IntegrationServices Audit Log v3 API Migration
Overview
This guide assists in migrating integrations from the integrationServices/v3/auditlogs API to the Audit Log API.
In this document, you will find
- A brief overview of the key differences and new features of the Audit Log API
- A mapping of each deprecated v3 Audit Log API endpoint to the corresponding new Audit Log endpoint, including schema changes
Guides and Resources
- Audit Log API Documentation
- After migrating, learn how to increase security by removing unused API keys.
- Syslog Connector 2.0
Key Differences
The new Audit Log API adds search and export endpoints alongside the queue endpoint (see API Endpoints below).
The expanded functionality lets you filter to exactly what you want to monitor, or export data to perform quarterly or annual audits of your organization.
The Audit Log schema carries the same information in the description, with a few renamed fields and the timestamp updated to the standard ISO 8601 UTC format. See Schema Changes below.
API Endpoints
Operation | Legacy v3 Audit Log Endpoint | New Audit Log API Endpoint
---|---|---
Get Audit Logs From Queue | GET /integrationServices/v3/auditlogs | GET /audit_log/v1/orgs/{org_key}/logs/_queue
Search Audit Logs | None | POST /audit_log/v1/orgs/{org_key}/logs/_search
Export Audit Logs | None | POST /audit_log/v1/orgs/{org_key}/logs/_export
Examples
Request:

```
GET https://defense.conferdeploy.net/audit_log/v1/orgs/ABCD1234/logs/_queue
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
```

Response:

```json
{
  "num_found": 2,
  "num_available": 2,
  "results": [
    {
      "org_key": "ABCD1234",
      "actor_ip": "50.215.71.123",
      "actor": "user1@mydomain.com",
      "request_url": null,
      "description": "Logged in successfully",
      "create_time": "2023-11-02T18:13:44.276Z"
    },
    {
      "org_key": "ABCD1234",
      "actor_ip": "50.215.71.123",
      "actor": "user1@mydomain.com",
      "request_url": null,
      "description": "Logged in successfully",
      "create_time": "2023-11-02T16:29:59.793Z"
    }
  ]
}
```
Schema Changes
The following table contains the fields to substitute when migrating to the Audit Log API. Fields marked DEPRECATED do not have an equivalent in the Alert v7 API or Alert Forwarder Schema v2.
Legacy Field | New Field
---|---
clientIp | actor_ip
description | description
eventId | DEPRECATED
eventTime | create_time
flagged | DEPRECATED
loginName | actor
orgName | org_key
requestUrl | request_url
verbose | DEPRECATED
Carbon Black Cloud Python SDK
Support for the updated Fetch from Audit Log Queue function as well as Search and Export Audit Logs was added in version 1.5.2 of the Carbon Black Cloud Python SDK.
A guide for the new methods is available on Read The Docs.
Last modified on June 3, 2024