SaaS Security
Log Events API
Learn about each example response and the available response fields for log events retrieved by an API client for Data Security.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Data Security license: |
A registered API client on Data Security can long poll the log events endpoint to retrieve events as they occur.

You can retrieve the following log events:

- Activity Monitoring (log_type activity_monitoring)
- Incidents (log_type incident)
- Remediation (log_type remediation)
- Policy Violation (log_type policy_violation)
- Admin Audit (log_type admin_audit)

All requests must use the region-specific host. The examples below use the AMER region.
Get Log Events
A GET request to the /api/v1/log_events endpoint with the api_access scope is used to access the client's event stream. One event is returned for each call, or nothing when there is a Request Timeout.
Example Request
```
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
```
Example Request Body
```
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com
```
Request Timeout
Requests time out after 20 seconds and an HTTP response with code 204 is returned. After receiving the response, you can initiate a new request.
Example Request
```
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
```
Example Request Body
```
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com
```
Example Response
```
HTTP/1.1 204 No Content
Content-Type: application/json; charset=utf-8
x-response-time: 1019ms
```
There is no response body in the response of a request timeout.
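The long-poll loop described above, with the 204 request timeout handled by simply polling again, as an added Python example; this is not code from the vendor documentation. It assumes the AMER host and the /api/v1/log_events endpoint shown on this page and a token issued for the api_access scope. The environment variable name SAAS_SECURITY_TOKEN, the scripted_transport helper and all function names are this example's own choices.

```python
"""Long-poll the Data Security log events endpoint (added example).

Not code from the vendor documentation. Assumes the AMER host and the
/api/v1/log_events endpoint documented on this page. The bearer token is read
from the environment variable SAAS_SECURITY_TOKEN (a name chosen for this
example) rather than placed on the command line, where a process listing
would expose it.
"""
import json
import os
import urllib.error
import urllib.request

LOG_EVENTS_URL = "https://api.aperture.paloaltonetworks.com/api/v1/log_events"
# The server ends an idle long poll after 20 s with a 204. The client-side
# socket timeout is set a little longer so the client never gives up first.
CLIENT_TIMEOUT_SECONDS = 25


def http_transport(url, headers):
    """Default transport: one GET via urllib, returning (status, body bytes).
    Non-2xx statuses are returned rather than raised so the caller decides."""
    request = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=CLIENT_TIMEOUT_SECONDS) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def scripted_transport(responses):
    """Offline stand-in for http_transport (constructed for this example):
    replays a list of (status, body) pairs in order."""
    queue = list(responses)

    def transport(url, headers):
        # Every call must carry the bearer token the endpoint requires.
        assert headers.get("Authorization", "").startswith("Bearer ")
        return queue.pop(0)
    return transport


def poll_once(token, transport=http_transport):
    """One long-poll call. Returns the event dict, or None on the documented
    204 request timeout (the caller simply polls again)."""
    if not token:
        raise ValueError("empty bearer token")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, body = transport(LOG_EVENTS_URL, headers)
    if status == 204:
        return None
    if status == 200:
        event = json.loads(body)
        if not isinstance(event, dict) or "log_type" not in event:
            raise ValueError("response is not a log event object")
        return event
    if status in (401, 403):
        raise PermissionError(f"token rejected with HTTP {status}")
    raise RuntimeError(f"unexpected HTTP {status} from log events endpoint")


def poll_events(token, transport=http_transport, max_polls=None):
    """Yield events indefinitely (or for at most max_polls calls), skipping
    the empty 204 responses that an idle stream produces."""
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        event = poll_once(token, transport)
        if event is not None:
            yield event


if __name__ == "__main__":
    for ev in poll_events(os.environ["SAAS_SECURITY_TOKEN"]):
        print(ev["log_type"], ev.get("timestamp"), ev.get("item_name"))
```

Because each call returns at most one event, a consumer that stops polling falls behind the stream; run the loop continuously and treat a 204 as normal idle time, not as an error.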
Activity Monitoring
Example Response
```
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:59 GMT
Content-Length: 361

{
  "log_type" : "activity_monitoring",
  "item_type" : "File",
  "item_name" : "My File",
  "user" : "John Smith",
  "source_ip" : "10.10.10.10",
  "location" : "Somewhere, USA",
  "action" : "delete",
  "target_name" : null,
  "target_type" : null,
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:58.961Z"
}
```
Response Fields
| Path | Type | Description |
|---|---|---|
| log_type | String | Event type. |
| item_type | String | Item type (File, Folder, or User). |
| item_name | String | Name of the file, folder, or user associated with the event. |
| item_unique_id | String | Unique ID number for an asset's related asset. |
| user | String | Cloud app user that performed the action. |
| source_ip | String | Original session source IP address. |
| location | String | Location of the cloud app user that performed the event. |
| action | String | Action performed. |
| target_name | Null | Target name. |
| target_type | Null | Target type. |
| serial | String | Serial number of the organization using the service (tenant). |
| cloud_app_instance | String | Cloud app name (not cloud app type). |
| timestamp | String | ISO8601 timestamp to show when the event occurred. |
Incidents
Example Response
```
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:58 GMT
Content-Length: 520

{
  "log_type": "incident",
  "severity": 1.0,
  "item_type": "File",
  "item_name": "helloworld.java",
  "asset_id": "5e9e38823cedb43cb015b460",
  "item_owner": "Admin User",
  "container_name": null,
  "item_creator": "Admin User",
  "exposure": "COMPANY",
  "occurrences_by_rule": null,
  "item_owner_email": "owner@emaildomain.com",
  "item_creator_email": "owner@emaildomain.com",
  "serial": null,
  "cloud_app_instance": "Office 365 8",
  "timestamp": "2020-05-08T23:50:55Z",
  "incident_id": "5eb5ed492021c32b37588a6c",
  "policy_rule_name": "java",
  "incident_category": null,
  "incident_owner": null,
  "collaborators": "",
  "datetime_edited": "2020-05-08T23:50:55Z",
  "item_cloud_url": "https://www.sharepoint.com/sites/site/Shared%20Documents/foldername/helloworld.java",
  "item_owner_group": "O365_1_all",
  "item_sha256": "4953946b0bbcd10d872d09561bf0f0988e186b625e4af65c64691adf5af279d4",
  "item_size": 1335,
  "item_verdict": "not available"
}
```
Response Fields
| Path | Type | Description |
|---|---|---|
| log_type | String | Event type. |
| severity | Number | Incident severity. Values are 0 to 5. |
| item_type | String | Item type (File, Folder, or User). |
| item_name | String | Name of the file, folder, email subject, or user associated with the event. |
| item_unique_id | String | Unique ID number for an asset's related asset. |
| asset_id | String | Unique ID number for the asset identified as a risk. |
| item_owner | String | User who owns the asset identified as a risk. |
| container_name | String | Value of bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps. |
| item_creator | String | User who created the asset identified as a risk. |
| exposure | String | Exposure level (Public, External, Company, or Internal). |
| occurrences_by_rule | Null | Value is null. |
| item_owner_email | String | Email address of the item owner. |
| item_creator_email | String | Email address of the item creator. |
| serial | String | Serial number of the organization using the service (tenant). |
| cloud_app_instance | String | Cloud app name (not cloud app type). |
| timestamp | String | ISO8601 timestamp to show when the event occurred. |
| incident_id | String | Unique ID number for the incident. |
| policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched. |
| incident_category | String | Category of the incident. For example, Personal or Business Justified. |
| incident_owner | String | Administrator assigned to the incident. |
| collaborators | String | List of collaborators for a file, or recipients of an email. |
| datetime_edited | String | Last time the file was edited. |
| item_cloud_url | String | File URL associated with the incident and used to download or view the asset. |
| item_owner_group | String | AD groups to which the asset owner belongs. |
Remediation
Example Response
```
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:56 GMT
Content-Length: 468

{
  "log_type" : "remediation",
  "item_type" : "File",
  "item_name" : "My File",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "container_name": "test-container",
  "action_taken" : "quarantine",
  "action_taken_by" : "John Smith",
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:55.581Z",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "policy_rule_name" : "PCI Policy",
  "item_owner_email": "owner@email-domain.com",
  "item_creator_email": "owner@email-domain.com"
}
```
Response Fields
| Path | Type | Description |
|---|---|---|
| log_type | String | Event type. |
| item_type | String | Item type (File, Folder, or User). |
| item_name | String | Name of the file, folder, or user associated with the event. |
| serial | String | Serial number of the organization using the service (tenant). |
| cloud_app_instance | String | Cloud app name (not cloud app type). |
| timestamp | String | ISO8601 timestamp to show when the remediation occurred. |
| incident_id | String | Unique ID number for the remediated incident (risk). |
| asset_id | String | Unique ID number for the remediated asset. |
| item_owner | String | User who owns the remediated asset. |
| container_name | String | Value of bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps. |
| item_creator | String | User who created the remediated asset. |
| policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched. |
| action_taken | String | Action taken to remediate (Admin Quarantine, UserQuarantine, or Remove Public Links). |
| action_taken_by | String | Cloud app user who took the remediation action. For automated remediation, the value is Aperture. |
| item_owner_email | String | Email address of the item owner. |
| item_creator_email | String | Email address of the item creator. |
Policy Violation
Example Response
```
HTTP/1.1 200 OK

{
  "log_type" : "policy_violation",
  "severity" : 3.0,
  "item_type" : "File",
  "item_name" : "My File",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "action_taken" : "download",
  "action_taken_by" : "John Smith",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "serial" : "serial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-01-06T19:04:06Z",
  "policy_rule_name" : "Policy Rule",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "item_owner_email": "owner@email-domain.com",
  "item_creator_email": "owner@email-domain.com"
}
```
Response Fields
| Path | Type | Description |
|---|---|---|
| log_type | String | Event type. |
| item_type | String | Item type (File, Folder, or User). |
| item_name | String | Name of the file, folder, or user associated with the event. |
| serial | String | Serial number of the organization using the service (tenant). |
| cloud_app_instance | String | Cloud app name (not cloud app type). |
| timestamp | String | ISO8601 timestamp to show when the policy violation occurred. |
| incident_id | String | Unique ID number for the policy violation incident (risk). |
| asset_id | String | Unique ID number for the asset which violated the policy. |
| item_owner | String | User who owns the asset which violated the policy. |
| item_creator | String | User who created the asset which violated the policy. |
| policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched. |
| action_taken | String | Action taken to fix the policy violation. For example, Alerted Admin, Removed PublicLinks, Quarantine, or EmailOwner. |
| action_taken_by | String | Cloud app user who took the action. For automated remediation, the value is Aperture. |
| severity | Number | Incident severity. Values are 0 to 5. |
| item_owner_email | String | Email address of the item owner. This value is null for now. |
| item_creator_email | String | Email address of the item creator. This value is null for now. |
Admin Audit
Example Response
```
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 380
x-response-time: 297ms

{
  "log_type" : "admin_audit",
  "admin_id" : "admin id",
  "admin_role" : "admin role",
  "ip" : "ip address",
  "event_type" : "event type",
  "item_type" : "File",
  "item_name" : "My File",
  "field" : "field",
  "action" : "action",
  "resource_value_old" : "old val",
  "resource_value_new" : "new val",
  "timestamp" : "2017-04-06T21:35:10.025Z",
  "serial" : "mySerial"
}
```
Response Fields
| Path | Type | Description |
|---|---|---|
| log_type | String | Event type. |
| timestamp | String | ISO8601 timestamp to show when the event occurred. |
| serial | String | Serial number of the organization using the service (tenant). |
| admin_id | String | Email account associated with the administrative user. |
| admin_role | String | Role assigned to the administrative user: super_admin, admin, limited_admin, read_only |
| ip | String | IP address of the administrative user who performed the action. |
| event_type | String | Type of configuration change event: settings, policy, remediationlogin |
| item_type | String | Type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, general_settings |
| item_name | String | Name of the item that changed in the configuration. |
| field | String | Name of the field associated with the configuration change. |
| action | String | Configuration change activity that occurred: create, edit, delete, login, logout |
| resource_value_old | String | Value before the configuration change occurred. |
| resource_value_new | String | Value after the configuration change occurred. |
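A consumer that checks each retrieved event against the five field tables on this page (the fields each log_type carries, severity in the documented 0 to 5 range, ISO8601 timestamps with or without fractional seconds, the admin_audit role and action enumerations) and flattens it into one record shape suitable for a SIEM, as an added Python example; this is not the vendor's code. The sample events are constructed from the example responses above (the admin_audit sample uses concrete values in place of the page's placeholders); the flat record layout, the per-type actor mapping and all function names are this example's own choices.

```python
"""Validate and flatten SaaS Security log events by log_type (added example).

Not code from the vendor documentation. Required fields and enumerations are
taken from the response-field tables on this page; the flattened record
layout, the per-type actor mapping and the function names are choices made
for this example.
"""
from datetime import datetime

# Present on every event type according to the tables above.
COMMON_FIELDS = ("log_type", "timestamp", "serial")
# Per-type fields a downstream consumer relies on, from each table.
REQUIRED_BY_TYPE = {
    "activity_monitoring": ("item_type", "item_name", "user", "source_ip",
                            "action", "cloud_app_instance"),
    "incident": ("severity", "item_type", "item_name", "asset_id",
                 "item_owner", "exposure", "incident_id", "policy_rule_name"),
    "remediation": ("item_type", "item_name", "asset_id", "action_taken",
                    "action_taken_by", "incident_id", "policy_rule_name"),
    "policy_violation": ("severity", "item_type", "item_name", "asset_id",
                         "action_taken", "action_taken_by", "incident_id",
                         "policy_rule_name"),
    "admin_audit": ("admin_id", "admin_role", "ip", "event_type",
                    "item_type", "action"),
}
# Which field names the acting party differs per type; this mapping is an
# example choice (incident events have no actor, so the owner is used).
ACTOR_FIELD = {"activity_monitoring": "user", "incident": "item_owner",
               "remediation": "action_taken_by",
               "policy_violation": "action_taken_by", "admin_audit": "admin_id"}
ADMIN_ROLES = {"super_admin", "admin", "limited_admin", "read_only"}
ADMIN_ACTIONS = {"create", "edit", "delete", "login", "logout"}

# Constructed samples: the first two are copied from the example responses on
# this page; the admin_audit one uses concrete values instead of placeholders.
SAMPLE_ACTIVITY = {
    "log_type": "activity_monitoring", "item_type": "File", "item_name": "My File",
    "user": "John Smith", "source_ip": "10.10.10.10", "location": "Somewhere, USA",
    "action": "delete", "target_name": None, "target_type": None, "serial": "mySerial",
    "cloud_app_instance": "My Cloud App", "timestamp": "2017-02-17T00:18:58.961Z"}
SAMPLE_INCIDENT = {
    "log_type": "incident", "severity": 1.0, "item_type": "File",
    "item_name": "helloworld.java", "asset_id": "5e9e38823cedb43cb015b460",
    "item_owner": "Admin User", "exposure": "COMPANY", "serial": None,
    "cloud_app_instance": "Office 365 8", "timestamp": "2020-05-08T23:50:55Z",
    "incident_id": "5eb5ed492021c32b37588a6c", "policy_rule_name": "java"}
SAMPLE_ADMIN = {
    "log_type": "admin_audit", "admin_id": "admin@example.com", "admin_role": "admin",
    "ip": "203.0.113.7", "event_type": "settings", "item_type": "settings",
    "item_name": "My File", "field": "field", "action": "edit",
    "resource_value_old": "old val", "resource_value_new": "new val",
    "timestamp": "2017-04-06T21:35:10.025Z", "serial": "mySerial"}


def parse_timestamp(value):
    """Parse the ISO8601 'Z' timestamps the API emits, with or without
    fractional seconds, into an aware UTC datetime."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"timestamp not ISO8601 UTC: {value!r}")
    return datetime.fromisoformat(value[:-1] + "+00:00")


def validate_event(event):
    """Return a list of problems; an empty list means the event is well-formed."""
    problems = []
    log_type = event.get("log_type")
    if log_type not in REQUIRED_BY_TYPE:
        return [f"unknown log_type {log_type!r}"]
    for field in COMMON_FIELDS + REQUIRED_BY_TYPE[log_type]:
        if field not in event:
            problems.append(f"missing {field}")
    try:
        parse_timestamp(event.get("timestamp"))
    except ValueError as err:
        problems.append(str(err))
    if log_type in ("incident", "policy_violation") and "severity" in event:
        sev = event["severity"]
        if not isinstance(sev, (int, float)) or not 0 <= sev <= 5:
            problems.append(f"severity out of range: {sev!r}")
    if log_type == "admin_audit":
        if event.get("admin_role") not in ADMIN_ROLES:
            problems.append(f"unexpected admin_role {event.get('admin_role')!r}")
        if event.get("action") not in ADMIN_ACTIONS:
            problems.append(f"unexpected action {event.get('action')!r}")
    return problems


def flatten_event(event):
    """Flatten a validated event into one record shape. Nulls are kept, so a
    null serial (as in the incidents example) stays distinguishable from an
    absent key; source_ip falls back to the admin_audit ip field."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    ts = parse_timestamp(event["timestamp"])
    return {
        "log_type": event["log_type"],
        "time_utc": ts.isoformat(),
        "epoch_ms": int(ts.timestamp()) * 1000 + ts.microsecond // 1000,
        "tenant_serial": event.get("serial"),
        "actor": event.get(ACTOR_FIELD[event["log_type"]]),
        "object": event.get("item_name"),
        "severity": event.get("severity"),
        "incident_id": event.get("incident_id"),
        "source_ip": event.get("source_ip") or event.get("ip"),
    }
```

Validation is reported as a list rather than a single exception so a collector can log every defect of a rejected event at once; an event of an unknown log_type is rejected rather than silently flattened, which is the behaviour to revisit when the vendor adds a type.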