From b4e649cad81ebf4254ce0909b5048934a0761ee1 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Tue, 18 Mar 2025 10:36:22 +0530 Subject: [PATCH 1/5] Export search results - audit event --- .../search-basics/export-search-results.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index 359c89a9c0..e7c13a061e 100644 --- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md @@ -29,3 +29,7 @@ You can export message fields to a CSV file, either just the fields displayed, o Click the gears icon in the top-right corner of the **Messages** tab, and then select **Export** **(Display Fields)** to export only the messages displayed, or **Export (All Fields)** to export all message fields. If the export is successful, your browser will automatically download the data and save it to a CSV file. ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png) + +:::info +Audit events will be generated for every search results export (displayed fields or all fields). Administrators can now view these audit events to ensure that no sensitive data is exported. +::: \ No newline at end of file From ca3f5b18df5ed2bcd220565fc8e8d6be332976a4 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Tue, 18 Mar 2025 10:38:06 +0530 Subject: [PATCH 2/5] minor fix --- .../search-basics/export-search-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index e7c13a061e..7b19591b7b 100644 
--- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md @@ -31,5 +31,5 @@ Click the gears icon in the top-right corner of the **Messages** tab, and then ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png) :::info -Audit events will be generated for every search results export (displayed fields or all fields). Administrators can now view these audit events to ensure that no sensitive data is exported. +Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` to view these audit events to ensure that no sensitive data is exported. ::: \ No newline at end of file From f5151d703a5baeb809dcfeb59fcb40544886e07e Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 19 Mar 2025 11:04:17 +0530 Subject: [PATCH 3/5] Update docs/search/get-started-with-search/search-basics/export-search-results.md Co-authored-by: John Pipkin (Sumo Logic) --- .../search-basics/export-search-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index 7b19591b7b..bb1ee782a6 100644 --- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md 
@@ -31,5 +31,5 @@ Click the gears icon in the top-right corner of the **Messages** tab, and then ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png) :::info -Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` to view these audit events to ensure that no sensitive data is exported. +Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported. ::: \ No newline at end of file From 5b3054ad0cad3f07f02d7138339deda786fd914c Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 19 Mar 2025 11:04:54 +0530 Subject: [PATCH 4/5] Update docs/search/get-started-with-search/search-basics/export-search-results.md --- .../search-basics/export-search-results.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index bb1ee782a6..f9f076c7c4 100644 --- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md 
@@ -31,5 +31,5 @@ Click the gears icon in the top-right corner of the **Messages** tab, and then ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png) :::info -Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported. +Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported. ::: \ No newline at end of file From 3faa88a2b694475792938fcc2bc7b41ba39cf91d Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Tue, 25 Mar 2025 15:39:30 +0530 Subject: [PATCH 5/5] Update export-search-results.md --- .../search-basics/export-search-results.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index f9f076c7c4..0ea63e9419 100644 --- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md @@ -32,4 +32,32 @@ Click the gears icon in the top-right corner of the **Messages** tab, and then :::info Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported. -::: \ No newline at end of file + +
+ Sample log message + ```json + { + "userIdentity":{ + "userId":"00000000001***1", + "userEmail":"***.****@sumologic.com" + }, + "searchExportIdentity":{ + "exportId":"67C19***5BB4D96" + }, + "sessionId":"0FF9*****B09F", + "searchQuery":"_sourcecategory \**00 \"kubernetes/system\" \"error\"\n| where _pid \u003* \"****\"", + "exportedCount":11, + "location":"service UI raw", + "status":"SUCCESS", + "eventType":"Audit", + "severityLevel":"Info", + "accountId":"00000000005****7", + "eventId":"da6a5a2b-****-****-b01c-b63dba93fa66", + "eventName":"SearchExported", + "eventTime":"2025-03-24T15:49:27.664Z", + "eventFormatVersion":"1.0 beta", + "subsystem":"content" + } + ``` +
+:::
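Review bot: In PATCH 1/5, the phrase "to ensure that no sensitive data is exported" overstates what the audit event gives an administrator: the event is recorded once the export has already happened, so reviewing it lets an admin detect that sensitive data left the system, not prevent it. Suggest "to review what was exported and by whom". Two smaller points in the same hunk: "can now view" will date the page once the feature is no longer new, and the added `:::` closes without a trailing newline ("\ No newline at end of file"), which is worth fixing while the file is open.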
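Review bot: In PATCH 2/5, `_sourceCategory=content` on its own matches every audit event emitted by the content subsystem, not only search exports, so a reader following this sentence literally gets a much broader result set than the note promises. The filter needs a second condition that selects export events specifically; a later commit in this series adds one, so this hunk's wording is only an intermediate state, but the final text should still present the full filter rather than the bare source category.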
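Review bot: In PATCH 4/5, the two query fragments use different operator syntax (`_sourceCategory=content` with `=`, `eventName:"SearchExported"` with `:`) and are joined by the word "with", which leaves the reader to guess how to combine them into one runnable search. Suggest showing the complete query in a single code span exactly as it should be pasted, and stating which index it is run against, since the linked audit-event-index page is where that scope is explained.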
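Review bot: In PATCH 5/5, the sample block is fenced as ```json but is not valid JSON: masking has been applied inside escape sequences in the `searchQuery` value (`\**00` and `\u003*`), and `\*` is not a legal JSON escape while `\u003*` is an incomplete unicode escape. Suggest redacting whole values with a plain placeholder outside any escape, e.g. `"searchQuery":"<redacted query>"`, so the sample parses and a reader can copy it into a test. Also worth a sentence in the surrounding text: `searchQuery` and `exportedCount` are the fields an administrator actually inspects to judge what left the system, and `searchQuery` reproduces the user's full query text, so the audit event itself can carry sensitive terms and should be access-controlled accordingly. Finally, confirm `"eventFormatVersion":"1.0 beta"` is the value the product emits and not a pre-release artifact in the sample.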