Audit Logs for authorized user activity
The Automation Anywhere Enterprise platform provides comprehensive, centralized audit logging of all automation activities to authorized users. Role-based access control to the Audit Log is managed through the Control Room. More than 60 audit actions are logged. Each entry records the following:
- Doer of the action
  - For example, a username.
- Source of the action
  - For example, Bot Runner or Control Room.
- Type of event
  - The description of the event.
- When the event occurred
  - For example, the date and the time of the event.
- Where the event occurred
  - The device.
- Outcome of the event
  - Description and status of the event.
Some key audit actions include the following:
- Log in and log out of the centralized Control Room.
- Create, update, and delete Users.
- Activate and deactivate the Control Room users.
- Any change of password for any user
- Create, update, and delete roles (helps in tracking changes to security policy, change in user access privileges)
- Create, update, and delete schedules
- Connection to the Credential Vault
- Create, update, and delete credentials
- Set the Production-ready version of the bots.
- Deploy the bots from the Control Room to the remote Bot Runners.
- Pause, resume, and stop the ongoing automations.
- Any upload and download from Bot Creators and Bot Runners
- Any check-in, check-out of bots from Bot Creators and Bot Runners
- Update email, version control, and other settings
- Enable and disable secure recording.
- Change a license.
- Create Bot Runner instance on BotFarm, release virtual machine, terminate virtual machine.
The Control Room can be configured to export audit logs to an external log consolidation and reduction server via the Syslog protocol. This enables integration with Security Information and Event Management (SIEM) systems, for example, Splunk or LogRhythm. Configure the Syslog integration from the Settings -> Syslog page in the Control Room.
Syslog integration uses either UDP or TCP, and is configured to use TLS encryption between the Control Room and the remote Syslog server.
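As an added example (not Automation Anywhere code), the Python below shows SIEM-side triage over exported audit events that carry the six attributes listed above. The key=value layout, field names, event strings, and watch list are assumptions, because this page does not specify the Syslog payload format.

```python
import re
from collections import Counter

# Constructed sample lines. The key=value layout and field names are assumptions
# that mirror the six attributes listed above; they are not the product's format.
SAMPLE_LINES = [
    'when=2024-05-01T09:00:01Z user=mallory source="Control Room" event="Log in" device=WS-014 outcome=Failed',
    'when=2024-05-01T09:00:05Z user=mallory source="Control Room" event="Log in" device=WS-014 outcome=Failed',
    'when=2024-05-01T09:00:09Z user=mallory source="Control Room" event="Log in" device=WS-014 outcome=Failed',
    'when=2024-05-01T09:02:00Z user=alice source="Control Room" event="Update role" device=WS-002 outcome=Successful',
    'when=2024-05-01T09:03:00Z user=bob source="Bot Runner" event="Run bot" device=BR-07 outcome=Successful',
    'when=2024-05-01T09:04:00Z user=alice event="Delete credential"',  # truncated record
]

REQUIRED = {"when", "user", "source", "event", "device", "outcome"}
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Hypothetical watch list built from the key audit actions named above.
SENSITIVE = re.compile(r"\b(role|credential|password|license|user)\b", re.I)

def parse(line):
    """Return a dict of fields, or None if any of the six attributes is missing."""
    rec = {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}
    return rec if REQUIRED <= rec.keys() else None

def triage(lines, fail_threshold=3):
    """Flag sensitive changes and repeated failed logins; count unparsable lines."""
    alerts, rejected, failures = [], 0, Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            rejected += 1  # incomplete records are counted, never silently dropped
            continue
        if SENSITIVE.search(rec["event"]):
            alerts.append(("sensitive-change", rec["user"], rec["event"]))
        if rec["event"].lower() == "log in" and rec["outcome"].lower() == "failed":
            failures[(rec["user"], rec["device"])] += 1
            if failures[(rec["user"], rec["device"])] == fail_threshold:
                alerts.append(("repeated-login-failure", rec["user"], rec["device"]))
    return alerts, rejected

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LINES)
    for alert in found:
        print(alert)
    print("rejected records:", bad)
```

A nonzero rejected count is itself worth alerting on, since a record missing its doer, device, or outcome cannot support the attribution the audit trail is meant to provide.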
RBAC on audit log
Auditing is automated for all privileged and nonprivileged roles to conform to best practices as defined in NIST AC-6. Access is view-only and follows a deny-all, allow-by-exception model based on roles and domains, as defined in the Audit Section 7 addressing Audit and Accountability (NIST AU 1 through 15) and as required by NIST AC-2 Automated System Account Management.
If a role does not have permission to view Audit Logs, the Audit Trail tab is not visible to any member of that role. Audit automatically captures all events related to the creation, modification, enabling, disabling, and removal of users, bots, Bot Creators, and Bot Runners.
Control Room Bot Creator and Bot Runner activity logging
For every Bot Creator and Bot Runner, the Automation Anywhere Enterprise platform performs comprehensive activity logging for bots, workflows, and reports.
Some of the key activities logged include the following:
- Task creation, update, deletion (task is a type of bot).
- Task run
- Workflow creation, update, deletion
- Workflow run
- Report creation, update, deletion
- Report run
- Change in bot properties
Audit of Bot Runner operations
Bot Insight captures additional Bot Runner events for review and analysis of audit records for indications of inappropriate or unusual activity. The Bot Insight logs can be exported for further analysis. Automated dashboards and reports are available and can be customized to identify and alert on anomalous activity. These capabilities conform to best practices as defined in NIST AU-6 Audit Review, Analysis, and Reporting.
Audit log nonrepudiation
The logs are protected against an individual (or a process acting on behalf of an individual) falsely denying having performed authorized actions. This protection comes from read-only privileges, automated event capture, and binding the identity of the user to the actions, in conformance with best practices as defined in NIST AU-10 Non-repudiation and AU-11 Association of Identities.
Export audit logs
All Control Room and Bot Insight Bot Runner logs are exported to a Security Information and Event Management (SIEM) system for further analysis to support the organization's incident response efforts in accordance with the NIST AU-6 and IR-5 requirements.