Audits

Overview

Fetches audits for user, domain, or organization. start_date defaults to 14 days ago and max is 13 months.

Configuration

Parameters

parameters.domain will store the value of the API URL, excluding the endpoint paths like /v1/cp/oauth/token or /v1/cp/alert_events

Secrets

secrets.client_id will reference to Agari's Client ID
secrets.client_secret will reference to Agari's Client Secret.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

Configure as YAML

Toggle this ON to enable a free text field where you can paste your YAML.

Here we provide three different YAMLs that list audits by Domain, Organization and User.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/v1/cp/oauth/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
      bodyType: urlEncoded
      bodyParams:
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 200
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/domains
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
  output:
    select: "[.domains[].id]"
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: domainId
      expression: "."
      format: ""
  paginationType: none
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/audits
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: start_date
        value: ${temporalWindow.from}
      - name: end_date
        value: ${temporalWindow.to}
      - name: object_type
        value: domain
      - name: object_id
        value: ${inputs.domainId}
  output:
    select: ".audits.entries"
    map: "."
    outputMode: elementwithTemporalWindow: true

temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/v1/cp/oauth/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
      bodyType: urlEncoded
      bodyParams:
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 200
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/organizations
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
  output:
    select: "[.organizations[].id]"
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: orgId
      expression: "."
      format: ""
  paginationType: none
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/audits
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: start_date
        value: ${temporalWindow.from}
      - name: end_date
        value: ${temporalWindow.to}
      - name: object_type
        value: organization
      - name: object_id
        value: ${inputs.orgId}
  output:
    select: ".audits.entries"
    map: "."
    outputMode: element

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/v1/cp/oauth/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
      bodyType: urlEncoded
      bodyParams:
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 200
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/users
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
  output:
    select: "[.users[].id]"
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: userId
      expression: "."
      format: ""
  paginationType: none
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/audits
    headers:
      - name: Accept
        value: application/json
    queryParams:
      - name: start_date
        value: ${temporalWindow.from}
      - name: end_date
        value: ${temporalWindow.to}
      - name: object_type
        value: user
      - name: object_id
        value: ${inputs.userId}
  output:
    select: ".audits.entries"
    map: "."
    outputMode: element

Manually configure

If you would rather configure each field, follow the steps below.

Here you have the examples based on the List audits by Domain YAML. Simply replace the word domain with organization or user.

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - initial offset should be 5m
Format - RFC3339

Authentication Phase

Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.

Type* - token
Request Method* - POST (we would need to generate the JWT using the secrets client_id and client_secret)
URL* - ${parameters.domain}/v1/cp/oauth/token
Headers
- Name - Content-type
- Value - application/x-www-form-urlencoded
- Name - Accept
- Value - application/json
BodyType* - UrlEncoded
- Body params
  - Name - client_id
  - Value -'${secrets.client_ID}'
  - Name - client_secret
  - Value - '${secrets.client_Secret
Token Path* - .access_token
Auth Injection
- In* - header
- Name* - authorization
- Prefix - Bearer
- Suffix - ''

Enumeration Phase

Toggle ON

Pagination Type* - offset/Limit
Limit* - 200
Request
- Response Type - JSON
- Method* - GET
- URL* - ${parameters.domain}/v1/cp/domains
- Headers -
  - Name - accept
  - Value - application/json
- Query Params -
  - Name - offset
  - Value - ${pagination.offset}
  - Name - limit
  - Value - ${pagination.limit}
Output
- Select - [.domains[].id]
- Map - .
- Output Mode - element

Collection Phase

Variables
- Source - input
- Name - domainId
- Expression: "."
- Format ""
Pagination Type* - none
Request
- Response Type - JSON
- Method* - GET
- URL* - ${parameters.domain}/v1/cp/audits
- Headers -
  - Name - accept
  - Value - application/json
- Query Params -
  - Name - start_date
  - Value - ${temporalWindow.from}
  - Name - end_date
  - Value - ${temporalWindow.to}
  - Name - object_type
  - Value - domain
  - Name - object_id
  - Value - ${inputs.domainId}
Output
- Select - .audits.entries
- Map - .
- Output Mode - element

This HTTP Pull Listener now uses the data export API to extract alert events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousAlert Events NextDomains

Last updated 4 days ago

Was this helpful?