Audit and Core Modules

Audit actions 

Energy Logserver logs audit events for security-relevant operations across the platform. Audit actions are grouped by module.

Authorization Plugin 

Action Type	Path	From Request
`LOGIN`	`/_logserver/login`	username
`LOGOUT`	`/_logserver/logout`	username
`FAILED_LOGIN`	`/_logserver/login`	username
`USER_CREATE`	`/_logserver/accounts`	created user content
`USER_UPDATE`	`/_logserver/accounts`	whole body with diff
`USER_DELETE`	`/_logserver/accounts`	deleted user content
`ROLE_CREATE`	`/_logserver/constraints`	whole body with diff
`ROLE_UPDATE`	`/_logserver/constraints`	whole body with diff
`ROLE_DELETE`	`/_logserver/constraints`	whole body with diff
`BULK`	`_bulk`	whole body if enabled
`QUERY`	`*`	whole body if enabled
`OBJECTS`	`/.kibana*`	whole body if enabled

Paths excluded from auditing

The following paths are excluded from audit logging:

/
/_nodes*
/_stats*
/.auth
/.authconfig*
/_logserver/configuration/trustedhost
/_logserver/resolve_token
/_logserver/reports/checkpass
/_logserver/tasksList
/_logserver/configuration/domains
/_logserver/license
/_logserver/license/repo_access
/_logserver/license/mssp
/_logserver/mssp/*

Config 

Action Type	Path	From Request
`TOKENS DELETED`	`post:/api/setting/job/deletealltokens`	—
`SETTINGS TOKENDELETE`	`put:/api/setting/tokendelete`	`payload.value`
`SETTINGS TIMEOUT`	`put:/api/setting/ttl`	`payload.value`
`SETTINGS AUDIT SELECTION`	`put:/api/setting/auditselection`	`payload.value1`
`SETTINGS AUDIT EXCLUSION`	`put:/api/setting/auditexclusion`	`payload`
`SETTINGS ALERT EXCLUDE FIELDS`	`put:/api/setting/alert_exclude_fields`	`payload.value1`
`SETTINGS AUTH DOMAINS`	`put:/api/setting/auth_domains`	`payload.default_domain`
`MSSP PERMISSIVE MODE`	`put:/api/setting/mssp_permissive`	`payload.value2`
`MSSP SOURCES ALLOWED`	`post:/api/mssp/sources/allow`	`payload.sourcesIds`
`MSSP SOURCE DESCRIPTION EDITED`	`put:/api/mssp/source`	`payload.description`
`MSSP SOURCES DELETED`	`delete:/api/mssp/sources`	`payload.sourcesIds`

Reports 

Action Type	Path	From Request
`DATA EXPORT CREATED`	`post:/api/reports/data/export`	`payload.taskName`
`MANUAL DATA EXPORT CREATED`	`post:/api/reports/data/export_manual`	`payload.user`
`DATA EXPORT EDITED`	`put:/api/reports/data/export`	`payload.taskName`
`DASHBOARD REPORT EXPORT CREATED`	`post:/api/reports/dashboard/export`	`payload.taskName`
`DASHBOARD REPORT EXPORT EDITED`	`put:/api/reports/dashboard/export`	`payload.taskName`
`DATA TABLE REPORT EXPORT CREATED`	`post:/api/reports/table/export`	`payload.taskName`
`DATA TABLE REPORT EXPORT EDITED`	`put:/api/reports/table/export`	`payload.taskName`
`SCHEDULED TASK ENABLED`	`put:/api/reports/scheduler/enable`	`payload.id`
`SCHEDULED TASK DISABLED`	`put:/api/reports/scheduler/disable`	`payload.id`
`TASKS DELETED`	`delete:/api/reports`	`payload.objs`
`SETTINGS PDF_EXPIRY`	`post:/api/reports/settings/pdf`	`payload.pdfExpiry`
`SETTINGS CSV_EXPIRY`	`post:/api/reports/settings/csv`	`payload.csvExpiry`
`REPORT UPLOAD LOGO`	`post:/api/reports/settings/logos`	`payload.fileName`
`ONGOING TASK STOP`	`post:/api/reports/stop/`	`params.taskId`

