How Turngate Thinks About Logs

We think about logs differently. We think you should too.

“Make logs easier to understand” is a driving principle at Turngate. We want to make sure that users from all backgrounds can get value from using our tools. We’ve invested a lot of time and energy into making our UI easy to use and simple to navigate. We’ve also spent a lot of time thinking about logs in general. In order to fully utilize our products, it’s useful to know how we think about logs; how they’re structured, the content in them, what makes them the same, and what makes them different.

This article contains information on our data ontology. “Ontology” is a fancy word for “how we structure our data.” Well, at least that’s a rough definition. We can get into the semantics and syntactics of ontologies, taxonomies, and hierarchies, but there’s a word limit to the size of these articles, so we’re going with “how we structure our data.”

Terminology

Categories

At the top level, we’ve got a handful of categories that we associate with every log entry. These categories are the primary mechanism analysts use to dig into their log data. These top level buckets allow you to quickly find the information you’re looking for, but it’s important to understand what each category contains.

Actors

Actors are the “who” of an audit log. You may note we didn’t say identity. If you did, contact us and we’ll send you some stickers. The use of the term “Actor” is very purposeful; an actor is the entity that caused the log to happen. Actors can have multiple identities associated with them. For instance, one system may use an email as the identifier (such as [email protected]), another may use just the username (jimsmith), and another may allow people to use any identifier they want (superduperaccountant). When investigating activity, tracking all the different identities associated with a person can be complicated, so we try to roll everything together under one actor to simplify things.

Data Sources

Data Sources answer the question “who sent this log?” It’s basically the SaaS provider that sent over your logs. Okta, Google Workspace, GitHub, and Box are all examples of data sources you can onboard at Turngate (there are more; we’re just listing a few as examples). If you’re only interested in Google Workspace, you can select just that data source. Easy.

Locations

Where was the Actor when they did the action? That’s a Location. Locations are IP addresses and can be sorted and searched against. As we grow we plan on allowing groups of IPs to represent a more abstract concept of Location. For instance, you will be able to group a bunch of IPs into a “Corporate Office” location. But we’re not there quite yet. NOTE: Ontologies are useful for not just who you are but who you want to be. By talking about Locations instead of IP addresses early in our development, we don’t have to change our ontology as we grow. Cool, eh?

Application

Now we’re getting to the unique part of Turngate. An application is the generic type of application that the audit log pertains to. Rather than force you to know the details of all the logs (or specific product names) from a given SaaS provider, we categorize them into generic applications so you can easily understand at a high level the nature of the events you’re looking at. Further, these buckets are really generic, so if you want to search for all file access from a given IP address regardless of whether the users were using Box, Dropbox, Google Drive, or Microsoft OneDrive, you can just filter on FileStorage and see it all in one place. Cool, eh?

If you want to find all file accesses a particular user made, you don’t want to have to dig through Google Drive logs, Box logs, OneDrive logs, and Dropbox logs. With Turngate you can just select “File” as an application and see all file related activity. Calendar, Login, Conferencing, and Chat are other examples of generic applications you can filter by.

Context

Activities are also categorized as to whether they were performed in a user, system, or administrative context. We pre-sort all activities to make it easy to find all the administrative actions someone took without having to know all the administrative activities possible.

Access

Finally, we categorize actions based on the type of access the user performed. Reads, writes, and deletes are common access categories, though there are other more specialized ones.

Wrapping up

Every audit record sent to Turngate is assigned a value for each of the above categories. These categories serve as the core of how you filter, sort, and dig through all your data to find the information that’s useful to you. If this is confusing or you have ideas on how we can improve, mash the contact link below and let us know. Thanks!
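As an added illustration (not Turngate’s code), here is a small Python normalizer that maps constructed raw records from three data sources onto the six categories above, rolls three different identifiers into one actor, and then filters on any combination of categories. The identifier, application and access mappings are assumptions made up for this example.

```python
from dataclasses import dataclass

# Constructed identity roll-up: every identifier a person uses across
# data sources points at a single actor.
IDENTITY_MAP = {"jsmith@corp.example": "Jim Smith", "jimsmith": "Jim Smith",
                "superduperaccountant": "Jim Smith"}

# Constructed (data source, product) -> generic application bucket.
APPLICATION_MAP = {("box", "file"): "FileStorage",
                   ("google_workspace", "drive"): "FileStorage",
                   ("google_workspace", "admin"): "Directory",
                   ("okta", "system"): "Login"}

# Constructed provider event names -> generic access type, plus the
# subset of events that count as administrative context.
ACCESS_MAP = {"DOWNLOAD": "read", "view": "read", "UPLOAD": "write",
              "user.session.start": "login", "CHANGE_USER_ROLE": "write"}
ADMIN_EVENTS = {"CHANGE_USER_ROLE"}

@dataclass(frozen=True)
class Event:
    actor: str
    data_source: str
    location: str
    application: str
    context: str
    access: str

def normalize(raw: dict) -> Event:
    # Map one raw provider record onto the six categories.
    return Event(
        actor=IDENTITY_MAP.get(raw["user"], raw["user"]),  # unknown ids kept verbatim
        data_source=raw["source"],
        location=raw["ip"],
        application=APPLICATION_MAP.get((raw["source"], raw["product"]), "Other"),
        context="administrative" if raw["event"] in ADMIN_EVENTS else "user",
        access=ACCESS_MAP.get(raw["event"], "other"),
    )

def select(events, **wanted):
    # Filter normalized events on any combination of categories.
    return [e for e in events if all(getattr(e, k) == v for k, v in wanted.items())]

RAW_EVENTS = [  # constructed sample records from three data sources
    {"source": "box", "product": "file", "user": "jimsmith", "ip": "203.0.113.10", "event": "DOWNLOAD"},
    {"source": "google_workspace", "product": "drive", "user": "jsmith@corp.example", "ip": "203.0.113.10", "event": "view"},
    {"source": "okta", "product": "system", "user": "superduperaccountant", "ip": "198.51.100.7", "event": "user.session.start"},
    {"source": "google_workspace", "product": "admin", "user": "jsmith@corp.example", "ip": "203.0.113.10", "event": "CHANGE_USER_ROLE"},
]
EVENTS = [normalize(r) for r in RAW_EVENTS]
```

With the records normalized, `select(EVENTS, actor="Jim Smith", application="FileStorage")` returns the Box and Google Drive accesses together, without knowing either provider’s event names.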
