Skip to main content
The Audit Log provides a comprehensive, timestamped record of all key activities occurring within the tenant. It is a critical tool for monitoring changes, troubleshooting issues, and ensuring compliance by giving administrators visibility into who did what and when.
Note: Audit logs are retained for a duration of 30 days.
Audit log events are categorized into the following areas:
  • Approval management
  • Cases
  • Case related tables
  • Connections
  • Dashboards
  • Global variables
  • Runners
  • Self-service apps
  • Tables
  • Tenant admin settings
  • Tenant user management
  • Users
  • Workflows
  • Workspace management
For a complete list of Audit Log events, see this section.
The audit logs do not track changes to data or content, such as workflow action updates, workflow executions, modifications to table records, or changes to cases.

Audit Log Table Content

Each log entry includes the following information:
  • Category – The general type of activity: Setting updates, System configuration, or User actions.
  • Action – The specific action that occurred.
  • Parameters – Key data relevant to the action, such as the affected username, Workflow name, or API endpoint.
  • Details – Additional context or information about the action.
  • Workspace – The name of the workspace where the action took place.
  • Done by – The email address of the user who initiated the action.
  • Date and Time – When the action was performed.

Categories and Events

In the following section, you can find a complete overview of Blink’s audit log categories and the types of events captured within each. Audit logs in Blink are designed to give you full visibility into user activity, system changes, and workflow executions across the platform.

Approval Management

EventDescription
Request approvedA submitted request was approved by an authorized user.
Request deniedA submitted request was denied by an authorized user.
Request submittedA request was submitted for approval.

Cases

EventDescription
Case exportedA case was exported to a downloadable format.
Case sharedA case was shared with external parties or users.
Table exported to CSVA case table was exported in CSV format.

EventDescription
Custom cases table createdA new custom table for cases was created.
Custom cases table editedAn existing custom cases table was edited.
Exported to CSVData from a custom cases table was exported as a CSV file.
Field createdA new field was added to a custom cases table.
Field editedA field in a custom cases table was updated.
Field deletedA field was removed from a custom cases table.

Connections

EventDescription
Connection createdA new integration connection was created.
Connection deletedAn existing integration connection was removed.
Connection editedAn integration connection was modified or updated.

Dashboards

EventDescription
Dashboard activatedA dashboard was activated and made live.
Dashboard createdA new dashboard was created.
Dashboard deactivatedA dashboard was deactivated.
Dashboard deletedA dashboard was deleted.
Dashboard editedChanges were made to a dashboard’s configuration or layout.
Dashboard metadata editedMetadata for the dashboard (e.g., tags, ownership) was updated.

Global Variables

EventDescription
Global variable createdA new global variable was created.
Global variable deletedA global variable was removed from the system.
Global variable editedAn existing global variable was updated or changed.

Runners

EventDescription
Runner group createdA new group for managing runners was created.
Runner group deletedA runner group was deleted.
Runner group editedA runner group’s settings or members were updated.
Runner group set as defaultA runner group was marked as the default for new workflows or tasks.

Self-Service Apps

EventDescription
App createdA new self-service app was created.
App deletedA self-service app was removed.
App publishedA self-service app was published and made available.

Tables

EventDescription
Field createdA new field was added to a data table.
Field deletedA field was removed from a data table.
Field editedA field in a table was modified.
Table createdA new data table was created.
Table deletedA data table was deleted.
Table editedA data table was updated or modified.
Table exported to CSVA table’s contents were exported to a CSV file.

Tenant Admin Settings

EventDescription
Audit logs exportedAudit logs were exported for review or archiving.
Blink-cloud runner updatedSettings for the Blink cloud runner were updated.
Default tenant runner updatedThe default runner for the tenant was changed.
Runner auto upgrade updatedAuto-upgrade settings for runners were modified.
SAML role mapping updatedRole mapping configuration for SAML was updated.
SAML settings updatedSAML authentication settings were changed.
Two-factor authentication disabledTwo-factor authentication was disabled for the tenant.
Two-factor authentication enabledTwo-factor authentication was enabled for the tenant.

