# Platform Audit Logging
nano provides comprehensive audit logging for all platform operations, enabling security teams to monitor administrative actions, track changes, build compliance reports, and even create detection rules on platform activity itself.
All platform audit events are stored in ClickHouse with `source_type=audit`, making them fully searchable using the standard nano query interface. Each event includes a `source` field indicating which subsystem generated the event.

- **Full Searchability**: Query audit logs using the same interface as security data
- **Detection Capabilities**: Build detection rules on platform activity
- **Compliance**: Track all administrative actions for audit trails
- **Dashboards**: Create operational dashboards for platform monitoring
- **Alerting**: Set up alerts for suspicious administrative activity
## Audit Sources

| Source | Description |
|---|---|
| `auth` | Authentication events (login, logout, password reset) |
| `detection` | Detection rule changes (create, update, delete, enable/disable) |
| `user` | User management (create, update, delete, lock/unlock) |
| `tuning` | Auto-tuning proposals and settings changes |
| `case` | Case lifecycle events (see Case Audit Events) |
| `apikey` | API key management (create, delete, enable/disable) |
| `role` | Role management (create, update, delete) |
| `group` | Group management (create, update, delete, role assignments) |
| `credentials` | Cloud credential management (create, update, delete) |
## Common Fields

All audit events share these fields:

| Field | Type | Description |
|---|---|---|
| `source_type` | String | Always `"audit"` |
| `source` | String | Subsystem (`auth`, `detection`, `user`, etc.) |
| `action` | String | Specific action performed |
| `actor_id` | UUID | User ID who performed the action |
| `actor_name` | String | Display name of the actor |
| `api_key_id` | UUID | API key used (if applicable) |
| `resource_type` | String | Type of resource affected |
| `resource_id` | UUID | ID of affected resource |
| `resource_name` | String | Name of affected resource |
| `ip_address` | String | Client IP address |
| `user_agent` | String | Client user agent |
| `success` | Boolean | Whether the action succeeded |
| `details` | JSON | Additional action-specific data |
| `timestamp` | DateTime | When the event occurred |
## Audit Actions

### Authentication (`source=auth`)

| Action | Description | Triggered By |
|---|---|---|
| `login_success` | User successfully logged in | Login form, SSO |
| `login_failed` | Login attempt failed | Invalid credentials, locked account |
| `logout` | User logged out | Manual logout |
| `token_refresh` | Access token refreshed | Token refresh endpoint |
| `password_reset_request` | Password reset requested | Forgot password form |
| `password_reset_complete` | Password reset completed | Reset link clicked |
| `password_changed` | Password changed | User settings |
| `oidc_login` | SSO/OIDC login completed | OIDC flow |

### Detection Rules (`source=detection`)

| Action | Description | Triggered By |
|---|---|---|
| `rule_created` | Detection rule created | New rule saved |
| `rule_updated` | Detection rule modified | Rule edited |
| `rule_deleted` | Detection rule deleted | Rule removed |
| `rule_enabled` | Detection rule enabled | Toggle or bulk action |
| `rule_disabled` | Detection rule disabled | Toggle or bulk action |
| `rule_promoted` | Rule promoted to production | Experimental to production |
| `rule_demoted` | Rule demoted to experimental | Production to experimental |
| `rule_duplicated` | Rule duplicated | Clone action |

### User Management (`source=user`)

| Action | Description | Triggered By |
|---|---|---|
| `user_created` | New user created | Admin creates user |
| `user_updated` | User profile updated | Admin or self-edit |
| `user_deleted` | User deleted | Admin action |
| `user_locked` | User account locked | Failed login threshold |
| `user_unlocked` | User account unlocked | Admin action |
| `user_disabled` | User account disabled | Admin action |
| `user_enabled` | User account enabled | Admin action |
| `user_groups_updated` | User group memberships changed | Admin action |

### Auto-Tuning (`source=tuning`)

| Action | Description | Triggered By |
|---|---|---|
| `proposal_approved` | Tuning proposal approved | Manual approval |
| `proposal_rejected` | Tuning proposal rejected | Manual rejection |
| `settings_updated` | Rule tuning settings changed | Settings edit |
| `version_reverted` | Rule reverted to previous version | Revert action |

### API Keys (`source=apikey`)

| Action | Description | Triggered By |
|---|---|---|
| `apikey_created` | New API key created | Key generation |
| `apikey_deleted` | API key deleted | Key deletion |
| `apikey_enabled` | API key enabled | Admin action |
| `apikey_disabled` | API key disabled | Admin action |

### Roles (`source=role`)

| Action | Description | Triggered By |
|---|---|---|
| `role_created` | New role created | Admin action |
| `role_updated` | Role modified | Permission changes |
| `role_deleted` | Role deleted | Admin action |

### Groups (`source=group`)

| Action | Description | Triggered By |
|---|---|---|
| `group_created` | New group created | Admin action |
| `group_updated` | Group modified | Admin action |
| `group_deleted` | Group deleted | Admin action |
| `group_roles_updated` | Group role assignments changed | Admin action |

### Cloud Credentials (`source=credentials`)

| Action | Description | Triggered By |
|---|---|---|
| `credential_created` | Cloud credential added | Admin action |
| `credential_updated` | Cloud credential modified | Admin action |
| `credential_deleted` | Cloud credential removed | Admin action |
## Querying Audit Logs

### Basic Queries

All authentication events:

```
source_type=audit source=auth
```

Failed logins only:

```
source_type=audit source=auth action=login_failed
```

All detection rule changes:

```
source_type=audit source=detection
```

All actions by a specific user:

```
source_type=audit actor_name="admin@example.com"
```

All API key management events:

```
source_type=audit source=apikey
```

All events from a specific client IP address:

```
source_type=audit ip_address="192.168.1.100"
```

### Aggregations

Event counts by source and action:

```
source_type=audit
| stats count by source, action
| sort -count
```

Top 10 most active actors:

```
source_type=audit
| stats count by actor_name
| sort -count
| head 10
```

Daily event volume per source:

```
source_type=audit
| bucket timestamp span=1d
| stats count by timestamp, source
```

Failed operations by source and action:

```
source_type=audit success=false
| stats count by source, action
```

### Security-Focused Queries

Actor/IP pairs with more than 5 failed logins:

```
source_type=audit source=auth action=login_failed
| stats count by actor_name, ip_address
| where count > 5
```

Actor/IP pairs first seen in the last 24 hours (new login locations):

```
source_type=audit source=auth action=login_success
| stats earliest(timestamp) as first_seen by actor_name, ip_address
| where first_seen > now() - 24h
```

Successful logins outside 06:00 to 20:00:

```
source_type=audit source=auth action=login_success
| eval hour = hour(timestamp)
| where hour < 6 OR hour > 20
```

Role (permission) changes:

```
source_type=audit source=role action=role_updated
| table timestamp, actor_name, resource_name, details
```

User group membership changes:

```
source_type=audit source=user action=user_groups_updated
| table timestamp, actor_name, resource_name, details
```

API key creation:

```
source_type=audit source=apikey action=apikey_created
| table timestamp, actor_name, resource_name
```

Detection rule deletions:

```
source_type=audit source=detection action=rule_deleted
| table timestamp, actor_name, resource_name
```

Detection rules disabled in the last 24 hours:

```
source_type=audit source=detection action=rule_disabled
| where timestamp > now() - 24h
| table timestamp, actor_name, resource_name
```

Detection rule changes by actors other than the expected administrators:

```
source_type=audit source=detection
| where actor_name NOT IN ("admin@example.com", "system")
| stats count by actor_name, action
```
## Dashboards

Example panels for a security overview dashboard:

| Panel | Query | Visualization |
|---|---|---|
| Failed Logins (24h) | `source_type=audit action=login_failed \| where timestamp > now() - 24h \| stats count` | Single value |
| Login Locations | `source_type=audit action=login_success \| stats count by ip_address` | Map/Table |
| Rule Changes (7d) | `source_type=audit source=detection \| bucket timestamp span=1d \| stats count by timestamp` | Line chart |
| Active Users | `source_type=audit \| stats dc(actor_id) as unique_users` | Single value |
| Top Actions | `source_type=audit \| stats count by source, action \| sort -count \| head 20` | Bar chart |

Example panels for an administrative changes dashboard:

| Panel | Query | Visualization |
|---|---|---|
| User Account Changes | `source_type=audit source=user` | Table |
| Role/Permission Changes | `source_type=audit source=role OR source=group` | Table |
| API Key Activity | `source_type=audit source=apikey` | Table |
| Credential Changes | `source_type=audit source=credentials` | Table |
| All Admin Actions | `source_type=audit \| where action contains "created" OR action contains "deleted"` | Table |

Example panels for a platform activity dashboard:

| Panel | Query | Visualization |
|---|---|---|
| Actions per User | `source_type=audit \| stats count by actor_name` | Pie chart |
| Activity Timeline | `source_type=audit \| bucket timestamp span=1h \| stats count by timestamp` | Line chart |
| Actions by Type | `source_type=audit \| stats count by action` | Bar chart |
| Source Distribution | `source_type=audit \| stats count by source` | Pie chart |
## Detection Rules on Audit Events

Create detection rules on audit events to monitor for security-relevant activity:

```yaml
name: Brute Force Login Attempt
query: |
  source_type=audit source=auth action=login_failed
  | stats count by actor_name
  | where count > 10
schedule: "*/5 * * * *"
severity: high
```

```yaml
name: Detection Rule Deleted
query: |
  source_type=audit source=detection action=rule_deleted
schedule: "* * * * *"
severity: critical
```

```yaml
name: After Hours Administrative Action
query: |
  source_type=audit
  | where source IN ("user", "role", "group", "apikey", "credentials")
  | eval hour = hour(timestamp)
  | where hour < 6 OR hour > 22
  | stats count
  | where count > 0
schedule: "*/15 * * * *"
severity: medium
```

```yaml
name: Multiple Failed Operations
query: |
  source_type=audit success=false
  | stats count by actor_name
  | where count > 5
schedule: "*/10 * * * *"
severity: medium
```

```yaml
name: API Key Created Alert
query: |
  source_type=audit source=apikey action=apikey_created
schedule: "* * * * *"
severity: low
```

```yaml
name: Bulk User Account Changes
query: |
  source_type=audit source=user
  | where timestamp > now() - 5m
  | stats count
  | where count > 10
schedule: "*/5 * * * *"
severity: high
```
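As an added example (not nano's own code), two of the audit-log detections described above, repeated failed logins per actor/IP pair and administrative actions outside working hours, implemented in Python over a constructed sample of audit events. It assumes events are dicts carrying the shared audit fields listed on this page with ISO-8601 UTC timestamps; the thresholds mirror the page's queries.

```python
"""Two audit-log detections from this page, run over constructed events.
Added example, not nano's own code. Assumes each event is a dict with the
shared audit fields (source, action, actor_name, ip_address, timestamp)."""
from collections import Counter
from datetime import datetime

# Constructed sample events (not real platform data): seven failed logins
# for one actor/IP pair, one for another, and one late-night role change.
SAMPLE_EVENTS = [
    {"source_type": "audit", "source": "auth", "action": "login_failed",
     "actor_name": "alice@example.com", "ip_address": "198.51.100.7",
     "success": False, "timestamp": f"2024-05-01T10:0{i}:00Z"}
    for i in range(7)
] + [
    {"source_type": "audit", "source": "auth", "action": "login_failed",
     "actor_name": "bob@example.com", "ip_address": "203.0.113.5",
     "success": False, "timestamp": "2024-05-01T11:00:00Z"},
    {"source_type": "audit", "source": "role", "action": "role_updated",
     "actor_name": "admin@example.com", "ip_address": "198.51.100.9",
     "success": True, "timestamp": "2024-05-01T23:15:00Z"},
    {"source_type": "audit", "source": "detection", "action": "rule_disabled",
     "actor_name": "admin@example.com", "ip_address": "198.51.100.9",
     "success": True, "timestamp": "2024-05-01T14:00:00Z"},
]

# Sources the page's "After Hours Administrative Action" rule treats as admin.
ADMIN_SOURCES = {"user", "role", "group", "apikey", "credentials"}

def _hour(event):
    """UTC hour of the event, parsed from its ISO-8601 timestamp."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00")).hour

def failed_login_bursts(events, threshold=5):
    """Same logic as: source=auth action=login_failed
    | stats count by actor_name, ip_address | where count > threshold."""
    counts = Counter(
        (e["actor_name"], e["ip_address"]) for e in events
        if e["source_type"] == "audit" and e["source"] == "auth"
        and e["action"] == "login_failed")
    return {pair: n for pair, n in counts.items() if n > threshold}

def after_hours_admin_actions(events, start=6, end=20):
    """Same logic as: where source IN (admin sources)
    | eval hour = hour(timestamp) | where hour < start OR hour > end."""
    return [e for e in events
            if e["source_type"] == "audit" and e["source"] in ADMIN_SOURCES
            and not start <= _hour(e) <= end]
```

The `start`/`end` parameters let you reproduce either window used on this page (06:00 to 20:00 in the query examples, 06:00 to 22:00 in the detection rule).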
## Best Practices

Set up real-time alerts for:

- Detection rule deletions or bulk disabling
- Role/permission changes
- API key creation
- User account lockouts
- Failed authentication spikes

Track normal patterns for:

- Number of logins per user
- Time of day for administrative actions
- Frequency of rule changes
- API key usage patterns

Schedule periodic reviews:

- **Daily**: Failed logins, rule changes
- **Weekly**: User account changes, API key activity
- **Monthly**: Role/permission changes, compliance reports

Combine audit logs with security data:

```
(source_type=audit source=auth action=login_success) OR (source_type=windows_security EventID=4624)
| stats count by actor_name, ip_address
```

Configure appropriate retention for audit data:

- Many compliance frameworks require 90+ day retention
- Consider longer retention for authentication and access control events
- Export critical events to long-term storage if needed
## API Access

```bash
# Query authentication audit events for the past 24 hours
curl -H "Authorization: Bearer $API_KEY" \
     -H "Content-Type: application/json" \
     -d '{
       "query": "source_type=audit source=auth",
       "start": "-24h",
       "end": "now",
       "limit": 1000
     }' \
     http://nanosiem:3000/api/search

# Export all audit events for the past 30 days
curl -H "Authorization: Bearer $API_KEY" \
     -H "Content-Type: application/json" \
     -d '{
       "query": "source_type=audit",
       "start": "-30d",
       "end": "now",
       "format": "json"
     }' \
     http://nanosiem:3000/api/search/export > audit-export.json
```
## Troubleshooting

If audit events are not appearing:

- **Check ClickHouse connectivity**: Audit events require ClickHouse to be operational
- **Verify source_type**: Query with `source_type=audit` (not `source_type=case_audit`)
- **Check time range**: Ensure your query time range includes the expected events
- **Review permissions**: User must have appropriate view permissions

If actor information is missing:

- Events from background jobs may have `actor_id=null`
- API key events include `api_key_id` but may not have user context
- System-initiated events may show `actor_name="system"`

If audit volume is too high:

- Review which actions are most frequent
- Consider filtering routine read operations
- Adjust dashboard refresh intervals
- Use aggregation queries instead of raw event lists