IntegrationServices Audit Log v3 API Migration

Overview

This guide assists in migrating integrations from the integrationServices/v3/auditlogs API to the Audit Log API.

In this document, you will find

  • A brief overview of the key differences and new features of the Audit Log API
  • A mapping of each deprecated v3 Audit Log API endpoint to the related new Audit Log API endpoint, including schema changes

Guides and Resources


Key Differences

In addition to fetching audit logs from the queue, the new Audit Log API adds Search and Export endpoints (see API Endpoints below).

The expanded functionality lets you filter to exactly the events you want to monitor, or export data to perform quarterly or annual audits of your organization.

The Audit Log schema carries the same information in the description field, with a few field names changed and the timestamp updated to the standard ISO 8601 UTC format. See Schema Changes below.


API Endpoints

Operation                  Legacy v3 Audit Log Endpoint            New Audit Log API Endpoint
Get Audit Logs From Queue  GET /integrationServices/v3/auditlogs   GET /audit_log/v1/orgs/{org_key}/logs/_queue
Search Audit Logs          None                                    POST /audit_log/v1/orgs/{org_key}/logs/_search
Export Audit Logs          None                                    POST /audit_log/v1/orgs/{org_key}/logs/_export

Examples

Request
GET https://defense.conferdeploy.net/audit_log/v1/orgs/ABCD1234/logs/_queue
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
    "num_found": 2,
    "num_available": 2,
    "results": [
        {
            "org_key": "ABCD1234",
            "actor_ip": "50.215.71.123",
            "actor": "user1@mydomain.com",
            "request_url": null,
            "description": "Logged in successfully",
            "create_time": "2023-11-02T18:13:44.276Z"
        },
        {
            "org_key": "ABCD1234",
            "actor_ip": "50.215.71.123",
            "actor": "user1@mydomain.com",
            "request_url": null,
            "description": "Logged in successfully",
            "create_time": "2023-11-02T16:29:59.793Z"
        }
    ]
}
To download or review the Carbon Black Cloud Postman collection, click here.

Schema Changes

The following table contains the fields to be substituted when migrating to the Audit Log API.

Fields that are marked DEPRECATED do not have an equivalent in the Alert v7 API or Alert Forwarder Schema v2.

Legacy Field   New Field
clientIp       actor_ip
description    description
eventId        DEPRECATED
eventTime      create_time
flagged        DEPRECATED
loginName      actor
orgName        org_key
requestUrl     request_url
verbose        DEPRECATED
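The following is an added example, not code from the vendor page or from the Carbon Black Cloud Python SDK. It ties the two sections above together: it builds the "Get Audit Logs From Queue" request shown in Examples, parses the sample response body from that section, and adapts each record to the legacy v3 field names using the Schema Changes table so that an integration written against v3 can be moved to the new endpoint before its downstream consumers are rewritten. The base URL, org key and token are the sample values from the page; the response body is the page's own sample, embedded so the code runs offline.

```python
"""Migration helper for the integrationServices/v3/auditlogs -> Audit Log API move.

Added example; not part of the vendor documentation or the CBC Python SDK.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# New-schema field -> legacy v3 field, taken from the Schema Changes table.
NEW_TO_LEGACY: Dict[str, str] = {
    "actor_ip": "clientIp",
    "description": "description",
    "create_time": "eventTime",
    "actor": "loginName",
    "org_key": "orgName",
    "request_url": "requestUrl",
}

# Legacy fields marked DEPRECATED in the table: they have no equivalent in the
# new API, so an adapted record carries them as None.
DEPRECATED_LEGACY: Tuple[str, ...] = ("eventId", "flagged", "verbose")

# Sample response body copied from the Examples section (constructed sample data).
SAMPLE_RESPONSE = """{
    "num_found": 2,
    "num_available": 2,
    "results": [
        {"org_key": "ABCD1234", "actor_ip": "50.215.71.123",
         "actor": "user1@mydomain.com", "request_url": null,
         "description": "Logged in successfully",
         "create_time": "2023-11-02T18:13:44.276Z"},
        {"org_key": "ABCD1234", "actor_ip": "50.215.71.123",
         "actor": "user1@mydomain.com", "request_url": null,
         "description": "Logged in successfully",
         "create_time": "2023-11-02T16:29:59.793Z"}
    ]
}"""


def build_queue_request(base_url: str, org_key: str, token: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for GET /audit_log/v1/orgs/{org_key}/logs/_queue.

    The token is sent verbatim in X-AUTH-TOKEN, exactly as in the page's example.
    """
    url = f"{base_url.rstrip('/')}/audit_log/v1/orgs/{org_key}/logs/_queue"
    headers = {"X-AUTH-TOKEN": token, "Content-Type": "application/json"}
    return url, headers


def parse_queue_response(body: str) -> List[dict]:
    """Parse the JSON body and return the list of new-schema audit records.

    Every record is checked for the fields shown in the Examples section so a
    schema surprise fails loudly instead of silently producing empty records.
    """
    data = json.loads(body)
    results = data.get("results")
    if not isinstance(results, list):
        raise ValueError("response has no 'results' list")
    for rec in results:
        missing = [k for k in NEW_TO_LEGACY if k not in rec]
        if missing:
            raise ValueError(f"audit record missing expected fields: {missing}")
    return results


def parse_create_time(value: str) -> datetime:
    """Parse the ISO 8601 UTC create_time (trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def to_legacy_record(rec: dict) -> dict:
    """Adapt a new-schema record to the legacy v3 key names.

    Note: eventTime keeps the new ISO 8601 UTC string; the legacy timestamp
    format is not described on the page, so no conversion is assumed here.
    """
    legacy = {NEW_TO_LEGACY[new]: rec.get(new) for new in NEW_TO_LEGACY}
    for field in DEPRECATED_LEGACY:
        legacy[field] = None
    return legacy


if __name__ == "__main__":
    url, headers = build_queue_request(
        "https://defense.conferdeploy.net", "ABCD1234",
        "ABCDEFGHIJKLMNO123456789/ABCD123456")
    print("GET", url, headers)
    for rec in parse_queue_response(SAMPLE_RESPONSE):
        print(parse_create_time(rec["create_time"]), to_legacy_record(rec))
```

Because only the field names differ, the adapter is a one-line dictionary comprehension; the deprecated fields are emitted explicitly as None rather than omitted, so a consumer that indexes `record["eventId"]` fails with a predictable value instead of a KeyError and can be cleaned up at leisure.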

Carbon Black Cloud Python SDK

Support for the updated Fetch from Audit Log Queue function as well as Search and Export Audit Logs was added in version 1.5.2 of the Carbon Black Cloud Python SDK.

A guide for the new methods is available on Read The Docs.


Last modified on June 3, 2024