Audit Analytics
The audit analytics dashboard provides aggregated insights into security events across your fleet, helping you identify unusual activity and assess risk.
Analytics Dashboard
Navigate to Admin > Audit Analytics to view:
- Action Counts — breakdown of audit events by type (login, API call, config change, etc.)
- User Activity — which users are most active and what actions they perform
- Time Distribution — when events occur (by hour, day of week)
- Risk Score — a computed score based on suspicious patterns
Risk Scoring
The risk score is calculated based on several factors:
| Factor | Impact |
|---|---|
| Failed login attempts | High |
| Privilege escalations | High |
| Activity during unusual hours | Medium |
| Bulk operations | Medium |
| Configuration changes | Low |
Higher risk scores indicate potential security concerns that warrant investigation.
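The following is an added illustration of how a score like the one in the table above can be derived from raw audit events; it is not the product's own scoring code. The numeric weights for High/Medium/Low, the definition of "unusual hours", the bulk threshold and the sample events are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Assumed numeric weights for the table's High/Medium/Low impact levels (the page gives none).
IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}
# Factor -> impact level, taken from the Risk Scoring table.
FACTOR_IMPACT = {"failed_login": "high", "privilege_escalation": "high",
                 "unusual_hours": "medium", "bulk_operation": "medium", "config_change": "low"}
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 UTC counts as "usual" hours
BULK_THRESHOLD = 50            # assumed: an operation touching >= 50 objects is "bulk"

def classify(event):
    """Return the risk factors a single audit event triggers (an event may trigger several)."""
    factors = []
    if event["action"] == "login" and not event.get("success", True):
        factors.append("failed_login")
    if event["action"] in ("privilege_escalation", "config_change"):
        factors.append(event["action"])
    if event.get("object_count", 1) >= BULK_THRESHOLD:
        factors.append("bulk_operation")
    # Normalise to UTC first so events logged with a local offset are judged consistently.
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    if hour not in BUSINESS_HOURS:
        factors.append("unusual_hours")
    return factors

def risk_score(events):
    """Weighted score for a set of events plus the per-factor counts that explain it."""
    counts = Counter(f for e in events for f in classify(e))
    score = sum(IMPACT_WEIGHT[FACTOR_IMPACT[f]] * n for f, n in counts.items())
    return score, dict(counts)

def risk_by_user(events):
    """Per-user score, so an analyst can see which accounts drive the tenant's risk."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    return {u: risk_score(evs)[0] for u, evs in by_user.items()}

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:15:00+00:00", "user": "alice", "action": "login", "success": True},
    {"ts": "2024-05-01T10:16:00+00:00", "user": "alice", "action": "config_change"},
    {"ts": "2024-05-01T03:02:00+00:00", "user": "bob", "action": "login", "success": False},
    {"ts": "2024-05-01T03:03:00+00:00", "user": "bob", "action": "login", "success": False},
    {"ts": "2024-05-01T03:05:00+00:00", "user": "bob", "action": "privilege_escalation"},
    {"ts": "2024-05-01T14:00:00+00:00", "user": "carol", "action": "api_call", "object_count": 120},
]

if __name__ == "__main__":
    print(risk_score(SAMPLE_EVENTS), risk_by_user(SAMPLE_EVENTS))
```

Returning the factor counts alongside the score matters in practice: a bare number cannot be triaged, whereas "two failed logins and a privilege escalation at 03:00" can.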
Time Periods
Analytics can be viewed at different granularities:
| Period | Description |
|---|---|
| Daily | Day-by-day breakdown |
| Weekly | Week-by-week summary |
| Monthly | Month-by-month overview |
Analytics API
| Endpoint | Method | Description |
|---|---|---|
| /api/admin/audit/analytics | GET | Analytics data. Query: tenant_id, period (daily/weekly/monthly) |
| /api/admin/audit/analytics/risk | GET | Risk score breakdown. Query: tenant_id |
SIEM Integration
Cloud OS instances support forwarding audit events to external SIEM systems in multiple formats:
| Format | Description |
|---|---|
| Syslog | Standard syslog format |
| CEF | Common Event Format (ArcSight, QRadar) |
| LEEF | Log Event Extended Format (IBM QRadar) |
Configure the SIEM export format on each Cloud OS instance under Security > SIEM.