Alerts 

Action Type	Path	From Request
`ALERT RULE CREATED`	`post:/api/alerts/alertrule`	`payload.alertrulename`
`ALERT RULE EDITED`	`put:/api/alerts/alertrule`	`payload.alertrulename`
`ALERT RULES SAVED`	`post:/api/alerts/alertrule/saverules`	—
`ALERT RULE ENABLED`	`put:/api/alerts/alertrule/switch`	`payload.alertsList`
`ALERT RULE DISABLED`	`put:/api/alerts/alertrule/switch`	`payload.alertsList`
`ALERT RULE RAN ONCE`	`post:/api/alerts/alertrule/runonce`	`payload.id`
`ALERT RULE DELETED`	`delete:/api/alerts/alertrule/`	`params.id`
`ALERT GROUP CREATED`	`post:/api/alerts/groups`	`payload.newGroupName`
`ALERT GROUP RENAMED`	`put:/api/alerts/groups`	`payload.groupName`, `payload.rename`
`ALERT GROUP DELETED`	`delete:/api/alerts/groups`	`payload.groupName`
`ALERTS ADDED TO GROUP`	`put:/api/alerts/updatealerts`	`payload`
`ALERT CHANGED ROLES`	`put:/api/alerts/alertrules/changeroles`	`payload.alertsList`
`ALERT MANUAL INCIDENT CREATED`	`post:/api/alerts/incidents/create_manual`	`payload.data.rule_name`
`ALERT RULE INCIDENT EDITED`	`put:/api/alerts/incidents`	`payload.id`

Index Management 

Action Type	Path	From Request
`ACTION CREATED`	`post:/api/index_management/action`	`payload.name`
`ACTION EDITED`	`put:/api/index_management/action`	`payload.name`
`ACTION START NOW`	`post:/api/index_management/action/run_action`	`payload.id`
`ACTION DELETED`	`delete:/api/index_management/action/`	`params.name`
`SYSTEM INDEX ROLLOVER CONFIGURE`	`post:/api/index_management/settings/rollover/`	`payload`

Archive 

Action Type	Path	From Request
`ARCHIVAL TASK CREATED`	`post:/api/archive/archive_task`	`payload.id`
`ARCHIVAL TASK UPDATED`	`put:/api/archive/archive_task/`	`params.taskId`
`ARCHIVAL TASK START NOW`	`post:/api/archive/archive_task/run/`	`params.taskId`
`TASKS DELETED`	`delete:/api/archive/tasks`	`payload.objs`
`SEARCH TASK CREATED`	`post:/api/archive/search_task/run`	`payload.searchtext`
`RESTORE TASK CREATED`	`post:/api/archive/restore_task/run`	`payload.destinationIndex`
`ARCHIVE(S) DELETED`	`post:/api/archive/retention/archives`	`payload.archives`
`ARCHIVE POLICY EXECUTED`	`post:/api/archive/retention/execute/`	`params.archiveTaskId`
`ARCHIVE RETENTION POLICY DELETED`	`delete:/api/archive/retention/policies`	`payload.archiveTaskIds`

Sync 

Action Type	Path	From Request
`SYNC PROFILE CREATED`	`post:/api/sync/clusterprofile`	`payload.host`
`SYNC PROFILE DELETED`	`post:/api/sync/syncTask/delete`	`payload.id`
`SYNC SYNCHRONISED`	`put:/api/sync/syncTask`	`payload.destination`
`SYNC COPIED`	`post:/api/sync/copyTask`	`payload.destination`
`SYNC JOB DELETED`	`post:/api/sync/syncTask/delete`	`payload.id`
`SYNC JOB RAN`	`post:/api/sync/runTask`	`payload.id`
`SYNC ACTION ENABLED`	`*:/api/sync/scheduler/`	`payload.id`
`SYNC ACTION DISABLED`	`*:/api/sync/scheduler/`	`payload.id`

