
System & User Activity Now Tracked in Audit Log

Written by Omer Kushmirski
Updated over 3 weeks ago

The Journaling (Audit Log) feature enables secure, structured tracking of all user and system activities across the CYFOX platform. It supports platform-wide visibility for compliance, troubleshooting, and operational transparency, and can be viewed in different contexts depending on the type of action or feature being audited.

Only users with appropriate permissions (system administrators) can access the Audit Log. Access is limited to the environments and features for which you have been granted permission.

How to Access the Audit Log

CYFOX's platform provides two main ways to view audit data:

System Settings > Audit Log

  • This is the centralized overview of all actions across the platform.

  • Initially, this page may be empty until features are loaded for the first time.

Audit Log Tab within Individual Features

  • Most features in CYFOX (e.g., Policies, IDS, Reports, etc.) also include a dedicated “Audit Log” tab.

  • This provides a focused view of changes relevant to that specific feature, which is ideal for admins reviewing policy changes, malware rules, or network configurations.

🧭 How to find it:
Go to a feature like Policy > Event Response, then click the Audit Log tab.

📌 Example:

This screenshot is also an example of the feature-specific Audit Log, filtered for changes in the Event Response section under Policy.

  • All entries relate to rules applied to IDS and Malware Detection.

  • The filter bar at the top allows narrowing by event, action type, mode, or keyword.

Types of Audit Log Views

CYFOX organizes audit data into multiple view formats depending on the nature of the action or component.

Feature Table View

Used by most modules in CYFOX, the Feature Table View provides a clear timeline of actions performed on configurations within a specific feature:

  • Initialize - Feature tracking started

  • Added - A new item was created

  • Updated - An existing configuration was modified

  • Deleted - An item was removed

  • Applied Changes - A batch of edits was confirmed via “Apply Changes.”

Key Interface Elements

  • User who acted (clickable in On-Prem environments)

  • Timestamp - hover to see localized time and full format

  • Subject Name - identifies the object being changed

  • Action Type - what was done

  • Details Button - expands to show changes, highlighted in orange if updated

Field-Level View

For some configurations, audit records are displayed in a vertical, form-like format:

  • Each property appears on a new line

  • Details section maintains the same format and logic.

This view is especially useful for comparing structured before/after values and fields.

Update Hosts View

Used for features like Assign Group or Whitelist Updates:

  • Lists all devices affected

  • Shows side-by-side values for:

    • Updated from (previous setting)

    • Updated to (new value)

System Settings Audit Table

The System Settings page shows a high-level summary of changes made to configurations and global settings.

Columns include:

  • Main Menu - origin of the action

  • Page - where in the UI the action occurred

  • Feature - the specific module modified

  • Change - what was changed

Tip: All columns are searchable and filterable for easy navigation.

Agent Mitigations View

This specialized view shows logs related to file mitigations and manual analyst actions.

  • Read-only actions

  • Reflects only what has been done (not editable)

  • Appears in both the Forensics view and System Settings Audit Log

Expanding Details

Clicking on “Details” for any log entry provides a comprehensive breakdown of the change.

What you'll see

  • Previous and current values (if applicable)

  • Fields highlighted in orange if modified

  • Consistent layout matching the source feature

  • Local date/time with timezone-aware tooltip

  • In On-Prem: clickable user links

  • In Single-Tenant: user info is shown in plain text

Search & Filtering

Use the toolbar at the top of the table to:

  • Search by user, feature, action type, or keywords

  • Filter by date, category, or feature

  • Sort by timestamp, alphabetical order, or action

Security and Compliance Notes

  • Only authorized users can view audit logs.

  • Logs cannot be edited once recorded.

  • Each audit entry is also saved to a secure local log file (e.g., audit-2025-05-11.log) in On-Prem environments.

  • Audit data is retained according to your organization’s policy (3 months is the default).

Best Practices

  • Always start from a feature’s Audit Log tab when making a configuration change. This ensures that logs are initialized correctly.

  • Use the System Settings Audit Log for high-level reviews or investigations.

  • Regularly export or back up logs as part of your compliance procedures (Excel/PDF export available).

  • Refer to the Applied Changes action for bulk changes to understand group-level edits.
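
One way to check backed-up On-Prem audit files for gaps and later modification, as an added example that is not CYFOX code: it assumes one file per day named as in the audit-2025-05-11.log example, uses 90 days as a stand-in for the 3-month default, and takes a hypothetical directory from the caller. File contents are only hashed, never parsed, because the article does not describe their format.

```python
import hashlib
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Daily file naming follows the article's example, audit-2025-05-11.log.
LOG_NAME = re.compile(r"^audit-(\d{4}-\d{2}-\d{2})\.log$")


def snapshot(log_dir):
    """Return {ISO date: SHA-256 hex digest} for every daily audit file."""
    digests = {}
    for p in sorted(Path(log_dir).iterdir()):
        m = LOG_NAME.match(p.name)
        if not (m and p.is_file()):
            continue
        try:
            date.fromisoformat(m.group(1))  # skip names that are not real dates
        except ValueError:
            continue
        digests[m.group(1)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def verify(log_dir, manifest, today, retention_days=90):
    """Compare the directory with a manifest saved at the last backup."""
    current = snapshot(log_dir)
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    known = sorted(d for d in set(manifest) | set(current) if d >= cutoff)
    missing, changed = [], []
    if known:
        day = date.fromisoformat(known[0])
        while day < today:  # today's file may still be growing
            if day.isoformat() not in current:
                missing.append(day.isoformat())
            day += timedelta(days=1)
    for d in known:
        closed = d < today.isoformat()
        if closed and d in manifest and d in current and current[d] != manifest[d]:
            changed.append(d)
    return {"missing": missing, "changed": changed}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files
        for d in ("2025-05-09", "2025-05-10", "2025-05-11"):
            Path(tmp, f"audit-{d}.log").write_text(f"constructed entry {d}\n")
        saved = snapshot(tmp)
        Path(tmp, "audit-2025-05-10.log").unlink()
        print(verify(tmp, saved, date(2025, 5, 12)))
```

If the platform writes no file on a day without activity, a missing date is a prompt to check rather than proof of deletion. Keep the saved manifest somewhere the platform host cannot write.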

Glossary

Term - Description

  • Feature - A functional module in CYFOX (e.g., IDS, Policies, Settings)

  • Action - A logged user/system activity (e.g., Update, Delete)

  • Subject - The object being affected by the action (e.g., policy name, hostname)

  • Details - A breakdown of what changed and when

  • Transposed View - Vertical detail layout showing field-by-field changes

  • Forensics Log - Read-only audit records for manual or automated mitigations


Example Use Case

Scenario: A user updates an IDS policy from "Normal" to "Aggressive" mode.

  • Entry appears in Policies > Audit Log tab.

  • Action: Updated

  • Subject: Group: "Finance VLAN"

  • Timestamp: 2025-05-01 12:42:15

  • Details:

    • Mode changed: Normal → Aggressive

    • Actions changed: Send email → Send email + Syslog

    • Modified fields highlighted in orange


Still Have Questions?

Please get in touch with your system administrator or CYFOX support for further assistance with Audit Log access or interpretation.
