Skip to main content

List audit trails

Returns a list of audit trails.

Query Parameters
  • limit int64

    Limits the size of the response on each page to the specified number of items.

  • start string

    Sets the page number used to browse the collection. Pages are indexed starting from 1 (i.e., ?start=1).

  • filter string

    Narrows down the results to only the items that satisfy the filter criteria. The following table lists the supported filter fields for this resource and the filter conditions that can be applied on those fields:

    FieldFilter ConditionDescription
    start_timestamp$gte, $lt, $eqThe start timestamp denotes the time filter for audit events (when the server received the request) $gte and $lt accept RFC-3999 timestamps and $eq accepts a unix timestamp denoting the offset from the current time. $eq takes precedence over both $gte and $lt so if $eq is used, the backend will use the relative time filter instead of absolute time filters.For example, ?filter={"start_timestamp":{"$eq":86400}}
    category$inThe category of the resource affected by an audit event. Possible values include authentication, data_source, policy, protection, restore, tasks, backup, users, api_tokens, kms_config, sso, mfa, reports, alerts, cloud_connector, cloudformation_template, bandwidth_config, partner_ecosystem, and ecosystem_changes. For example, ?filter={"category":{"$in":["policy"]}}
    action$in The action performed by the audit event. Possible values include create, update, delete, enable, disable, browse, search, login, logout, register, unregister, refresh, apply, deploy, remove, invite, suspend, full_restore, and granular_restore. For example, ?filter={"action":{"$in":["login"]}}
    status$in Whether or not the action succeeded. Possible values include success, failure, and partial_success. For example, ?filter={"status":{"$in":["success"]}}
    user_email$in The email address of the user performing the action For example, ?filter={"user_email":{"$in":["xyz@example.com"]}}
    ip_address$eq The IP Address of the client making the request. For example, ?filter={"ip_address":{"$eq":"127.0.0.1"}}
    primary_entity.id$inThe system-generated IDs of the primary entities affected by the activity. For example, ?filter={"primary_entity.id":{"$in":["9c2934fc-ff4d-11e9-8e11-76706df7fe01"]}}
    primary_entity.type$eq The type(s) of primary entities to filter on. For example, ?filter={"primary_entity.type":{"$in":["aws_ebs_volume"]}}
    primary_entity.value$inThe value(s) or name(s) to filter on. For example, the primary entity value associated with primary entity type "aws_ebs_volume" is "vol-0a5f2e52d6decd664" representing the name of the EBS volume. The filter supports substring search for all elements in the array For example, ?filter={"primary_entity.value":{"$in":["vol-0a"]}}
    parent_entity.type$in The type(s) of the parent entities to filter on. For example, ?filter={"parent_entity.type":{"$in":["aws_environment"]}}
    parent_entity.value$in The value(s) or name(s) associated with the parent entities affected by the compliance event. For example, the parent entity value associated with primary entity type "aws_ebs_volume" is "891106093485/us-west-2" representing the name of the AWS Account Region. For example, ?filter={"parent_entity.value":{"$in":["891106093485/us-west-2"]}}
    parent_entity.id$in The system-generated IDs of the parent entities which are associated with the primary entity affected by the compliance event. For example, ?filter={"parent_entity.id":{"$in":["9c2934fc-ff4d-11e9-8e11-76706df7fe01"]}}
    organizational_unit_id$eq The system-generated ID of the organizational unit whose audit trails are desired. For example, ?filter={"organizational_unit_id":{"$eq":"9c2934fc-ff4d-11e9-8e11-76706df7fe01"}}
    For more information about filtering, refer to the Filtering section of this guide.
Responses

Success

Schema
  • _embedded object

    Embedded responses related to the resource.

  • items object[]

    A collection of requested items.

  • action string

    The action performed by the user.

    ActionDetails
    createCreating or adding new entities like new policy, configuration, user, etc
    updateUpdating an existing entity like policy, settings, passwords, etc
    deleteDelete an existing entity like policy, settings, users, etc
    enableEnabling a feature like single sign on or multi factor authentication settings
    disableDisabling features like single sign on or multi factor authentication settings
    browseBrowsing through entities in the system like mailboxes or backups, etc
    searchSearching through entities in the system like mailboxes or backups, etc
    loginUser logs in or tries to login
    logoutUser explicitly logged out.
    registerWhen new registrations happen like new datasource registration or user registering for MFA
    unregisterWhen unregistering like unregistering datasource or user unregistering MFA
    applyApply policy to protect entities, tags, etc
    removeRemove protection for entities, tags, etc
    inviteInviting a user
    suspendSuspend an existing user
    full_restoreFull restore of the VM, volume, mailbox, database or other entities
    granular_retrievalRestoring individual files, mails or records
    redirectedWhen cross region restore occurs.
    unapplyAssets removed from a rule.
    batch_activateActivate multiple policies.
    batch_deactivateDeactivate multiple policies.
    grant_email_accessGrant email access for a file level object. This is mutually exclusive with grant_download_access
    grant_download_accessGrant download access for a file level object. This is mutually exclusive with grant_email_access
    downloadFile was download.
    validate_tda_passcodeValidate passcode that is entered for a download.
    regenerate_tda_passcodeRegenerate a new passcode used for download.
  • category string

    The category of the auditable action performed by the user.