Agents 

Action Type	Path	From Request
`AGENTS AGENT RELOADED`	`post:/api/agents/reloadagents/`	`params.id`
`AGENTS MASTERAGENT RELOADED`	`post:/api/agents/reloadmasteragent/`	`params.id`
`AGENTS DELETED`	`delete:/api/agents/`	`params.uid`
`AGENTS FILE CREATED`	`post:/api/agents/templates/file`	`payload.file.name`
`AGENTS FILE DELETED`	`delete:/api/agents/files`	—
`AGENTS FILE EDITED`	`put:/api/agents/files`	`payload.name`
`AGENTS TEMPLATE CREATED`	`post:/api/agents/templates`	`payload.template.name`
`AGENTS TEMPLATE EDITED`	`put:/api/agents/templates`	`payload.template.name`
`AGENTS TEMPLATE DELETED`	`delete:/api/agents/templates/`	`params.id`
`AGENTS BEATS STARTED`	`*:/api/agents/manage/`	`params.command`, `params.beatname`
`AGENTS BEATS RESTARTED`	`*:/api/agents/manage/`	`params.command`, `params.beatname`
`AGENTS BEATS STOPPED`	`*:/api/agents/manage/`	`params.command`, `params.beatname`

Intelligence 

Action Type	Path	From Request
`INTELLIGENCE RULE CREATED`	`get:/api/intelligence/intelligence_modelcreation_set_formdata`	`query.rule_name`
`INTELLIGENCE RULE EDITED`	`get:/api/intelligence/intelligence_modelcreation_set_formdata`	`query.rule_name`
`INTELLIGENCE RULE STOPPED`	`get:/api/intelligence/intelligence_airules_set_stoprule`	`query.rule_uid`
`INTELLIGENCE RULE STARTED`	`get:/api/intelligence/intelligence_airules_set_startrule`	`query.rule_uid`
`INTELLIGENCE RULE DELETED`	`get:/api/intelligence/intelligence_airules_set_deleterule`	`query.rule_uid`
`INTELLIGENCE USE CASE DOWNLOADED`	`get:/api/intelligence/intelligence_download_use_case`	`query.rule_uid`, `query.use_case_name`
`INTELLIGENCE USE CASE UPLOADED`	`post:/api/intelligence/intelligence_upload_use_case`	`payload.rule.rule_name`
`ASSISTANT CONNECTION CREATED`	`post:/api/intelligence/connections`	`payload.name`
`ASSISTANT CONNECTION EDITED`	`put:/api/intelligence/connections/`	`params.id`, `payload.name`
`ASSISTANT CONNECTION DELETED`	`delete:/api/intelligence/connections/`	`params.id`
`ASSISTANT PROMPT CREATED`	`post:/api/intelligence/prompts`	`payload.name`, `payload.id`, `payload.type`
`ASSISTANT PROMPT EDITED`	`put:/api/intelligence/prompts/`	`params.id`, `payload.name`
`ASSISTANT PROMPT DELETED`	`delete:/api/intelligence/prompts/`	`params.id`
`ASSISTANT PROMPT EXECUTED`	`post:/api/intelligence/prompt`	`payload.systemPromptID`, `payload.name`
`ASSISTANT LOG EXPLAIN REQUESTED`	`post:/api/intelligence/explain_log`	—
`ASSISTANT THREAT DESCRIPTION REQUESTED`	`post:/api/intelligence/describe_threat`	—
`ASSISTANT ALERT CREATION REQUESTED`	`post:/api/intelligence/create_alert`	—

Network Probe 

Action Type	Path	From Request
`NETWORK-PROBE FILE CREATED`	`post:/api/network-probe/files`	`payload.file.path`
`NETWORK-PROBE FILE DELETED`	`delete:/api/network-probe/files`	`payload.filePath`
`NETWORK-PROBE UNREGISTERED`	`delete:/api/network-probe/host`	`payload.hostId`
`NETWORK-PROBE FILE REREGISTERED`	`post:/api/network-probe/files/register`	`payload.host.ip`
`NETWORK PROBE SERVICES STOPPED`	`post:/api/network-probe/services`	`payload.services.names`
`NETWORK PROBE SERVICES STARTED`	`post:/api/network-probe/services`	`payload.services.names`
`NETWORK PROBE SERVICES RESTARTED`	`post:/api/network-probe/services`	`payload.services.names`
`NETWORK-PROBE PIPELINES ENABLED`	`post:/api/network-probe/pipelines/enable`	`payload.pipelinesIds`, `params.hostId`
`NETWORK-PROBE PIPELINES DISABLED`	`post:/api/network-probe/pipelines/disable`	`payload.pipelinesIds`, `params.hostId`
`NETWORK-PROBE PIPELINES RELOADED`	`post:/api/network-probe/pipelines/reload`	—
`NETWORK-PROBE PIPELINE CREATED`	`post:/api/network-probe/pipeline/`	`params.name`