System Audit Logs

CloudGuard keeps a full audit log of all accesses to your environments and of each action done on the account. This page shows a record of all actions taken by the system. For example, you opened a lease for two hours. After two hours, CloudGuard closed the lease.

CloudGuard keeps your system audit logs for three years.

To see the system audit logs:

Navigate to Events > Operational > System Audit Logs.
In the table, below the Cloud Account ID column, select an account ID to see its details. The Details window opens.

In addition to the event name and time, the log's details show this important information:
- Cloud Account ID - The cloud account ID on which the action was done.
- Event Name - The type of event on the cloud account, such as "API key created" or "Security group change detected".
- Time - The date and time the event occurred.
- Description - Details of the system audit such as changed tags, owner, and compliance.

To export the system audit logs:

Navigate to Events > Operational > System Audit Logs.
Below the logs table, click .

Note - The export table is limited to 10,000 events.

System Events

Events

You can configure CloudGuard to send audit log messages to an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. SNS topic. The table below lists the messages.

Message-EventType	Audit parent type	Audit child type	Description
AccountLicenseUpdatedEvent	CloudGuard account	Account license updated	The licensing plan was updated.
CrossAccountIdentifierCreatedEvent	CloudGuard account	Cross account identifier was generated	A cross-account identifier was generated for the account (for MSP)
AlertTriggeredEvent	Alerts events	Alert triggered	Alert was triggered on a security group
AlertClosedEvent	Alerts events	Alert resolved	Alert was resolved on a security group
AlertUpdatedEvent	Alerts events	Alert updated	Alert content was updated on a security group
InvalidAwsCredentialsEvent	Cloud account	Invalid cloud credentials	The cloud account has invalid credentials
AwsCredentialsValidatedEvent	Cloud account	Cloud credentials validated	The cloud account that had invalid credentials is now valid
CloudSecGroupTamperDetectedEvent	Cloud security groups	Security group tamper detected and handled	A change was detected on a fully protected security group and it was reverted
CloudSecGroupChangesDetectedEvent	Cloud security groups	Security group change detected	A change was detected on a read-only security group
CloudSecGroupImportedEvent	Cloud security groups	Security group imported	Security group was imported from your cloud account
AwsLeaseEndedEvent	Cloud access leases	Access lease ended	An access lease was ended when the period finished
LeaseTerminatedEvent	Cloud access leases	Access lease terminated	An access lease was terminated manually by the user
ServerStateChangedEvent	CloudGuard Agents	Agent state changed	Agent state changed from state to state
AwsLeaseEndedEvent	CloudGuard access leases	Access lease ended	An access lease was ended when the period finished
LeaseTerminatedEvent	CloudGuard access leases	Access lease terminated	An access lease was terminated manually by the user
ApiKeyCreatedEvent	Users management	API Key created	API key was created for a user
SSOUserLogOnFailureEvent	Users	SSO Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. login failed	SSO login failed by a user
UserRoleCreatedEvent	User role event	User role created	The new role was created
UserRoleUpdatedEvent	User role event	User role updated	Role permissions were updated
AzureCloudAccountAddEvent	Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Cloud Account	Azure Cloud Account created	New Azure cloud account was added to CloudGuard Console
AzureSecurityGroupImportedEvent	D9 Azure security group event	Azure network security group imported	New Azure security group imported
AzureSecurityGroupUpdatedEvent	D9 Azure security group event	Azure network security group change detected	Change detected on network security group