Enable Workspace File Audits

Enable Workspace File Access auditing to capture file-level operations in workspaces. Auditing is opt-in: no events are recorded until you enable it as described below.

Prerequisites

Verify that you have the following:

  • Domino version 6.2 or later

  • A supported cloud deployment: AWS or Azure

  • Two object storage buckets in your cloud provider

Enable the service

Enable Workspace File Audits by configuring object storage buckets and Domino settings. You need two buckets: one for temporary staging and one for long-term archival:

  • Working bucket: Temporary staging for raw audit events

  • Archive bucket: Long-term storage for processed audit events

You can provision these buckets using the Domino Terraform module or create them manually.

Use the Domino Terraform Module

The Domino Terraform module contains the bucket configuration details.

  1. Enable the workspace_audit option in the Terraform configuration.

  2. Re-run the Terraform module to provision the required buckets (working and archive).

  3. Contact your Domino administrator if you have questions or run into issues.

Without the Terraform Module

Create and configure the buckets manually in your cloud provider.

  1. Create the working bucket and archive bucket in your cloud blob storage provider.

  2. Verify that both buckets have the required IAM permissions for Domino to read and write.

After you create the buckets

Update the agent.yaml file to enable workspace audit and provide the bucket details.

Setting enabled: true triggers the full infrastructure setup: enabling Falco, updating the Falco configuration, deploying the workspace audit service, and connecting it to the provisioned buckets.

AWS:

workspace_audit:
  cloud_provider: aws
  enabled: true
  event_archive_storage_aws:
    bucket: <your-archive-bucket-name>
    region: <your-region>
    sse_kms_key_id: <your-kms-key-id>
  event_working_storage_aws:
    bucket: <your-working-bucket-name>
    region: <your-region>
    sse_kms_key_id: <your-kms-key-id>

Azure:

workspace_audit:
  cloud_provider: azure
  enabled: true
  event_archive_storage_azure:
    account_name: <your-azure-storage-account-name>
    account_key: <your-azure-storage-account-key>
    container: <your-archive-container-name>
  event_working_storage_azure:
    account_name: <your-azure-storage-account-name>
    account_key: <your-azure-storage-account-key>
    container: <your-working-container-name>
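As an added example (not part of Domino's documentation or tooling), the Python check below lints the workspace_audit block of agent.yaml before rollout: it parses the key: value subset shown above, confirms enabled is true, that the storage sections match cloud_provider, that no <placeholder> values remain, and that the working and archive buckets are distinct. The field names are taken from the AWS and Azure snippets; the sample configuration is constructed.

```python
# Added example, not Domino tooling: lint agent.yaml's workspace_audit block; keys as in the page.
import re

REQUIRED = {"aws": ("bucket", "region", "sse_kms_key_id"),
            "azure": ("account_name", "account_key", "container")}

def parse_simple_yaml(text):  # nested "key: value" subset only (no lists, no quoting)
    root, stack = {}, []
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave blocks nested deeper than this line
            stack.pop()
        parent = stack[-1][1] if stack else root
        parent[key] = value.strip() or {}
        if not value.strip():
            stack.append((indent, parent[key]))
    return root

def check_workspace_audit(cfg):  # returns problems; an empty list means consistent and filled in
    wa, problems = cfg.get("workspace_audit", {}), []
    if str(wa.get("enabled")).lower() != "true":
        problems.append("enabled must be true: auditing is opt-in")
    if (provider := wa.get("cloud_provider")) not in REQUIRED:
        return problems + [f"cloud_provider must be aws or azure, got {provider!r}"]
    names = {}
    for role in ("archive", "working"):
        block = wa.get(f"event_{role}_storage_{provider}")
        block = block if isinstance(block, dict) else {}  # missing section -> every field unset
        for field in REQUIRED[provider]:
            if not block.get(field) or re.fullmatch(r"<.*>", str(block[field])):
                problems.append(f"{role}: {field} is unset or still a <placeholder>")
        names[role] = block.get("bucket" if provider == "aws" else "container")
    if names["archive"] and names["archive"] == names["working"]:
        problems.append("working and archive storage must be two distinct buckets")
    return problems

# Constructed sample: KMS placeholders left in and both roles pointing at one bucket.
SAMPLE_AGENT_YAML = """workspace_audit:
  cloud_provider: aws
  enabled: true
  event_archive_storage_aws:
    bucket: example-audit-archive
    region: us-east-1
    sse_kms_key_id: <your-kms-key-id>
  event_working_storage_aws:
    bucket: example-audit-archive
    region: us-east-1
    sse_kms_key_id: <your-kms-key-id>
"""
```

Because the Azure block carries account_key in clear text, treat agent.yaml itself as a secret and restrict who can read it.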

Next steps