Get Audit Management Log

Cortex XDR REST API

post /public_api/v1/audits/management_logs

Get audit management logs.
- Filters are combined with an AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based number of log entries from the start of the result set.

Body parameters
request_data (Object)

A dictionary containing the API request fields. An empty dictionary returns all results.

filters (Array)

Array of filter fields.

field (String, Enum)

Filter is based on the following keywords:
- email: User's email address.
- type: Type of audit log.
- sub_type: Subtype of audit log.
- result: Result type.
- timestamp: Log timestamp.

Allowed values: "email", "type", "sub_type", "result", "timestamp"
operator (String, Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords and values are:
- in (email, type, sub_type, result): List of strings
- gte / lte (timestamp): Integer in timestamp epoch milliseconds

Allowed values: "in", "gte", "lte"
value (String | Array | Integer)

Value that this filter must match.
- timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
- All other fields require a string value. In the case of the in operator, the value is an array.

search_from (Integer)

An integer representing the starting offset within the query result set from which you want management logs returned. Management logs are returned as a zero-based list. Any log indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to (Integer)

An integer representing the end offset within the result set after which you do not want management logs returned. Logs in the management log list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all logs to the end of the list.

sort (Object, required)

Identifies the sort order for the result set. By default the sort is defined as creation time, descending (desc).

field (String, Enum)

The field you want to sort by.

Allowed values: "type", "sub-type", "result"
keyword (String, Enum)

Whether to sort in ascending or descending order.

Allowed values: "asc", "desc"
REQUEST BODY
{
  "request_data": {
    "search_from": 0,
    "search_to": 100,
    "sort": {
      "field": "timestamp",
      "keyword": "asc"
    }
  }
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: <API_KEY_ID>' \
  -H 'Authorization: <API_KEY>' \
  'https://api-yourfqdn/public_api/v1/audits/management_logs' \
  -d '{"request_data": {"search_from": 0, "search_to": 100, "sort": {"field": "timestamp", "keyword": "asc"}}}'
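The request parameters above (AND-combined filters, the 100-entry page limit, zero-based search_from/search_to) are easy to get wrong in a collector that only fetches one page. The following added example, which is not Palo Alto Networks' code, validates filters against the field/operator combinations documented here and walks the whole result set 100 entries at a time. The header names x-xdr-auth-id and Authorization, the base URL parameter, and the offline fake transport with its constructed records are assumptions made for the example, not something this page states.

```python
"""Paginate the audit management log API with AND-combined filters.

Added example; not Palo Alto Networks' code. Only the request/response shape
documented on this page is relied upon. The auth header names, base URL and
the fake transport used to run offline are this example's assumptions.
"""
import json
from typing import Callable, Iterator, List
from urllib import request

PAGE_SIZE = 100  # documented maximum result-set size per call
ENDPOINT_PATH = "/public_api/v1/audits/management_logs"

LIST_FIELDS = {"email", "type", "sub_type", "result"}  # only operator "in"
RANGE_FIELDS = {"timestamp"}                            # only "gte" / "lte"


def make_filter(field: str, operator: str, value) -> dict:
    """Return one filter dict, rejecting combinations the API does not accept."""
    if field in LIST_FIELDS:
        if operator != "in":
            raise ValueError(f"{field} supports only the 'in' operator")
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"{field} requires a list of strings")
    elif field in RANGE_FIELDS:
        if operator not in ("gte", "lte"):
            raise ValueError(f"{field} supports only gte/lte")
        if not isinstance(value, int):
            raise ValueError(f"{field} requires epoch milliseconds as an integer")
    else:
        raise ValueError(f"unknown filter field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def build_request(filters: List[dict], search_from: int = 0,
                  sort_field: str = "timestamp", sort_keyword: str = "desc") -> dict:
    """Build one page request; the service ANDs the filters (no OR)."""
    if sort_keyword not in ("asc", "desc"):
        raise ValueError("sort keyword must be 'asc' or 'desc'")
    if search_from < 0:
        raise ValueError("search_from is a zero-based offset")
    body = {"search_from": search_from,
            "search_to": search_from + PAGE_SIZE,   # never more than 100 per page
            "sort": {"field": sort_field, "keyword": sort_keyword}}
    if filters:
        body["filters"] = filters
    return {"request_data": body}


def http_post(base_url: str, api_key_id: str, api_key: str) -> Callable[[dict], dict]:
    """Real transport (header names are an assumption); not exercised offline."""
    def post(body: dict) -> dict:
        req = request.Request(base_url + ENDPOINT_PATH, method="POST",
                              data=json.dumps(body).encode(),
                              headers={"Accept": "application/json",
                                       "Content-Type": "application/json",
                                       "x-xdr-auth-id": api_key_id,
                                       "Authorization": api_key})
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_logs(post: Callable[[dict], dict], filters: List[dict], **sort) -> Iterator[dict]:
    """Yield every matching audit item, advancing the offset 100 at a time."""
    search_from = 0
    while True:
        reply = post(build_request(filters, search_from, **sort))["reply"]
        data = reply.get("data") or []
        yield from data
        search_from += PAGE_SIZE
        if not data or search_from >= reply["total_count"]:
            return


# --- constructed offline data and transport, stand-ins for the real service ---
SAMPLE = [{"AUDIT_ID": i,
           "AUDIT_OWNER_EMAIL": "analyst@example.test" if i % 3 else "admin@example.test",
           "AUDIT_ENTITY": "AUTH" if i % 2 == 0 else "RULES",
           "AUDIT_ENTITY_SUBTYPE": "Login" if i % 2 == 0 else "Edit",
           "AUDIT_RESULT": "FAIL" if i % 7 == 0 else "SUCCESS",
           "AUDIT_INSERT_TIME": 1565074114053 + i * 1000}
          for i in range(230)]

_FIELD_MAP = {"email": "AUDIT_OWNER_EMAIL", "type": "AUDIT_ENTITY",
              "sub_type": "AUDIT_ENTITY_SUBTYPE", "result": "AUDIT_RESULT",
              "timestamp": "AUDIT_INSERT_TIME"}


def fake_post(body: dict) -> dict:
    """Apply the filters with AND semantics and slice the page like the API."""
    rd = body["request_data"]
    rows = SAMPLE
    for f in rd.get("filters", []):
        key, op, val = _FIELD_MAP[f["field"]], f["operator"], f["value"]
        rows = [r for r in rows if (r[key] in val if op == "in" else
                                    r[key] >= val if op == "gte" else r[key] <= val)]
    page = rows[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(rows), "result_count": len(page), "data": page}}


if __name__ == "__main__":
    flt = [make_filter("type", "in", ["AUTH"]), make_filter("result", "in", ["FAIL"])]
    print(len(list(iter_logs(fake_post, flt))), "failed AUTH entries in the sample")
```

Against a live tenant, replace fake_post with http_post(base_url, key_id, key); iter_logs stops when total_count is reached, so a query matching more than 100 entries is no longer silently truncated to the first page.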
Responses

Successful response

Body
reply (Object)

JSON object containing the query result.

total_count (Integer)

Number of total results of this filter without paging.

result_count (Integer)

Number of returned items.

data (Array)

List of audit items.

AUDIT_ID (Integer)
AUDIT_OWNER_NAME (String)
AUDIT_OWNER_EMAIL (String)
AUDIT_ASSET_JSON (String)
AUDIT_ASSET_NAMES (String)
AUDIT_HOSTNAME (String)
AUDIT_RESULT (String)
AUDIT_REASON (String)
AUDIT_DESCRIPTION (String)
AUDIT_ENTITY (String, Enum)
Allowed values: "LIVE_TERMINAL", "RULES", "RULES_EXCEPTIONS", "AUTH", "RESPONSE", "INCIDENT_MANAGEMENT", "ALERT_MANAGEMENT", "INCIDENT_TIMELINE_EVENT", "ENDPOINT_MANAGEMENT", "ENDPOINT_GROUPS", "ALERT_WHITELIST", "PUBLIC_API", "DISTRIBUTIONS", "STARRED_INCIDENTS", "POLICY_PROFILES", "DEVICE_CONTROL_PROFILES", "DEVICE_CONTROL_POLICY", "PROTECTION_PROFILES", "DEVICE_CONTROL_PROFILE", "HOST_FIREWALL_PROFILE", "HOST_DISK_ENCRYPTION_PROFILE", "POLICY_RULES", "PROTECTION_POLICY", "DEVICE_CONTROL_TEMP_EXCEPTIONS", "DEVICE_CONTROL_GLOBAL_EXCEPTIONS", "DEVICE_CONTROL_CUSTOM_DEVICE", "GLOBAL_EXCEPTIONS", "MSSP", "REPORTING", "DASHBOARD", "BROKER_API", "BROKER_VM", "MTH", "MDR", "ALERT_NOTIFICATIONS", "INTEGRATIONS", "QUERY", "SCRIPT_EXECUTION", "ALERT_RULES", "COLLECTION", "API_KEY", "EDL", "VA_RESCAN_ENDPOINT", "HI_RESCAN_ENDPOINT", "REMEDIATION", "INGEST_DATA", "LICENSING", "AGENT_CONFIGURATION", "PERMISSIONS", "SCORING_RULES", "LAYOUT_RULES", "PLAYBOOK_TRIGGERS", "FEATURED_ALERT_FIELDS", "SYSTEM", "TENANT_TAKEOVER", "SCOUTER_POLICY", "SCOUTER_PROFILE", "SCOUTER_GROUPS", "ALLOWED_DOMAINS", "QUERY_LIBRARY", "TENANT_CONFIGURATION", "SCOUTER_CONFIGURATION", "HOST_FIREWALL", "XIF", "XDM", "ACTION_CENTER", "XCLOUD_INTEGRATION", "DATASETS", "XSOAR", "SECURITY_SETTINGS", "ALERT_EXCLUSION", "INDICATOR_RULES", "EVENT_FORWARDING", "ASSET_INVENTORY", "SERVER_SETTINGS", "ASSET_ROLES", "CUSTOM_FIELDS", "AUTOMATION_RULES", "AGENT_EXCEPTION_RULES", "REMEDIATION_PATH_RULES"
AUDIT_ENTITY_SUBTYPE (String)
AUDIT_SESSION_ID (Integer)
AUDIT_CASE_ID (Integer)
AUDIT_INSERT_TIME (Integer)
AUDIT_SEVERITY (String)
AUDIT_LINK (String)
AUDIT_SOURCE_IP (String)
AUDIT_USER_AGENT (String)
AUDIT_USER_ROLES (Array[string])
AUDIT_ADDITIONAL_INFORMATION (Object)
endpoint_names (Array[string])
endpoint_count (Integer)
RESPONSE
{
  "reply": {
    "total_count": 1,
    "result_count": 1,
    "data": [
      {
        "AUDIT_ID": 1,
        "AUDIT_OWNER_NAME": "User Name",
        "AUDIT_OWNER_EMAIL": "username@paloaltonetworks.com",
        "AUDIT_ASSET_JSON": "{}",
        "AUDIT_ASSET_NAMES": "",
        "AUDIT_HOSTNAME": "",
        "AUDIT_RESULT": "SUCCESS",
        "AUDIT_REASON": "",
        "AUDIT_DESCRIPTION": "",
        "AUDIT_ENTITY": "AUTH",
        "AUDIT_ENTITY_SUBTYPE": "Login",
        "AUDIT_SESSION_ID": 382303947890,
        "AUDIT_CASE_ID": 473829372,
        "AUDIT_INSERT_TIME": 1565074114053,
        "AUDIT_SEVERITY": "SEV_020_LOW",
        "AUDIT_LINK": "",
        "AUDIT_SOURCE_IP": "31.174.156.148",
        "AUDIT_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
        "AUDIT_USER_ROLES": [
          "Account Admin"
        ],
        "AUDIT_ADDITIONAL_INFORMATION": {
          "endpoint_names": [
            "WIN-fgo6762G"
          ],
          "endpoint_count": 1
        }
      }
    ]
  }
}
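The reply fields above (AUDIT_ENTITY, AUDIT_RESULT, AUDIT_SOURCE_IP, AUDIT_OWNER_EMAIL, AUDIT_INSERT_TIME, total_count/result_count) are what a defender reads when reviewing console activity. The following added example, not Palo Alto Networks' code, turns one reply into a short triage summary: failed AUTH attempts per user and source address, successful changes to entities that alter access or detection coverage, users seen from more than one source IP, and whether the page was truncated. The sample reply is constructed, the result value "FAIL" for a failed login is assumed (the page only shows "SUCCESS"), and the set of entities singled out is this example's own choice from the AUDIT_ENTITY enum.

```python
"""Triage one reply of the audit management log API.

Added example; not Palo Alto Networks' code. It uses only response fields
documented on this page. The sample reply, the "FAIL" result value and the
SENSITIVE_ENTITIES selection are this example's assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Entities whose successful modification changes who can reach the tenant or
# what it alerts on (example's own selection from the documented enum).
SENSITIVE_ENTITIES = {"API_KEY", "PUBLIC_API", "PERMISSIONS", "SECURITY_SETTINGS",
                      "ALERT_EXCLUSION", "GLOBAL_EXCEPTIONS", "EVENT_FORWARDING"}


def _to_iso(epoch_ms: int) -> str:
    """AUDIT_INSERT_TIME is epoch milliseconds, UTC."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()


def triage(reply: dict) -> dict:
    """Summarise one reply for review; raises KeyError on a malformed reply."""
    body = reply["reply"]
    failed_auth = Counter()          # (email, source ip) -> failed logins
    sensitive = []                   # one line per sensitive successful change
    ips_by_user = defaultdict(set)   # email -> source IPs seen in this page
    for it in body["data"]:
        email, ip = it["AUDIT_OWNER_EMAIL"], it["AUDIT_SOURCE_IP"]
        ips_by_user[email].add(ip)
        if it["AUDIT_ENTITY"] == "AUTH" and it["AUDIT_RESULT"] != "SUCCESS":
            failed_auth[(email, ip)] += 1
        if it["AUDIT_ENTITY"] in SENSITIVE_ENTITIES and it["AUDIT_RESULT"] == "SUCCESS":
            sensitive.append(f"{_to_iso(it['AUDIT_INSERT_TIME'])} {email} "
                             f"{it['AUDIT_ENTITY']}/{it['AUDIT_ENTITY_SUBTYPE']} from {ip}")
    return {
        "failed_auth": dict(failed_auth),
        "sensitive_changes": sensitive,
        "multi_ip_users": sorted(u for u, ips in ips_by_user.items() if len(ips) > 1),
        # result_count below total_count means more pages exist: this summary is partial
        "truncated": body["result_count"] < body["total_count"],
    }


def _item(i, email, entity, subtype, result, ip, t):
    """Constructed audit item carrying the documented fields used above."""
    return {"AUDIT_ID": i, "AUDIT_OWNER_EMAIL": email, "AUDIT_ENTITY": entity,
            "AUDIT_ENTITY_SUBTYPE": subtype, "AUDIT_RESULT": result,
            "AUDIT_SOURCE_IP": ip, "AUDIT_INSERT_TIME": t}


T0 = 1565074114053
# Constructed reply: 5 of 12 matching entries returned, so the page is truncated.
SAMPLE_REPLY = {"reply": {"total_count": 12, "result_count": 5, "data": [
    _item(1, "admin@example.test", "AUTH", "Login", "SUCCESS", "203.0.113.10", T0),
    _item(2, "admin@example.test", "AUTH", "Login", "FAIL", "198.51.100.7", T0 + 60_000),
    _item(3, "admin@example.test", "AUTH", "Login", "FAIL", "198.51.100.7", T0 + 65_000),
    _item(4, "admin@example.test", "API_KEY", "Create", "SUCCESS", "198.51.100.7", T0 + 120_000),
    _item(5, "analyst@example.test", "RULES", "Edit", "SUCCESS", "203.0.113.11", T0 + 180_000),
]}}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPLY).items():
        print(key, val)
```

Because the API caps a reply at 100 entries, the truncated flag matters: a summary built from the first page only can miss the very entries that follow a burst of failed logins.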

Bad Request. Got an invalid JSON.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. User does not have the required license type to run this API.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Internal server error. A unified status for API communication type errors.

Body
err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}