Get Audit Management Log

Cortex XDR REST API

post /public_api/v1/audits/management_logs

Get audit management logs.
  • Filters are combined using an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of management logs from the start of the result set.

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/audits/management_logs" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "email", "value": [ "value", "value" ], "operator": "in" },
        { "field": "email", "value": [ "value", "value" ], "operator": "in" }
      ],
      "sort": { "field": "type", "keyword": "desc" },
      "search_to": 6
    }
  }'
Response
{
  "reply": {
    "total_count": 1,
    "result_count": 1,
    "data": [
      {
        "AUDIT_ID": 1,
        "AUDIT_OWNER_NAME": "User Name",
        "AUDIT_OWNER_EMAIL": "username@paloaltonetworks.com",
        "AUDIT_ASSET_JSON": "{}",
        "AUDIT_ASSET_NAMES": "",
        "AUDIT_HOSTNAME": "",
        "AUDIT_RESULT": "SUCCESS",
        "AUDIT_REASON": "",
        "AUDIT_DESCRIPTION": "",
        "AUDIT_ENTITY": "AUTH",
        "AUDIT_ENTITY_SUBTYPE": "Login",
        "AUDIT_SESSION_ID": 382303947890,
        "AUDIT_CASE_ID": 473829372,
        "AUDIT_INSERT_TIME": 1565074114053,
        "AUDIT_SEVERITY": "SEV_020_LOW",
        "AUDIT_LINK": null,
        "AUDIT_SOURCE_IP": "31.174.156.148",
        "AUDIT_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
        "AUDIT_USER_ROLES": [ "Account Admin" ],
        "AUDIT_ADDITIONAL_INFORMATION": {
          "endpoint_names": [ "WIN-fgo6762G" ],
          "endpoint_count": 1
        }
      }
    ]
  }
}
Request
Body
optional
To retrieve all of the results, you need to iterate over the total_count in increments of 100 using search_from and search_to fields in the request.
Example: {"request_data":{"search_from":0,"search_to":100,"sort":{"field":"timestamp","keyword":"asc"}}}
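The paging loop the two sentences above describe, together with the filter semantics documented further down (AND-combined filters; gte/lte on timestamp take an integer of epoch milliseconds), as an added example that is not Palo Alto Networks' code. The HTTP transport is an injected `post` callable, so the block runs offline against a constructed fake server and a constructed 250-item sample; the "FAILURE" result string in the sample is made up for the example, only "SUCCESS" appears on this page.

```python
# Added example, not Palo Alto Networks' code; `post` (request body -> parsed reply) is injected so it runs offline.
from typing import Callable, Iterator, List

PAGE_SIZE = 100  # documented maximum result set size per request

def build_request(search_from, search_to, filters=None, sort=None) -> dict:
    request_data = {"search_from": search_from, "search_to": search_to}
    if filters:  # the server ANDs every filter; OR is not supported
        request_data["filters"] = filters
    if sort:
        request_data["sort"] = sort
    return {"request_data": request_data}

def timestamp_window(start_ms: int, end_ms: int) -> List[dict]:
    """gte/lte on timestamp take an integer of epoch milliseconds, not an array."""
    return [{"field": "timestamp", "operator": "gte", "value": start_ms},
            {"field": "timestamp", "operator": "lte", "value": end_ms}]

def iterate_audit_logs(post: Callable[[dict], dict], filters=None, sort=None) -> Iterator[dict]:
    """Walk total_count in 100-item windows; advance by items actually returned and
    stop on an empty page, so a short page causes neither gaps nor an endless loop."""
    search_from = 0
    while True:
        reply = post(build_request(search_from, search_from + PAGE_SIZE, filters, sort))["reply"]
        data = reply.get("data") or []
        yield from data
        search_from += len(data)
        if not data or search_from >= reply.get("total_count", 0):
            break

def failed_logins_by_ip(items) -> dict:  # detection use: non-SUCCESS AUTH events per source IP
    counts: dict = {}
    for item in items:
        if item.get("AUDIT_ENTITY") == "AUTH" and item.get("AUDIT_RESULT") != "SUCCESS":
            counts[item["AUDIT_SOURCE_IP"]] = counts.get(item["AUDIT_SOURCE_IP"], 0) + 1
    return counts

def make_fake_server(items: List[dict]) -> Callable[[dict], dict]:
    """Constructed stand-in for the endpoint: honours search_from/search_to and the cap."""
    def post(body: dict) -> dict:
        rd = body["request_data"]
        start, end = rd.get("search_from", 0), rd.get("search_to", PAGE_SIZE)
        page = items[start:min(end, start + PAGE_SIZE)]
        return {"reply": {"total_count": len(items), "result_count": len(page), "data": page}}
    return post

# Constructed sample: 250 AUTH events, every 7th a failure, spread over three test IPs.
SAMPLE_ITEMS = [{"AUDIT_ID": i, "AUDIT_ENTITY": "AUTH", "AUDIT_RESULT": "SUCCESS" if i % 7 else "FAILURE",
                 "AUDIT_SOURCE_IP": f"198.51.100.{i % 3}"} for i in range(250)]
```

Against the real tenant, `post` would send the body to the URL in the curl example with the tenant's API-key headers, which this page does not list.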
request_data
optional
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
Array of filter fields.
field
required
String (Enum)

Filter is based on the following keywords:

  • email: User's email address.
  • type: Type of audit log.
  • sub_type: Subtype of audit log.
  • result: Result type.
  • timestamp: Log timestamp.
Allowed values:
email
type
sub_type
result
timestamp
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords and values are:

  • in
      ◦ email, type, sub_type, result: List of strings
  • gte / lte
      ◦ timestamp: Integer in timestamp epoch milliseconds
Allowed values:
in
gte
lte
value
required
Array of strings

Value that this filter must match.

  • timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • All other fields require a string value. In the case of in operator, the value is an array.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want management logs returned. Management logs are returned as a zero-based list. Any log indexed lower than this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want management logs returned. Logs in the management log list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all logs to the end of the list.
sort
optional
Identifies the sort order for the result set. By default, results are sorted by creation time in descending order (desc).
field
required
String (Enum)
The field you want to sort by.
Allowed values:
type
sub-type
result
keyword
required
String (Enum)
Whether to sort in ascending or descending order.
Allowed values:
asc
desc
Responses

Successful response

Body
reply
optional
JSON object containing the query result.
total_count
optional
Integer
Total number of results matching this filter, without paging.
result_count
optional
Integer
Number of returned items.
data
optional
Array
List of audit items.
AUDIT_ID
optional
Integer
AUDIT_OWNER_NAME
optional
String
AUDIT_OWNER_EMAIL
optional
String
AUDIT_ASSET_JSON
optional
String
AUDIT_ASSET_NAMES
optional
String
AUDIT_HOSTNAME
optional
String
AUDIT_RESULT
optional
String
AUDIT_REASON
optional
String
AUDIT_DESCRIPTION
optional
String
AUDIT_ENTITY
optional
String (Enum)
Allowed values:
LIVE_TERMINAL
RULES
RULES_EXCEPTIONS
AUTH
RESPONSE
INCIDENT_MANAGEMENT
ALERT_MANAGEMENT
INCIDENT_TIMELINE_EVENT
ENDPOINT_MANAGEMENT
ENDPOINT_GROUPS
ALERT_WHITELIST
PUBLIC_API
DISTRIBUTIONS
STARRED_INCIDENTS
POLICY_PROFILES
DEVICE_CONTROL_PROFILES
DEVICE_CONTROL_POLICY
PROTECTION_PROFILES
DEVICE_CONTROL_PROFILE
HOST_FIREWALL_PROFILE
HOST_DISK_ENCRYPTION_PROFILE
POLICY_RULES
PROTECTION_POLICY
DEVICE_CONTROL_TEMP_EXCEPTIONS
DEVICE_CONTROL_GLOBAL_EXCEPTIONS
DEVICE_CONTROL_CUSTOM_DEVICE
GLOBAL_EXCEPTIONS
MSSP
REPORTING
DASHBOARD
BROKER_API
BROKER_VM
MTH
MDR
ALERT_NOTIFICATIONS
INTEGRATIONS
QUERY
SCRIPT_EXECUTION
ALERT_RULES
COLLECTION
API_KEY
EDL
VA_RESCAN_ENDPOINT
HI_RESCAN_ENDPOINT
REMEDIATION
INGEST_DATA
LICENSING
AGENT_CONFIGURATION
PERMISSIONS
SCORING_RULES
LAYOUT_RULES
PLAYBOOK_TRIGGERS
FEATURED_ALERT_FIELDS
SYSTEM
TENANT_TAKEOVER
SCOUTER_POLICY
SCOUTER_PROFILE
SCOUTER_GROUPS
ALLOWED_DOMAINS
QUERY_LIBRARY
TENANT_CONFIGURATION
SCOUTER_CONFIGURATION
HOST_FIREWALL
XIF
XDM
ACTION_CENTER
XCLOUD_INTEGRATION
DATASETS
XSOAR
SECURITY_SETTINGS
ALERT_EXCLUSION
INDICATOR_RULES
EVENT_FORWARDING
ASSET_INVENTORY
SERVER_SETTINGS
ASSET_ROLES
CUSTOM_FIELDS
AUTOMATION_RULES
AGENT_EXCEPTION_RULES
REMEDIATION_PATH_RULES
AUDIT_ENTITY_SUBTYPE
optional
String
AUDIT_SESSION_ID
optional
Integer
AUDIT_CASE_ID
optional
Integer
AUDIT_INSERT_TIME
optional
Integer
AUDIT_SEVERITY
optional
String
AUDIT_LINK
optional
String
AUDIT_SOURCE_IP
optional
String
AUDIT_USER_AGENT
optional
String
AUDIT_USER_ROLES
optional
Array of strings
AUDIT_ADDITIONAL_INFORMATION
optional
endpoint_names
optional
Array of strings
endpoint_count
optional
Integer

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.