The log audit feature provides comprehensive audit logs for security events. These logs provide a valid basis for event tracing and compliance queries. This topic describes how to view internal access audit logs, administrator operation logs, Internet behavior audit logs, excess registration request logs, uninstallation request logs, application acceleration logs, access control logs, antivirus logs, and dynamic decision logs.
Private Access Audit
Regular logs
After you configure and enable an internal access policy, Secure Access Service Edge (SASE) detects events that hit the policy and performs the configured action, such as allowing or denying access. These events are recorded on the page, where you can query them later.
View log details: In the row of a specific log, click Details in the Actions column to view the policy hit details, basic information, access details, and endpoint details.
View the device list, authorized applications, and O&M exceptions for a user: Click a username to open the log summary page for that user. The page displays the following information.
Section | Description | Supported operations |
Data Statistics | Displays the following statistics for the user. This data helps you understand the user's overall access behavior:
| View detailed list: Click a statistic to view the corresponding details in the list below. |
Detailed List | You can view the detailed list of data in three categories: Devices, Authorized Applications, and O&M Exceptions. | View threat description: Click Details in the Actions column for the target item. View the threat description to help you locate the issue. |
Web Application Access Logs
SASE supports access hardening for web apps. This feature includes security checks, such as detecting the Host request header to prevent malicious bypasses, and access tracing, which adds information such as usernames to the HTTP request header for tracing.
On the tab, you can view the access logs for events that triggered access hardening for web apps. For more information about how to configure this feature, see Add an office application to SASE.
Internet Access Audit
On the Internet Access Audit tab, you can view the Website Access Records of company employees.
Terminal Management
On the Terminal Management tab, you can view logs for employees who use the SASE app. These logs include Logon and Logoff Logs, Over-quota Registration Application Logs, Uninstallation Application Logs, Terminal Logs, Software Application, and Unauthorized Software Discovery.
For more information about endpoint devices, see Configure and approve endpoint registration information.
For more information about software management, see Software management.
Sensitive File Detection
On the Sensitive File Detection tab, you can query logs of sensitive files sent by company employees. For more information about sensitive file detection, see Secure data by detecting outgoing files.
Intelligent behavior analysis
For audit logs of outgoing sensitive files, you can use AI to analyze user behavior. The analysis covers multiple dimensions, such as outgoing screenshots, screenshot content recognition, sensitive information determination, user action and intent analysis, and data breach risk assessment.
In the AI Analysis column of a specific audit log, click
.In the Intelligent Behavior Analysis panel, you can view the analysis results.
View sensitive file detection details
In the Actions column of a specific audit log, click Details.
In the Details panel, you can view information such as Data Flow, Key Information, Sensitive Message, Screenshot Evidence, Hit Policy, Office Terminal, Outbound Transfer Channel, and Account Information.
Dynamic Decision-making Logs
On the Dynamic Decision-making Logs tab, you can view the disposal and recovery operation logs that are related to dynamic decisions for company employees.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Log Audit page, click the Dynamic Decision-making Logs tab. You can filter the logs by criteria such as Time, Restoration Method, and User.
Click the Handling Logs tab to view information such as Log generation time, User, Device, Hit Policy, and Action.
Click the Restoration Logs tab to view information such as Log generation time, User, Device, Hit Policy, and Restoration Method.
Click View Handling Process in the Actions column. You are redirected to the Handling Process page, where you can view disposal and recovery information. For more information, see View the disposal flow.
Administrator Operation Logs
On the Administrator Operation Logs tab, you can view details about the operations that administrators performed on the system. The details include Operation Time, Account ID, Operation Source, Operation Feature, Operation Page, and Operation Type.
