Log Events API

Learn about each example response and the available response fields for log events retrieved by an API client for Data Security.
A registered API client on Data Security can long poll the log events endpoint to retrieve events as they occur.
You can retrieve the following log events:
All requests must use the region-specific host. The examples below use the AMER region host, api.aperture.paloaltonetworks.com.

Get Log Events

A GET request to the /api/v1/log_events endpoint, authenticated with a bearer token that carries the api_access scope, reads the client's event stream. Each call returns at most one event: a single JSON event object, or nothing when the request times out (see Request Timeout).
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com

Request Timeout

If no event arrives within 20 seconds, the request times out and the server returns an HTTP response with status code 204 No Content. After receiving that response, the client initiates a new request to keep polling.
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ
Accept: application/json
Host: api.aperture.paloaltonetworks.com
Example Response
HTTP/1.1 204 No Content
Content-Type: application/json; charset=utf-8
x-response-time: 1019ms
There is no response body in the response to a request that timed out.
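The long-poll loop that the Get Log Events and Request Timeout sections describe (one event per call, 204 No Content after the server's 20 second timeout), as an added example that is not Palo Alto Networks code. The URL, scope, headers and status codes are taken from the page; the REQUIRED_FIELDS table is assembled from the response field tables further down this page, and the transport is injectable so the module can be exercised offline with constructed responses.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

LOG_EVENTS_URL = "https://api.aperture.paloaltonetworks.com/api/v1/log_events"  # AMER host
# Fields the page documents per log_type; a missing one is flagged before the event is forwarded.
REQUIRED_FIELDS = {
    "activity_monitoring": ("item_type", "item_name", "user", "action", "serial", "timestamp"),
    "incident": ("severity", "item_name", "incident_id", "policy_rule_name", "timestamp"),
    "remediation": ("action_taken", "action_taken_by", "incident_id", "timestamp"),
    "policy_violation": ("severity", "action_taken", "incident_id", "timestamp"),
    "admin_audit": ("admin_id", "admin_role", "ip", "event_type", "action", "timestamp"),
}
Fetch = Callable[[], Tuple[int, bytes]]  # one long-poll call -> (status, body)

def parse_response(status: int, body: bytes) -> Optional[dict]:
    """204: the 20 s long poll expired with no event, so return None and poll again.
    200: exactly one JSON event object. Anything else is surfaced, not swallowed."""
    if status == 204:
        return None
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    event = json.loads(body.decode("utf-8"))
    if not isinstance(event, dict) or "log_type" not in event:
        raise ValueError("body is not a log event object")
    return event

def missing_fields(event: dict) -> List[str]:
    """Documented fields absent from the event (unknown log_type: nothing is checked)."""
    return [f for f in REQUIRED_FIELDS.get(event["log_type"], ()) if f not in event]

def poll(fetch: Fetch, max_calls: int) -> Iterator[dict]:
    """Issue up to max_calls back-to-back long-poll requests, yielding each event received."""
    for _ in range(max_calls):
        event = parse_response(*fetch())
        if event is not None:
            yield event

def http_fetch(token: str) -> Fetch:
    """Real transport: the GET, bearer token and Accept header shown on the page."""
    def do() -> Tuple[int, bytes]:
        req = urllib.request.Request(LOG_EVENTS_URL, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:  # outlives the server's 20 s
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx: hand the status to parse_response
            return err.code, err.read()
    return do
```

Run it against the live endpoint with `for ev in poll(http_fetch(token), 100): ...`; a 204 between events is the normal idle case, not an error, and only non-2xx statuses stop the loop.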

Activity Monitoring

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:59 GMT
Content-Length: 361

{
  "log_type" : "activity_monitoring",
  "item_type" : "File",
  "item_name" : "My File",
  "user" : "John Smith",
  "source_ip" : "10.10.10.10",
  "location" : "Somewhere, USA",
  "action" : "delete",
  "target_name" : null,
  "target_type" : null,
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:58.961Z"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
item_unique_id | String | Unique ID number for an asset's related asset.
user | String | Cloud app user that performed the action.
source_ip | String | Original session source IP address.
location | String | Location of the cloud app user that performed the event.
action | String | Action performed.
target_name | Null | Target name.
target_type | Null | Target type.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO 8601 timestamp showing when the event occurred.

Incidents

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:58 GMT
Content-Length: 520

{
  "log_type": "incident",
  "severity": 1.0,
  "item_type": "File",
  "item_name": "helloworld.java",
  "asset_id": "5e9e38823cedb43cb015b460",
  "item_owner": "Admin User",
  "container_name": null,
  "item_creator": "Admin User",
  "exposure": "COMPANY",
  "occurrences_by_rule": null,
  "item_owner_email": "owner@emaildomain.com",
  "item_creator_email": "owner@emaildomain.com",
  "serial": null,
  "cloud_app_instance": "Office 365 8",
  "timestamp": "2020-05-08T23:50:55Z",
  "incident_id": "5eb5ed492021c32b37588a6c",
  "policy_rule_name": "java",
  "incident_category": null,
  "incident_owner": null,
  "collaborators": "",
  "datetime_edited": "2020-05-08T23:50:55Z",
  "item_cloud_url": "https://www.sharepoint.com/sites/site/Shared%20Documents/foldername/helloworld.java",
  "item_owner_group": "O365_1_all",
  "item_sha256": "4953946b0bbcd10d872d09561bf0f0988e186b625e4af65c64691adf5af279d4",
  "item_size": 1335,
  "item_verdict": "not available"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
severity | Number | Incident severity. Values are 0 to 5.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, email subject, or user associated with the event.
item_unique_id | String | Unique ID number for an asset's related asset.
asset_id | String | Unique ID number for the asset identified as a risk.
item_owner | String | User who owns the asset identified as a risk.
container_name | String | Bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps.
item_creator | String | User who created the asset identified as a risk.
exposure | String | Exposure level (Public, External, Company, or Internal).
occurrences_by_rule | Number | Number of times the asset violated the policy.
item_owner_email | String | Email address of the item owner.
item_creator_email | String | Email address of the item creator.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO 8601 timestamp showing when the event occurred.
incident_id | String | Unique ID number for the incident.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
incident_category | String | Category of the incident. For example, Personal or Business Justified.
incident_owner | String | Administrator assigned to the incident.
collaborators | String | List of collaborators for a file, or recipients of an email.
datetime_edited | String | Last time the file was edited.
item_cloud_url | String | File URL associated with the incident, used to download or view the asset.
item_owner_group | String | AD groups to which the asset owner belongs.
item_sha256 | String | SHA-256 hash of the file, as reported by WildFire.
item_size | String | Size of the file as reported by WildFire.
item_verdict | String | Verdict as reported by WildFire: either malware, benign, or not available.

Remediation

Example Response
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: public_api:test:0
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 17 Feb 2017 00:18:56 GMT
Content-Length: 468

{
  "log_type" : "remediation",
  "item_type" : "File",
  "item_name" : "My File",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "container_name": "test-container",
  "action_taken" : "quarantine",
  "action_taken_by" : "John Smith",
  "serial" : "mySerial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-02-17T00:18:55.581Z",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "policy_rule_name" : "PCI Policy",
  "item_owner_email": "owner@email-domain.com",
  "item_creator_email": "owner@email-domain.com"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO 8601 timestamp showing when the remediation occurred.
incident_id | String | Unique ID number for the remediated incident (risk).
asset_id | String | Unique ID number for the remediated asset.
item_owner | String | User who owns the remediated asset.
container_name | String | Bucket name for AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value is null for the remaining apps.
item_creator | String | User who created the remediated asset.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
action_taken | String | Action taken to remediate (Admin Quarantine, UserQuarantine, or Remove Public Links).
action_taken_by | String | Cloud app user who took the remediation action. For automated remediation, the value is Aperture.
item_owner_email | String | Email address of the item owner.
item_creator_email | String | Email address of the item creator.

Policy Violation

Example Response
HTTP/1.1 200 OK

{
  "log_type" : "policy_violation",
  "severity" : 3.0,
  "item_type" : "File",
  "item_name" : "My File",
  "item_owner" : "John Smith",
  "item_creator" : "John Smith",
  "action_taken" : "download",
  "action_taken_by" : "John Smith",
  "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741",
  "serial" : "serial",
  "cloud_app_instance" : "My Cloud App",
  "timestamp" : "2017-01-06T19:04:06Z",
  "policy_rule_name" : "Policy Rule",
  "incident_id" : "9610efdcd8a74a259bf031843eac0309",
  "item_owner_email": "owner@email-domain.com",
  "item_creator_email": "owner@email-domain.com"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
item_type | String | Item type (File, Folder, or User).
item_name | String | Name of the file, folder, or user associated with the event.
serial | String | Serial number of the organization using the service (tenant).
cloud_app_instance | String | Cloud app name (not cloud app type).
timestamp | String | ISO 8601 timestamp showing when the policy violation occurred.
incident_id | String | Unique ID number for the policy violation incident (risk).
asset_id | String | Unique ID number for the asset which violated the policy.
item_owner | String | User who owns the asset which violated the policy.
item_creator | String | User who created the asset which violated the policy.
policy_rule_name | String | Names of one or more policy rules (not policy types) that were matched.
action_taken | String | Action taken to fix the policy violation. For example, Alerted Admin, Removed PublicLinks, Quarantine, or EmailOwner.
action_taken_by | String | Cloud app user who took the action. For automated remediation, the value is Aperture.
severity | Number | Incident severity. Values are 0 to 5.
item_owner_email | String | Email address of the item owner. This value is null for now.
item_creator_email | String | Email address of the item creator. This value is null for now.

Admin Audit

Example Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 380
x-response-time: 297ms

{
  "log_type" : "admin_audit",
  "admin_id" : "admin id",
  "admin_role" : "admin role",
  "ip" : "ip address",
  "event_type" : "event type",
  "item_type" : "File",
  "item_name" : "My File",
  "field" : "field",
  "action" : "action",
  "resource_value_old" : "old val",
  "resource_value_new" : "new val",
  "timestamp" : "2017-04-06T21:35:10.025Z",
  "serial" : "mySerial"
}
Response Fields
Path | Type | Description
log_type | String | Event type.
timestamp | String | ISO 8601 timestamp showing when the event occurred.
serial | String | Serial number of the organization using the service (tenant).
admin_id | String | Email account associated with the administrative user.
admin_role | String | Role assigned to the administrative user: super_admin, admin, limited_admin, read_only.
ip | String | IP address of the administrative user who performed the action.
event_type | String | Type of configuration change event: settings, policy, remediation, login.
item_type | String | Type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, general_settings.
item_name | String | Name of the item that changed in the configuration.
field | String | Name of the field associated with the configuration change.
action | String | Configuration change activity that occurred: create, edit, delete, login, logout.
resource_value_old | String | Value before the configuration change occurred.
resource_value_new | String | Value after the configuration change occurred.
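Detection rules over admin_audit events, as an added example that is not part of this page or the vendor's code. Field names and enumerated values come from the table above; the rules, the KNOWN_ADMIN_IPS allowlist and the sample events are constructed for illustration, and the assumption that a role change shows its old and new role in resource_value_old and resource_value_new is site-specific.

```python
from typing import Dict, List

# item_type values from the page whose deletion should always be reviewed.
SENSITIVE_ITEM_TYPES = {"content_policy", "settings", "general_settings"}
# admin_role values from the page that carry configuration-changing privilege.
PRIVILEGED_ROLES = {"super_admin", "admin"}
# Constructed allowlist of administrative egress addresses (site-specific assumption).
KNOWN_ADMIN_IPS = {"203.0.113.10", "203.0.113.11"}

def classify_admin_event(ev: Dict) -> List[str]:
    """Return the names of every rule an admin_audit event matches; empty means benign."""
    hits: List[str] = []
    if ev.get("log_type") != "admin_audit":
        return hits
    if ev.get("action") == "delete" and ev.get("item_type") in SENSITIVE_ITEM_TYPES:
        hits.append("sensitive_config_deleted")
    # A user edit whose new value is a privileged role and whose old value was not. The page
    # does not name the role field, so the old/new values are compared directly (assumption).
    if ev.get("item_type") == "user" and ev.get("action") in {"create", "edit"} \
            and ev.get("resource_value_new") in PRIVILEGED_ROLES \
            and ev.get("resource_value_old") not in PRIVILEGED_ROLES:
        hits.append("admin_privilege_granted")
    if ev.get("event_type") == "login" and ev.get("ip") not in KNOWN_ADMIN_IPS:
        hits.append("admin_login_from_unknown_ip")
    return hits

def scan(events: List[Dict]) -> Dict[str, List[str]]:
    """Group matched rules by admin_id so one noisy administrator surfaces once per rule."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for rule in classify_admin_event(ev):
            findings.setdefault(rule, [])
            if ev.get("admin_id") not in findings[rule]:
                findings[rule].append(ev.get("admin_id"))
    return findings

# Constructed sample events shaped like the page's admin_audit example.
SAMPLE_EVENTS = [
    {"log_type": "admin_audit", "admin_id": "alice@example.com", "admin_role": "super_admin",
     "ip": "203.0.113.10", "event_type": "policy", "item_type": "content_policy", "item_name": "PCI Policy",
     "action": "delete", "resource_value_old": "enabled", "resource_value_new": None, "timestamp": "2017-04-06T21:35:10.025Z"},
    {"log_type": "admin_audit", "admin_id": "bob@example.com", "admin_role": "admin",
     "ip": "198.51.100.7", "event_type": "login", "item_type": "user", "item_name": "bob@example.com",
     "action": "login", "resource_value_old": None, "resource_value_new": None, "timestamp": "2017-04-06T21:36:00.000Z"},
    {"log_type": "admin_audit", "admin_id": "alice@example.com", "admin_role": "super_admin",
     "ip": "203.0.113.10", "event_type": "settings", "item_type": "user", "item_name": "carol@example.com",
     "action": "edit", "resource_value_old": "read_only", "resource_value_new": "admin", "timestamp": "2017-04-06T21:37:00.000Z"},
]
```

Feed `scan` the events yielded by the long-poll client, or a batch replayed from storage; each rule name maps to the administrators who triggered it.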