Cisco AMP for Endpoints API

GET /v1/audit_logs

Description

Provides audit logs based on the filters specified in the query parameters.

Query Parameters

Name            Type                    Example Values                                          Description
audit_log_type  String                  User
limit           Integer                 5
audit_log_id    GUID                    e773a9eb-296c-40df-98d8-bed46322589d
event           String                  login
start_time      String (Time ISO8601)   2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00
end_time        String (Time ISO8601)   2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00
audit_log_user  String                  amp@cisco.com

Response Fields

Name                                  Type                    Description
version                               String
metadata.links.self                   String
metadata.links.next                   String
metadata.results.total                Integer
metadata.results.current_item_count   Integer
metadata.results.index                Integer
metadata.results.items_per_page       Integer
data                                  Array
data[].event                          String
data[].audit_log_type                 String
data[].audit_log_id                   GUID
data[].audit_log_user                 String
data[].created_at                     String (Time ISO8601)
data[].old_attributes.sha             String
data[].new_attributes.sha

Examples

Fetch list of audit logs
Fetch list of audit logs filtered by audit_log_type
Fetch list of audit logs filtered by audit_log_id
Fetch list of audit logs filtered by event
Fetch list of audit logs filtered by start_time
Fetch list of audit logs filtered by end_time
Fetch list of audit logs filtered by audit_log_user

Fetch list of audit logs

Request

Requires Authorization
GET /v1/audit_logs
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1994
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2881
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"1a6bfeeb648808d610cbeb43926d0802"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs",
      "next": "https://api.amp.cisco.com/v1/audit_logs?offset=500"
    },
    "results": {
      "total": 5135,
      "current_item_count": 500,
      "index": 0,
      "items_per_page": 500
    }
  },
  "data": [
    {
      "event": "create",
      "audit_log_type": "Agent",
      "audit_log_id": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T23:22:34Z",
      "old_attributes": {
        "policy_id": null,
        "product_version_id": null
      },
      "new_attributes": {
        "policy_id": 915608,
        "product_version_id": 15342
      }
    },
    {
      "event": "create",
      "audit_log_type": "Computer",
      "audit_log_id": "16db5cf986eec6f44422",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T23:22:34Z",
      "old_attributes": {
        "name": null,
        "desc": null,
        "hostname": null,
        "ip_external": null,
        "group_id": null,
        "operating_system_id": null
      },
      "new_attributes": {
        "name": "Demo_Upatre",
        "desc": "Computer populated with demo data",
        "hostname": "Demo_Upatre",
        "ip_external": "49.223.159.99",
        "group_id": 431790,
        "operating_system_id": 8795
      }
    }
  ]
}

Fetch list of audit logs filtered by audit_log_type

Request

Requires Authorization
GET /v1/audit_logs?audit_log_type=User&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1994
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2880
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"7de26769fd72caf3259b894051c3fc42"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5&offset=5"
    },
    "results": {
      "total": 130,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
      "audit_log_user": "marlin2+sdc_api_docs@cisco.com",
      "created_at": "2021-04-09T19:15:54Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
      "audit_log_user": "marlin2+sdc_api_docs@cisco.com",
      "created_at": "2021-04-09T16:52:08Z"
    }
  ]
}

Fetch list of audit logs filtered by audit_log_id

Request

Requires Authorization
GET /v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1994
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2879
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"a9fb885234aeac0605f2202d249f6a5b"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5&offset=5"
    },
    "results": {
      "total": 1146,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "update",
      "audit_log_type": "ApplicationBlockingList",
      "audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T22:56:19Z",
      "old_attributes": {
        "sha": "2bfdebd96f3271c8f63c588e0a14cdabba678b1020c3a7fa420aabbd8ed19d5c"
      },
      "new_attributes": {
        "sha": null
      }
    },
    {
      "event": "update",
      "audit_log_type": "ApplicationBlockingList",
      "audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T22:56:18Z",
      "old_attributes": {
        "sha": ""
      },
      "new_attributes": {
        "sha": "2bfdebd96f3271c8f63c588e0a14cdabba678b1020c3a7fa420aabbd8ed19d5c"
      }
    }
  ]
}
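
Added example (not part of the Cisco documentation): a triage pass over audit log records that reports hashes removed from an application blocking list, who removed them, and how long they had been blocked. It assumes, from the two sample records above, that an update whose new_attributes.sha is set adds a hash and one whose sha goes from a value to null removes it; the function name and the constructed login record are hypothetical.

```python
from datetime import datetime

def _ts(value):
    # created_at ends in "Z"; normalise it for datetime.fromisoformat
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def blocklist_removals(records):
    """Replay ApplicationBlockingList updates oldest-first; report removed hashes."""
    added, findings = {}, []          # added: (list id, sha) -> time it was added
    updates = [r for r in records
               if r.get("audit_log_type") == "ApplicationBlockingList"
               and r.get("event") == "update"]
    for rec in sorted(updates, key=lambda r: _ts(r["created_at"])):
        old = (rec.get("old_attributes") or {}).get("sha")
        new = (rec.get("new_attributes") or {}).get("sha")
        key, when = rec["audit_log_id"], _ts(rec["created_at"])
        if new:                        # assumed meaning: hash added to the list
            added[(key, new)] = when
        if old and not new:            # assumed meaning: hash removed from the list
            since = added.pop((key, old), None)
            findings.append({
                "list": key, "sha": old,
                "removed_by": rec["audit_log_user"], "removed_at": rec["created_at"],
                "blocked_seconds": (when - since).total_seconds() if since else None,
            })
    return findings

SHA = "2bfdebd96f3271c8f63c588e0a14cdabba678b1020c3a7fa420aabbd8ed19d5c"
LIST_ID = "e773a9eb-296c-40df-98d8-bed46322589d"
ACTOR = "16db5cf986eec6f44422"
# The two updates from the response above (newest first) plus one constructed login.
SAMPLE = [
    {"event": "update", "audit_log_type": "ApplicationBlockingList",
     "audit_log_id": LIST_ID, "audit_log_user": ACTOR,
     "created_at": "2021-05-05T22:56:19Z",
     "old_attributes": {"sha": SHA}, "new_attributes": {"sha": None}},
    {"event": "update", "audit_log_type": "ApplicationBlockingList",
     "audit_log_id": LIST_ID, "audit_log_user": ACTOR,
     "created_at": "2021-05-05T22:56:18Z",
     "old_attributes": {"sha": ""}, "new_attributes": {"sha": SHA}},
    {"event": "login", "audit_log_type": "User", "audit_log_id": "constructed-id",
     "audit_log_user": "user@example.com", "created_at": "2021-05-05T22:00:00Z"},
]

if __name__ == "__main__":
    for finding in blocklist_removals(SAMPLE):
        print(finding)
```

A blocked_seconds of None means the matching addition was outside the fetched window, so widen start_time before drawing conclusions.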

Fetch list of audit logs filtered by event

Request

Requires Authorization
GET /v1/audit_logs?event=login&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1994
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2878
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"a4b0ca04e743e0171a67ab5405df18f3"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5&offset=5"
    },
    "results": {
      "total": 61,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
      "audit_log_user": "marlin2+sdc_api_docs@cisco.com",
      "created_at": "2021-04-09T19:15:54Z"
    },
    {
      "event": "login",
      "audit_log_type": "User",
      "audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
      "audit_log_user": "marlin2+sdc_api_docs@cisco.com",
      "created_at": "2021-04-09T16:52:08Z"
    }
  ]
}

Fetch list of audit logs filtered by start_time

Request

Requires Authorization
GET /v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2877
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"5202eab3e320b7a82f3f0604fc582e89"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
    },
    "results": {
      "total": 5135,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "create",
      "audit_log_type": "Agent",
      "audit_log_id": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T23:22:34Z",
      "old_attributes": {
        "policy_id": null,
        "product_version_id": null
      },
      "new_attributes": {
        "policy_id": 915608,
        "product_version_id": 15342
      }
    },
    {
      "event": "create",
      "audit_log_type": "Computer",
      "audit_log_id": "16db5cf986eec6f44422",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2021-05-05T23:22:34Z",
      "old_attributes": {
        "name": null,
        "desc": null,
        "hostname": null,
        "ip_external": null,
        "group_id": null,
        "operating_system_id": null
      },
      "new_attributes": {
        "name": "Demo_Upatre",
        "desc": "Computer populated with demo data",
        "hostname": "Demo_Upatre",
        "ip_external": "49.223.159.99",
        "group_id": 431790,
        "operating_system_id": 8795
      }
    }
  ]
}

Fetch list of audit logs filtered by end_time

Request

Requires Authorization
GET /v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2876
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"5f330be26072af943a02e676c1dc0311"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5",
      "next": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
    },
    "results": {
      "total": 863,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "event": "create",
      "audit_log_type": "Group",
      "audit_log_id": "eeaaea2b-7bcb-4263-8fb2-84a519c12940",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2018-09-18T22:06:25Z",
      "old_attributes": {
        "name": null
      },
      "new_attributes": {
        "name": "jRwlALSr"
      }
    },
    {
      "event": "update",
      "audit_log_type": "Group",
      "audit_log_id": "7fe7a1d5-f2e5-4348-a0d8-6dcc7b40fe66",
      "audit_log_user": "16db5cf986eec6f44422",
      "created_at": "2018-09-18T22:06:23Z",
      "old_attributes": {
        "ancestry": "577010"
      },
      "new_attributes": {
        "ancestry": null
      }
    }
  ]
}

Fetch list of audit logs filtered by audit_log_user

Request

Requires Authorization
GET /v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2875
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"62cbfbdab8ae71d55c91819e054cb930"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5"
    },
    "results": {
      "total": 0,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}
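
Added example (not part of the Cisco documentation): a collector that follows metadata.links.next until a page arrives without one, as in the empty result above, pauses when x-ratelimit-remaining runs low, and refuses a next link that leaves the original scheme and host so the Basic credentials are never sent elsewhere. The function names, the api_key password, the reading of x-ratelimit-reset as seconds, and the two-page sample are assumptions made for this example.

```python
import base64, json, time, urllib.request
from urllib.parse import urlsplit

def http_fetch(client_id, api_key):
    """Live transport using HTTP Basic auth (api_key as the password is an assumption)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Accept": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)
    return fetch

def fetch_all_audit_logs(fetch, url, min_remaining=10, sleep=time.sleep):
    """Follow metadata.links.next from `url`; fetch(url) returns (headers, body)."""
    origin = urlsplit(url)[:2]          # (scheme, host) of the first request
    records, seen = [], set()
    while url:
        if url in seen or urlsplit(url)[:2] != origin:
            raise ValueError(f"refusing to follow next link: {url}")
        seen.add(url)
        headers, body = fetch(url)
        records.extend(body["data"])
        url = body["metadata"]["links"].get("next")
        # Assumption: x-ratelimit-reset is the number of seconds until the quota resets.
        low = int(headers.get("x-ratelimit-remaining", min_remaining + 1)) <= min_remaining
        if url and low:
            sleep(int(headers.get("x-ratelimit-reset", 1)))
    return records

# Constructed two-page sample, shaped like the responses on this page.
BASE = "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=2"
SAMPLE_PAGES = {
    BASE: ({"x-ratelimit-remaining": "2", "x-ratelimit-reset": "7"},
           {"metadata": {"links": {"self": BASE, "next": BASE + "&offset=2"}},
            "data": [{"event": "login"}, {"event": "login"}]}),
    BASE + "&offset=2": ({"x-ratelimit-remaining": "3000", "x-ratelimit-reset": "7"},
           {"metadata": {"links": {"self": BASE + "&offset=2"}},
            "data": [{"event": "login"}]}),
}

def demo():
    """Run the collector over SAMPLE_PAGES; returns (record count, seconds slept)."""
    slept = []
    logs = fetch_all_audit_logs(SAMPLE_PAGES.__getitem__, BASE, sleep=slept.append)
    return len(logs), slept

if __name__ == "__main__":
    print(demo())
```

Against the live API, pass http_fetch(client_id, api_key) as the first argument in place of the sample lookup.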