CB Response: Is There An Audit Log Entry Which Indicates What User Enabled/Disabled A Threat Report?
Article ID: 287215
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Is there an audit log entry which indicates what user enabled/disabled a threat report?
Environment
CB Response Server: All Versions
Resolution
The console UI does not record this, but there is a roundabout way to determine who enabled or disabled a threat report using the NGINX access.log on the CB Response server. Look for a POST entry whose request path is /api/v1/threat_report; in the default NGINX log format the line starts with the IP address of the client from which the change was made. This tells you only that a threat report's status was changed from that address, not which feed or report was affected or what was done to it. The access log records the client address rather than the console username, so the address still has to be mapped to a user. The method may also be inaccurate if the user reached the console through a proxy, because the logged address will then be the proxy's rather than the user's.
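The following script is an added example, not part of this article or of the Carbon Black product: it parses NGINX combined-format access log lines, keeps only POST requests to /api/v1/threat_report, and reports the client IP, timestamp and HTTP status of each. The sample log lines are constructed for illustration; the IP addresses, timestamps and referer values are assumptions, not real data.

```python
import re
from typing import Dict, Iterable, List, Optional

# NGINX "combined" log format:
#   client_ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
# The referer/user-agent pair is optional so the plainer "common" format also parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Endpoint named in the article; a POST here changes a threat report's status.
THREAT_REPORT_PATH = "/api/v1/threat_report"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that are not in the expected format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so "/api/v1/threat_report?x=y" still matches the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def threat_report_changes(lines: Iterable[str], successful_only: bool = True) -> List[Dict[str, str]]:
    """Return the client IP, time and status of each POST to /api/v1/threat_report.

    With successful_only=True, requests NGINX logged with a non-2xx status are skipped:
    a rejected POST (e.g. 401/403) did not change anything.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != THREAT_REPORT_PATH:
            continue
        if successful_only and not rec["status"].startswith("2"):
            continue
        hits.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"]})
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful threat_report POSTs per client address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log: two consoles users (10.0.0.25 via browser, 10.0.0.77 via curl),
# one GET that only lists reports, one POST to a different endpoint, and one rejected POST.
SAMPLE_LOG = """\
10.0.0.25 - - [12/Mar/2020:14:02:11 +0000] "GET /api/v1/threat_report HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.25 - - [12/Mar/2020:14:02:40 +0000] "POST /api/v1/threat_report HTTP/1.1" 200 19 "https://cbserver/feeds" "Mozilla/5.0"
10.0.0.77 - - [12/Mar/2020:14:05:03 +0000] "POST /api/v1/threat_report HTTP/1.1" 200 19 "-" "curl/7.64.1"
10.0.0.77 - - [12/Mar/2020:14:05:09 +0000] "POST /api/v1/feed/6 HTTP/1.1" 200 2 "-" "curl/7.64.1"
10.0.0.25 - - [12/Mar/2020:14:06:00 +0000] "POST /api/v1/threat_report HTTP/1.1" 403 27 "https://cbserver/feeds" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in threat_report_changes(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["ip"]}  status={hit["status"]}')
    print(summarize_by_ip(threat_report_changes(SAMPLE_LOG)))
```

On a live server, pass the open access.log file object to `threat_report_changes` instead of `SAMPLE_LOG`; the log path depends on your installation and is not specified here. The `ip` field is whatever NGINX recorded as the client address, so if the console sits behind a proxy or load balancer every hit will show the proxy's address unless the server's log format has been changed to record the forwarded client address.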
Additional Information
Enabling verbose audit logging captures the API calls made from the console and provides further detail about these changes: https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-How-to-enable-verbose-audit-logging/ta-p/71297