Collect security logs

ThoughtSpot Cloud provides security audit events related to account activities and user actions within ThoughtSpot. These events can help your SOC team detect potential security threats or compromised user accounts in your organization.

How to fetch security events

To fetch security events from ThoughtSpot, you can push the logs to your SIEM server, or pull the logs using the Audit Logs API.

Push to your SIEM server

ThoughtSpot’s human-readable and comprehensive events can be shipped to your SIEM application in near real-time. Security events remain within the system for 30 days. To integrate with your SIEM or view these logs, contact ThoughtSpot Support.

ThoughtSpot also supports log ingestion to the customer SIEM system. We support multiple output plugins which can be configured to push the security audit events to the configured destination SIEM server at an interval of every 5 seconds.

ThoughtSpot supports the following output plugin options:

HTTP
Splunk
Azure Log Analytics
Datadog

Pull via Audit Logs API

The ThoughtSpot log API service allows you to programmatically get security audit events from the ThoughtSpot system. To use this API, make sure you have admin user privileges.

For more information, see Audit logs API.

ThoughtSpot security events

ThoughtSpot security events include the following information:

An event ID
A unique description of the event (for example, “A user account was created”)
Timestamp (in UTC) yyyy/mm/dd:hh:mm:ss
User ID of the person initiating the event
public IP of the system from which the request originates
Fields specific to the event (for example, name of the new account)

Security events

The possible events are:

ACCOUNT_LOCKED
AUTH_TOKEN_CREATED_SUCCESSFULLY
CREATE_ANSWER
CREATE_CONNECTION
CREATE_CONNECTION_ATTEMPTED
CREATE_PINBOARD
CREATE_RLS_RULE
CREATE_TABLES
CSV_UPLOAD_FINISHED
CSV_UPLOAD_STARTED
DATA_UPLOAD_CONFIGURED
DELETE_ANSWERS
DELETE_CONNECTION
DELETE_CONNECTION_ATTEMPTED
DELETE_PINBOARDS
DELETE_RLS_RULES
EDIT_CONNECTION
EDIT_CONNECTION_ATTEMPTED
FAILED_TO_CREATE_AUTH_TOKEN
LOGIN_FAILED
LOGIN_SUCCESSFUL
LOGOUT_FAILED
LOGOUT_SUCCESSFUL
PRINCIPALS_IN_GROUP_UPDATE
PRIVILEGE_CHANGES
ROLE_CREATED
ROLE_DELETED
ROLE_UPDATED
ROLES_ASSIGNED
ROLES_IMPORTED
ROLES_REMOVED
SHARE_OBJECTS
UPDATE_ANSWERS
UPDATE_PASSWORD
UPDATE_PASSWORD_FAILED
UPDATE_PINBOARDS
UPDATE_RLS_RULE
USER_ACTIVATE
USER_GROUPS_CREATED
USER_GROUPS_DELETED
USER_GROUP_MODIFIED
USERS_CREATED
USERS_DELETED
USERS_MODIFIED

Event descriptions

ThoughtSpot defines these events as follows:

ACCOUNT_LOCKED: A local user fails to authenticate x times in a row, locking the account. Administrators can configure the number of authentication attempts before lockout within ThoughtSpot.

AUTH_TOKEN_CREATED_SUCCESSFULLY: Auth token creation succeeds.

CREATE_ANSWER: A user attempts to create a new Answer.

CREATE_CONNECTION: Connection created.

CREATE_CONNECTION_ATTEMPTED: Create connection attempted.

CREATE_PINBOARD: A user attempts to create a new Liveboard.

CREATE_RLS_RULE: A user creates an RLS (row-level-security) rule on a table.

CREATE_TABLES: A user attempts to create a new table.

CSV_UPLOAD_FINISHED: CSV upload finishes.

CSV_UPLOAD_STARTED: CSV upload starts.

DATA_UPLOAD_CONFIGURED: Data upload configured for a connection.

DELETE_ANSWERS: A user attempts to delete an Answer.

DELETE_CONNECTION: Connection deleted.

DELETE_CONNECTION_ATTEMPTED: Connection deletion attempted.

DELETE_PINBOARDS: A user attempts to delete a Liveboard.

DELETE_RLS_RULES: A user deletes an RLS rule on a table.

EDIT_CONNECTION: Connection edited.

EDIT_CONNECTION_ATTEMPTED: Connection edit attempted.

