List audit trails
Returns a list of audit trails.
Query Parameters
- limit int64
Limits the size of the response on each page to the specified number of items.
- start string
Sets the page number used to browse the collection. Pages are indexed starting from 1 (i.e., ?start=1).
- filter string
Narrows down the results to only the items that satisfy the filter criteria. The following table lists the supported filter fields for this resource and the filter conditions that can be applied on those fields:
| Field | Filter Condition | Description |
|---|---|---|
| start_timestamp | $gte, $lt, $eq | The start timestamp denotes the time filter for audit events (when the server received the request). $gte and $lt accept RFC-3339 timestamps and $eq accepts a unix timestamp denoting the offset from the current time. $eq takes precedence over both $gte and $lt, so if $eq is used, the backend will use the relative time filter instead of absolute time filters. For example, ?filter={"start_timestamp":{"$eq":86400}} |
| category | $in | The category of the resource affected by an audit event. Possible values include authentication, data_source, policy, protection, restore, tasks, backup, users, api_tokens, kms_config, sso, mfa, reports, alerts, cloud_connector, cloudformation_template, bandwidth_config, partner_ecosystem, and ecosystem_changes. For example, ?filter={"category":{"$in":["policy"]}} |
| action | $in | The action performed by the audit event. Possible values include create, update, delete, enable, disable, browse, search, login, logout, register, unregister, refresh, apply, deploy, remove, invite, suspend, full_restore, and granular_restore. For example, ?filter={"action":{"$in":["login"]}} |
| status | $in | Whether or not the action succeeded. Possible values include success, failure, and partial_success. For example, ?filter={"status":{"$in":["success"]}} |
| user_email | $in | The email address of the user performing the action. For example, ?filter={"user_email":{"$in":["xyz@example.com"]}} |
| ip_address | $eq | The IP address of the client making the request. For example, ?filter={"ip_address":{"$eq":"127.0.0.1"}} |
| primary_entity.id | $in | The system-generated IDs of the primary entities affected by the activity. For example, ?filter={"primary_entity.id":{"$in":["9c2934fc-ff4d-11e9-8e11-76706df7fe01"]}} |
| primary_entity.type | $eq | The type(s) of primary entities to filter on. For example, ?filter={"primary_entity.type":{"$in":["aws_ebs_volume"]}} |
| primary_entity.value | $in | The value(s) or name(s) to filter on. For example, the primary entity value associated with primary entity type "aws_ebs_volume" is "vol-0a5f2e52d6decd664" representing the name of the EBS volume. The filter supports substring search for all elements in the array. For example, ?filter={"primary_entity.value":{"$in":["vol-0a"]}} |
| parent_entity.type | $in | The type(s) of the parent entities to filter on. For example, ?filter={"parent_entity.type":{"$in":["aws_environment"]}} |
| parent_entity.value | $in | The value(s) or name(s) associated with the parent entities affected by the compliance event. For example, the parent entity value associated with primary entity type "aws_ebs_volume" is "891106093485/us-west-2" representing the name of the AWS Account Region. For example, ?filter={"parent_entity.value":{"$in":["891106093485/us-west-2"]}} |
| parent_entity.id | $in | The system-generated IDs of the parent entities which are associated with the primary entity affected by the compliance event. For example, ?filter={"parent_entity.id":{"$in":["9c2934fc-ff4d-11e9-8e11-76706df7fe01"]}} |
| organizational_unit_id | $eq | The system-generated ID of the organizational unit whose audit trails are desired. For example, ?filter={"organizational_unit_id":{"$eq":"9c2934fc-ff4d-11e9-8e11-76706df7fe01"}} |

For more information about filtering, refer to the Filtering section of this guide.
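The following is an added example, not Clumio's own code: a small builder that checks a filter against the fields and operators listed above and produces the encoded query string. The function and constant names are assumptions of this example, and the endpoint URL is left out because this page does not give it.

```python
import json
from urllib.parse import urlencode

# Fields and operators copied from the filter table above.
ALLOWED_OPS = {f: {"$in"} for f in (
    "category", "action", "status", "user_email", "primary_entity.id",
    "primary_entity.value", "parent_entity.type", "parent_entity.value",
    "parent_entity.id")}
ALLOWED_OPS.update({
    "start_timestamp": {"$gte", "$lt", "$eq"},
    "ip_address": {"$eq"},
    "organizational_unit_id": {"$eq"},
    # The table lists $eq for this field while its example uses $in.
    "primary_entity.type": {"$eq", "$in"},
})


def build_query(filter_spec, limit=None, start=None):
    """Validate a filter against the table and return the encoded query string."""
    for field, conditions in filter_spec.items():
        if field not in ALLOWED_OPS:
            raise ValueError(f"unsupported filter field: {field}")
        bad = set(conditions) - ALLOWED_OPS[field]
        if bad:
            raise ValueError(f"{field} does not support {sorted(bad)}")
        if "$in" in conditions and not isinstance(conditions["$in"], list):
            raise ValueError(f"{field}: $in takes a list")
    ts = filter_spec.get("start_timestamp", {})
    if "$eq" in ts and len(ts) > 1:
        # $eq (relative) takes precedence, so $gte/$lt would be silently ignored.
        raise ValueError("start_timestamp: $eq cannot be combined with $gte/$lt")
    params = {"filter": json.dumps(filter_spec, separators=(",", ":"))}
    if limit is not None:
        params["limit"] = int(limit)
    if start is not None:
        if int(start) < 1:
            raise ValueError("pages are indexed starting from 1")
        params["start"] = str(start)
    return urlencode(params)


# Failed logins within the page's example relative offset (86400), first page.
FAILED_LOGINS = {"start_timestamp": {"$eq": 86400},
                 "action": {"$in": ["login"]}, "status": {"$in": ["failure"]}}
QUERY = build_query(FAILED_LOGINS, limit=100, start=1)
```

Rejecting a mixed `$eq` plus `$gte`/`$lt` filter on the client side avoids an audit query that quietly covers a different time window than the one intended.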
- 200
- default
Success
- application/api.clumio.audit-trails=v1+json
- Schema
- Example (from schema)
Schema
_embedded object
Embedded responses related to the resource.
items object[]
A collection of requested items.
action string
The action performed by the user.

| Action | Details |
|---|---|
| create | Creating or adding new entities like new policy, configuration, user, etc |
| update | Updating an existing entity like policy, settings, passwords, etc |
| delete | Delete an existing entity like policy, settings, users, etc |
| enable | Enabling a feature like single sign on or multi factor authentication settings |
| disable | Disabling features like single sign on or multi factor authentication settings |
| browse | Browsing through entities in the system like mailboxes or backups, etc |
| search | Searching through entities in the system like mailboxes or backups, etc |
| login | User logs in or tries to login |
| logout | User explicitly logged out. |
| register | When new registrations happen like new datasource registration or user registering for MFA |
| unregister | When unregistering like unregistering datasource or user unregistering MFA |
| apply | Apply policy to protect entities, tags, etc |
| remove | Remove protection for entities, tags, etc |
| invite | Inviting a user |
| suspend | Suspend an existing user |
| full_restore | Full restore of the VM, volume, mailbox, database or other entities |
| granular_retrieval | Restoring individual files, mails or records |
| redirected | When cross region restore occurs. |
| unapply | Assets removed from a rule. |
| batch_activate | Activate multiple policies. |
| batch_deactivate | Deactivate multiple policies. |
| grant_email_access | Grant email access for a file level object. This is mutually exclusive with grant_download_access |
| grant_download_access | Grant download access for a file level object. This is mutually exclusive with grant_email_access |
| download | File was downloaded. |
| validate_tda_passcode | Validate passcode that is entered for a download. |
| regenerate_tda_passcode | Regenerate a new passcode used for download. |

category string
The category of the auditable action performed by the user.

| Category | Details |
|---|---|
| authentication | Activities related to Authentication |
| data_source | Data source changes |
| policy | Policy related actions |
| protection | Applying and removing protection |
| restore | Restore related operations |
| tasks | Tasks |
| backup | Backup related operations |
| users | User related operations |
| api_tokens | API Token related operations like creating, revoking or deleting tokens |
| kms_config | Key Management Service (KMS) related operations |
| sso | Single sign-on (SSO) related operations |
| mfa | Multi Factor Authentication (MFA) related operations |
| reports | Reports related operations |
| alerts | Alerts related operations |
| cloud_connector | Cloud connector related operations |
| cloudformation_template | Cloud Formation Template related operations |
| bandwidth_config | Bandwidth configuration related changes |
| partner_ecosystem | Changes to partner ecosystem |
| ecosystem_changes | Changes in the ecosystem like adding or removing VMs |
| organizational_unit | Changes in the Organizational Unit/Entity group such as creation, deletion, patch. |

details string
Additional details about the activity provided in JSON format.
id string
The Clumio-assigned ID of the audit event.
interface string
The interface used to make the request, i.e. 'UI', 'API'
ip_address string
The IP address from which the activity was requested.
parent_entity object
The parent object of the primary entity associated with or affected by the audit.
id string
A system-generated ID assigned to this entity.
type string
Type is mostly an asset type or the type of Entity. Some examples are "restored_file", "aws_ebs_volume", etc.
value string
A system-generated value assigned to the entity. For example, if the primary entity type is "aws_ebs_volume", then the value is the name of the EBS.
primary_entity object
The primary object associated with the audit event. Examples of primary entities include "aws_connection", "aws_ebs_volume" and "aws_ec2_instance". In some cases like global settings, the primary entity may be null.
id string
A system-generated ID assigned to this entity.
type string
Type is mostly an asset type or the type of Entity. Some examples are "restored_file", "aws_ebs_volume", etc.
value string
A system-generated value assigned to the entity. For example, if the primary entity type is "aws_ebs_volume", then the value is the name of the EBS.
status string
The status of the performed action. 'success', 'failure', 'partial_success'
timestamp string
The Timestamp of when the activity began. Represented in RFC-3339 format.
user_email string
The email address of the logged in user making the request.
_links object
URLs to pages related to the resource.
_first object
The HATEOAS link to the first page of results.
href string
The URI for the referenced operation.
templated boolean
Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.
type string
The HTTP method to be used with the "href" link for the referenced operation.
_last object
The HATEOAS link to the last page of results.
href string
The URI for the referenced operation.
templated boolean
Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.
type string
The HTTP method to be used with the "href" link for the referenced operation.
_next object
The HATEOAS link to the next page of results.
href string
The URI for the referenced operation.
templated boolean
Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.
type string
The HTTP method to be used with the "href" link for the referenced operation.
_prev object
The HATEOAS link to the previous page of results.
href string
The URI for the referenced operation.
templated boolean
Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.
type string
The HTTP method to be used with the "href" link for the referenced operation.
_self object
The HATEOAS link to this resource.
href string
The URI for the referenced operation.
templated boolean
Determines whether the "href" link is a URI template. If set to true, the "href" link is a URI template.
type string
The HTTP method to be used with the "href" link for the referenced operation.
- current_count int64
The number of items listed on the current page.
- filter_applied string
The filter used in the request. The filter includes both manually-specified and system-generated filters.
- limit int64
The maximum number of items displayed per page in the response.
- start string
The page number used to get this response. Pages are indexed starting from 1 (i.e., "start": "1").
- total_count int64
The total number of items, summed across all pages.
- total_pages_count int64
The total number of pages of results.
{
  "_embedded": {
    "items": [
      {
        "action": "string",
        "category": "string",
        "details": "string",
        "id": "string",
        "interface": "string",
        "ip_address": "string",
        "parent_entity": {
          "id": "string",
          "type": "string",
          "value": "string"
        },
        "primary_entity": {
          "id": "string",
          "type": "string",
          "value": "string"
        },
        "status": "string",
        "timestamp": "string",
        "user_email": "string"
      }
    ]
  },
  "_links": {
    "_first": {
      "href": "string",
      "templated": true,
      "type": "string"
    },
    "_last": {
      "href": "string",
      "templated": true,
      "type": "string"
    },
    "_next": {
      "href": "string",
      "templated": true,
      "type": "string"
    },
    "_prev": {
      "href": "string",
      "templated": true,
      "type": "string"
    },
    "_self": {
      "href": "string",
      "templated": true,
      "type": "string"
    }
  },
  "current_count": 0,
  "filter_applied": "string",
  "limit": 0,
  "start": "string",
  "total_count": 0,
  "total_pages_count": 0
}
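An added example (not Clumio's own code) of reviewing response pages in the shape described above: it groups failed logins by source IP, lists successful changes in security-sensitive categories, and checks that every page was collected. The sample pages are constructed, and the `SENSITIVE` set, the threshold and all function names are assumptions of this example.

```python
from collections import defaultdict

# Categories treated as security-sensitive here: an assumption of this example.
SENSITIVE = {"mfa", "sso", "api_tokens", "kms_config", "users"}


def triage(pages, min_users=2):
    """Summarise audit-trail pages: failed-login sources and sensitive changes."""
    failed = defaultdict(set)  # ip_address -> user_emails with failed logins
    changes, seen, total = [], 0, None
    for page in pages:
        items = (page.get("_embedded") or {}).get("items") or []
        seen += len(items)
        total = page.get("total_count", total)
        for ev in items:
            if ev["action"] == "login" and ev["status"] == "failure":
                failed[ev["ip_address"]].add(ev["user_email"])
            elif ev["category"] in SENSITIVE and ev["status"] != "failure":
                entity = ev.get("primary_entity") or {}  # may be null
                changes.append((ev["timestamp"], ev["user_email"],
                                ev["category"], ev["action"], entity.get("type")))
    return {
        "multi_user_failure_ips": sorted(
            ip for ip, users in failed.items() if len(users) >= min_users),
        "sensitive_changes": changes,
        # False means pages are missing, e.g. the paging loop stopped early.
        "complete": seen == total,
    }


def event(action, category, status, ip, user, ts, entity=None):
    return {"action": action, "category": category, "status": status,
            "ip_address": ip, "user_email": user, "timestamp": ts,
            "interface": "UI", "primary_entity": entity}


# Constructed sample pages in the shape of the schema above (not real data).
SAMPLE_PAGES = [
    {"_embedded": {"items": [
        event("login", "authentication", "failure", "203.0.113.7", "a@example.com", "2024-05-01T10:00:00Z"),
        event("login", "authentication", "failure", "203.0.113.7", "b@example.com", "2024-05-01T10:00:05Z"),
    ]}, "current_count": 2, "start": "1", "total_count": 4, "total_pages_count": 2},
    {"_embedded": {"items": [
        event("login", "authentication", "success", "198.51.100.4", "c@example.com", "2024-05-01T10:02:00Z"),
        event("disable", "mfa", "success", "198.51.100.4", "c@example.com", "2024-05-01T10:03:00Z"),
    ]}, "current_count": 2, "start": "2", "total_count": 4, "total_pages_count": 2},
]
REPORT = triage(SAMPLE_PAGES)
```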
Error
- application/json
- Schema
- Example (from schema)
Schema
errors object[]
A list of errors encountered during runtime.
error_code uint32
error_message string
The reason for the error.
{
  "errors": [
    {
      "error_code": 0,
      "error_message": "string"
    }
  ]
}