Audit

Overview

Returns the audit events matching the request.

Pre-requisites

In order to successfully use this endpoint, the role assigned to the app must have at least the following level of application permissions granted: Account | Logs | Read.

The page size should be provided in the meta pagination, otherwise the default is 10.

Configuration

Parameters

Domain (domain)

Secrets

Client Id (client_id)
Client Secret (client_secret)

Open the Secret fields and click New secret to create a new one:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your YAML.

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://${parameters.domain}/oauth/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
      bodyType: urlEncoded
      bodyParams:
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
        - name: grant_type
          value: 'client_credentials'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: false
collectionPhase:
  paginationType: cursor
  cursorSelector: ".meta.pagination.next"
  initialRequest:
    method: POST
    url: "https://${parameters.domain}/api/audit/get-audit-events"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    bodyRaw: |
      {
        "data": [
          {
            "startDateTime":"${temporalWindow.from}",
            "endDateTime":"${temporalWindow.to}"
          }
        ],
        "meta": {
          "pagination": {
            "pageSize": 500,
          }
        }
      }
  nextRequest:
    method: POST
    url: "https://${parameters.domain}/api/audit/get-audit-events"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    bodyRaw: |
      {
        "data": [
          {
            "startDateTime":"${temporalWindow.from}",
            "endDateTime":"${temporalWindow.to}"
          }
        ],
        "meta": {
          "pagination": {
            "pageToken": "${pagination.cursor}",
            "pageSize": 500,
          }
        }
      }
  output:
    select: ".data"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract audit events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousCollect data from Mimecast NextSecurity

Last updated 16 days ago

Was this helpful?

withTemporalWindow: true temporalWindow: duration: 1m offset: 1m tz: UTC format: RFC3339 withAuthentication: true authentication: type: token token: request: method: POST url: https://${parameters.domain}/oauth/token headers: - name: Content-Type value: application/x-www-form-urlencoded - name: Accept value: application/json bodyType: urlEncoded bodyParams: - name: client_id value: '${secrets.client_id}' - name: client_secret value: '${secrets.client_secret}' - name: grant_type value: 'client_credentials' tokenPath: ".access_token" authInjection: in: header name: Authorization prefix: 'Bearer ' suffix: '' withEnumerationPhase: false collectionPhase: paginationType: cursor cursorSelector: ".meta.pagination.next" initialRequest: method: POST url: "https://${parameters.domain}/api/audit/get-audit-events" headers: - name: Accept value: application/json - name: Content-Type value: application/json bodyRaw: | { "data": [ { "startDateTime":"${temporalWindow.from}", "endDateTime":"${temporalWindow.to}" } ], "meta": { "pagination": { "pageSize": 500, } } } nextRequest: method: POST url: "https://${parameters.domain}/api/audit/get-audit-events" headers: - name: Accept value: application/json - name: Content-Type value: application/json bodyRaw: | { "data": [ { "startDateTime":"${temporalWindow.from}", "endDateTime":"${temporalWindow.to}" } ], "meta": { "pagination": { "pageToken": "${pagination.cursor}", "pageSize": 500, } } } output: select: ".data" map: "." outputMode: element

Good afternoon

hashtagOverview

hashtagPre-requisites

hashtagConfiguration

hashtagParameters

hashtagSecrets

Overview

Pre-requisites

Configuration

Parameters

Secrets