This article describes how to configure and use the Integration with Vanta to automatically export to Vanta the awareness audit logs generated in SMARTFENSE.
Workshop: Integration with other Products
Purpose of the integration
The Integration with Vanta allows sending SMARTFENSE audit logs related to awareness actions performed by users to Vanta, facilitating compliance and training evidence within regulatory frameworks.
Vanta API used
The integration uses the Vanta API available at:
https://vanta-connectors.readme.io/docs
Configuration in SMARTFENSE
To configure the integration with Vanta in SMARTFENSE, go to the Settings > Integrations > Vanta section.
To complete the configuration, you need to enter the following data:
OAuth client ID
OAuth client secret
Default Frameworks
Resource ID
These values are obtained by following the corresponding configuration instructions.
Audit logs
When saving the integration configuration in SMARTFENSE, an audit log associated with this action is automatically generated in the Audit > Administration section.
Creating and editing campaigns
In the view for creating or editing any type of campaign, when expanding More options, a subtitle called Integration with Vanta is displayed.
From this section, it is possible to:
Specify a particular Framework for the campaign being created or edited.
Use by default the Framework configured in Default Frameworks within the integration configuration section.
Exporting records
The integration allows the automatic export of audit logs from SMARTFENSE to Vanta.
The export is performed once per day.
Exported logs are related to the status of each user regarding each campaign to which they were assigned.
Test campaigns are excluded from this export.
Vanta API impacted
UserSecurityTrainingStatus
Data sent to Vanta per user and campaign
The following details the fields sent to Vanta for each user assigned to a campaign:
| Field in Vanta | Type | SMARTFENSE Field |
|---|---|---|
| displayName | string | Campaign name if it exists; otherwise, topic/scenario name |
| uniqueId | string | Campaign statistics ID |
| externalUrl | string | Assignment URL |
| trainingId | String | Campaign detail URL |
| trainingName | String | Topic/scenario name of the campaign |
| frameworksFulfilled | List[Enum["SOC2","ISO27001","HIPAA","PCI","GDPR","CCPA"]] | Campaign framework |
| traineeFullName | String | User's full name |
| traineeAccountName | String | User's username |
| traineeEmail | User's email | |
| status | Enum["INCOMPLETE","COMPLETE"] | User's status in the campaign |
| trainingCreatedTimestamp | DateTime | Campaign start date |
| trainingDueTimestamp | DateTime | Campaign expiration date |
| trainingCompletedTimestamp | Optional[DateTime] | Date of the interaction that generated the COMPLETE status |
User status in the campaign
The status sent to Vanta is determined according to the component and the condition reached:
| Campaign | Condition | Status |
|---|---|---|
| Interactive modules | Opened / Started | INCOMPLETE |
| Interactive modules | Finished | COMPLETE |
| Videos | Opened / Started | INCOMPLETE |
| Videos | Finished | COMPLETE |
| Video games | Opened / Started | INCOMPLETE |
| Video games | Finished | COMPLETE |
| Surveys | Opened / Started | INCOMPLETE |
| Surveys | Finished | COMPLETE |
| Exams | Opened | INCOMPLETE |
| Exams | Passed / Failed | COMPLETE |
| Newsletters | Sent | INCOMPLETE |
| Newsletters | Opened | COMPLETE |
Administrative audit log of the export
In the Audit > Administration section, it is possible to check the result of each daily export to Vanta.
The log structure includes:
Date
User: System
Action: Export of audit logs to Vanta
Description: And exported logs
-
Additional details:
Logs to export: X
Logs successfully exported: Y
Logs with errors: Z
Error details: [Detail]
💡 Best practices
Correctly define the Default Frameworks to ensure consistent classification in Vanta.
Review the logs daily in Audit > Administration to validate the export results.
Configure specific frameworks at the campaign level when there are different regulatory requirements.
Avoid including test campaigns in compliance analyses.