Audit logs

Overview

Get a list of all audit logs. Retrieves paginated audit logs based on the provided filter criteria.

Configuration

Parameters

Name - Domain

Value - PrismaCloudEndpoint

Secrets

The YAML below references two secrets, PrismaCloudAccessKeyId and PrismaCloudAccessKeySecret, which are sent as the username and password of the login request.

After entering the required parameters and secrets, you can choose to manually enter the Cortex incident Management fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your Cortex XDR API YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: "token"
  token:
    request:
      method: POST
      url: "${parameters.PrismaCloudEndpoint}/login"
      headers:
        - name: Content-Type
          value: application/json
      bodyType: raw
      bodyRaw: |
        {
          "username": "${secrets.PrismaCloudAccessKeyId}",
          "password": "${secrets.PrismaCloudAccessKeySecret}"
        }
      responseType: json
    tokenPath: ".token"
    authInjection:
      name: "Authorization"
      in: "header"
      prefix: "Bearer "
withEnumerationPhase: false
collectionPhase:
  paginationType: "cursor"
  cursor: ".nextPageToken"
  initialRequest:
    method: POST
    url: "${parameters.PrismaCloudEndpoint}/audit/api/v1/log"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "timeRange": {
          "type": "absolute",
          "value": {
            "startTime": ${temporalWindow.from},
            "endTime": ${temporalWindow.to}
          }
        }
      }
  nextRequest:
    method: POST
    url: "${parameters.PrismaCloudEndpoint}/audit/api/v1/log"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "timeRange": {
          "type": "absolute",
          "value": {
            "startTime": ${temporalWindow.from},
            "endTime": ${temporalWindow.to}
          }
        },
        "nextPageToken": ${pagination.cursor}
      }
  output:
    select: ".value"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract audit logs.
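As an added illustration (not part of this page or the listener's own code), the following Python script performs the same sequence the YAML above configures: token login, Bearer header injection, an absolute time range derived from the 5m duration/offset window, and cursor pagination on nextPageToken with a page cap. The fake_send transport and its pages are constructed for the example; epoch seconds are an assumption, and the URL paths and field names are taken from the YAML.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fake Prisma Cloud endpoint (not a real server): /login answers with a
# token, /audit/api/v1/log returns one page per call and a nextPageToken until the last.
FAKE_PAGES = [
    {"value": [{"id": 1}, {"id": 2}], "nextPageToken": "p2"},
    {"value": [{"id": 3}], "nextPageToken": "p3"},
    {"value": [{"id": 4}]},
]

def fake_send(method: str, url: str, headers: Dict[str, str], body: dict) -> dict:
    assert method == "POST" and headers["Content-Type"] == "application/json"
    if url.endswith("/login"):
        return {"token": "t0k3n"} if body["username"] and body["password"] else {}
    assert headers["Authorization"] == "Bearer t0k3n"  # authInjection: header, prefix "Bearer "
    cursor = body.get("nextPageToken")
    return FAKE_PAGES[0 if cursor is None else int(cursor[1:]) - 1]

def temporal_window(now_s: int, duration_s: int = 300, offset_s: int = 300) -> Tuple[int, int]:
    """duration: 5m, offset: 5m, format: Epoch (epoch seconds assumed here)."""
    end = now_s - offset_s
    return end - duration_s, end

def pull_audit_logs(endpoint: str, key_id: str, key_secret: str, send: Callable,
                    now_s: int, max_pages: int = 1000) -> List[dict]:
    # withAuthentication / type token: POST /login, take ".token" from the JSON reply
    login = send("POST", f"{endpoint}/login", {"Content-Type": "application/json"},
                 {"username": key_id, "password": key_secret})
    token = login.get("token")
    if not token:
        raise RuntimeError("login did not return a token")
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "Authorization": "Bearer " + token}
    start, end = temporal_window(now_s)
    body = {"timeRange": {"type": "absolute", "value": {"startTime": start, "endTime": end}}}
    events: List[dict] = []
    cursor: Optional[str] = None
    for _ in range(max_pages):  # cap so a server that always returns a cursor cannot loop forever
        if cursor is not None:
            body["nextPageToken"] = cursor      # nextRequest carries ${pagination.cursor}
        page = send("POST", f"{endpoint}/audit/api/v1/log", headers, body)
        events.extend(page.get("value", []))   # output.select ".value", outputMode element
        cursor = page.get("nextPageToken")     # cursor ".nextPageToken"
        if cursor is None:
            break
    return events
```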

Click Create labels to move on to the next step and define the required Labels if needed.
