Cisco AMP for Endpoints API

GET /v1/audit_logs

Description

Provides audit logs based on the filters specified in the query parameters.

Query Parameters

Name	Type	Example Values
`audit_log_type`	String	User
`limit`	Integer	5
`audit_log_id`	GUID	e773a9eb-296c-40df-98d8-bed46322589d
`event`	String	login
`start_time`	String (Time ISO8601)	2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00
`end_time`	String (Time ISO8601)	2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00
`audit_log_user`	String	amp@cisco.com

Show Response Fields

Name	Type	Description
version	String
metadata.links.self	String
metadata.links.next	String
metadata.results.total	Integer
metadata.results.current_item_count	Integer
metadata.results.index	Integer
metadata.results.items_per_page	Integer
data	Array
data[].event	String
data[].audit_log_type	String
data[].audit_log_id	GUID
data[].audit_log_user	String
data[].created_at	String (Time ISO8601)
data[].old_attributes.sha	String
data[].new_attributes.sha

Write

Preview

Describe this action in markdown

Provides audit logs based on the filters specified in the query parameters.

### Query Parameters

|Name|Type|Example Values|Description|
|----|----|----|----|
|`audit_log_type`|String|User||
|`limit`|Integer|5||
|`audit_log_id`|GUID|e773a9eb-296c-40df-98d8-bed46322589d||
|`event`|String|login||
|`start_time`|String (Time ISO8601)|2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00||
|`end_time`|String (Time ISO8601)|2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00||
|`audit_log_user`|String|amp@cisco.com||
[Show Response Fields](response-fields)

|Name|Type|Description|
|---|---|---|
|version|String||
|metadata.links.self|String||
|metadata.links.next|String||
|metadata.results.total|Integer||
|metadata.results.current_item_count|Integer||
|metadata.results.index|Integer||
|metadata.results.items_per_page|Integer||
|data|Array||
|data[].event|String||
|data[].audit_log_type|String||
|data[].audit_log_id|GUID||
|data[].audit_log_user|String||
|data[].created_at|String (Time ISO8601)||
|data[].old_attributes.sha|String||
|data[].new_attributes.sha|||

Auto Generate

Examples

Fetch list of audit logs

Fetch list of audit logs filtered by audit_log_type

Fetch list of audit logs filtered by audit_log_id

Fetch list of audit logs filtered by event

Fetch list of audit logs filtered by start_time

Fetch list of audit logs filtered by end_time

Fetch list of audit logs filtered by audit_log_user

Fetch list of audit logs

Request

Requires Authorization

GET /v1/audit_logs

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3599
x-ratelimit-remaining: 2998
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs",
      "next": "https://api.amp.cisco.com/v1/audit_logs?offset=500"
    },
    "results": {
      "total": 6777,
      "current_item_count": 500,
      "index": 0,
      "items_per_page": 500
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T18:22:21Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T16:46:14Z"
    }
  ]
}

Fetch list of audit logs filtered by audit_log_type

Request

Requires Authorization

GET /v1/audit_logs?audit_log_type=User&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3599
x-ratelimit-remaining: 2997
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5&offset=5"
    },
    "results": {
      "total": 147,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T18:22:21Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T16:46:14Z"
    }
  ]
}

Fetch list of audit logs filtered by audit_log_id

Request

Requires Authorization

GET /v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3598
x-ratelimit-remaining: 2996
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5&offset=5"
    },
    "results": {
      "total": 2684,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "update",
      "audit_log_type": "ApplicationBlockingList",
      "audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2019-11-01T17:04:30Z",
      "old_attributes": {
        "sha": "39c56fe36a91f18d762ecd92eaf479d7a40d3d4f13ac050baf3e0775b424fb26"
      },
      "new_attributes": {
        "sha": null
      }
    },
    {
      "event": "update",
      "audit_log_type": "ApplicationBlockingList",
      "audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2019-11-01T17:04:30Z",
      "old_attributes": {
        "sha": ""
      },
      "new_attributes": {
        "sha": "39c56fe36a91f18d762ecd92eaf479d7a40d3d4f13ac050baf3e0775b424fb26"
      }
    }
  ]
}

Fetch list of audit logs filtered by event

Request

Requires Authorization

GET /v1/audit_logs?event=login&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3598
x-ratelimit-remaining: 2995
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5&offset=5"
    },
    "results": {
      "total": 69,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T18:22:21Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T16:46:14Z"
    }
  ]
}

Fetch list of audit logs filtered by start_time

Request

Requires Authorization

GET /v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3598
x-ratelimit-remaining: 2994
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
    },
    "results": {
      "total": 6777,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T18:22:21Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "7a5ae177-ea2b-44bd-b8fd-baea3e0f1ec2",
      "audit_log_user": "jabriana+sdc_api_docs@cisco.com",
      "created_at": "2019-11-05T16:46:14Z"
    }
  ]
}

Fetch list of audit logs filtered by end_time

Request

Requires Authorization

GET /v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3598
x-ratelimit-remaining: 2993
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
    },
    "results": {
      "total": 4483,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "create",
      "audit_log_type": "Group",
      "audit_log_id": "eeaaea2b-7bcb-4263-8fb2-84a519c12940",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2018-09-18T22:06:25Z",
      "old_attributes": {
        "name": null
      },
      "new_attributes": {
        "name": "jRwlALSr"
      }
    },
    {
      "event": "update",
      "audit_log_type": "Group",
      "audit_log_id": "7fe7a1d5-f2e5-4348-a0d8-6dcc7b40fe66",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2018-09-18T22:06:23Z",
      "old_attributes": {
        "ancestry": "577010"
      },
      "new_attributes": {
        "ancestry": null
      }
    }
  ]
}

Fetch list of audit logs filtered by audit_log_user

Request

Requires Authorization

GET /v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3598
x-ratelimit-remaining: 2992
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5"
    },
    "results": {
      "total": 0,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}