User Account Activity Log

Cytomic Orion logs the actions taken by SOC analysts in the console outside of an investigation. For more information about the actions logged within the context of an investigation, see Activity Log Associated with an Investigation.

Access the User Activity Log

In the top menu, select Settings. In the side panel, select Activity log. The User activity log list opens.

User Activity Log list

  • Search tool (1): Searches the contents of the Action, User, and Action type fields. You can type a partial string. See Search Tools.

  • Grouping tool (2): Groups items in the list by the column you choose. For more information about the grouping tool, see Group Entries by Columns.

  • Sort list (3): To sort the list by a particular column, click the column header. Click the same header a second time to switch between ascending and descending order. See Sort Columns.

  • Export (4): Exports the contents of the list to a CSV file.

  • Side panel (5): Shows extended information about the items you select in the list. See Additional Information about Logged Events.

  • Center panel (6): Shows a list of actions that match the search criteria you entered. This table describes the columns included in the list:

Field Description

Date

Date of the logged action.

Action

Logged action along with the user account that started it and additional information. See Actions Logged in Cytomic Orion.

User

Name of the account that started the action. This column is not shown by default.

Action type

Type of logged action. This column is not shown by default.

Fields in the Activity Log list

Actions Logged in Cytomic Orion

Action type Description

Login

The user logged in to the console.

Logout due to inactivity

The console user did not take any action in two hours and was logged out of Cytomic Orion automatically for security reasons.

Logout

The user logged out of the console.

Create quick answer template/automatic investigation template/graph template

The user created the specified quick answer template, investigation template, or graph template.

Modify quick answer template/automatic investigation template/graph template

The user edited the specified quick answer template, investigation template, or graph template.

Delete quick answer template/automatic investigation template/graph template

The user deleted the specified quick answer template, investigation template, or graph template.

Update the description or category of a quick answer template/automatic investigation template/graph template

The user updated the description or the category of the specified quick answer template, investigation template, or graph template.

Rename quick answer template/automatic investigation template/graph template

The user renamed the specified quick answer template, investigation template, or graph template.

Copy quick answer template/automatic investigation template/graph template

The user copied the specified quick answer template or graph template.

Disable two-factor authentication

The user disabled two-factor authentication for their account.

Enable two-factor authentication

The user enabled two-factor authentication for their account.

Create hunting rule

The user created a hunting rule.

Modify hunting rule

The user modified a hunting rule.

Delete hunting rule

The user deleted a hunting rule.

Types of logged actions
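The action types above are what a SOC lead would review after exporting the list to CSV (Export (4)). The following Python script is an added example, not part of Cytomic Orion or its documentation: it parses a constructed export whose column names are assumed to mirror the Date, Action, User, and Action type columns, lists the security-relevant entries, and flags a user who disabled two-factor authentication and then deleted or modified a hunting rule shortly afterwards.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an exported activity log. The CSV header names are an
# assumption that mirrors the list's Date, Action, User and Action type columns.
SAMPLE_CSV = """Date,Action,User,Action type
2024-03-01 08:02:11,analyst1@example.com logged in,analyst1@example.com,Login
2024-03-01 08:30:45,analyst1@example.com modified hunting rule R1,analyst1@example.com,Modify hunting rule
2024-03-01 09:15:02,analyst2@example.com disabled two-factor authentication,analyst2@example.com,Disable two-factor authentication
2024-03-01 09:16:40,analyst2@example.com deleted hunting rule R7,analyst2@example.com,Delete hunting rule
2024-03-01 11:00:00,analyst1@example.com logged out,analyst1@example.com,Logout
"""

# Action types from the page that reduce account security or detection coverage.
REVIEW_TYPES = {"Disable two-factor authentication", "Delete hunting rule", "Modify hunting rule"}
RULE_CHANGE_TYPES = {"Delete hunting rule", "Modify hunting rule"}
WINDOW = timedelta(minutes=30)  # assumed review window after 2FA is disabled


def parse_activity_log(text):
    """Parse the export into dicts, converting Date to a datetime, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Date"] = datetime.strptime(r["Date"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["Date"])


def events_to_review(rows):
    """Every row whose Action type is in REVIEW_TYPES, as (user, action type)."""
    return [(r["User"], r["Action type"]) for r in rows if r["Action type"] in REVIEW_TYPES]


def mfa_off_then_rule_change(rows):
    """Users who disabled 2FA and then changed or deleted a hunting rule within WINDOW."""
    flagged = []
    for r in rows:
        if r["Action type"] != "Disable two-factor authentication":
            continue
        follow_ups = [x for x in rows
                      if x["User"] == r["User"]
                      and x["Action type"] in RULE_CHANGE_TYPES
                      and r["Date"] < x["Date"] <= r["Date"] + WINDOW]
        if follow_ups:
            flagged.append(r["User"])
    return flagged


if __name__ == "__main__":
    log = parse_activity_log(SAMPLE_CSV)
    print(events_to_review(log))
    print(mfa_off_then_rule_change(log))
```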

Additional Information about Logged Events

Field Description

Action

Logged action. See Actions Logged in Cytomic Orion.

Email

Email address of the user account that performed the logged action.

Role

Role of the user account that performed the logged action.

IP

Public IP address of the last network device the analyst used to log in to the console.

OrganizationID

ID of the SOC/MSSP that the user account belongs to.

NotebookId

ID of the document on which the operation was performed.

OldNotebookDescription

Notebook description before it was edited.

NewNotebookDescription

New description associated with the notebook.

NotebookName

Name of the notebook on which the operation was performed.

DocumentName

Name of the document on which the operation was performed.

OldNotebookName

Notebook name before it was edited.

NewNotebookName

New notebook name.

ImageId

ID of the Jupyter image that was used as the basis for the notebook.

DocumentId

ID of the document on which the operation was performed.

DocumentVersionid

ID of the internal version number of the document.

DocumentIsManualSave

  • True: The document was saved manually.

  • False: The document was saved automatically.

OldCategoryId

Notebook category before it was edited.

NewCategoryId

New notebook category.

Discriminator

Type of document on which the operation was performed.

  • 0: Not set

  • 1: Document

  • 2: Template

  • 3: Quick answer

  • 4: Graph

  • 5: OSQuery

SourceNotebookId

ID of the notebook that was copied.

TargetNotebookId

ID of the new, copied notebook.

Fields in the right panel