Getting started with Event Logs

Enpass helps organizations monitor and track important events related to user activities across key areas, including user accounts, vaults, password recovery, sharing, and more. Additionally, the Enpass Event Logs system can integrate with Security Information and Event Management (SIEM) tools so that businesses can analyze and respond to high-risk security events.

Pre-requisites

To enable Event Logs and SIEM integration in Enpass, ensure the following:

  • An Enpass Business Plan (only with the Microsoft 365 or Google Workspace storage option).
  • An account with Super Admin privileges for the Enpass Admin Console.

Enabling Event Logs Collection

Event logging is provided as a feature of Enpass Hub. To activate this feature, please follow the steps below:

  1. If you haven’t integrated the Enpass Hub yet, follow the steps here. Completing the integration will automatically enable the Event Logs feature.
  2. If the Enpass Hub is already integrated and Event Logs are still not enabled, follow the steps given below:
    • Go to the Integration section in the Enpass Admin Console.
    • On the Integration screen, locate the Event Logs section.
    • Click on the Enable button of Event Logs to activate the feature.

Learn About Events and Their Descriptions

Event Logs in the Admin Console provide a detailed history of actions performed within the Enpass environment, including the Enpass App, Enpass Hub and the Enpass Admin Console. Enpass Hub retains Event Logs for a duration of up to 90 days. For extended retention and deeper analysis, integration with a SIEM tool is recommended.

Data Presented in Event Logs

  • Date & Time – Shows the timestamp of each logged event.
  • Actor – Refers to the user and system that performed the action.
  • Component – Identifies whether the activity was performed in the Enpass App, Enpass Hub or Enpass Admin Console.
  • IP Address – Displays the IP address from which the action was performed.
  • Activity – Details the specific action performed.

Event Categories

Event logs are organized into categories to help structure the various activities being tracked. The table below lists the different event categories and provides descriptions of the event logs tracked within each category.


Categories and Events

Users

  • New Device Registered - A new device has been added to the user's account.
  • Multi-Factor Authentication (MFA) Changes - Enabling, updating or resetting two-factor authentication (2FA).
  • Admin Password Changes - Adding, changing, or resetting the admin password.
  • Admin Permissions Updated - Changes made to the user's access scopes or permissions.
  • Public Key Changes - Detection, resolution, or addition of a public key in the hub.
  • Master Password Changed - The master password has been updated.
  • Authentication Methods Added - PIN or biometric authentication configured.
  • Device Deprovisioned - A previously registered device has been removed.
  • Business Admin Console Login Events - Successful logins, failed attempts, MFA failures, or blocked logins.
  • Application Login Events - Successful logins, failed login attempts, or multiple app unlock failures that may indicate unusual activity.

Vaults

  • Vault Management – Created, removed, or renamed a vault.
  • Vault Data Handling – Exported, printed, or imported data from a vault backup or file.
  • Vault Security – Changed the password, revealed the password, or removed a locked vault.
  • Vault Synchronization & Backup – Synchronization failed, exported a Keyfile, or backed up the vault.

Sharing

  • Item Sharing – Shared an item via email or clipboard, or successfully added a shared item to the system.
  • Vault Sharing – Shared a vault with one or more users.
  • Shared Vault Management – Created a new shared vault and added it to the system.
  • Shared Vault Permissions – Updated the permissions for a shared vault.
  • Shared Vault Access Control – Revoked access to a shared vault.

Recovery

  • Account Recovery Management – Initiation, expiration, approval, or decline of an account recovery request, along with recovery link expiration or revocation.
  • Master Password Recovery – Successful recovery of a user's account through the master password.
  • Recovery Request Issues – Failure to create a recovery request due to system or user-related issues.

Organization

  • User Management – Creation, removal, activation, deactivation, or email address update of a user account.
  • Group Management – Creation, deletion, or modification of user groups, including adding or removing users from a group.
  • Administrator & Policy Management – Assignment, removal, or permission modification of Business Console Administrators, along with changes to organization policies and branding settings.
  • Authentication & Security – Configuration, enabling, disabling, or enforcement of SSO authentication, along with SCIM token generation.
  • Hub & Recovery Management – Setup, removal, or modification of hub integration, SSL settings, and recovery administration.
  • Password Policies – Creation or modification of password rules and policies.

App

  • Browser and Security Configurations – A new browser has been linked to the user’s account, or an SSL certificate validation has failed.
  • Application Settings and Proxy – Modifications to application settings or changes in proxy configuration.
  • Data and Backup Management – Changes to the storage location of user data or backups, along with local log file deletion.
  • Account and Vault Updates – Addition of a personal vault in the application.
  • System and Device Changes – Issues with incorrect system time or a complete erasure of data from the device.

Disabling Event Logs

To disable Event Logs from the Enpass Admin Console, follow the steps below:

  1. Go to Settings in the Enpass Admin Console.
  2. On the Settings screen, locate the Event Logs section.
  3. Click on the three dots and then click on Disable.
  4. A confirmation pop-up will appear to finalize the disabling of Event Logs.

SIEM Integration

Enpass Hub only retains Event Logs for a duration of up to 90 days. For extended retention and deeper analysis, integration with a SIEM (Security Information and Event Management) tool is recommended. A SIEM provides advanced features such as visual dashboards for event analysis and customisable alerting to trigger automated actions.
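As an illustration of the kind of alerting a SIEM can apply to these logs, the following added example (not Enpass code) correlates repeated failed Admin Console logins with a later successful login and any sensitive activity that follows it. The record keys, activity strings and thresholds are assumptions modelled on the columns and event descriptions above; the actual export schema is not shown on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Key names and activity strings are assumptions
# modelled on the columns and event descriptions above, not Enpass's schema.
def _ev(time, actor, component, ip, activity):
    return {"time": time, "actor": actor, "component": component, "ip": ip, "activity": activity}

SAMPLE_EVENTS = [
    _ev("2025-01-10T09:00:05", "admin@example.com", "Admin Console", "203.0.113.7", "Login failed"),
    _ev("2025-01-10T09:00:40", "admin@example.com", "Admin Console", "203.0.113.7", "Login failed"),
    _ev("2025-01-10T09:01:10", "admin@example.com", "Admin Console", "203.0.113.7", "Login failed"),
    _ev("2025-01-10T09:02:00", "admin@example.com", "Admin Console", "203.0.113.7", "Login successful"),
    _ev("2025-01-10T09:05:30", "admin@example.com", "Admin Console", "203.0.113.7", "MFA reset"),
    _ev("2025-01-10T09:20:00", "bob@example.com", "App", "198.51.100.4", "Vault exported"),
]

FAILED, SUCCESS = "Login failed", "Login successful"
SENSITIVE = {"MFA reset", "Vault exported", "Admin password reset"}

def detect(events, threshold=3, window=timedelta(minutes=10), follow=timedelta(hours=1)):
    """Alert on (a) a successful Admin Console login preceded by `threshold` or
    more failures for the same actor and IP inside `window`, and (b) sensitive
    activity by that actor within `follow` of such a login."""
    alerts = []
    failures = defaultdict(deque)  # (actor, ip) -> timestamps of recent failures
    suspect_until = {}             # actor -> end of the heightened-scrutiny period
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["actor"]
        if ev["component"] == "Admin Console" and ev["activity"] in (FAILED, SUCCESS):
            recent = failures[(actor, ev["ip"])]
            while recent and ts - recent[0] > window:
                recent.popleft()   # drop failures that fell out of the window
            if ev["activity"] == FAILED:
                recent.append(ts)
            else:
                if len(recent) >= threshold:
                    alerts.append(("login_after_failures", actor, ev["ip"], ev["time"]))
                    suspect_until[actor] = ts + follow
                recent.clear()     # a success resets the failure streak
        elif ev["activity"] in SENSITIVE and ts <= suspect_until.get(actor, datetime.min):
            alerts.append(("sensitive_after_suspect_login", actor, ev["activity"], ev["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The vault export by the second user raises no alert here because that account had no suspicious login; a real deployment would tune the thresholds and the sensitive-activity set to its own baseline.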

Enpass supports integration with the following SIEM tools. You can refer to the appropriate integration guide based on your requirements: