GET /v1/audit_logs
Description
Provides audit logs based on the filters specified in the query parameters.
Query Parameters
| Name | Type | Example Values | Description |
|---|---|---|---|
audit_log_type |
String | User | |
limit |
Integer | 5 | |
audit_log_id |
GUID | e773a9eb-296c-40df-98d8-bed46322589d | |
event |
String | login | |
start_time |
String (Time ISO8601) | 2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00 | |
end_time |
String (Time ISO8601) | 2015-10-01T00:00:00+00:00, 2018-10-01T00:00:00+00:00 | |
audit_log_user |
String | amp@cisco.com |
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| metadata.links.next | String | |
| metadata.results.total | Integer | |
| metadata.results.current_item_count | Integer | |
| metadata.results.index | Integer | |
| metadata.results.items_per_page | Integer | |
| data | Array | |
| data[].event | String | |
| data[].audit_log_type | String | |
| data[].audit_log_id | GUID | |
| data[].audit_log_user | String | |
| data[].created_at | String (Time ISO8601) | |
| data[].old_attributes.sha | String | |
| data[].new_attributes.sha |
Examples
- Fetch list of audit logs
- Fetch list of audit logs filtered by audit_log_type
- Fetch list of audit logs filtered by audit_log_id
- Fetch list of audit logs filtered by event
- Fetch list of audit logs filtered by start_time
- Fetch list of audit logs filtered by end_time
- Fetch list of audit logs filtered by audit_log_user
Fetch list of audit logs
Request
Requires AuthorizationGET /v1/audit_logs
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1994 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2881 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"1a6bfeeb648808d610cbeb43926d0802" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs",
"next": "https://api.amp.cisco.com/v1/audit_logs?offset=500"
},
"results": {
"total": 5135,
"current_item_count": 500,
"index": 0,
"items_per_page": 500
}
},
"data": [
{
"event": "create",
"audit_log_type": "Agent",
"audit_log_id": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T23:22:34Z",
"old_attributes": {
"policy_id": null,
"product_version_id": null
},
"new_attributes": {
"policy_id": 915608,
"product_version_id": 15342
}
},
{
"event": "create",
"audit_log_type": "Computer",
"audit_log_id": "16db5cf986eec6f44422",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T23:22:34Z",
"old_attributes": {
"name": null,
"desc": null,
"hostname": null,
"ip_external": null,
"group_id": null,
"operating_system_id": null
},
"new_attributes": {
"name": "Demo_Upatre",
"desc": "Computer populated with demo data",
"hostname": "Demo_Upatre",
"ip_external": "49.223.159.99",
"group_id": 431790,
"operating_system_id": 8795
}
}
]
}
Fetch list of audit logs filtered by audit_log_type
Request
Requires AuthorizationGET /v1/audit_logs?audit_log_type=User&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1994 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2880 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"7de26769fd72caf3259b894051c3fc42" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5",
"next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_type=User&limit=5&offset=5"
},
"results": {
"total": 130,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"event": "login",
"audit_log_type": "User",
"audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
"audit_log_user": "marlin2+sdc_api_docs@cisco.com",
"created_at": "2021-04-09T19:15:54Z"
},
{
"event": "login",
"audit_log_type": "User",
"audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
"audit_log_user": "marlin2+sdc_api_docs@cisco.com",
"created_at": "2021-04-09T16:52:08Z"
}
]
}
Fetch list of audit logs filtered by audit_log_id
Request
Requires AuthorizationGET /v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1994 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2879 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"a9fb885234aeac0605f2202d249f6a5b" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5",
"next": "https://api.amp.cisco.com/v1/audit_logs?audit_log_id=e773a9eb-296c-40df-98d8-bed46322589d&limit=5&offset=5"
},
"results": {
"total": 1146,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"event": "update",
"audit_log_type": "ApplicationBlockingList",
"audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T22:56:19Z",
"old_attributes": {
