Views
The Views page tracks when users access sensitive resources such as scanners, users, roles, and scan results. Unlike Changes (which tracks state modifications), Views captures read-only access patterns. This is critical for detecting account compromise through reconnaissance behavior, where an attacker enumerates resources before taking action.
Fields & Columns
| Name | Description |
|---|---|
| Time | Timestamp when the resource was accessed |
| User | The user who viewed the resource, or "Unknown" if not authenticated |
| Action | What the user did, typically viewing a list or individual resource |
| Resource Type | The kind of data accessed (e.g., scanners, users, scan results) |
| Resource ID | The specific resource ID that was viewed, if applicable |
| IP Address | Client IP from which the access originated |
How To
Investigate suspicious access
- Navigate to Audit > Views.
- Filter by the suspected user or resource type.
- Review the timestamps and accessed resources.
- Cross-reference with Auth audit to check login patterns.
Gotchas
- A user viewing many resources in quick succession may indicate account compromise and reconnaissance.
- Views from unexpected IP addresses warrant investigation even if the user is legitimate.
- Resource types use underscores internally but display as spaces in the table.
- View audit records are retained indefinitely. Consult your compliance requirements to determine if periodic archival is needed.
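The first two gotchas can be checked programmatically over exported view records. The sketch below is an added example, not product code: the record field names, the 60-second window, the threshold of 5 distinct resources and the per-user IP baseline are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _rec(t, user, rtype, rid, ip):
    # Field names are assumptions modelled on the table columns above,
    # not the documented response schema of /api/audit/views.
    return {"time": datetime.fromisoformat(t), "user": user,
            "resource_type": rtype, "resource_id": rid, "ip": ip}

# Constructed sample records (documentation-range IPs, made-up users).
SAMPLE_VIEWS = [
    _rec("2024-05-01T09:00:00", "bob", "scan_results", 12, "192.0.2.10"),
    _rec("2024-05-01T11:30:00", "bob", "scanners", None, "192.0.2.10"),
    _rec("2024-05-01T03:14:00", "alice", "users", None, "203.0.113.50"),
    _rec("2024-05-01T03:14:05", "alice", "users", 1, "203.0.113.50"),
    _rec("2024-05-01T03:14:09", "alice", "users", 2, "203.0.113.50"),
    _rec("2024-05-01T03:14:15", "alice", "roles", None, "203.0.113.50"),
    _rec("2024-05-01T03:14:21", "alice", "scanners", None, "203.0.113.50"),
    _rec("2024-05-01T03:14:30", "alice", "scanners", 4, "203.0.113.50"),
]
KNOWN_IPS = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.10"}}  # assumed baseline

def find_view_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Map each user to (start, end, count) for the first window in which
    they viewed at least `threshold` distinct resources."""
    recent, bursts = defaultdict(deque), {}
    for rec in sorted(records, key=lambda r: r["time"]):
        q = recent[rec["user"]]
        q.append((rec["time"], (rec["resource_type"], rec["resource_id"])))
        while rec["time"] - q[0][0] > window:  # drop views older than the window
            q.popleft()
        distinct = {res for _, res in q}
        if len(distinct) >= threshold and rec["user"] not in bursts:
            bursts[rec["user"]] = (q[0][0], rec["time"], len(distinct))
    return bursts

def find_unexpected_ips(records, known_ips):
    """Return sorted (user, ip) pairs whose IP is outside the user's baseline.
    Users with no baseline (including "Unknown") are always reported."""
    return sorted({(r["user"], r["ip"]) for r in records
                   if r["ip"] not in known_ips.get(r["user"], set())})

if __name__ == "__main__":
    for user, (start, end, n) in find_view_bursts(SAMPLE_VIEWS).items():
        print(f"burst: {user} viewed {n} distinct resources {start} to {end}")
    for user, ip in find_unexpected_ips(SAMPLE_VIEWS, KNOWN_IPS):
        print(f"unexpected IP: {user} from {ip}")
```

Tune the window and threshold against normal usage before alerting on them, since dashboards and bulk review sessions can legitimately produce many views in a short period.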
API Calls (1)
| Method | Path | Description |
|---|---|---|
| GET | /api/audit/views | List all access log entries (paginated) |
Related Pages
- Changes — Tracks state modifications rather than read access
- Auth — Tracks authentication events that precede resource access
- Port State Changes — Tracks port state transitions rather than resource access patterns