View audit log
GET {{baseUrl}}/audit-log/v1/events?f=deserunt&limit=67454373
This endpoint requests a list of events. Events can include the following:
- audit.log.view—The system received and processed an audit-log request.
- session.create—The system created a session for the user. This event can be triggered by user login or authentication using an API key.
- session.delete—The session expired, or the user ended the session.
- session.impersonation.end—An administrator ended a session where they impersonated another user.
- session.impersonation.start—An administrator started a session where they impersonated another user.
- user.authenticate.api-keys—The user authenticated a session start using an API key.
- user.authenticate.mfa—The two-factor authentication challenge was successful, and login allowed.
- user.authenticate.password—The user authenticated a session start using a password.
- user.create—An administrator created a new user account.
- user.delete—An administrator deleted the user account.
- user.impersonation.end—An administrator stopped impersonating another user.
- user.impersonation.start—An administrator started impersonating another user.
- user.logout—The user logged out of the session.
- user.update—Either an administrator or the user updated the user account.
You can specify various filters to limit the events that are returned, as well as the number of events. By default, a maximum of 50 events is returned.
Note: If you configure SSO authentication, Tenable.io does not log user actions to the audit log. This information may be available from the identity services provider you use. For more information, see SSO Authentication.
Requires ADMINISTRATOR [64] user permissions. See Permissions.
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
f | string | | A filter condition in the field.operator:value format. You can specify multiple f parameters, separated by ampersand (&) characters. |
limit | number | | Sets the maximum number of events that Tenable.io returns for the call. By default, this value is 50. For example: limit=5000 |

Filter conditions for f can include:
- date.gt:<YYYY-MM-DD>—Tenable.io returns events only if the date when the events occurred is after the date you specify. For example: f=date.gt:2017-12-31
- date.lt:<YYYY-MM-DD>—Tenable.io returns events only if the date when the events occurred is before the date you specify. For example: f=date.lt:2017-12-31
- actor_id.match:<UUID>—Tenable.io returns only the events with a matching actor UUID. For example: f=actor_id.match:6000a811-8422-4096-83d3-e4d44f44b97d
- target_id.match:<UUID>—Tenable.io returns only the events with a matching target UUID. For example: f=target_id.match:6000a811-8422-4096-83d3-e4d44f44b97d

Example with multiple f parameters: ?f=date.gt:2018-12-31&f=date.lt:2019-12-31&f=actor_id.match:50f84b7f-d1d3-4182-bb46-79cf5c51812e&limit=5000
RESPONSES
status: OK
{"events":[
{"id":"a4e9177aa45c48c9d46a2f24c5f97b24","action":"user.authenticate.password","crud":"u","is_failure":true,"received":"2018-12-31T23:09:40Z","description":null,"actor":{"id":"50f84b7f-d1d3-4182-bb46-79cf5c51806e","name":"user2@example.com"},"is_anonymous":null,"target":{"id":"50f84b7f-d1d3-4182-bb46-79cf5c51806e","name":"user2@example.com","type":"User"},"fields":[{"key":"message","value":"Invalid credentials."},{"key":"sessionToken","value":"-"},{"key":"X-Forwarded-For","value":"172.204.81.57, 172.204.81.57"},{"key":"X-Request-Uuid","value":"71a6630e83148694260ad838ddff5dce:dd19f39e7ec84ba80dec:8d7f958f8c3b770767af"}]},
{"id":"9ed34e87d3474ff985759d14ss703e4c","action":"session.create","crud":"c","is_failure":false,"received":"2018-12-31T23:33:01Z","description":null,"actor":{"id":null,"name":null},"is_anonymous":true,"target":{"id":"50f84b7f-d1d3-4182-bb46-79cf5c51816e","name":"user2@example.com","type":"User"},"fields":[{"key":"X-Access-Type","value":"Created by username"}]},
{"id":"dca7681afaf24048baff7b4e90b668d7","action":"session.delete","crud":"d","is_failure":false,"received":"2018-12-31T23:40:57Z","description":null,"actor":{"id":"50f84b7f-d1d3-4182-bb46-79cf5c51816e","name":"user2@example.com"},"is_anonymous":null,"target":{"id":"bcce340","name":null,"type":"Session"},"fields":[{"key":"message","value":"session timeout"}]},
{"id":"a2498a85cb5740a28e532814c0ba8369","action":"user.impersonation.start","crud":"u","is_failure":false,"received":"2018-12-31T09:23:12Z","description":null,"actor":{"id":"92907192-57db-407e-98ff-053de7f12bab","name":"monitoring@example.com"},"is_anonymous":null,"target":{"id":"50f84b7f-d1d3-4182-bb46-79cd5c51806e","name":"user2@example.com","type":"User"},"fields":[{"key":"sessionToken","value":"-"},{"key":"X-Access-Type","value":"apikey"},{"key":"X-Forwarded-For","value":"172.204.81.57"},{"key":"X-Request-Uuid","value":"63e024e7fe25ed24ce1c7142781527ac:43cf99b77f783a962a1a"}]},
{"id":"eaac53481de04f67bc7eeea07d2fb0f5","action":"session.delete","crud":"d","is_failure":false,"received":"2018-12-31T01:40:07Z","description":null,"actor":{"id":"50f84b7f-d1d3-4182-bb46-79cf9c51806e","name":"user2@example.com"},"is_anonymous":null,"target":{"id":"12d024e","name":null,"type":"Session"},"fields":[{"key":"message","value":"session timeout"}]}
],"pagination":{"total":5,"limit":50}}
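
An added example, not part of the original documentation: it builds the repeated f query string described under Request Params and triages a response for failed password logins and impersonation starts. The sample events are constructed from the response above; build_query, field and triage are hypothetical helper names, and the truncation check is an assumption about how to treat a page as long as the limit.

```python
from collections import Counter
from urllib.parse import urlencode

# Constructed sample: two events trimmed from the response shown above.
SAMPLE = {"events": [
    {"action": "user.authenticate.password", "is_failure": True,
     "received": "2018-12-31T23:09:40Z",
     "actor": {"name": "user2@example.com"},
     "target": {"name": "user2@example.com", "type": "User"},
     "fields": [{"key": "message", "value": "Invalid credentials."},
                {"key": "X-Forwarded-For", "value": "172.204.81.57, 172.204.81.57"}]},
    {"action": "user.impersonation.start", "is_failure": False,
     "received": "2018-12-31T09:23:12Z",
     "actor": {"name": "monitoring@example.com"},
     "target": {"name": "user2@example.com", "type": "User"},
     "fields": [{"key": "X-Access-Type", "value": "apikey"},
                {"key": "X-Forwarded-For", "value": "172.204.81.57"}]},
], "pagination": {"total": 2, "limit": 50}}

def build_query(filters, limit=50):
    """filters: (field.operator, value) pairs; each becomes its own f parameter."""
    params = [("f", f"{op}:{value}") for op, value in filters]
    params.append(("limit", limit))
    return urlencode(params, safe=":")  # keep ':' literal, as in the page's examples

def field(event, key):
    """Look up one entry in the event's key/value 'fields' list."""
    return next((f["value"] for f in event.get("fields") or [] if f["key"] == key), None)

def triage(response):
    """Count failed password logins per target and list impersonation starts."""
    events = response.get("events", [])
    failed, impersonations = Counter(), []
    for ev in events:
        actor = (ev.get("actor") or {}).get("name")
        target = (ev.get("target") or {}).get("name")
        if ev["action"] == "user.authenticate.password" and ev.get("is_failure"):
            failed[target] += 1
        elif ev["action"] == "user.impersonation.start":
            impersonations.append((ev["received"], actor, target,
                                   field(ev, "X-Forwarded-For"), field(ev, "X-Access-Type")))
    limit = response.get("pagination", {}).get("limit", 50)
    # Assumption: a page as long as the limit may be cut off; narrow the date filters and re-query.
    return {"failed_logins": dict(failed), "impersonations": impersonations,
            "maybe_truncated": len(events) >= limit}

if __name__ == "__main__":
    print(build_query([("date.gt", "2018-12-31"), ("date.lt", "2019-12-31")], limit=5000))
    print(triage(SAMPLE))
```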