"sha": "2bfdebd96f3271c8f63c588e0a14cdabba678b1020c3a7fa420aabbd8ed19d5c"
},
"new_attributes": {
"sha": null
}
},
{
"event": "update",
"audit_log_type": "ApplicationBlockingList",
"audit_log_id": "e773a9eb-296c-40df-98d8-bed46322589d",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T22:56:18Z",
"old_attributes": {
"sha": ""
},
"new_attributes": {
"sha": "2bfdebd96f3271c8f63c588e0a14cdabba678b1020c3a7fa420aabbd8ed19d5c"
}
}
]
}
Fetch list of audit logs filtered by event
Request
Requires AuthorizationGET /v1/audit_logs?event=login&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1994 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2878 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"a4b0ca04e743e0171a67ab5405df18f3" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5",
"next": "https://api.amp.cisco.com/v1/audit_logs?event=login&limit=5&offset=5"
},
"results": {
"total": 61,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"event": "login",
"audit_log_type": "User",
"audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
"audit_log_user": "marlin2+sdc_api_docs@cisco.com",
"created_at": "2021-04-09T19:15:54Z"
},
{
"event": "login",
"audit_log_type": "User",
"audit_log_id": "385501d4-017e-477c-8af6-8d096f95545d",
"audit_log_user": "marlin2+sdc_api_docs@cisco.com",
"created_at": "2021-04-09T16:52:08Z"
}
]
}
Fetch list of audit logs filtered by start_time
Request
Requires AuthorizationGET /v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1993 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2877 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"5202eab3e320b7a82f3f0604fc582e89" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5",
"next": "https://api.amp.cisco.com/v1/audit_logs?start_time=2015-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
},
"results": {
"total": 5135,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"event": "create",
"audit_log_type": "Agent",
"audit_log_id": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T23:22:34Z",
"old_attributes": {
"policy_id": null,
"product_version_id": null
},
"new_attributes": {
"policy_id": 915608,
"product_version_id": 15342
}
},
{
"event": "create",
"audit_log_type": "Computer",
"audit_log_id": "16db5cf986eec6f44422",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2021-05-05T23:22:34Z",
"old_attributes": {
"name": null,
"desc": null,
"hostname": null,
"ip_external": null,
"group_id": null,
"operating_system_id": null
},
"new_attributes": {
"name": "Demo_Upatre",
"desc": "Computer populated with demo data",
"hostname": "Demo_Upatre",
"ip_external": "49.223.159.99",
"group_id": 431790,
"operating_system_id": 8795
}
}
]
}
Fetch list of audit logs filtered by end_time
Request
Requires AuthorizationGET /v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1993 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2876 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"5f330be26072af943a02e676c1dc0311" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5",
"next": "https://api.amp.cisco.com/v1/audit_logs?end_time=2018-10-01T00%3A00%3A00%2B00%3A00&limit=5&offset=5"
},
"results": {
"total": 863,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"event": "create",
"audit_log_type": "Group",
"audit_log_id": "eeaaea2b-7bcb-4263-8fb2-84a519c12940",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2018-09-18T22:06:25Z",
"old_attributes": {
"name": null
},
"new_attributes": {
"name": "jRwlALSr"
}
},
{
"event": "update",
"audit_log_type": "Group",
"audit_log_id": "7fe7a1d5-f2e5-4348-a0d8-6dcc7b40fe66",
"audit_log_user": "16db5cf986eec6f44422",
"created_at": "2018-09-18T22:06:23Z",
"old_attributes": {
"ancestry": "577010"
},
"new_attributes": {
"ancestry": null
}
}
]
}
Fetch list of audit logs filtered by audit_log_user
Request
Requires AuthorizationGET /v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1993 referrer-policy: strict-origin-when-cross-origin x-ratelimit-remaining: 2875 x-permitted-cross-domain-policies: none x-download-options: noopen etag: W/"62cbfbdab8ae71d55c91819e054cb930" x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2021-05-05T23:55:49Z strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/audit_logs?audit_log_user=amp%40cisco.com&limit=5"
},
"results": {
"total": 0,
"current_item_count": 0,
"index": 0,
"items_per_page": 5
}
},
"data": [
]
}