FAILED_TO_CREATE_AUTH_TOKEN: Auth token creation fails.

LOGOUT_FAILED: User logout failed.

LOGOUT_SUCCESSFUL: A user logs out from ThoughtSpot.

PRINCIPALS_IN_GROUP_UPDATE: A user successfully or unsuccessfully attempts to add or remove users or groups from a group.

PRIVILEGE_CHANGES: A user adds or removes one or several privileges from a group.

ROLE_CREATED: Role creation attempted.

ROLE_DELETED: Role deletion attempted.

ROLE_UPDATED: Role update attempted.

ROLES_ASSIGNED: Roles assignment to group attempted.

ROLES_IMPORTED: Roles import attempted.

ROLES_REMOVED: Removal of roles from group attempted.

UPDATE_ANSWERS: A user attempts to modify an existing Answer.

UPDATE_PASSWORD: A user successfully or unsuccessfully attempts to change their password.

UPDATE_PASSWORD_FAILED: A user fails to update their password.

UPDATE_PINBOARDS: A user attempts to modify an existing Liveboard.

UPDATE_RLS_RULE: A user modifies an RLS rule on a table.

USER_ACTIVATE: A user attempts to activate their account.

USER_GROUPS_CREATED: A user creates a new group, either manually through the Admin Portal, or through the internal API.

USER_GROUPS_DELETED: A user deletes a group, either manually through the Admin Portal, or through the internal API.

USER_GROUP_MODIFIED: A user modifies the properties of a group, either in Admin Portal or over internal API. (Properties include group name, display name, and sharing visibility.)

USERS_CREATED: A new user creates an account, either manually in the Admin Portal or through the internal API.

USERS_DELETED: A user account is deleted, either manually in the Admin Portal or through the internal API.

USERS_MODIFIED: A user profile changes, either manually in the Admin Portal or over SAML sync.

Free Trial events

The possible Free Trial events are:

TRIAL_USER_CREATE
TRIAL_USER_DELETE
TRIAL_USER_END
TRIAL_USER_EXPIRE
TRIAL_USER_EXTEND
USER_INVITED

Event descriptions

TRIAL_USER_CREATE: A user successfully or unsuccessfully attempts to create a Free Trial account.

TRIAL_USER_DELETE: A user successfully or unsuccessfully attempts to delete a Free Trial account.

TRIAL_USER_END: A user attempts to end their trial.

TRIAL_USER_EXPIRE: A Free Trial account expires.

TRIAL_USER_EXTEND: A user attempts to extend their trial.

USER_INVITED: A user is invited to ThoughtSpot for a free trial.

Team Edition events

The possible Team Edition events are:

TEAM_CHANGE_SUBSCRIPTION
TEAM_EDITION_USER_DELETE
TEAM_EDITION_USER_EXPIRE
USER_CHANGE_SUBSCRIPTION

Event descriptions

TEAM_CHANGE_SUBSCRIPTION: The team subscription changes.

TEAMS_EDITION_USER_DELETE: A Team Edition user successfully or unsuccessfully attempts to delete an account.

TEAM_EDITION_USER_EXPIRE: A Team Edition user account expires.

USER_CHANGE_SUBSCRIPTION: A user attempts to change a subscription.

Org events

The possible Orgs events are:

ORG_ACCESS_GRANTED_TO_USER
ORG_CREATION_FAILED
ORG_CREATION_SUCCESSFUL
ORG_DELETION_FAILED
ORG_DELETION_SUCCESSFUL
ORG_SWITCH_FAILED
ORG_SWITCH_SUCCESSFUL

Event descriptions

ORG_ACCESS_GRANTED_TO_USER: User added to an Org.

ORG_CREATION_FAILED: Org creation failed.

ORG_CREATION_SUCCESSFUL: Successfully created an Org.

ORG_DELETION_FAILED: Org deletion failed.

ORG_DELETION_SUCCESSFUL: Successfully deleted an Org.

ORG_SWITCH_FAILED: Failed to switch Org for user.

ORG_SWITCH_SUCCESSFUL: Successfully switched Org.

Was this page helpful?Give us feedback!

ThoughtSpot is the Modern Analytics Cloud company. Our Live Analytics services deliver personalized, actionable insights at the point of impact for every user, at every level.

Product

By Role

By Department

Solutions

About Us

Connect

(800) 508-7008