search
WebsiteBlogLogin

Audits

hashtag
Overview

Fetches audits for user, domain, or organization. start_date defaults to 14 days ago and max is 13 months.

hashtag
Configuration

hashtag
Parameters

  • parameters.domain will store the value of the API URL, excluding the endpoint paths like /v1/cp/oauth/token or /v1/cp/alert_events

hashtag
Secrets

  • secrets.client_id will reference to Agari's Client ID

  • secrets.client_secret will reference to Agari's Client Secret.

Open the Secret fields and click New secret to create a new one:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the secret corresponding to the value.

  • Click Save.

circle-info

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

hashtag
Configure as YAML

Toggle this ON to enable a free text field where you can paste your YAML.

Here we provide three different YAMLs that list audits by Domain, Organization and User.

hashtag
Manually configure

If you would rather configure each field, follow the steps below.

circle-info

Here you have the examples based on the List audits by Domain YAML. Simply replace the word domain with organization or user.

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

  • Duration - 5 minutes (5m) as default, adjust based on your needs.

  • Offset - initial offset should be 5m

  • Format - RFC3339

Authentication Phase

Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.

  • Type* - token

  • Request Method* - POST (we would need to generate the JWT using the secrets client_id and client_secret)

  • URL* - ${parameters.domain}/v1/cp/oauth/token

  • Headers

    • Name - Content-type

    • Value - application/x-www-form-urlencoded

    • Name - Accept

    • Value - application/json

  • BodyType* - UrlEncoded

    • Body params

      • Name - client_id

      • Value -'${secrets.client_id}'

      • Name - client_secret

      • Value - '${secrets.client_secret

  • Token Path* - .access_token

  • Auth Injection

    • In* - header

    • Name* - authorization

    • Prefix - Bearer

    • Suffix - ''

Enumeration Phase

Toggle ON

  • Pagination Type* - offset/Limit

  • Limit* - 200

  • Request

    • Response Type - JSON

    • Method* - GET

    • URL* - ${parameters.domain}/v1/cp/domains

    • Headers -

      • Name - accept

      • Value - application/json

    • Query Params -

      • Name - offset

      • Value - ${pagination.offset}

      • Name - limit

      • Value - ${pagination.limit}

  • Output

    • Select - [.domains[].id]

    • Map - .

    • Output Mode - element

Collection Phase

  • Variables

    • Source - input

    • Name - domainId

    • Expression: "."

    • Format ""

  • Pagination Type* - none

  • Request

    • Response Type - JSON

    • Method* - GET

    • URL* - ${parameters.domain}/v1/cp/audits

    • Headers -

      • Name - accept

      • Value - application/json

    • Query Params -

      • Name - start_date

      • Value - ${temporalWindow.from}

      • Name - end_date

      • Value - ${temporalWindow.to}

      • Name - object_type

      • Value - domain

      • Name - object_id

      • Value - ${inputs.domainId}

  • Output

    • Select - .audits.entries

    • Map - .

    • Output Mode - element

This HTTP Pull Listener now uses the data export API to extract alert events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousAlert EventsNextDomains

Last updated

Was this helpful?