Description
User and process activity can be collected for security auditing and sent into an Elastic observability workflow. This is useful for administrators who need to track system events, policy changes, and suspicious behavior.
Audit data is highly sensitive: it can include executed commands, file paths, user names, and security events. Decide deliberately what is collected (scope), who can read it (access control), how long it is kept (retention), and which events raise alerts.
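As an added illustration, not part of the original description or of any Elastic integration's own configuration, the following Kibana Dev Tools console requests show one way to enforce two of the points above on the Elasticsearch side: an ILM policy that deletes audit data after a fixed retention period, and a read-only role restricted to the audit indices. The index pattern `logs-audit-*`, the role name `audit_reader`, the user name `audit_analyst`, and the policy name `audit-retention` are placeholders chosen here, not names the page defines; the 90-day retention is likewise an assumed value.

```console
# Added example, not from the original page. Names and values are placeholders.

# Retention: roll over daily, keep audit data for an assumed 90 days, then delete.
# The policy only takes effect once it is referenced by the audit index template.
PUT _ilm/policy/audit-retention
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": { "max_age": "1d" }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": { "delete": {} }
      }
    }
  }
}

# Access control: a role that can read only the audit indices.
# The weak form would be "names": ["*"], which exposes every index in the cluster.
POST _security/role/audit_reader
{
  "cluster": [],
  "indices": [
    {
      "names": ["logs-audit-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

# Bind the role to a named user rather than a shared account, so reads are attributable.
POST _security/user/audit_analyst
{
  "password": "<set-a-strong-password>",
  "roles": ["audit_reader"]
}
```

The role grants no cluster privileges and no write access, so an analyst account compromised through a stolen session can neither alter nor delete the audit trail, and the delete phase in the ILM policy keeps the sensitive history from accumulating indefinitely.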