Collect security logs
ThoughtSpot Software provides security audit events related to account activities and user actions within ThoughtSpot. These events can help your SOC team detect potential security threats or compromised user accounts in your organization.
How to fetch security events
To fetch security events from ThoughtSpot, you can push the logs to your SIEM server.
Push to your SIEM server
ThoughtSpot’s human-readable and comprehensive events can be shipped to your SIEM application in near real-time. Security events remain within the system for 30 days. To integrate with your SIEM or view these logs, contact ThoughtSpot Support.
ThoughtSpot also supports log ingestion to the customer SIEM system. We support multiple output plugins which can be configured to push the security audit events to the configured destination SIEM server at an interval of every 5 seconds.
ThoughtSpot supports the following output plugin options:
-
HTTP
-
Splunk
-
Azure Log Analytics
-
Datadog
ThoughtSpot security events
ThoughtSpot security events include the following information:
-
An event ID
-
A unique description of the event (for example, “A user account was created”)
-
Timestamp (in UTC) yyyy/mm/dd:hh:mm:ss
-
User ID of the person initiating the event
-
IP of the user (public IP of the system from which the request comes to ThoughtSpot)
-
Fields specific to the event (for example, name of the new account)
Event descriptions
ThoughtSpot defines these events as follows:
- Account logout
-
A user logs out from ThoughtSpot.
- Answer creation
-
A user attempts to create a new answer.
- Answer deletion
-
A user attempts to delete an answer.
- Answer update
-
A user attempts to modify an existing answer.
- Row-level security (RLS) rule creation
-
A user creates an RLS rule on a table.
- RLS rule deletion
-
A user deletes an RLS rule on a table.
- Failed login
-
A user fails to log in due to an incorrect password, or IDP/ADP deny the authentication request.
- Failed logout
-
User logout failed.
- Group creation
-
A user creates a new group, either manually through the Admin Portal, or through the internal API.
- Group deletion
-
A user deletes a group, either manually through the Admin Portal, or through the internal API.
- Group modification
-
A user modifies the properties of a group, either in Admin Portal or over internal API. (Properties include group name, display name, and sharing visibility.)
- Group principals update
-
A user successfully or unsuccessfully attempts to add or remove users or groups from a group.
- Locked account
-
A local user fails to authenticate x times in a row, locking the account. Administrators can configure the number of authentication attempts before lockout within ThoughtSpot.
- Password change
-
A user successfully or unsuccessfully attempts to change their password.
- Password update failure
-
A user fails to update their password.
- Pinboard creation
-
A user attempts to create a new Pinboard.
- Pinboard deletion
-
A user attempts to delete a Pinboard.
- Pinboard update
-
A user attempts to modify an existing Pinboard.
- Privilege change
-
A user adds or removes one or several privileges from a group.
- Profile change
-
A user profile changes, either manually in the Admin Portal or over SAML sync.
- RLS rule update
-
A user modifies an RLS rule on a table.
- Successful login
-
A local, IDP or AD user logs in to ThoughtSpot.
- Table creation
-
A user attempts to create a new table.
- User account activation
-
User account activation attempted.
- User account creation
-
A new user creates an account, either manually in the Admin Portal or through the internal API.
- User account deletion
-
A user account is deleted, either manually in the Admin Portal or through the internal API.