Log Events API

This page describes the example response and the response fields for each type of log event that a registered API client can retrieve from Prisma SaaS.
A registered API client on Prisma SaaS long-polls the log events endpoint to retrieve events as they occur. Five log event types are available, identified by the log_type field of each event: activity_monitoring (Activity Monitoring), incident (Incidents), remediation (Remediation), policy_violation (Policy Violation), and admin_audit (Admin Audit).

Get Events

A GET request to the /api/v1/log_events endpoint, authorized with a bearer token that carries the api_access scope, reads the client's event stream. Each call returns at most one event; if no event arrives within the long-poll window, the request times out with an empty 204 response (see Request Timeout) and the client issues a new request. The sample token below is a signed JWT whose payload names the api_access scope, the tenant, and the client ID; treat a real token as a credential and keep it out of shell history and logs.
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Accept: application/json'
Example HTTP Request
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com

Activity Monitoring

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:59 GMT
Content-Length: 361

{
  "log_type" : "activity_monitoring",
  "item_type" : "File",
  "item_name" : "My File",
  "user" : "John Smith",
  "source_ip" : "10.10.10.10",
  "location" : "Somewhere, USA",
  "action" : "delete",
  "target_name" : null,
  "target_type" : null,
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:58.961Z"
}
Response Fields

Path                 Type    Description
log_type             String  Event type (activity_monitoring)
item_type            String  Item type (File, Folder, or User)
item_name            String  Name of the file, folder, or user associated with the event
user                 String  The cloud app user who performed the action
source_ip            String  Original session source IP address
location             String  Location of the cloud app user who performed the action
action               String  Action performed
target_name          Null    Target name
target_type          Null    Target type
serial               String  Serial number of the organization using the service (tenant)
cloud_app_instance   String  Cloud app name (not cloud app type)
timestamp            String  ISO 8601 timestamp showing when the event occurred

Incidents

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:58 GMT
Content-Length: 520

{
  "log_type" : "incident",
  "item_type" : "File",
  "item_name" : "My File",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "item_owner" : "John Smith",
  "container_name" : "test-container",
  "item_creator" : "John Smith",
  "exposure" : "public",
  "occurrences_by_rule" : 5,
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:58.347Z",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "policy_rule_name" : "PCI Policy",
  "incident_category" : "Testing",
  "incident_owner" : "John Smith",
  "item_owner_email" : "owner@email-domain.com",
  "item_creator_email" : "owner@email-domain.com"
}
Response Fields

Path                 Type    Description
asset_id             String  Unique ID of the asset identified as a risk
cloud_app_instance   String  Cloud app name (not cloud app type)
collaborators        String  List of collaborators for the file, or recipients of the email
container_name       String  Bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets; null for the remaining apps
datetime_edited      String  Last time the file was edited
exposure             String  Exposure level (Public, External, Company, or Internal)
incident_category    String  The category of the incident, for example Personal or Business Justified
incident_id          String  Unique ID of the incident
item_owner           String  The user who owns the asset identified as a risk
item_creator         String  The user who created the asset identified as a risk
item_creator_email   String  Email address of the item creator
item_name            String  Name of the file, folder, email subject, or user associated with the event
incident_owner       String  The administrator assigned to the incident
item_owner_email     String  Email address of the item owner
item_type            String  Item type (File, Folder, or User)
log_type             String  Event type (incident)
occurrences_by_rule  Number  Number of times the asset violated the policy
policy_rule_name     String  The names of one or more policy rules (not policy types) that were matched
serial               String  Serial number of the organization using the service (tenant)
severity             Number  The incident severity, 0 to 5
timestamp            String  ISO 8601 timestamp showing when the event occurred

Remediation

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:56 GMT
Content-Length: 468

{
  "log_type" : "remediation",
  "item_type" : "File",
  "item_name" : "My File",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "container_name" : "test-container",
  "action_taken" : "quarantine",
  "action_taken_by" : "John Smith",
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:55.581Z",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "policy_rule_name" : "PCI Policy",
  "item_owner_email" : "owner@email-domain.com",
  "item_creator_email" : "owner@email-domain.com"
}
Response Fields

Path                 Type    Description
log_type             String  Event type (remediation)
item_type            String  Item type (File, Folder, or User)
item_name            String  Name of the file, folder, or user associated with the event
serial               String  Serial number of the organization using the service (tenant)
cloud_app_instance   String  Cloud app name (not cloud app type)
timestamp            String  ISO 8601 timestamp showing when the remediation occurred
incident_id          String  Unique ID of the remediated incident (risk)
asset_id             String  Unique ID of the remediated asset
item_owner           String  The user who owns the remediated asset
container_name       String  Bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets; null for the remaining apps
item_creator         String  The user who created the remediated asset
policy_rule_name     String  The names of one or more policy rules (not policy types) that were matched
action_taken         String  The action taken to remediate (Admin Quarantine, UserQuarantine, or Remove Public Links)
action_taken_by      String  The cloud app user who took the remediation action; Aperture for automated remediation
item_owner_email     String  Email address of the item owner
item_creator_email   String  Email address of the item creator

Policy Violation

Example Response
HTTP/1.1 200 OK

{
  "log_type" : "policy_violation",
  "severity" : 3.0,
  "item_type" : "File",
  "item_name" : "My File",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "action_taken" : "download",
  "action_taken_by" : "John Smith",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "serial" : "serial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-01-06T19:04:06Z",
  "policy_rule_name" : "Policy Rule",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "item_owner_email" : "owner@email-domain.com",
  "item_creator_email" : "owner@email-domain.com"
}
Response Fields

Path                 Type    Description
log_type             String  Event type (policy_violation)
item_type            String  Item type (File, Folder, or User)
item_name            String  Name of the file, folder, or user associated with the event
serial               String  Serial number of the organization using the service (tenant)
cloud_app_instance   String  Cloud app name (not cloud app type)
timestamp            String  ISO 8601 timestamp showing when the policy violation occurred
incident_id          String  Unique ID of the policy violation incident (risk)
asset_id             String  Unique ID of the asset that violated the policy
item_owner           String  The user who owns the asset that violated the policy
item_creator         String  The user who created the asset that violated the policy
policy_rule_name     String  The names of one or more policy rules (not policy types) that were matched
action_taken         String  Action taken to fix the policy violation, for example Alerted Admin, Removed PublicLinks, Quarantine, or EmailOwner
action_taken_by      String  The cloud app user who took the action; Aperture for automated remediation
severity             Number  The incident severity, 0 to 5
item_owner_email     String  Email address of the item owner; currently always null
item_creator_email   String  Email address of the item creator; currently always null

Admin Audit

Example Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 380
x-response-time: 297ms

{
  "log_type" : "admin_audit",
  "admin_id" : "admin id",
  "admin_role" : "admin role",
  "ip" : "ip address",
  "event_type" : "event type",
  "item_type" : "File",
  "item_name" : "My File",
  "field" : "field",
  "action" : "action",
  "resource_value_old" : "old val",
  "resource_value_new" : "new val",
  "timestamp" : "2017-04-06T21:35:10.025Z",
  "serial" : "mySerial"
}
Response Fields

Path                 Type    Description
log_type             String  Event type (admin_audit)
timestamp            String  ISO 8601 timestamp showing when the event occurred
serial               String  Serial number of the organization using the service (tenant)
admin_id             String  Email account associated with the administrative user
admin_role           String  Role assigned to the administrative user: super_admin, admin, limited_admin, or read_only
ip                   String  IP address of the administrative user who performed the action
event_type           String  Type of configuration change event: settings, policy, remediation, or login
item_type            String  The type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, or general_settings
item_name            String  Name of the item that changed in the configuration
field                String  Name of the field associated with the configuration change
action               String  The configuration change activity that occurred: create, edit, delete, login, or logout
resource_value_old   String  Value before the configuration change occurred
resource_value_new   String  Value after the configuration change occurred
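
The admin_audit stream is the record of who changed the service's own configuration, so it is the first place to look for a tampered policy or a quietly elevated account. The following detection rules are an added example, not code from Prisma SaaS or its documentation. The field names and the documented value sets for admin_role, event_type, item_type and action come from the table above; the rules themselves, the trusted admin networks, the assumed "role" field name in the privilege-escalation rule, and the sample events are constructed for illustration.

```python
"""Detection rules over Prisma SaaS admin_audit events.

Added example; not code from the product or its documentation. Field names
and the documented value sets come from the Admin Audit response table. The
rules, the trusted admin networks, the 'role' field name in rule 2, and the
sample events are constructed assumptions for illustration.
"""
import ipaddress

# Assumption: administrators are expected to sign in only from these ranges.
TRUSTED_ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),  # RFC 5737 documentation range
]
WRITE_ACTIONS = {"create", "edit", "delete"}


def findings(event: dict) -> list[str]:
    """Return the names of the rules an admin_audit event trips (empty if none)."""
    hits: list[str] = []
    if event.get("log_type") != "admin_audit":
        return hits
    role, action = event.get("admin_role"), event.get("action")
    event_type, item_type = event.get("event_type"), event.get("item_type")

    # Rule 1: editing or deleting policy changes what the service will detect at all.
    if event_type == "policy" and action in ("edit", "delete"):
        hits.append("policy_change")
    # Rule 2: a user record edited to super_admin (field name 'role' is an assumption).
    if (item_type == "user" and action == "edit"
            and event.get("field") == "role"
            and event.get("resource_value_new") == "super_admin"):
        hits.append("privilege_escalation")
    # Rule 3: a read_only role recorded performing a write should be impossible.
    if role == "read_only" and action in WRITE_ACTIONS:
        hits.append("read_only_write")
    # Rule 4: login from outside the trusted ranges; ip may be missing or malformed.
    if event_type == "login" and action == "login":
        try:
            addr = ipaddress.ip_address(event.get("ip") or "")
        except ValueError:
            hits.append("login_bad_ip")
        else:
            if not any(addr in net for net in TRUSTED_ADMIN_NETWORKS):
                hits.append("login_untrusted_ip")
    return hits


def scan(events) -> dict[str, list[str]]:
    """Map timestamp -> findings for every event that trips at least one rule."""
    return {e["timestamp"]: f for e in events if (f := findings(e))}


# Constructed sample events, shaped like the page's admin_audit example.
SAMPLE_EVENTS = [
    {"log_type": "admin_audit", "admin_id": "alice@example.com", "admin_role": "admin",
     "ip": "10.1.2.3", "event_type": "login", "item_type": "settings", "item_name": "",
     "field": "", "action": "login", "resource_value_old": "", "resource_value_new": "",
     "timestamp": "2017-04-06T21:00:00.000Z", "serial": "mySerial"},
    {"log_type": "admin_audit", "admin_id": "bob@example.com", "admin_role": "read_only",
     "ip": "198.51.100.7", "event_type": "policy", "item_type": "content_policy",
     "item_name": "PCI Policy", "field": "enabled", "action": "delete",
     "resource_value_old": "true", "resource_value_new": "",
     "timestamp": "2017-04-06T21:05:00.000Z", "serial": "mySerial"},
    {"log_type": "admin_audit", "admin_id": "carol@example.com", "admin_role": "super_admin",
     "ip": "198.51.100.7", "event_type": "login", "item_type": "settings", "item_name": "",
     "field": "", "action": "login", "resource_value_old": "", "resource_value_new": "",
     "timestamp": "2017-04-06T21:10:00.000Z", "serial": "mySerial"},
    {"log_type": "admin_audit", "admin_id": "carol@example.com", "admin_role": "super_admin",
     "ip": "198.51.100.7", "event_type": "settings", "item_type": "user",
     "item_name": "dave@example.com", "field": "role", "action": "edit",
     "resource_value_old": "limited_admin", "resource_value_new": "super_admin",
     "timestamp": "2017-04-06T21:11:00.000Z", "serial": "mySerial"},
    {"log_type": "activity_monitoring", "timestamp": "2017-04-06T21:12:00.000Z"},
]
```

Feeding SAMPLE_EVENTS through scan() flags the policy deletion (which also trips the read_only write rule), the login from outside the trusted ranges, and the edit that grants super_admin; the admin login from 10.1.2.3 and the non-audit event produce nothing. Rule 4 deliberately treats an absent or unparseable ip as a finding rather than skipping it, since a gap in that field is itself worth a look.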

Request Timeout

Requests time out after 20 seconds, and the service returns an HTTP 204 response with no body. A 204 is the normal idle result of long polling, not an error: after receiving it, issue a new request.
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Accept: application/json'
Example HTTP Request
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com
Example Response
HTTP/1.1 204 No Content
Content-Type: application/json; charset=utf-8
x-response-time: 1019ms

A request timeout response has no body.
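
A client that consumes this endpoint has to handle both halves of the contract described under Get Events and Request Timeout: a 200 carrying exactly one event, and a bodiless 204 that simply means the 20 second window elapsed. The long-polling client below is an added example, not code from Prisma SaaS or its documentation. The URL, the Authorization and Accept headers, the two status codes and the field names come from this page; the 30 second socket timeout, the retry delay on other statuses, the per-type required-field sets and the scripted responses are assumptions, and the transport is injected so the example runs offline.

```python
"""Long-polling client for the Prisma SaaS /api/v1/log_events endpoint.

Added example; not code from the product or its documentation. The URL,
headers, status codes (200 = one event, 204 = long-poll timeout) and field
names come from the page. The transport is injected so the example runs
offline against constructed responses; the socket timeout, the retry delay
and the per-type required-field sets are assumptions.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Iterator, Optional, Sequence

API_URL = "https://api.aperture.paloaltonetworks.com/api/v1/log_events"

# Fields every event carries, plus what each log_type must carry.
# Assumption: derived from the page's examples, not from a published schema.
COMMON_FIELDS = {"log_type", "serial", "timestamp"}
REQUIRED_FIELDS = {
    "activity_monitoring": {"item_type", "item_name", "user", "source_ip", "action"},
    "incident": {"incident_id", "asset_id", "exposure", "policy_rule_name"},
    "remediation": {"incident_id", "asset_id", "action_taken", "action_taken_by"},
    "policy_violation": {"incident_id", "asset_id", "policy_rule_name", "action_taken"},
    "admin_audit": {"admin_id", "admin_role", "ip", "event_type", "action"},
}


def http_fetch(token: str, timeout: float = 30.0) -> tuple[int, bytes]:
    """One real long-poll request. The socket timeout must exceed the server's
    20 s long-poll window, or the client gives up before the 204 arrives."""
    req = urllib.request.Request(
        API_URL, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status code
        return err.code, err.read()


def parse_event(status: int, body: bytes) -> Optional[dict]:
    """200 -> validated event dict; 204 -> None (window elapsed, no event).
    Other statuses raise RuntimeError so the caller backs off instead of
    spinning; an unknown or incomplete event raises ValueError."""
    if status == 204:
        return None
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    event = json.loads(body)
    log_type = event.get("log_type")
    if log_type not in REQUIRED_FIELDS:
        raise ValueError(f"unknown log_type {log_type!r}")
    missing = (COMMON_FIELDS | REQUIRED_FIELDS[log_type]) - event.keys()
    if missing:
        raise ValueError(f"{log_type} event missing {sorted(missing)}")
    return event


def poll(fetch: Callable[[], tuple[int, bytes]], max_calls: int,
         retry_delay: float = 0.0) -> Iterator[dict]:
    """Issue up to max_calls long-poll requests and yield each event. A 204 is
    re-polled at once (the normal idle case); a transport failure sleeps
    retry_delay first so a dead backend is not hammered in a tight loop."""
    for _ in range(max_calls):
        status, body = fetch()
        try:
            event = parse_event(status, body)
        except RuntimeError:
            time.sleep(retry_delay)
            continue
        if event is not None:
            yield event


def replay(responses: Sequence[tuple[int, bytes]]) -> Callable[[], tuple[int, bytes]]:
    """Offline transport that hands back scripted responses in order."""
    queue = list(responses)
    return lambda: queue.pop(0)


# Constructed responses modelled on the page's examples: a timeout, an
# activity_monitoring event, a transient server error, and an incident.
SAMPLE_RESPONSES = [
    (204, b""),
    (200, json.dumps({
        "log_type": "activity_monitoring", "item_type": "File", "item_name": "My File",
        "user": "John Smith", "source_ip": "10.10.10.10", "location": "Somewhere, USA",
        "action": "delete", "target_name": None, "target_type": None, "serial": "mySerial",
        "cloud_app_instance": "My Cloud App", "timestamp": "2017-02-17T00:18:58.961Z",
    }).encode()),
    (503, b"upstream unavailable"),
    (200, json.dumps({
        "log_type": "incident", "item_type": "File", "item_name": "My File",
        "asset_id": "ce7c9ed11e6f4891ae73c1601af7f741", "exposure": "public",
        "occurrences_by_rule": 5, "serial": "mySerial", "cloud_app_instance": "My Cloud App",
        "timestamp": "2017-02-17T00:18:58.347Z", "policy_rule_name": "PCI Policy",
        "incident_id": "9610efdcd8a74a259bf031843eac0309",
    }).encode()),
]


def demo() -> list[str]:
    """Run poll() over the scripted responses; returns the log_types received."""
    return [e["log_type"] for e in poll(replay(SAMPLE_RESPONSES), len(SAMPLE_RESPONSES))]
```

Against a live tenant you would call poll(lambda: http_fetch(token), max_calls, retry_delay=5.0) with a real token; demo() drives the same loop over the scripted responses and yields the two events while stepping past the 204 and the 503. Two choices matter here: the client's own socket timeout is set above the server's 20 second window so the 204 is received rather than raised as a local timeout, and a malformed event raises instead of being dropped, because silently skipping records in a security event feed is how gaps in coverage go unnoticed.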
