Audit User Activity in Visier
Ensure your users are performing authorized activities and keep your data safe by automating audit event observability.
Overview
Auditing system security and user activity doesn't have to be a manual chore. Many administrators struggle with the spreadsheet shuffle: periodically downloading Application Logs as XLSX files, manually parsing them, and trying to spot anomalies before they become issues. This reactive approach is slow, prone to human error, and doesn't scale as your organization grows. Imagine a scenario where a sensitive data access event occurs. By the time you download and review a weekly log, days have passed.
Audit event webhooks solve this by transforming Visier audit data into a proactive stream. Instead of manual exports, Visier pushes event data directly to your preferred endpoint in JSON format using the industry-standard Common Event Format (CEF). This is a huge win for security teams because most modern monitoring tools recognize CEF out of the box and don't require custom mapping for standard fields like Device Vendor, Signature ID, and Severity.
Whether you are feeding a SIEM (Security Information and Event Management) tool or a custom dashboard, webhooks ensure you see who is doing what in real time. This guide transitions you from static logs to a scalable, automated observation pipeline.
Checklist
To successfully implement audit event webhooks, complete the following tasks:
- Set up your HTTPS endpoint to receive and acknowledge JSON payloads.
- Configure the webhook with Visier.
- Verify the event stream by triggering a test event and checking your logs.
- Monitor and maintain the integration to ensure continuous data flow.
Set up your HTTPS endpoint
Before Visier can send data, you must have a destination ready. The destination is typically a URL hosted by your internal security team or a cloud provider (like an AWS Lambda function or an Azure Logic App).
Webhook notifications from Visier
Visier optimizes delivery by sending a batch whenever 200 events occur or 30 seconds elapse, whichever comes first. Ensure your listener can handle this frequency without timing out.
Your HTTPS endpoint
- The endpoint must be able to parse JSON.
- To ensure reliable delivery, your endpoint must respond with an HTTP 2xx status code within 2 seconds. If your endpoint doesn't send a response, Visier marks the notification as failed. Visier retries the notification up to 3 times.
  Tip: We recommend that your endpoint performs only basic validation, such as signature verification, before immediately returning a 200 OK. To avoid timeouts, handle any complex logic (such as database writes, sending emails, or calling third-party APIs) using a background worker or task queue.
- If your endpoint requires authentication, set up a username and password or an access token.
- The webhook must have an encryption key that uses the HMAC-SHA256 algorithm. You can use the Encryption Keys API to generate an encryption key. For more information, see "Encryption Keys" in API Reference.
Configure the webhook connection
Next, tell Visier exactly where to send the data and how to authenticate. Use the Webhooks API to specify the:
- Target HTTPS endpoint.
- Audit event type.
- Authentication credentials.
Verify the event stream
- Because the webhook triggers based on activity, perform an action in Visier (such as signing in) to generate an audit event.
- Check your listener logs for a 200 OK response. If you see the JSON payload containing your recent activity, the webhook connection is configured correctly.
- For additional security, verify that Visier sent the notification by checking the x-visier-signature header.
Monitor and maintain
Webhooks are push events. If your endpoint goes down, Visier will retry, but consistent downtime can lead to gaps in your audit history. Those audit events are not lost! Visier retries the notification up to 3 times. Resolve the issue with the webhook on your side as soon as possible to receive the events.
We recommend that you set up internal alerts on your listener side to notify you if the endpoint stops receiving data for more than a few minutes during business hours.
If the endpoint issue isn't resolved quickly enough, you can still retrieve the audit events in XLSX format. Download the application logs in Studio or use Visier APIs. For more information, see Application Logs and "Retrieve the Application Logs" in API Reference.
Outcome
After following this guide, you will have a live, automated stream of Visier audit events flowing into your external environment for an automated, scalable security posture.
Next steps:
- Set up alerts: Now that data is in your SIEM, create alerts for high severity events or unauthorized access attempts.
- Data retention: Determine your organization's policy for storing these JSON logs. Visier provides the stream, but your endpoint manages the long-term storage.
- Explore more: Review Use Visier APIs to see how you can further automate user management alongside your new audit stream.
Example: I want to automate audit event observability
This section provides a step-by-step example to set up auditing webhooks to an external environment.
Access requirements
To use APIs, you must have a Visier account and authenticate. For more information about authenticating, see API Authentication.
Custom profile with these capabilities: Security (Write, API) or Webhook Management
Reach out to your administrator for access.
Step 1: Set up your HTTPS endpoint
In your own tooling, create an HTTPS endpoint. In this example, the endpoint is https://my.webhook.com.
The HTTPS endpoint must:
- Be able to parse JSON.
- Acknowledge Visier's webhook notification within 2 seconds.
If your endpoint requires authentication, set up a username and password or an access token. In this example, the access token is g1v3m34cc355.
Generate an encryption key to associate with the webhook using the HMAC-SHA256 algorithm. The following sample code uses Visier APIs to generate an encryption key with the value webhook_key.
curl -X POST --url 'https://jupiter.api.visier/v1alpha/admin/encryption-keys' \
-H 'apikey:12345' \
-H 'Cookie:VisierASIDToken=abc123' \
-H 'Content-Type: application/json' \
-d '{
"keyName": "webhook_key",
"expiryDate": "2029-05-01 18:00:00.000",
"algorithm": "HmacSHA256"
}'
Step 2: Configure the webhook connection
Use APIs to specify the webhook's target endpoint, audit event type, and authentication credentials.
curl -X POST --url 'https://jupiter.api.visier/v1alpha/admin/encryption-keys' \
-H 'apikey:12345' \
-H 'Cookie:VisierASIDToken=abc123' \
-H 'Content-Type: application/json' \
-d '{
"keyName": "webhook_key",
"expiryDate": "2029-05-01 18:00:00.000",
"algorithm": "HmacSHA256"
}'
Step 3: Verify the event stream
First, generate an audit event and check your listener logs.
- Sign in to Visier to generate an audit event.
- Check your listener logs for a 200 OK response.
Next, verify that Visier sent the message.
- Extract the x-visier-signature header value.
- Prepare the payload. This is the raw request body from Visier; for example:
Sample webhook raw request body
{"timestamp": "1743718453610","eventId": "c0c91580-ce09-40fd-8f84-39d8578c704b","eventType": "jobResultSuccess","event": {"jobid": "00000000-0000-0000-0000-000000000000","rootJobId": "00000000-0000-0000-0000-000000000000","parentJobId": "00000000-0000-0000-0000-000000000000","tenantCode": "WFF_j1r","jobType": "","dataCategoryId": "00000000-0000-0000-0000-000000000000","dataVersion": ""}}
- Compute the HMAC value using the SHA256 hash function. Use the configured secret as the key and the payload as the message.
- Compare the signature to the signature extracted from the header. The values must match. If the values don't match, ignore the message.
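The signature check above, combined with the earlier tip to validate and acknowledge immediately while a background worker does the slow work, can look like the following. This is an added example, not Visier's code: the secret value, the hex encoding of the `x-visier-signature` header, the 401 status for rejected messages, the port, and all function names are assumptions.

```python
import hashlib
import hmac
import json
import queue
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"constructed-demo-secret"  # assumption: secret of the webhook's HMAC key
PENDING = queue.Queue()  # verified bodies waiting for the background worker

def signature_ok(raw_body, header_value, secret=SECRET):
    """HMAC-SHA256 over the raw body bytes, compared in constant time.
    Assumption: the header carries the digest as hex text."""
    if not header_value:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest().encode()
    received = header_value.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected, received)

def receive(raw_body, header_value):
    """Basic validation only, then hand off; returns the HTTP status to send."""
    if not signature_ok(raw_body, header_value):
        return 401  # not queued; the status code is this example's choice
    PENDING.put(raw_body)
    return 200

def worker(sink):
    """Slow work (parsing, forwarding to a SIEM) stays off the request path."""
    while True:
        raw = PENDING.get()
        try:
            sink.append(json.loads(raw))
        except ValueError:
            pass  # signed but not valid JSON: count and log it in production
        finally:
            PENDING.task_done()

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)  # verify these exact bytes, before any parsing
        self.send_response(receive(raw, self.headers.get("x-visier-signature")))
        self.end_headers()

if __name__ == "__main__":
    threading.Thread(target=worker, args=([],), daemon=True).start()
    # Demo listener on localhost; put TLS termination in front of it.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

The HMAC is computed over the bytes exactly as received; re-serializing the parsed JSON before hashing changes whitespace and key order and makes valid signatures fail.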
Step 4: Monitor and maintain
Set up internal alerts on the listener side to notify you if the endpoint stops receiving data for more than a few minutes during business hours. Visier retries the notification up to 3 times. Resolve the issue with the webhook on your side as soon as possible to receive the events.
If you cannot resolve the issue before Visier fails the notification, you can retrieve the missing audit events in XLSX format using Studio or APIs.
Retrieve the application logs in Studio
- Do one of the following:
  - In the global workspace: On the global navigation bar, click Tenant, and then click the Users tab.
  - In a project: On the navigation bar, click Security > Users.
- Click the More button > Download Application Logs in the upper-right corner of the Users room.
- In the Download Application Logs dialog, select the date range for the log.
- Click Download.
Result: The log is generated as an XLSX file and automatically begins downloading.
Retrieve the application logs with APIs
Use the following sample request to make an API call that downloads the application logs. Remember to replace the placeholder values with your own values.
curl -X GET --url 'https://jupiter.api.visier.io/v1/admin/users/reports/application-logs?startTime=1663632418220&endTime=1663632500000' \
-H 'apikey:12345' \
-H 'Cookie:VisierASIDToken=abc123'
