Cloud Administration Event Log API

The Cloud Administration Event Log API is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as NetWitness. Events are retrieved in chronological order in batches, and do not contain duplicates. They can be filtered by date range. Events are retained for 90 days and then purged.

The endpoint, which can be either the SIEM or another client, uses the Administration API Key to call the Administration Event Log API. The Super Admin generates this key and provides it to the Client Developer, as described in Manage API Keys for the Administration Event Log, User Event Log, and Help Desk APIs.

For information on audit log messages that describe Super Admin activities, see Administration Log Messages for the Cloud Authentication Service.

Authentication

Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration REST APIs.

Administrative Roles

This API can use an API key that is associated with either the Super Administrator or Help Desk Administrator role. For more information, see Manage the Cloud Administration REST API Keys.

Software Developer Kit

You can download the API Software Developer Kit (SDK) from Cloud Administration REST API Download.

Request Requirements

Use the following method, request URL, response body, response body type, and response codes to retrieve audit log events from the Cloud Authentication Service and deliver them to your SIEM solution.

| Method | Request URL | Response Body | Response Body Type | Response Codes |
| --- | --- | --- | --- | --- |
| GET | /AdminInterface/restapi/v1/adminlog/exportlogs | Metadata plus array of Admin log events | application/json | 200, 400, 403 |

Request Parameters

The Administration Event Log API allows the following optional parameters.

Note: The request query parameter values may contain reserved characters that need to be URL encoded. Otherwise, the server may send a 400 Bad Request error. For example, the ISO 8601 Date and Time format may contain the + character if the specific time zone has an offset from UTC, such as +05:30. The + character needs to be encoded as %2B.

| Name | Description | Type | Default Value | Example |
| --- | --- | --- | --- | --- |
| startTimeAfter | Start time of log events. | ISO 8601 Date Time | Current time - 1 day | 2018-05-01T11:22:12.828-05:30 |
| endTimeOnOrBefore | End time of log events. | ISO 8601 Date Time | Current time | 2018-05-09T21:06:33.125-05:30 |
| pageNumber | Zero-based index of the page to return. | Integer | 0 | 5 |
| pageSize | Number of records to return in a page (or batch). Value between 1-100. Any value specified outside of this range will be treated as 100. | Integer | 100 | 50 |

Request Examples

The following example displays a REST API request with no parameters.

GET /AdminInterface/restapi/v1/adminlog/exportlogs
Accept: application/json
Authorization: Bearer <JWT token>

The following example shows a REST API request with a specified start time.

GET /AdminInterface/restapi/v1/adminlog/exportlogs?startTimeAfter=2018-05-01T11:22:12.828-05:30
Accept: application/json
Authorization: Bearer <JWT token>

Responses

The following table shows response metadata.

| Parameter | Description | Type |
| --- | --- | --- |
| totalPages | Total number of pages (or batches) of results. | Integer |
| totalElements | Total number of results. | Integer |
| pageSize | Number of results returned in a page (or batch). | Integer |

The following example shows sample response metadata with 684 total results and a default page size of 100.

{
  "totalPages": 7,
  "totalElements": 684,
  "pageSize": 100,
  "elements": [
    {
      ......
    }
  ]
}
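The two client-side details the sections above leave to the reader are the URL encoding of the + sign in an ISO 8601 offset and the walk over pageNumber 0..totalPages-1. The following Python client is an added example, not code from the SDK or from this page; the fetch_page callable and the fake server that stands in for the Cloud Authentication Service are constructed so the block runs offline, and the advice to pin endTimeOnOrBefore is a practitioner's caveat rather than a statement from the page.

```python
from typing import Callable, Dict, Iterator, List
from urllib.parse import parse_qsl, urlencode, urlsplit

EXPORT_PATH = "/AdminInterface/restapi/v1/adminlog/exportlogs"

def build_export_url(start_time_after=None, end_time_on_or_before=None,
                     page_number=0, page_size=100) -> str:
    """Build the exportlogs URL. urlencode percent-encodes reserved characters,
    so the '+' of an ISO 8601 offset such as +05:30 is sent as %2B."""
    params: Dict[str, object] = {"pageNumber": page_number, "pageSize": page_size}
    if start_time_after:
        params["startTimeAfter"] = start_time_after
    if end_time_on_or_before:
        params["endTimeOnOrBefore"] = end_time_on_or_before
    return EXPORT_PATH + "?" + urlencode(params)

def export_all_events(fetch_page: Callable[[str], dict], start_time_after: str,
                      end_time_on_or_before: str, page_size: int = 100) -> Iterator[dict]:
    """Walk pageNumber 0..totalPages-1 using the response metadata. The end time
    is passed explicitly because its default is 'now': left unset, each page
    request would move the window while events keep arriving (added caveat)."""
    page = 0
    while True:
        body = fetch_page(build_export_url(start_time_after, end_time_on_or_before,
                                           page, page_size))
        yield from body.get("elements", [])
        page += 1
        if page >= int(body.get("totalPages", 0)):
            return

def make_fake_server(events: List[dict]) -> Callable[[str], dict]:
    """Constructed offline stand-in (not the real API); applies the 1-100 pageSize rule."""
    def fetch_page(url: str) -> dict:
        query = dict(parse_qsl(urlsplit(url).query))
        page, size = int(query.get("pageNumber", 0)), int(query.get("pageSize", 100))
        size = size if 1 <= size <= 100 else 100  # out-of-range values are treated as 100
        return {"totalPages": -(-len(events) // size), "totalElements": len(events),
                "pageSize": size, "elements": events[page * size:(page + 1) * size]}
    return fetch_page

# Constructed sample events, shaped like the page's example response elements.
SAMPLE_EVENTS = [{"eventId": 760 + i, "eventLogDate": f"2018-05-13T16:29:{i:02d}.000 UTC",
                  "activityKey": "SIGNIN_SUCCESS", "result": "SUCCESS"} for i in range(7)]

def collect_event_ids(fetch_page: Callable[[str], dict], page_size: int = 3) -> List[int]:
    """Export the whole window in page_size batches; return eventIds in order."""
    events = export_all_events(fetch_page, "2018-05-13T00:00:00.000+05:30",
                               "2018-05-14T00:00:00.000+05:30", page_size)
    return [e["eventId"] for e in events]
```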

The following table shows API response data.

| Parameter | Description | Type |
| --- | --- | --- |
| eventId | Identifies the event. | String |
| eventLogDate | Date and time of the log event, in UTC timezone. Example: 2018-05-13T16:29:59.000 UTC | ISO 8601 Date Time |
| eventType | Always set to Administration. | String |
| serverURL | The Administration Server URL. Example: https://access.securid.com/AdminInterface | String |
| serverIPAddress | IP address of the Administration Server. | IP Address |
| application | SecurID. | String |
| customerId | Internal company specifier. | String |
| customerName | Company name, as specified in Company Settings. | String |
| sourceIPAddress | IP address used by the Super Admin account that performed the operation. | IP Address |
| adminUserName | Username or email address used by the Super Admin who performed the operation. | String |
| adminUserRole | Role of the administrator who performed the operation. Values are Super Administrator, Help Desk Administrator, and Support Administrator. | String |
| activityKey | Activity key of the administration operation. See Cloud Authentication Service Administration Log Messages. | String |
| activityCode | Unique activity code of the administration operation. See Cloud Authentication Service Administration Log Messages. | Integer |
| result | Result of the administration operation (SUCCESS or FAILURE). | String |
| reasonKey | Reason for failure. | String |
| message | Describes the administration operation. | String |
| requiresPublish | Administration operation requires a publish. Values are true or false. | Boolean |
| targetObject1Id, targetObject1Name, targetObject1Type, targetObject2Id, targetObject2Name, targetObject2Type | Identifies the target object of the administrative activity. Examples of administrative activity are ADD_POLICY and DELETE_POLICY. Publishing does not have a target object. | String |

Example Response

{
  "totalPages": 1,
  "totalElements": 2,
  "pageSize": 100,
  "elements": [
    {
      "eventId": 767,
      "eventLogDate": "2018-05-13T16:29:59.000 UTC",
      "eventType": "Administration",
      "serverURL": "https://access.securid.com/AdminInterface/",
      "serverIPAddress": "191.237.22.167",
      "application": "SecurID",
      "customerId": 3,
      "customerName": "mycompanyname",
      "sourceIPAddress": "1.2.3.4",
      "adminUserName": "admin@mycompany.com",
      "adminUserRole": "Super Administrator",
      "activityKey": "SIGNIN_SUCCESS",
      "activityCode": 80001,
      "result": "SUCCESS",
      "reasonKey": "",
      "message": "admin@mycompany.com successfully signed in",
      "requiresPublish": false,
      "targetObject1Id": null,
      "targetObject1Name": null,
      "targetObject1Type": null,
      "targetObject2Id": null,
      "targetObject2Name": null,
      "targetObject2Type": null
    },
    {
      "eventId": 768,
      "eventLogDate": "2018-05-13T16:32:09.000 UTC",
      "eventType": "Administration",
      "serverURL": "https://access.securid.com/AdminInterface/",
      "serverIPAddress": "191.237.22.167",
      "application": "SecurID",
      "customerId": 3,
      "customerName": "mycompanyname",
      "sourceIPAddress": "1.2.3.4",
      "adminUserName": "admin@mycompany.com",
      "adminUserRole": "Super Administrator",
      "activityKey": "ADD_ADMIN_API_KEY",
      "activityCode": 80400,
      "result": "SUCCESS",
      "reasonKey": "",
      "message": "admin@mycompany.com added an Admin API Key 139f6495-e447-4a26-a765-5c01b6152d5",
      "requiresPublish": false,
      "targetObject1Id": 18,
      "targetObject1Name": "139f6495-e447-4a26-a765-5c01b6b152d5",
      "targetObject1Type": "ADMIN_API_KEY",
      "targetObject2Id": null,
      "targetObject2Name": null,
      "targetObject2Type": null
    }
  ]
}