Audit logs
This option is available with the Extended and Optimal plans.
You can use audit logs to track key events and employee activity within your organization. Audit logs may be critical in handling incidents and mitigating security risks.
Administrators and audit log managers can use audit logs to view:
- Events in services
  - How employees log in to their accounts. For example, you can see when and from which device an employee logged in.
  - What employees of the organization do with emails and files in Yandex Mail and Yandex Disk. For example, you can see who moved an email or file.
- Events in the organization account
  - Changes made in the organization account. For example, you can see what changed in a user's data and who made the changes.
  - What other administrators look for in the email archive and how they configure message filters.
How to connect an identity provider
- Open Yandex 360 for Business.
- Select Audit log in the menu on the left.
- Click Enable and confirm the action.
User notification
Under clause 3.6 of the offer, after enabling access, the admin is obliged to notify all users and, if necessary, obtain their written consent (unless it was obtained earlier).
View logs
Step 1. Specify the logs you want to find
Service logs
- Open Yandex 360 for Business.
- In the left menu, select Audit log → Service logs.
- Click Service and choose:
  - Mail: Employee actions with messages.
  - Messenger: Employee actions with chats and channels, as well as sending and deleting messages.
  - Disk: Employee actions with files.
  - Authorizations: Employee login events.
  If this option is available, you can select multiple services at once. To do this, select the services and click Save.
Admin logs
- Open Yandex 360 for Business.
- In the left menu, select Audit log → Admin logs.
- Click Section and select:
  - Message filters: Change logs for the email processing rules.
  - Email archive: Search events in the email archive.
  - Offices and meeting rooms: Adding, changing, or deleting offices and meeting rooms.
  - Shared mailboxes: Adding, changing, and deleting shared mailboxes.
  - Delegated mailboxes: Creating and deleting delegated mailboxes.
  - Domains: Adding, changing, and deleting domains.
  - External contacts: Adding, changing, or deleting external contacts.
  - Employees: Actions with employee accounts: adding, deleting, blocking, and unblocking accounts, updating data and aliases, editing groups and departments.
  - Company profile: Change logs in the organization profile: owner changes, name changes.
  - Shared disks: Creating and deleting shared disks.
  - Single sign-on (SSO): Logs of SSO settings changes.
  If this option is available, you can select multiple sections at once. To do this, select the sections and click Save.
Step 2. Narrow down requests with filters
You can narrow down your search with filters. For example, you can find a specific event within a certain period.
To add a filter, select it, choose parameters, and click Save.
Available filters:
- Employee or Admin: Username of the person who performed the action. You can specify multiple at once.
- Date: Date when the action was performed. You can select an available period or specify your own.
- IP address: IP address from which the action was performed.
- Event source: Service where the action request was made. You can specify multiple at once.
- Event: Performed action. You can specify multiple at once.
When selecting one event with parameters, you can configure up to three additional filters.
To remove a filter, click the icon to the right of it. To clear the applied filters and return to the previous step, click Clear filters.
Step 3. Collect and review logs
- Click Find logs.
- Click an event in the list to learn more about it: the data will appear in a pop-up window.
If you want to see all the information about the "Search" event in the email archive, verify the phone number linked to your Yandex ID, or link a number if you haven't done so already. See how to link a number in Yandex ID Help.
Date and time of events
Logs are displayed in the time zone of the user who requested them.
Will the search results remain after the page is refreshed?
The search results and selected filters will reset once you refresh the page.
If you switch to another section of the organization account, the search results will reset, but the selected filters will remain. You can search the logs again with the same parameters.
Managing logs via the API
Preparation
- To work with the API, you'll need an OAuth token, which you can get after creating an application in the Yandex OAuth service.
  - If you don't have an OAuth application yet, follow the instructions on the Access to API page to create one and obtain a token. When creating an application, select the ya360_security:read_auditlog permission.
  - If you already have an OAuth application for working with the Yandex 360 for Business API, add permission to read the organization's audit logs, then get a new OAuth token by following the instructions.
- Find the organization ID: go to the company account and select General settings → Company profile. You can see the ID below the organization name.

How to retrieve your app logs
- Create a GET request:
  curl -X GET -H "Authorization: OAuth {oauth_token}" "https://cloud-api.yandex.net/v1/auditlog/organizations/{org_id}/events?ended_at={ended_at}&count={count}"
  The URL is enclosed in double quotes so that the command line does not treat & as a command separator.
  Insert the required values into the code:
  - {org_id}: Organization ID.
  - {oauth_token}: OAuth token.
  - {ended_at}: End date and time of the audit log in ISO 8601 format, such as 2024-01-31T23:59:59.
  - {count}: Number of events on a results page, from 1 to 100.
- To narrow down the request, specify additional parameters at the end of the URL, inside the quotes, using &, for example:
  &started_at={started_at}&types={types}&include_uids={include_uids}&ip={ip}&service={service}
  Substitute the following values into the code:
  - {started_at}: Start date and time of the audit log in ISO 8601 format, such as 2024-01-01T00:00:00.
  - {types}: Types of events that should be included in the list. You can specify multiple comma-separated types, without spaces. See Event types in the API documentation.
  - {include_uids}: List of users whose actions should be included in the event list. You can specify multiple comma-separated users, without spaces. For example, include_uids=1,2,3.
  - {ip}: IP address from which the action was performed.
  - {service}: Service where the action request was made. You can select one from the list:
    - Web: website.
    - Desktop: computer program.
    - Mobile: mobile app.
    - Api: external HTTP API.
    - Synchronization: external application for automatic data sync (for example, according to the SCIM standard).
    - ID: internal user authorization service.
    - Internal: other internal services.
    - Unknown: source not specified.
- Send the request. The response returns a list of events based on the specified parameters.
Sample response
{
  "iteration_key": "5",
  "items": [
    {
      "user_login": {login},
      "user_name": {name},
      "event": {
        "status": {status},
        "idempotency_id": {event ID},
        "uid": {user ID},
        "service": {service},
        "ip": {IP address},
        "occurred_at": {date},
        "org_id": {organization ID},
        "is_system": false,
        "meta": {
          "device_id": null,
          "revision": "1"
        },
        "request_id": {request ID},
        "type": {event type}
      }
    }
  ]
}
Here:
- {login}, {name}, {user ID}, {IP address} is the event initiator data: the employee's name, username, ID, and IP address.
- {status} is the result of the request: Success or Error (such as an error in authorization events where the employee entered an incorrect username or password).
- {service} is the service where the action request was made, such as Web for website.
- {date} is the event date and time.
- {event type} is the type of the event, such as id_cookie.set for browser login. See Event types in the API documentation.
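An added example (not part of the original page or of the Yandex 360 API documentation): Python helpers that build the request URL from the parameters listed above with validation and percent-encoding, and that count Error events per initiator and IP address in a response of the shape shown in the sample. The names build_events_url, failed_events_by_source and threshold, and the sample events, are constructed for illustration.

```python
from collections import Counter
from urllib.parse import quote, urlencode

BASE = "https://cloud-api.yandex.net/v1/auditlog/organizations/{org_id}/events"
SERVICES = {"Web", "Desktop", "Mobile", "Api", "Synchronization",
            "ID", "Internal", "Unknown"}

def build_events_url(org_id, ended_at, count=100, started_at=None,
                     types=(), include_uids=(), ip=None, service=None):
    """Build the GET URL from the parameters documented above."""
    if not 1 <= count <= 100:
        raise ValueError("count must be from 1 to 100")
    if service is not None and service not in SERVICES:
        raise ValueError(f"unknown service: {service!r}")
    params = {"ended_at": ended_at, "count": count}
    if started_at:
        params["started_at"] = started_at
    if types:
        params["types"] = ",".join(types)  # comma-separated, no spaces
    if include_uids:
        params["include_uids"] = ",".join(str(u) for u in include_uids)
    if ip:
        params["ip"] = ip
    if service:
        params["service"] = service
    # Percent-encode everything except the comma and colon separators.
    path = BASE.format(org_id=quote(str(org_id), safe=""))
    return path + "?" + urlencode(params, safe=",:")

def failed_events_by_source(response, threshold=3):
    """Map (user_login, ip) -> count for initiators with >= threshold Error events."""
    hits = Counter()
    for item in response.get("items", []):
        event = item.get("event", {})
        if event.get("status") == "Error":
            hits[(item.get("user_login"), event.get("ip"))] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

def _item(login, ip, status):  # constructed sample event, minimal fields
    return {"user_login": login, "event": {
        "status": status, "ip": ip, "service": "Web", "type": "id_cookie.set"}}

SAMPLE_RESPONSE = {"iteration_key": "5", "items": [
    _item("alice", "203.0.113.7", "Error"),
    _item("alice", "203.0.113.7", "Error"),
    _item("bob", "198.51.100.4", "Error"),
    _item("alice", "203.0.113.7", "Error"),
    _item("alice", "203.0.113.7", "Success"),
]}
```

Send the returned URL with the Authorization: OAuth header from the request above, and keep the token in the header rather than in the URL.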
How do I make API requests?
- Prepare the request: copy and paste the sample code above into any text editor, replacing the values with your token and ID.
- Open any folder.
- Click on empty space in the address bar.
- Type cmd there and press Enter.
- The "Command line" window will open. Insert the request you've prepared and press Enter.
API documentation
Full details on all methods for getting audit logs are available in the documentation.
An employee with the rights to manage organization settings in Yandex 360 for Business. How to grant administrator rights
An employee with the rights to manage a specific group of settings in Yandex 360 for Business. For example, payment and service plan managers have access to the "Payment and service plan" section, and message filters managers have access to the "Message filtering" section. Managerial roles and how to assign them
Special code allowing access to data on behalf of a specific user.
API request to retrieve a resource from the server. It's used to retrieve data from the server based on specific parameters.