Download PDF
Download page Auditing.
Auditing
Auditing enables Tenant Administrators monitor and review user actions, identify potential security risks, adhere to compliance standards, gain insight into user behavior, and troubleshoot issues. The Tenant Administrator uses the Cisco AppDynamics Query Service API with the Unified Query Language (UQL) to query audit logs.
Common Audit Use Cases
Tenant Administrators can use auditing to perform the tasks below. The list is far from exhaustive.
- View audit history for end users for customer support.
- Generate weekly audit reports for all administrative changes made to management.
- Compare end-user behavior over the past six months.
- Search for all actions performed by end users within the last 24 hours.
- Submit annual audit reports of administrators to the Audit team.
- Analyze an audit event for troubleshooting.
- Provide audit reports to the internal Security team for all users who have logged in via their personal devices.
Requirements
To use auditing, you will need to do the following:
- Call the Cisco Cloud Observability APIs
- Obtain an access token
- Use the Cisco AppDynamics Query Service API
Limitations
The Auditing feature has the following limitations:
- Tenant-level audit events only (Account-level audit events are unavailable.)
- Audit events are available only through the Cisco AppDynamics Query Service API. (The UI is unavailable.)
- Audit events are stored for 30 days. (The retention period is not configurable.)
Query Audit Records
Auditing is available via a REST API that uses a Unified Query Language (UQL), a Cisco AppDynamics domain-specific language used to observe data in Cisco AppDynamics. Some of its features are:
UQL Primer
Unified Query Language (UQL) is a domain-specific and declarative language used to query data. To query data, you append UQL statements to the Cisco AppDynamics Query Service API. The syntax of UQL is similar to SQL in that you form statements in blocks, fetching fields from data sources and adding filters if needed.
Before making audit queries with UQL, let's look at a simple UQL query and brief description:
UQL Query | Explanation |
---|---|
|
|
Audit Object
You can access audit events through the audit
object audit:record.
FETCH events(audit:record)
Resource Types
The resource types describe the original source of the audit events. For example, the user_principal
is a source for a certain subset of the available audit events.
Resource Type | Description |
---|---|
user_principal | Logged-in users interact with the Cisco Cloud Observability and click UI components that in turn make calls to APIs. |
agent_principal | Cisco AppDynamics software (e.g., agents or collectors) is installed in the customer's environment and makes calls to APIs. |
service_principal | Tenant Administrators create Service Principals from the Cisco AppDynamics Accounts Portal and use the Service Principal credentials to make calls to APIs. |
token | The access token of the principal that authorizes REST calls. |
api | The API that is being called. |
Audit Events
The following table describes the supported values and what each combination represents:
Valid Resource Type(s) | Event Type | Description |
---|---|---|
agent_principal , service_principal | created | A new agent principal or service principal has been created. |
updated | An agent principal or service principal has been updated. | |
deleted | An agent principal or service principal has been deleted. | |
secret_rotated | A client secret for an agent principal or a service principal has been rotated. | |
secret_revoked | The client secret for an agent principal or a service principal has been revoked. | |
api | authorized | A principal has been successfully authorized to access an API. |
unauthorized | A principal's request to access an API was denied. | |
user_principal | tenant_assigned | A user is assigned to a tenant. |
tenant_removed | A user is removed from a tenant | |
user_principal , service_principal | role_changed | The role of a user or service principal has changed. |
Auditing Basics with UQL
You can fetch all of the audit events with this simple query, shown as a query statement and in a call to the Cisco AppDynamics Query Service API:
FETCH events(audit:record){attributes} SINCE -1d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record){attributes} SINCE -1d"
}'
Example Auditing Queries
You following examples show you how to use UQL and the Cisco AppDynamics Query Service API to query common audit events.
New and Removed Users
The query below returns the audit records for users who were created or removed in the last 10 days.
FETCH events(audit:record)[attributes('audit.record.type') IN ['created', 'deleted']]{attributes} SINCE -10d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record)[attributes('audit.record.type') IN ['created', 'deleted']]{attributes} SINCE -10d"
}'
Users Added to or Removed from a Tenant
The query below returns the audit records for users who were added or removed from a tenant in the last 10 days.
FETCH events(audit:record)[attributes('audit.record.type') IN ['tenant_assigned', 'tenant_removed']]{attributes} SINCE -10d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record)[attributes('audit.record.type') IN ['tenant_assigned', 'tenant_removed']]{attributes} SINCE -10d"
}'
Changed Roles
The query below returns the audit records for users who changed roles in the last 30 days.
FETCH events(audit:record)[attributes('audit.record.type') IN ['role_changed']]{attributes} SINCE -30d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record)[attributes('audit.record.type') IN ['role_changed']]{attributes} SINCE -10d"
}'
View Changes to Agent or Service Principals
This query returns the audit records where agent or service principals that were updated in the last 30 days.
FETCH events(audit:record)[attributes('audit.record.type') IN ['updated'] && attributes('audit.record.principal.properties.id') IN ['agent', 'service']]{attributes} SINCE -30d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record)[attributes('audit.record.type') IN ['updated'] && attributes('audit.record.principal.properties.id') IN ['agent', 'service']]{attributes} SINCE -30d"
}'
Rejected Access Attempts
This query returns the audit records of rejected access attempts in the last 30 days.
FETCH events(audit:record)[attributes('audit.record.type') IN ['unauthorized', 'login_failed', 'token_denied', 'secret_revoked]]{attributes} SINCE -30d
curl -X POST https://<customer_tenant>.observe.appdynamics.com/monitoring/v1/query/execute \
-H 'Authorization: Bearer {accessToken}' \
-d '{
"query": "FETCH events(audit:record)[attributes('audit.record.type') IN ['unauthorized', 'login_failed', 'token_denied', 'secret_revoked]]{attributes} SINCE -30d"
}'