Skip to main content

Cloud SIEM Audit Logging

The Audit Event Index provides event logs in JSON format on your account activity so you to monitor and audit changes. By default the Audit Event Index is enabled for Cloud SIEM and Enterprise accounts. 


This page describes functionality that is available to users whose Cloud SIEM URL ends in

Where to find the documentation  

The audit logging documentation is hosted on each Sumo Logic deployment. Sumo Logic has several deployments that are assigned depending on the geographic location and the date an account is created. If you're not sure what what your deployment is, see how to determine which endpoint to use.

Select the documentation link for your deployment:

DeploymentLocationDocumentation URL
US1United States
US2United States

This section explains how to scope a search of the Audit Event Index to return Cloud SIEM events.

Limit search to user or system events

Cloud SIEM audit events are stored in two Partitions:

  • sumologic_audit_events. This index contains user action events, which are events that were triggered by a user action, either from the UI or an API. For example, a user created an Insight from a Signal using the Cloud SIEM UI.
  • sumologic_system_events. This index contains system action events, which are events that were triggered by the system. For example, an Insight was generated by Cloud SIEM.

Use _index=sumologic_audit_events to limit results to events related to user actions

Use  _index=sumologic_system_events to limit results to events related to system actions.

Limit search to Cloud SIEM events

You can use the subsystem field, which every event log contains, to limit the events returned to Cloud SIEM-related events:


For information about other fields you can use in Audit Index searches, see auto-generated documentation at the documentation URL for your deployment.

Limit search by Cloud SIEM feature

The table below shows the _sourceCategory that is assigned to event logs by Cloud SIEM feature.

Product Feature_sourceCategory Value
Aggregation RulecseRule
Configure Assigned Insight Emails
(Relates to the option, on the Actions page, that causes a user to receive an email whenever another user assigns an Insight to them.)
Chain RulecseRule
Cloud SOAR IncidentcseCloudSoar
Context ActioncseContextAction
Custom Entity TypecseCustomEntityType
Custom InsightcseCustomInsight
Custom Match List ColumncseCustomMatchListColumn
Custom Tag SchemacseCustomTagSchema
Customer Sourced Entity Lookup TablecseCustomerSourcedEntityLookupTable
Entity Criticality ConfigcseEntityCriticalityConfig
Entity Domain ConfigurationcseEntityNormalization
Entity Group ConfigurationcseEntityGroupConfiguration
Entity NotecseEntityNote
Favorite FieldcseFavoriteField
First Seen RulecseRule
Insight CommentcseInsightComment
Inventory Entity Lookup TablecseInventoryEntityLookupTable
Log MappingcseLogMapping
Match ListcseMatchList
Match RulecseRule
MITRE ATT&CK CoveragecseMitreAttackCoverage
Network BlockcseNetworkBlock
Outlier RulecseRule
Rule Tuning ExpressioncseRuleTuningExpression
Streaming Export ConfigurationcseStreamingExportConfiguration
Sumo MappingcseSumoMapping
Suppressed ListcseSuppressList
Templated Match RulecseRule
Threat Intel Source
(Applies to all source types on the Threat Intel page.)
Threat Intel Source PollcseThreatIntelSource
Threshold RulecseRule
Virus Total ConfigurationcseConfiguration
Yara RulecseYara
Yara SourcecseYara

_sourceName and _sourceHost assignment

The _sourceName and _sourceHost fields are assigned to audit event logs as follows.

Metadata FieldAssignment Description
_sourceNameValue of the common parameter, eventName.
_sourceHostThe remote IP address of the host that made the request. If not available the value will be no_sourceHost.

Common parameters

Each audit event log has common keys that categorize it to a product area and provide details of the event.

ParameterDescriptionData Type
accountIdThe unique identifier of the organization.String
eventIdThe unique identifier of the event.String
eventNameThe name of the event.String
eventTimeThe event timestamp in ISO 8601 format.String
eventFormatVersionThe event log format version.String
operatorInformation of who did the operation. If it's missing, the Sumo service was the operator.JSON object of Strings
subsystemThe product area of the event.String

Search the Audit Event Index 

To search the Audit Event Index for logs that describe Cloud SIEM events:

  1. Start a log search.
  2. In the search tab, enter a search using _index to specify the partition you want to search, and other metadata or fields to further scope your search. For example:
    | json auto
    | where subsystem="cse"
  3. Choose the time range for your search.
  4. Click Start to run the search.

Example event log

Here is an example InsightCreated event log.

Index retention period 

By default, the retention period of the Audit Event Index is the same as the retention period of your Default Partition. You can change the retention period by editing the relevant partitions, sumologic_audit_events and sumologic_system_events. For more information, see Create and Edit a Partition.

Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.