Filter to specific logs

I’m looking into specific categories of logs (authentication logs, create/change/revoke perms, group membership changes, privileged access logs) in order to monitor those specific behaviors.

Is there any guidance available about the fields to filter the logs for, to obtain the above set/categories?

Audit log categories are present in audit.3 logs, but not all audit.2 logs are tagged with those categories, while (as of today) audit.2 logs are still the recommended logs to analyze.
https://www.palantir.com/docs/foundry/security/audit-log-categories/

Hi Vincent. According to the docs (https://www.palantir.com/docs/foundry/security/audit-logs-overview/#audit2-logs) even Audit V2 logs may present an audit category in them.

If the category is missing for some of those operations, you could do a histogram on your audit dataset on the column “name” and see all the events that are present in the logs. Most of the events should have suggestive names that you could use to detect if they are relevant for the operations you are interested in.
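
The histogram approach suggested in the answer above, as an added example that is not part of the original posts and not Palantir's code: it counts the `name` values of records that carry no category, then sorts those names into the four behaviors from the question using keyword hints. The sample rows, the `categories` field name and the keyword lists are constructed assumptions to adapt to your own audit dataset.

```python
from collections import Counter

# Constructed sample rows; real audit records carry many more fields.
# "name" is the column mentioned in the answer; "categories" is an assumed field name.
SAMPLE_ROWS = [
    {"name": "loginWithPassword", "categories": ["constructed-category"]},
    {"name": "createToken", "categories": []},
    {"name": "createToken", "categories": []},
    {"name": "addGroupMembers", "categories": None},
    {"name": "revokeRole"},
    {"name": "getDataset"},
    {"name": "getDataset"},
    {"name": "getDataset"},
]

# Assumed keyword hints per behavior of interest; refine after reading the histogram.
KEYWORD_HINTS = {
    "authentication": ("login", "logout", "token", "auth"),
    "permission changes": ("permission", "role", "grant", "revoke"),
    "group membership": ("group", "member"),
    "privileged access": ("admin",),
}


def uncategorized_histogram(rows):
    """Count event names among rows that have no category tag."""
    return Counter(r["name"] for r in rows if not r.get("categories"))


def triage(histogram):
    """Bucket event names by keyword; unmatched names are left for manual review."""
    buckets = {bucket: [] for bucket in KEYWORD_HINTS}
    buckets["review manually"] = []
    for name, count in histogram.most_common():
        lowered = name.lower()
        hits = [b for b, kws in KEYWORD_HINTS.items()
                if any(k in lowered for k in kws)]
        for bucket in hits or ["review manually"]:
            buckets[bucket].append((name, count))
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(uncategorized_histogram(SAMPLE_ROWS)).items():
        print(bucket, names)
```

High-count names that land in "review manually" are usually routine reads; low-count names there are the ones worth inspecting by hand before deciding they are irrelevant.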