Examples of queries for humio-audit
The following examples are queries you can run on the event data in the humio-audit repository.
Organization Access
Use this query to see who has access to an organization. Add the actor filter if you are running it on the cluster-wide view across multiple organizations.
```logscale
//only needed for cluster-wide audit view
//actor.organizationId = ?OrgId OR organizationId = ?OrgId
case { repoName != * | repoName := viewName; *} // rename field for reporting
| case {
// types that are not standard cluster operations
in(field="type", values=["eventforwarder.*", "eventforwardingrule.*", "featureflag.user.*", "fleet.*", "group.*", "tokens*", "identityProvider", "ingest*", "login.bridge.*", "organizations*", "query-quota.set", "repo*", "role.*", "s3-archiving.*", "sessions.*", "subdomain.*", "user.*", "view*"]);
// types that imply repo data access
repoName=* | in(field="type", values=["*action.*", "alert.*", "*dashboard.*", "dataspace.query", "delete.events", "filterAlert.*", "package.*", "parser.*", "saved-query.*", "scheduled-search.*", "*file.*"])
}
| groupBy([actor.user.username, type, repoName], function=[count(type), max(@timestamp)], limit=max)
| format(format="%s (%s)", field=[type, _count], as="typeCount")
| last_login:=formatTime("%F", field=_max)
| groupBy([actor.user.username, repoName], function=[collect(typeCount), sum(_count), selectLast(last_login)], limit=max)
```
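To see what shape of result the query above produces, here is an added Python re-implementation of its type filter and two groupBy() stages, run over a few constructed audit events; it is not part of the page's query or of LogScale. Events with neither repoName nor viewName are kept under a repo of None here, which is an assumption of this example; check how groupBy() in your LogScale version treats events that lack a grouping field.

```python
import fnmatch
from collections import OrderedDict
from datetime import datetime, timezone

# Type lists copied from the page's query. "*" matches any run of characters.
CLUSTER_TYPES = ["eventforwarder.*", "eventforwardingrule.*", "featureflag.user.*", "fleet.*",
                 "group.*", "tokens*", "identityProvider", "ingest*", "login.bridge.*", "organizations*",
                 "query-quota.set", "repo*", "role.*", "s3-archiving.*", "sessions.*", "subdomain.*",
                 "user.*", "view*"]
REPO_TYPES = ["*action.*", "alert.*", "*dashboard.*", "dataspace.query", "delete.events", "filterAlert.*",
              "package.*", "parser.*", "saved-query.*", "scheduled-search.*", "*file.*"]

# Constructed sample audit events (ms epoch timestamps), not real humio-audit data.
EVENTS = [
    {"@timestamp": 1700000000000, "type": "login.bridge.success", "actor.user.username": "alice"},
    {"@timestamp": 1700003600000, "type": "dataspace.query", "repoName": "humio-audit", "actor.user.username": "alice"},
    {"@timestamp": 1700007200000, "type": "dataspace.query", "repoName": "humio-audit", "actor.user.username": "alice"},
    {"@timestamp": 1700010800000, "type": "alert.create", "viewName": "prod-view", "actor.user.username": "bob"},
    {"@timestamp": 1700014400000, "type": "cluster.node.join", "actor.user.username": "system"},
]

def in_types(value, patterns):
    # Equivalent of in(field="type", values=[...]) with glob wildcards, case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def summarize_access(events):
    """Replay the page's query: filter by type, then the two groupBy() stages."""
    per_type = OrderedDict()  # (user, type, repo) -> [count, max_ts]
    for ev in events:
        repo = ev.get("repoName", ev.get("viewName"))  # case { repoName != * | repoName := viewName; * }
        kept = in_types(ev["type"], CLUSTER_TYPES) or (repo is not None and in_types(ev["type"], REPO_TYPES))
        if not kept:
            continue  # e.g. cluster.node.join is a standard cluster operation, not access
        key = (ev["actor.user.username"], ev["type"], repo)
        cnt_max = per_type.setdefault(key, [0, 0])
        cnt_max[0] += 1                                   # count(type)
        cnt_max[1] = max(cnt_max[1], ev["@timestamp"])    # max(@timestamp)
    result = OrderedDict()  # (user, repo) -> {"typeCount": [...], "_sum": n, "last_login": "YYYY-MM-DD"}
    for (user, typ, repo), (count, max_ts) in per_type.items():
        row = result.setdefault((user, repo), {"typeCount": [], "_sum": 0, "last_login": None})
        row["typeCount"].append("%s (%s)" % (typ, count))  # format(...) as typeCount, then collect()
        row["_sum"] += count                                # sum(_count)
        # selectLast(last_login): the value from the row seen last, not necessarily the latest date.
        row["last_login"] = datetime.fromtimestamp(max_ts / 1000, tz=timezone.utc).strftime("%Y-%m-%d")
    return result

if __name__ == "__main__":
    for (user, repo), row in summarize_access(EVENTS).items():
        print(user, repo or "<no repo>", row)
```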