    CategoryDetails
    authenticationActivities related to Authentication
    data_sourceData source changes
    policyPolicy related actions
    protectionApplying and removing protection
    restoreRestore related operations
    tasksTasks
    backupBackup related operations
    usersUser related operations
    api_tokensAPI Token related operations like creating, revoking or deleting tokens
    kms_configKey Management Service(KMS) related operations
    ssoSingle sign-on (SSO) related operations
    mfaMulti Factor Authentication(MFA) related operations
    reportsReports related operations
    alertsAlerts related operations
    cloud_connectorCloud connector related operations
    cloudformation_templateCloud Formation Template related operations
    bandwidth_configBandwidth configuration related changes
    partner_ecosystemChanges to partner ecosystem
    ecosystem_changesChanges in the ecosystem like adding or removing VMs
    organizational_unitChanges in the Organizational Unit/Entity group such as creation, deletion, patch.
  • details string

    Additional details about the activity provided in JSON format.

  • id string

    The Clumio-assigned ID of the audit event.

  • interface string

    The interface used to make the request i.e. 'UI','API'

  • ip_address string

    The IP address from which the activity was requested.

  • parent_entity object

    The parent object of the primary entity associated with or affected by the audit.

  • id string

    A system-generated ID assigned to this entity.

  • type string

    Type is mostly an asset type or the type of Entity. Some examples are "restored_file", "aws_ebs_volume", etc.

  • value string

    A system-generated value assigned to the entity. For example, if the primary entity type is "aws_ebs_volume", then the value is the name of the EBS.

  • primary_entity object

    The primary object associated with the audit event. Examples of primary entities include "aws_connection", "aws_ebs_volume" and "aws_ec2_instance". In some cases like global settings, the primary entity may be null.

  • id string

    A system-generated ID assigned to this entity.

  • type string

    Type is mostly an asset type or the type of Entity. Some examples are "restored_file", "aws_ebs_volume", etc.

  • value string

    A system-generated value assigned to the entity. For example, if the primary entity type is "aws_ebs_volume", then the value is the name of the EBS.

  • status string

    The status of the performed action. 'success', 'failure', 'partial_success'

  • timestamp string

    The Timestamp of when the activity began. Represented in RFC-3339 format.

  • user_email string

    The email address of the logged in user making the request.

  • _links object

    URLs to pages related to the resource.

  • _first object

    The HATEOAS link to the first page of results.

  • href string

    The URI for the referenced operation.

  • templated boolean

    Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.

  • type string

    The HTTP method to be used with the "href" link for the referenced operation.

  • _last object

    The HATEOAS link to the last page of results.

  • href string

    The URI for the referenced operation.

  • templated boolean

    Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.

  • type string

    The HTTP method to be used with the "href" link for the referenced operation.

  • _next object

    The HATEOAS link to the next page of results.

  • href string

    The URI for the referenced operation.

  • templated boolean

    Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.

  • type string

    The HTTP method to be used with the "href" link for the referenced operation.

  • _prev object

    The HATEOAS link to the previous page of results.

  • href string

    The URI for the referenced operation.

  • templated boolean

    Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.

  • type string

    The HTTP method to be used with the "href" link for the referenced operation.

  • _self object

    The HATEOAS link to this resource.

  • href string

    The URI for the referenced operation.

  • templated boolean

    Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.

  • type string

    The HTTP method to be used with the "href" link for the referenced operation.

  • current_count int64

    The number of items listed on the current page.

  • filter_applied string

    The filter used in the request. The filter includes both manually-specified and system-generated filters.

  • limit int64

    The maximum number of items displayed per page in the response.

  • start string

    The page number used to get this response. Pages are indexed starting from 1 (i.e., "start": "1").

  • total_count int64

    The total number of items, summed across all pages.

  • total_pages_count int64

    The total number of pages of results.

GET /audit-trails

Authorization

Request

Click Edit to configure Base URL
https://us-west-2.api.clumio.com
Bearer Token
limit — query
start — query
filter — query
curl -L -X GET 'https://us-west-2.api.clumio.com/audit-trails' \
-H 'Accept: application/api.clumio.audit-trails=v1+json' \
-H 'Authorization: Bearer <TOKEN>'