. |
Invitation Sent | An invitation has been sent to join an access group. At the moment this tenant-level event is specific to Kubernetes tenants. | Object: The access group to which the invitation was sent. Details: The email address of the user who was invited to the group. |
Invitation Accepted | An invitation to join an access group has been accepted. At the moment this tenant-level event is specific to Kubernetes tenants. | Actor: The user who accepted the invitation. Object: The access group to which the invitation was accepted. |
Invitation Deleted | An invitation to join an access group has been deleted. At the moment this tenant-level event is specific to Kubernetes tenants. | Object: The access group from which the invitation was deleted. Details: The email address of the user whose invitation was deleted. |
### Backup management events
Event type | Description | Details |
---|---|---|
Policy Created | A backup SLA policy has been created. | Object: The policy that was created. Data to backup: Exceptions (enabled or disabled workloads) to the default workload list. Exclusions: Configured email and file exclusion rules (if specified). Frequency: Backup schedule for the policy. Retention: Configured retention rules. Archiving: Configured archiving rules. Encryption key: The encryption key (Afi- or customer-managed) used by the policy. |
Policy Updated | A backup SLA policy has been updated. | Object: The policy that was updated. Data to backup: Exceptions (enabled or disabled workloads) to the default workload list. Exclusions: Configured email and file exclusion rules (if specified). Frequency: Backup schedule for the policy. Retention: Configured retention rules. Archiving: Configured archiving rules. Encryption key: The encryption key (Afi- or customer-managed) used by the policy. |
Policy Deleted | A backup SLA policy has been deleted. | Object: The policy that was deleted. |
Backup Deletion Scheduled | A backup has been scheduled for deletion. | Object: The backup which was scheduled for deletion. |
Delete | A backup has been deleted. | Object: The backup which was deleted. |
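The data access and backup management events above are the ones a SIEM rule would most often key on. As an added example (not Afi's own code, and not Afi's documented export format), the following Python triages a constructed CSV export: the column names, the sample rows and the risk grouping are assumptions made for this example, and the actual header of a real export should be checked before reuse.

```python
import csv
import io
from collections import Counter

# Constructed sample of an Afi audit CSV export. The column names are an
# assumption made for this example; check the real export header before use.
SAMPLE_EXPORT = """\
Time,Operation,Actor,IP,Object,Target,Show content,Details
2024-05-01T08:02:11Z,Browse,alice@example.com,203.0.113.10,Mailbox backup: bob@example.com,,false,
2024-05-01T08:05:40Z,Search,alice@example.com,203.0.113.10,Global search,,true,query=invoice
2024-05-01T09:15:03Z,Restore,carol@example.com,198.51.100.7,Drive backup: dave@example.com,Drive: carol@example.com,,Folder: Finance
2024-05-01T09:20:55Z,Download,carol@example.com,198.51.100.7,Mailbox backup: dave@example.com,,,Whole mailbox
2024-05-01T10:00:00Z,Policy Updated,admin@example.com,192.0.2.5,Default SLA,,,Retention: 1 year -> 30 days
2024-05-01T10:01:00Z,Resource Updated,System account,,,,,1 resource archived
2024-05-01T11:30:00Z,Browse,alice@example.com,203.0.113.10,Mailbox backup: erin@example.com,,true,
"""

# Events that move customer data out of a backup or weaken backup protection.
HIGH_RISK_OPS = {"Restore", "Download", "Policy Updated", "Policy Deleted",
                 "Delete", "Backup Deletion Scheduled"}
CONTENT_PREVIEW_OPS = {"Browse", "Search"}


def triage(export_text):
    """Return (findings, actor_counts): findings are dicts for events worth
    a second look; actor_counts tallies flagged events per Actor so that a
    single account with many data-access events stands out."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        op, actor = row["Operation"], row["Actor"]
        if actor == "System account":      # periodic sync events, no user behind them
            continue
        reason = None
        if op in CONTENT_PREVIEW_OPS and row["Show content"].lower() == "true":
            reason = "content preview enabled during " + op.lower() + " session"
        elif op == "Restore":
            reason = "data recovered to " + (row["Target"] or "unknown target")
        elif op in HIGH_RISK_OPS:
            reason = op.lower() + " of " + row["Object"]
        if reason:
            findings.append({"time": row["Time"], "actor": actor,
                             "ip": row["IP"], "operation": op, "reason": reason})
    return findings, Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT)[0]:
        print(f["time"], f["actor"], f["ip"], f["operation"], "-", f["reason"])
```

The same rules can be expressed directly in the SIEM once ingestion is configured; the per-actor tally is the part worth keeping, since one account browsing many other users' mailboxes with content preview enabled is the pattern to review.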
### Settings management events
Event type | Description | Details |
---|---|---|
Tenant Config Updated | Tenant config has been updated. | Details: Config details (status of self-service access to shared resources, latest admin consent grant date, etc.) which were updated. |
App Installed | An App has been installed in the tenant. | Object: The application which was installed in the tenant. |
App Uninstalled | An App has been uninstalled from the tenant. | Object: The application which was uninstalled from the tenant. |
Secret Version Created | A new secret (or secret version) has been created. | Object: The secret version which was created. |
Secret Metadata Update | Secret metadata has been updated (e.g., the secret name or settings have been changed). | Object: The secret for which metadata was updated. |
Secret Deleted | A secret has been deleted. | Object: The secret which was deleted. |
Update Report Settings | Report settings have been updated. | Object: Report kind (tenant.overview for tenants). Details: Report frequency and recipients. |
### System events
Event type | Description | Details |
---|---|---|
Resource Added | Resources have been added after a periodic resource synchronization with the data source (tenant) provider. Example: a new Microsoft 365 user has been created. | Details: The list of resources which were added. |
Resource Updated | Resources have been updated after a periodic resource synchronization with the data source (tenant) provider. Example: a Microsoft 365 user has been deleted on the Microsoft side and archived on the Afi side. | Details: The list of resources which were updated. |
Resource Moved | Resources have been added to or removed from resource groups after a periodic resource synchronization with the data source (tenant) provider. Example: a Microsoft 365 user has been added to an Entra ID (Azure Active Directory) group. | Details: The list of resources which were added to or removed from resource groups, together with a list of membership changes for each resource. |
Resource Group Created | Resource groups have been added after a periodic resource synchronization with the data source (tenant) provider. Example: a new Entra ID (Azure Active Directory) group has been created. | Details: The list of resource groups which were added, together with a list of members for each group. |
Resource Group Updated | Resource group membership has been updated after a periodic resource synchronization with the data source (tenant) provider. Example: a Microsoft 365 user has been added to an Entra ID (Azure Active Directory) group. | Details: The list of resource groups where members were added or removed, together with a list of membership changes for each group. |
Resource Group Deleted | Resource groups have been deleted after a periodic resource synchronization with the data source (tenant) provider. Example: an Entra ID (Azure Active Directory) group has been deleted. | Details: The list of resource groups which were deleted. |
Alert Created | An alert has been issued. | Details: Details of the alert (exceeded license quota, potential ransomware event, etc.) which was created. |
Alert Resolved | An alert has been resolved. | Details: Details of the alert (exceeded license quota, potential ransomware event, etc.) which was resolved. |