Merge pull request #201670 from batamig/cm-audit-logs

tamarakhader · web-flow · commit ebe00cb9054b · 2022-06-19T17:28:44.000-04:00
Viewing CM audit logs
diff --git a/articles/defender-for-iot/organizations/how-to-create-and-manage-users.md b/articles/defender-for-iot/organizations/how-to-create-and-manage-users.md
@@ -134,18 +134,54 @@ To update sign-out counting periods, adjust the `= <number>` value to the requir
 
 ## Track user activity
 
-You can track user activity in the event timeline on each sensor. The timeline displays the event or affected device, and the time and date that the user carried out the activity.
+Track user activity on a sensor's event timeline, or by viewing audit logs generated on an on-premises management console.
 
-**To view user activity**:
+- **The timeline** displays the event or affected device, and the time and date that the user carried out the activity.
 
-1. Select **Event Timeline** from the sensor side menu.
+- **Audit logs** record key activity data at the time of occurrence. Use audit logs generated on the on-premises management console to understand which changes were made, when, and by whom.
 
-1. Verify that  **User Operations** filter is set to **Show**.  
+### View user activity on the sensor's Event Timeline
 
-   :::image type="content" source="media/how-to-create-and-manage-users/track-user-activity.png" alt-text="Screenshot of the Event timeline showing a user that signed in to Defender for IoT.":::
+Select **Event Timeline** from the sensor side menu. If needed, verify that  **User Operations** filter is set to **Show**.
 
-1. Use the filters or Ctrl F option to find the information of interest to you.
+For example:
 
+:::image type="content" source="media/how-to-create-and-manage-users/track-user-activity.png" alt-text="Screenshot of the Event timeline showing a user that signed in to Defender for IoT.":::
+
+Use the filters or search using CTRL+F to find the information of interest to you.
+
+### View audit log data on the on-premises management console
+
+In the on-premises management console, select **System Settings > System Statistics**, and then select **Audit log**.
+
+The dialog displays data from the currently active audit log. For example:
+
+For example:
+
+:::image type="content" source="media/how-to-create-and-manage-users/view-audit-logs.png" alt-text="Screenshot of the on-premises management console showing audit logs." lightbox="media/how-to-create-and-manage-users/view-audit-logs.png":::
+
+New audit logs are generated at every 10 MB. One previous log is stored in addition to the current active log file.
+
+Audit logs include the following data:
+
+| Action | Information logged |
+|--|--|
+| **Learn, and remediation of alerts** | Alert ID |
+| **Password changes** | User, User ID |
+| **Login** | User |
+| **User creation** | User, User role |
+| **Password reset** | User name |
+| **Exclusion rules-Creation**| Rule summary |
+| **Exclusion rules-Editing**| Rule ID, Rule Summary |
+| **Exclusion rules-Deletion** | Rule ID |
+| **Management Console Upgrade** | The upgrade file used |
+| **Sensor upgrade retry** | Sensor ID |
+| **Uploaded TI package** | No additional information recorded. |
+
+
+> [!TIP]
+> You may also want to export your audit logs to send them to the support team for extra troubleshooting. For more information, see [Export audit logs for troubleshooting](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md#export-audit-logs-for-troubleshooting)
+>
 
 ## Change a user's password
 
@@ -232,6 +268,7 @@ You can recover the password for the on-premises management console or the senso
 
 1. Select **Next**, and your user, and a system-generated password for your management console will then appear.
 
+
 ## Next steps
 
 - [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)
diff --git a/articles/defender-for-iot/organizations/how-to-troubleshoot-the-sensor-and-on-premises-management-console.md b/articles/defender-for-iot/organizations/how-to-troubleshoot-the-sensor-and-on-premises-management-console.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot the sensor and on-premises management console
 description: Troubleshoot your sensor and on-premises management console to eliminate any problems you might be having.
-ms.date: 05/22/2022
+ms.date: 06/15/2022
 ms.topic: article
 ---
 # Troubleshoot the sensor and on-premises management console
@@ -262,13 +262,14 @@ All allowlists, policies, and configuration settings are cleared, and the sensor
 
