Log Events API

Learn about each example response and available response fields for log events retrieved by an API client for Prisma SaaS.
A registered API client on Prisma SaaS can long poll the log events endpoint to retrieve events as they occur. There are five types of log events available:

Get Events

A GET request to the /api/v1/log_events endpoint with the api_access scope is used to access the client's event stream. One event is returned for each call, or nothing when there is a Request Timeout.
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com

Activity Monitoring

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:59 GMT
Content-Length: 361

{
  "log_type" : "activity_monitoring",
  "item_type" : "File",
  "item_name" : "My File",
  "user" : "John Smith",
  "source_ip" : "10.10.10.10",
  "location" : "Somewhere, USA",
  "action" : "delete",
  "target_name" : null,
  "target_type" : null,
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:58.961Z"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
item_unique_id | String | Unique ID number for an asset's related asset.
user | String | Cloud app user that performed the action.
source_ip | String | Original session source IP address.
location | String | Location of the cloud app user that performed the event.
action | String | Action performed.
target_name | Null | Target name.
target_type | Null | Target type.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO8601 timestamp to show when the event occurred.

Incidents

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:58 GMT
Content-Length: 520

{
  "log_type": "incident",
  "severity": 1.0,
  "item_type": "File",
  "item_name": "helloworld.java",
  "asset_id": "5e9e38823cedb43cb015b460",
  "item_owner": "Admin User",
  "container_name": null,
  "item_creator": "Admin User",
  "exposure": "COMPANY",
  "occurrences_by_rule": null,
  "item_owner_email": "owner@emaildomain.com",
  "item_creator_email": "owner@emaildomain.com",
  "serial": null,
  "cloud_app_instance": "Office 365 8",
  "timestamp": "2020-05-08T23:50:55Z",
  "incident_id": "5eb5ed492021c32b37588a6c",
  "policy_rule_name": "java",
  "incident_category": null,
  "incident_owner": null,
  "collaborators": "",
  "datetime_edited": "2020-05-08T23:50:55Z",
  "item_cloud_url": "https://www.sharepoint.com/sites/site/Shared%20Documents/foldername/helloworld.java",
  "item_owner_group": "O365_1_all",
  "item_sha256": "4953946b0bbcd10d872d09561bf0f0988e186b625e4af65c64691adf5af279d4",
  "item_size": 1335,
  "item_verdict": "not available"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
severity | Number | Incident severity. Values are 0 to 5.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, email subject, or user associated with the event.
item_unique_id | String | Unique ID number for an asset's related asset.
asset_id | String | Unique ID number for the asset identified as a risk.
item_owner | String | User who owns the asset identified as a risk.
container_name | String | Value of bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps.
item_creator | String | User who created the asset identified as a risk.
exposure | String | Exposure level (Public, External, Company, or Internal).
occurrences_by_rule | Number | Number of times the asset violated the policy.
item_owner_email | String | Email address of the item owner.
item_creator_email | String | Email address of the item creator.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO8601 timestamp to show when the event occurred.
incident_id | String | Unique ID number for the incident.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
incident_category | String | Category of the incident. For example, Personal or Business Justified.
incident_owner | String | Administrator assigned to the incident.
collaborators | String | List of collaborators for the file, or recipients of the email.
datetime_edited | String | Last time the file was edited.
item_cloud_url | String | File URL associated with the incident and used to download or view the asset.
item_owner_group | String | AD groups to which the asset owner belongs.
item_sha256 | String | SHA-256 hash of the file, as reported by WildFire.
item_size | String | Size of the file as reported by WildFire.
item_verdict | String | Verdict as reported by WildFire: malware, benign, or not available.

Remediation

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:56 GMT
Content-Length: 468

{
  "log_type" : "remediation",
  "item_type" : "File",
  "item_name" : "My File",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "container_name" : "test-container",
  "action_taken" : "quarantine",
  "action_taken_by" : "John Smith",
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:55.581Z",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "policy_rule_name" : "PCI Policy",
  "item_owner_email" : "owner@email-domain.com",
  "item_creator_email" : "owner@email-domain.com"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO8601 timestamp to show when the remediation occurred.
incident_id | String | Unique ID number for the remediated incident (risk).
asset_id | String | Unique ID number for the remediated asset.
item_owner | String | User who owns the remediated asset.
container_name | String | Value of bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps.
item_creator | String | User who created the remediated asset.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
action_taken | String | Action taken to remediate (Admin Quarantine, UserQuarantine, or Remove Public Links).
action_taken_by | String | Cloud app user who took the remediation action. For automated remediation, the value is Aperture.
item_owner_email | String | Email address of the item owner.
item_creator_email | String | Email address of the item creator.

Policy Violation

Example Response
HTTP/1.1 200 OK

{
  "log_type" : "policy_violation",
  "severity" : 3.0,
  "item_type" : "File",
  "item_name" : "My File",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "action_taken" : "download",
  "action_taken_by" : "John Smith",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "serial" : "serial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-01-06T19:04:06Z",
  "policy_rule_name" : "Policy Rule",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "item_owner_email" : "owner@email-domain.com",
  "item_creator_email" : "owner@email-domain.com"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO8601 timestamp to show when the policy violation occurred.
incident_id | String | Unique ID number for the policy violation incident (risk).
asset_id | String | Unique ID number for the asset which violated the policy.
item_owner | String | User who owns the asset which violated the policy.
item_creator | String | User who created the asset which violated the policy.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
action_taken | String | Action taken to fix the policy violation. For example, Alerted Admin, Removed PublicLinks, Quarantine, or EmailOwner.
action_taken_by | String | Cloud app user who took the action. For automated remediation, the value is Aperture.
severity | Number | Incident severity. Values are 0 to 5.
item_owner_email | String | Email address of the item owner. This value is null for now.
item_creator_email | String | Email address of the item creator. This value is null for now.

Admin Audit

Example Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 380
x-response-time: 297ms

{
  "log_type" : "admin_audit",
  "admin_id" : "admin id",
  "admin_role" : "admin role",
  "ip" : "ip address",
  "event_type" : "event type",
  "item_type" : "File",
  "item_name" : "My File",
  "field" : "field",
  "action" : "action",
  "resource_value_old" : "old val",
  "resource_value_new" : "new val",
  "timestamp" : "2017-04-06T21:35:10.025Z",
  "serial" : "mySerial"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
timestamp | String | ISO8601 timestamp to show when the event occurred.
serial | String | Serial number of the organization using the service (tenant).
admin_id | String | Email account associated with the administrative user.
admin_role | String | Role assigned to the administrative user: super_admin, admin, limited_admin, or read_only.
ip | String | IP address of the administrative user who performed the action.
event_type | String | Type of configuration change event: settings, policy, remediation, or login.
item_type | String | Type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, or general_settings.
item_name | String | Name of the item that changed in the configuration.
field | String | Name of the field associated with the configuration change.
action | String | Configuration change activity that occurred: create, edit, delete, login, or logout.
resource_value_old | String | Value before the configuration change occurred.
resource_value_new | String | Value after the configuration change occurred.

Request Timeout

Requests time out after 20 seconds, and an HTTP response with status code 204 is returned. After receiving the response, you can initiate a new request.
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com
Example Response
HTTP/1.1 204 No Content
Content-Type: application/json; charset=utf-8
x-response-time: 1019ms
There is no response body in the response of a request timeout.
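The long-poll loop described under Get Events and Request Timeout, as an added example that is not part of the Prisma SaaS documentation or any Palo Alto Networks SDK: one GET against /api/v1/log_events with the bearer token, a 204 treated as the documented timeout (no body, poll again), and each 200 body normalized by its log_type. KEY_FIELDS, needs_attention and its triage thresholds are assumptions of this example, and the sample bodies are constructed from the page's examples.

```python
import json
import urllib.request

ENDPOINT = "https://api.aperture.paloaltonetworks.com/api/v1/log_events"

# Fields worth surfacing for each log_type; the type names are the ones documented on this page.
KEY_FIELDS = {
    "activity_monitoring": ("user", "action", "item_name", "source_ip"),
    "incident": ("severity", "exposure", "item_name", "policy_rule_name", "item_verdict"),
    "remediation": ("action_taken", "action_taken_by", "item_name", "policy_rule_name"),
    "policy_violation": ("severity", "action_taken", "action_taken_by", "policy_rule_name"),
    "admin_audit": ("admin_id", "admin_role", "ip", "event_type", "action", "item_type"),
    "health_metrics": ("dlp_service_status", "wfm_service_status", "core_service_status"),
}

def parse_event(status, body):
    """Normalize one long-poll reply: None on a 204 Request Timeout, a summary dict on 200."""
    if status == 204:  # no body; the caller simply polls again
        return None
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    event = json.loads(body)
    log_type = event.get("log_type")
    if log_type not in KEY_FIELDS:
        raise ValueError(f"unknown log_type {log_type!r}")
    summary = {"log_type": log_type, "timestamp": event.get("timestamp"), "serial": event.get("serial")}
    summary.update({f: event.get(f) for f in KEY_FIELDS[log_type]})
    return summary

def needs_attention(summary):
    """Triage rule with assumed thresholds (not from the API docs): events an analyst reads first."""
    t = summary["log_type"]
    if t == "health_metrics":  # a service that is not "normal" means the feed itself may be unreliable
        return any(summary[k] != "normal" for k in KEY_FIELDS[t])
    if t in ("incident", "policy_violation"):
        return (summary.get("severity") or 0) >= 3 or summary.get("item_verdict") == "malware"
    if t == "admin_audit":  # configuration objects created or deleted by an administrator
        return summary.get("action") in ("create", "delete")
    return False

def poll_once(token):
    """One long-poll call; the server holds the request for up to 20 s before answering 204."""
    req = urllib.request.Request(ENDPOINT, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_event(resp.status, resp.read())

# Constructed sample bodies (modelled on this page's examples) so the parser can be run offline.
SAMPLE_HEALTH = b'{"log_type":"health_metrics","dlp_service_status":"error","wfm_service_status":"normal","core_service_status":"normal","timestamp":"2020-06-30T00:46:50Z"}'
SAMPLE_ACTIVITY = b'{"log_type":"activity_monitoring","user":"John Smith","action":"delete","item_name":"My File","source_ip":"10.10.10.10","serial":"mySerial","timestamp":"2017-02-17T00:18:58.961Z"}'
```

A real client calls poll_once in a loop and, because each call returns at most one event, sleeps only on errors, never after a 204.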

Health Metrics

Example Response
{"log_type":"health_metrics",
"tenant_name":"bzhang",
"dlp_service_status":"error",
"wfm_service_status":"normal",
"core_service_status":"normal",
"timestamp":"2020-06-30T00:46:50Z"}
Response Fields
Path | Type | Description
log_type | String | Event type.
tenant_name | String | Tenant of the organization using the service.
dlp_service_status | String | Status of the DLP (Data Loss Prevention) service. Values are normal, degraded, or error.
wfm_service_status | String | Status of the WildFire cloud service. Values are normal, degraded, or error.
core_service_status | String | Status of the Core service (Elasticsearch). Values are normal, degraded, or error.
timestamp | String | ISO8601 timestamp to show when the event occurred.
