English (US)

The Audit Log is not an actual audit log due to wrong actor names.

Dave Kaminsky (Qumulo)

To meet the generally accepted definition of what the minimum information an Audit Log requires, we should never see Zendesk in the log for an event like an Agent removing an email domain on the domains field of an organization.  

To be an acceptable Audit log, the actual actor who triggered the action being logged is required, not the name of the platform the log lives on. Also required are is the time stamp, type of action (create, modified, delete, etc), and object or data impacted.  

 

So in the current state, we know the what and when of a logged action, but not the Who.  So if we have a bad actor at play, we can't tell who it is without contacting support.   So give your agents and your customers a win and deflect those support tickets by making your feature meet the requirements of its intent, be an AUDIT LOG. 

This has been a major feature gap since audit logs were introduced.  There are other requests and feedback relating to improvements in audit logs.  There needs to be some focus on this feature for it to serve its purpose properly. 

 

-Dave

Ps. Here is some reference material if you need it....

https://csrc.nist.gov/glossary/term/audit_log

https://www.computerweekly.com/tip/Best-practices-for-audit-log-review-for-IT-security-investigations

 

3 Comments

  • Dave Dyson
    Zendesk Community Manager
    Thanks for this feedback, Dave!
    0
  • Caroline Kello
    Zendesk Product Manager

    Hi Dave, 

    You're absolutely right that Zendesk should never be used as the Actor when the event was the result of an action by a specific user. This is a blocker for any new events that we or other teams add, but unfortunately there are older events (done before the audit log was owned by the current team) where this is still the case. 

    We create stories on our backlog when we see it or, or are made aware of it by other teams and users, and we will address it as part of our ongoing work and ownership of the audit log. 

    Thanks, Caroline

    0
  • CJ Johnson

    I regularly see triggers misattributing actions to agents, as well. For example, one scenario I figured out is that if an agent updates a ticket with a macro that adds a tag, and the tag triggers a change a requester's language, the log says the agent did it, even though they did not, and may not even have the permissions to do so. Incorrect attribution is pretty alarming thing to see in an audit log and makes it very difficult to figure out what actually happened. 

    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post
Powered by Zendesk