Tenant User Management

EventDescription
Group createdA new group was created.
Group deletedAn existing group was deleted.
Group name updatedThe name of a group was changed.
Role createdA new role was created.
Role deletedAn existing role was deleted.
Role updatedAn existing role was updated.
Service account activatedA service account was activated.
Service account createdA new service account was created.
Service account deactivatedA service account was deactivated.
Service account deletedA service account was deleted.
Service account group assignment updatedA service account’s group was updated.
Service account role changedA service account’s role was changed.
User activatedA user was activated.
User deactivatedA user was deactivated.
User deletedA user was deleted.
User group assignment updatedA user’s group assignment was updated.
User invitedA user was invited.
User role changedA user’s role was changed.

Users

EventDescription
User logged inA user logged in.
User logged outA user logged out.
API key createdAn API key was created.
API key deletedAn API key was deleted.

Workflows

EventDescription
Pack createdA new pack was created.
Pack deletedA pack was deleted.
Pack editedA pack was edited.
Workflow activatedA workflow was activated.
Workflow createdA new workflow was created.
Workflow deactivatedA workflow was deactivated.
Workflow deletedA workflow was deleted.
Workflow publishedA workflow was published.
Workflow settings updatedWorkflow settings were updated.

Workspace Management

EventDescription
Workspace createdA new workspace was created.
Workspace deletedA workspace was deleted.
Workspace name updatedA workspace’s name was updated.
User invited/addedA user was invited or added.
User removedA user was removed.
User role changedA user’s role in the workspace was changed.

External Audit Log Integration

Blink supports native audit log streaming to external SIEM systems, allowing organizations to integrate Blink audit data into tools like Splunk or Elasticsearch. This feature gives security teams greater visibility and control by centralizing audit logs for compliance, monitoring, and incident response without the need for manual exports. Tenant admins can configure their SIEM endpoint directly in Blink, test the connection, and begin streaming audit logs in real time.

1

Navigate to the 'Audit Log Settings' page

In the top right-corner of the Audit Log page, select the icon

2

Enter the Required Parameters

  1. Enable audit log streaming:
    • When enabled, audit logs will be delivered to your specified external destination in real time.
    • Disabling this will stop all log delivery and deactivate the form below.
  2. URL:
    • The destination URL for your external logging service.
      This must be a reachable HTTPS endpoint that supports log ingestion.
  3. Authentication Token:
    • A token or API Key used to authenticate requests to your external logging endpoint. This is required for secure delivery of audit logs.
  4. Destination Type- Select the type of destination where logs will be sent:
3

Optional-Test Connection

You can verify that Blink is successfully connected to your selected SIEM platform by clicking the ‘Test Connection’ button.

Configuration Guide: Generating a Splunk HTTP Event Collector (HEC) Token

Follow this step-by-step guide, to learn how to generate Splunk HTTP Event Collector (HEC) token, which is required for integrating Splunk with the Blink platform. This token is required to integrate Splunk with the Blink platform in order to stream Blink’s audit logs to a selected external destination.
Note: The images used in this guide are for illustration purposes only. Your Splunk configuration may differ based on your organization’s environment, existing settings, and indexing policies. Use the images as a visual reference to help guide you through each step.
1

Access the HTTP Event Collector

Log in to your Splunk Enterprise account. In the top-right corner, click on Settings, then search for HTTP Event Collector and select it.
2

Select Source

Fill in all required fields for the data source configuration.
3

Input Settings

Choose the appropriate indexes that the ‘HTTP Event Collector’ token will be allowed to access.
Reminder: The indexes displayed in the example image may differ from your organization’s configuration. Be sure to select the correct indexes based on your environment and data routing needs.
4

Review

Review all the details you have entered to ensure everything is accurate before proceeding.
5

Token Created Successfully

Once the token has been generated in Splunk, copy it and securely store it.
6

Integrate with Blink

To complete the integration with Blink, go to the Audit Settings section of the Blink platform and do the following:
  • Paste the token into the Authentication Token field
  • Enter the URL: If the HEC feature is enabled in the Splunk Enterprise platform you will see the port it uses (by default, it’s 8088). Your full url will look something like this https://splunk.yourcompany.com:8088
  • Select Splunk HEC as the Destination Type
This ensures that Blink can successfully forward audit logs to your Splunk instance.
7

Test Connection and Save Settings

Click Test Connection to verify that the URL and token have been entered correctly and that Blink can successfully communicate with your Splunk instance. Once the connection is validated, click Save Settings to apply the configuration.
I