Audit logs

Audit logs document changes in a system. In the case of ReachFive, audit logs capture when certain events occur in your ReachFive account.

Currently, you can produce audit logs for the Action(s) listed below.

All security-related (settings-update) updates are detected automatically.
Action            Description
console:login     Login on the console.
jobs:create       Creating an export job.
jobs:copy         Copying an export job.
jobs:update       Updating an export job.
jobs:delete       Deleting an export job.
jobs:execution    Deleting an export job.
clients:create    Creating a Client.
clients:update    Updating a Client.
clients:delete    Deleting a Client.
users:update      Updating a User.
users:delete      Deleting a User.
settings:update   Updating security settings such as rate limits, SSO, password policy, user lockouts and/or activating (or deactivating) account features. These security-related updates are detected automatically.

Why is this useful?

Having audit logs available makes it easier to track changes in your system. They act as an important security mechanism, automatically informing you of changes in the system each time they occur. If, for example, someone unexpectedly exports user profiles, you are automatically informed via the audit logs and could potentially prevent a data breach.

Create Pub/Sub hook from console

The Pub/Sub hook that you create in the ReachFive Console is triggered after an event is generated, in the same way as a typical Post-event webhook.

In order for an audit log to be produced for a specified event, you must first create a Pub/Sub hook in the ReachFive Console.

Prerequisites

  • You must have access to the ReachFive Console.

  • You must have a Developer, Manager, or Administrator role.

  • You must have the Pub/Sub Hooks feature enabled.

Instructions

  1. Log in to your ReachFive Console.

  2. Go to Settings > Pub/Sub Hooks > Audit Logs.

  3. Select New Pub/Sub hook or edit an existing Pub/Sub Hook.

  4. Enable your Pub/Sub hook.

  5. From the drop-down menu, choose the Action(s) that will trigger the Pub/Sub hook.

    Action(s)

    Name                                  Description
    login                                 Emitted after a successful authentication.
    signup                                Emitted after a successful signup.
    managed_user_created                  Emitted after a new user is successfully created through the Management API.
    unlink                                Emitted after a successful unlink identity.
    email_updated                         Emitted after a successful email update.
    phone_number_updated                  Emitted after a successful phone number update.
    phone_number_verified                 Emitted after a successful phone number verification.
    password_reset_requested              Emitted after a successful password reset request.
    password_changed                      Emitted after a successful password change.
    password_reset                        Emitted after a successful password reset process.
    profile_compromised                   Emitted when the IFP module detects a compromised profile.
    otp_sent                              Emitted after a one-time password (OTP) is successfully sent (via SMS or email) for verification. This includes OTPs for Two-factor authentication (2FA) flows.
    login_not_matching_password           Emitted after an unsuccessful login attempt due to the password not matching.
    login_matching_password               Emitted after a successful login via the /password/login call.
    user_updated                          Emitted after a successful user update.
    user_deleted                          Emitted after a successful user deletion. We retain the user_deleted event type for a certain period of time after a user profile is deleted.
    user_updated_by_merge                 Emitted after a successful merge (for the updated user).
    user_deleted_by_merge                 Emitted after a successful merge (for the deleted user).
    email_verified                        Emitted after a successful email verification.
    phone_number_verified                 Emitted after a successful mobile number verification.
    user_created                          Emitted after successfully creating a new Lite profile.
    authorization_refused                 Emitted after an unsuccessful authorization attempt.
    authorization_deleted                 Emitted after authorization was deleted.
    authorization_granted                 Emitted after authorization was successfully granted.
    lite_merged_into_managed              Emitted after a lite profile was successfully merged into a managed profile.
    login_2nd_step                        Emitted after the user has successfully logged in using the Two-factor authentication (2FA) flow.

    ACCOUNT PROTECTION
    user_suspended                        Emitted after a successful user account suspension.
    user_unsuspended                      Emitted after a successful user account unsuspension.
    login_successful_suspended_account    Emitted after an unsuccessful login attempt on a suspended account with the correct credentials.
    signup_compromised                    Emitted when a user profile is created with a suspicious IP.

    WEBHOOK FAILURES
    pre_event_failure                     Emitted when a failure occurred in the pre-event webhook. Currently, you can only set up PubSub hooks to trigger based on this event. It’s not possible on standard pre/post event webhooks.
    post_event_failure                    Emitted when a failure occurred in the post-event webhook. Currently, you can only set up PubSub hooks to trigger based on this event. It’s not possible on standard pre/post event webhooks.

    RETRY FAILURE EVENTS
    email_failure                         Emitted if there is an error while sending an email. Occurs after the provider responds with an error after the 3rd attempt.
    sms_failure                           Emitted if there is an error while sending an SMS. Occurs after the provider responds with an error after the 3rd attempt.

    USER LOCKOUT EVENTS
    profile_lockout                       Emitted each time a user profile is locked.

    MFA EVENTS
    mfa_phone_number_deleted              Emitted after an MFA credential (phone number) is deleted.
    mfa_email_deleted                     Emitted after an MFA credential (email) is deleted.
    mfa_email_start_registration          Emitted after an email is used to start the MFA registration process.
    mfa_email_verify_registration         Emitted after an email has been verified as an MFA credential.
    mfa_phone_number_verify_registration  Emitted after a phone number is used to start the MFA registration process.
    mfa_phone_number_verify_registration  Emitted after a phone number has been verified as an MFA credential.

  6. Enter your Project ID for your Google Cloud account.

  7. Enter the Topic where you want requests sent.

  8. Enter the Credentials (in JSON format) needed to connect to Google Cloud.

  9. Don’t forget to Save your input.

View Pub/Sub results

To view the Audit Logs, you should go to your Pub/Sub page in your Google Cloud Platform (GCP) account.

  1. Go to Topics.

  2. Choose the desired Topic ID.

  3. Click View Messages.

  4. Select the desired Cloud Pub/Sub subscription.

  5. Follow the on-screen instructions.

Audit log example
{
  "user_email": "user@gmail.com", (1)
  "entity_name": "jobs", (2)
  "user_name": "My user name", (3)
  "action_name": "create", (4)
  "created_at" : "2021-09-09T09:21:22.107809Z", (5)
  "id": "a040230b-60...998", (6)
  "ip_address": "x.x.x.x", (7)
  "action_data": { (8)
    "jobId": "AXvK4s..UnUYyz",
    "jobType": "export"
  },
  "client_id": "Console ReachFive", (9)
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" (10)
}
(1) The email of the ReachFive Console user that produced the audit log.
(2) The name of the entity that produced the audit log.
(3) The user name of the ReachFive Console user that produced the audit log.
(4) The Action name that triggered the Pub/Sub hook that produced the audit log.
(5) The creation date timestamp for the audit log.
(6) The ID of the audit log.
(7) The IP address of the ReachFive Console user that produced the audit log.
(8) The Action data (more information about the trigger). In this case, an export event with the ID AXvK4s..UnUYyz.
(9) The client that produced the audit log.
(10) The user_agent that produced the audit log.
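
The following added example, which is not ReachFive code, triages audit log payloads shaped like the one above as a Pub/Sub subscriber receives them, covering the unexpected-export case described under "Why is this useful?". It assumes each Pub/Sub message's data is one audit log JSON object; the severity mapping, the export_operators allow-list and the sample records are constructed for illustration.

```python
import json
from datetime import datetime

# Actions from the page's table; the severity labels are this example's assumption.
WATCHED = {"jobs:create": "high", "jobs:copy": "high", "jobs:execution": "high",
           "settings:update": "high", "clients:create": "medium",
           "clients:delete": "medium", "users:delete": "medium"}
REQUIRED = ("id", "entity_name", "action_name", "user_email", "created_at")


def parse_audit_log(data: bytes) -> dict:
    """Decode one Pub/Sub message payload into a validated audit record."""
    record = json.loads(data.decode("utf-8"))
    if not isinstance(record, dict):
        raise ValueError("audit log is not a JSON object")
    missing = [key for key in REQUIRED if key not in record]
    if missing:
        raise ValueError(f"audit log is missing {missing}")
    # created_at is ISO 8601 with a trailing Z, as in the page's example.
    stamp = str(record["created_at"]).replace("Z", "+00:00")
    record["created_at"] = datetime.fromisoformat(stamp)
    return record


def triage(data: bytes, export_operators=frozenset()):
    """Return an alert dict for a record that needs review, otherwise None."""
    try:
        rec = parse_audit_log(data)
    except ValueError as exc:  # bad UTF-8, bad JSON, missing field or bad timestamp
        return {"severity": "medium", "action": "unparseable", "reason": str(exc)}
    action = f"{rec['entity_name']}:{rec['action_name']}"
    severity = WATCHED.get(action)
    if severity is None:
        return None
    # Export-job actions by an approved operator are kept, at low severity.
    if rec["entity_name"] == "jobs" and rec["user_email"] in export_operators:
        severity = "low"
    return {"severity": severity, "action": action, "user": rec["user_email"],
            "ip": rec.get("ip_address"), "at": rec["created_at"].isoformat(),
            "audit_id": rec["id"], "detail": rec.get("action_data", {})}


def sample_record(entity, action, email, action_data=None) -> bytes:
    """Constructed payload shaped like the page's example (not a real log)."""
    return json.dumps({
        "id": "00000000-0000-4000-8000-000000000001", "entity_name": entity,
        "action_name": action, "user_email": email, "user_name": "Example User",
        "created_at": "2021-09-09T09:21:22.107809Z", "ip_address": "203.0.113.7",
        "action_data": action_data or {}, "client_id": "Console ReachFive"}).encode()
```

In a subscriber, pass each received message's data bytes to triage() and store the returned alert before acknowledging the message.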