 
 ## Troubleshoot an on-premises management console
-### Investigate a lack of expected alerts on the management console
 
-If an expected alert is not shown in the **Alerts** window, verify the following:
+### Investigate a lack of expected alerts
+
+If you don't see an expected alert on the on-premises **Alerts** page, do the following to troubleshoot:
 
-- Check if the same alert already appears in the **Alerts** window as a reaction to a different security instance. If yes, and this alert has not been handled yet, a new alert is not shown.
+- Verify whether the alert is already listed as a reaction to a different security instance. If it has, and that alert hasn't yet been handled, a new alert isn't shown elsewhere.
 
-- Verify that you did not exclude this alert by using the **Alert Exclusion** rules in the on-premises management console.
+- Verify that the alert isn't being excluded by **Alert Exclusion** rules. For more information, see [Create alert exclusion rules](how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules).
 
 ### Tweak the Quality of Service (QoS)
 
@@ -310,39 +311,33 @@ To limit the number of alerts, use the `notifications.max_number_to_report` prop
 
 1. Save the changes. No restart is required.
 
+### Export audit logs for troubleshooting
 
+Audit logs record key activity data at the time of occurrence. Use audit logs generated on the on-premises management console to understand which changes were made, when, and by whom.
 
-### Export audit logs from the management console
+You may also want to export your audit logs to send them to the support team for extra troubleshooting.
+
+> [!NOTE]
+> New audit logs are generated at every 10 MB. One previous log is stored in addition to the current active log file.
+>
 
-Audit logs record key information at the time of occurrence. Audit logs are useful when you are trying to figure out what changes were made, and by who. Audit logs can be exported in the management console, and contain the following information:
+**To export audit log data**:
 
-| Action | Information logged |
-|--|--|
-| **Learn, and remediation of alerts** | Alert ID |
-| **Password changes** | User, User ID |
-| **Login** | User |
-| **User creation** | User, User role |
-| **Password reset** | User name |
-| **Exclusion rules-Creation**| Rule summary |
-| **Exclusion rules-Editing**| Rule ID, Rule Summary |
-| **Exclusion rules-Deletion** | Rule ID |
-| **Management Console Upgrade** | The upgrade file used |
-| **Sensor upgrade retry** | Sensor ID |
-| **Uploaded TI package** | No additional information recorded. |
+1. In the on-premises management console, select **System Settings > Export**.
 
-**To export the audit log**:
+1. In the **Export Troubleshooting Information** dialog:
 
-1. In the management console, in the left pane, select **System Settings**.
+    1. In the **File Name** field, enter a meaningful name for the exported log. The default filename uses the current date, such as **13:10-June-14-2022.tar.gz**.
 
-1. Select **Export**.
+    1. Select **Audit Logs**.
 
-1. In the File Name field, enter the file name that you want to use for the exported log. If no name is entered, the default file name will be the current date.
+    1. Select **Export**.
 
-1. Select **Audit Logs**.
+    The file is exported and is linked from the **Archived Files** list at the bottom of the **Export Troubleshooting Information** dialog. Select the link to download the file.
 
-1. Select **Export**.
+1. Exported audit logs are encrypted for your security, and require a password to open. In the **Archived Files** list, select the :::image type="icon" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button for your exported logs to view its password. If you're forwarding the audit logs to the support team, make sure to send the password to support separately from the exported logs.
 
-The exported log is added to the **Archived Logs** list. Select the :::image type="icon" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button to view the OTP. Send the OTP string to the support team in a separate message from the exported logs. The support team will be able to extract exported logs only by using the unique OTP that's used to encrypt the logs.
+For more information, see [View audit log data on the on-premises management console](how-to-create-and-manage-users.md#view-audit-log-data-on-the-on-premises-management-console).
 
 ## Next steps
 
diff --git a/articles/defender-for-iot/organizations/media/how-to-create-and-manage-users/view-audit-logs.png b/articles/defender-for-iot/organizations/media/how-to-create-and-manage-users/view-audit-logs.png
