Collect security audit logs to monitor user activity in ThoughtSpot and increase your system security.

ThoughtSpot Cloud provides security audit events related to account activities and user actions within ThoughtSpot. These events can help your SOC team detect potential security threats or compromised user accounts in your organization. These human-readable and comprehensive events can be shipped to your SIEM application in near real-time. Security events remain within the system for 30 days. To integrate with your SIEM or view these logs, contact ThoughtSpot Support.

ThoughtSpot security events include the following information:

  • An event ID
  • A unique description of the event (e.g. “A user account was created”)
  • A timestamp (in UTC), in the format yyyy/mm/dd:hh:mm:ss
  • User ID of the person initiating the event
  • IP of the user
  • Fields specific to the event (e.g. name of the new account)

Security events

The possible events are:

Event descriptions

ThoughtSpot defines these events as follows:

Account logout
A user logs out from ThoughtSpot.
Row level security (RLS) rule creation
A user creates an RLS rule on a table.
RLS rule deletion
A user deletes an RLS rule on a table.
Failed login
A user fails to log in, either because of an incorrect password or because the IdP/ADP denies the authentication request.
Group creation
A user creates a new group, either manually through the Admin Portal, or through the internal API.
Group deletion
A user deletes a group, either manually through the Admin Portal, or through the internal API.
Group modification
A user modifies the properties of a group, either in the Admin Portal or over the internal API. (Properties include group name, display name, and sharing visibility.)
Locked account
A local user fails to authenticate _x_ times in a row, locking the account. Administrators can configure the number of authentication attempts before lockout within ThoughtSpot.
Object creation
A user creates a new object (pinboard, worksheet, answer, etc.) in ThoughtSpot.
Object deletion
A user successfully or unsuccessfully attempts to delete an object (pinboard, worksheet, answer).
Object modification
A user successfully or unsuccessfully attempts to change the properties of an object.
Object sharing
A user successfully or unsuccessfully attempts to share an object with another user or group.
Password change
A user successfully or unsuccessfully attempts to change their password.
Privilege change
A user adds or removes one or several privileges from a group.
Profile change
A user profile changes, either manually in the Admin Portal or over SAML sync.
Successful login
A local, IdP or AD user logs in to ThoughtSpot.
RLS rule update
A user modifies an RLS rule on a table.
User account creation
A new user account is created, either manually in the Admin Portal or through the internal API.
User account deletion
A user account is deleted, either manually in the Admin Portal or through the internal API.
User group change
A successful or unsuccessful attempt to change the user list of a group by adding or removing members.
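
The following added example (not ThoughtSpot code) shows one detection a SOC team could run over these events: a successful login that follows a burst of failed logins for the same user ID. This page does not define the export format, so the key names (`event`, `timestamp`, `user_id`, `ip`), the threshold, and the window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y/%m/%d:%H:%M:%S"  # yyyy/mm/dd:hh:mm:ss, UTC, as stated on this page

# Constructed sample events (not real ThoughtSpot output). Key names are assumed.
FIELDS = ("event", "timestamp", "user_id", "ip")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("Failed login",     "2024/05/01:10:00:00", "u-17", "198.51.100.7"),
    ("Failed login",     "2024/05/01:10:00:20", "u-17", "198.51.100.7"),
    ("Failed login",     "2024/05/01:10:00:45", "u-17", "198.51.100.7"),
    ("Successful login", "2024/05/01:10:01:10", "u-17", "203.0.113.9"),
    ("Failed login",     "2024/05/01:10:02:00", "u-42", "192.0.2.15"),
    ("Successful login", "2024/05/01:10:02:30", "u-42", "192.0.2.15"),
    ("Object sharing",   "2024/05/01:10:03:00", "u-42", "192.0.2.15"),
    ("Failed login",     "2024/05/01:09:00:00", "u-99", "192.0.2.80"),
    ("Failed login",     "2024/05/01:09:01:00", "u-99", "192.0.2.80"),
    ("Failed login",     "2024/05/01:09:02:00", "u-99", "192.0.2.80"),
    ("Successful login", "2024/05/01:09:30:00", "u-99", "192.0.2.80"),
]]

def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a successful login follows `threshold` or more failed
    logins for the same user ID inside `window`."""
    parsed = sorted(((datetime.strptime(e["timestamp"], TS_FORMAT), e) for e in events),
                    key=lambda pair: pair[0])
    recent_failures = defaultdict(deque)  # user_id -> deque of (time, ip)
    alerts = []
    for when, ev in parsed:
        if ev["event"] not in ("Failed login", "Successful login"):
            continue  # other event types are not part of this rule
        recent = recent_failures[ev["user_id"]]
        while recent and when - recent[0][0] > window:
            recent.popleft()  # drop failures older than the window
        if ev["event"] == "Failed login":
            recent.append((when, ev["ip"]))
            continue
        if len(recent) >= threshold:
            alerts.append({
                "user_id": ev["user_id"],
                "at": ev["timestamp"],
                "failed_attempts": len(recent),
                "ips": sorted({ip for _, ip in recent} | {ev["ip"]}),
            })
        recent.clear()  # a successful login resets the failure count
    return alerts

if __name__ == "__main__":
    for alert in failed_then_success(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only `u-17` is flagged: `u-42` has a single failure, and the failures for `u-99` fall outside the five-minute window.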