Skip to main content

Audit Logs

Audit logs enable admins to keep track of changes in their configuration and settings across the BigPanda platform. The Audit Logs API gives admins a vital troubleshooting, investigation, and security tool.

BigPanda audit logs report on CreateUpdate, and Delete actions for these resources:

  • Alert Enrichment including:

    • Tags

    • Tags Order

    • Tag Enrichments

    • Tag Enrichments Order

    • Mapping Enrichment Schema

    • Mapping Table Upload

  • Alert Correlation Patterns

  • Alert Filtering

  • API Keys

  • AutoShare

  • Enrichment V1 Custom Tags

  • Environments

  • Integrations

  • JIT Provisioning

  • Maintenance Plans

  • Roles

  • SAML Attribute Mapping

  • Service Accounts

  • SSO Configuration

  • SSO Testing

  • Users

Users object

Currently, the audit log does not track changes to user phone number or name. In the future more details will be added to the Users audit log.

Audit Logs

Authentication

All BigPanda APIs require Bearer Token Authorization in the call headers.

This API uses the User API Key type of Authorization token.

BigPanda recommends adding Authentication headers only in the secure tool you use to make API calls.

Example 1. Search audit logs
curl --request GET \
     --url https://api.bigpanda.io/resources/v2.0/audit/logs \
     --header 'Authorization: Bearer <User API KEY>' \
     --header 'Content-Type: application/json; charset=utf8'
curl --request GET \
     --url https://eu-api.bigpanda.io/resources/v2.0/audit/logs \
     --header 'Authorization: Bearer <User API KEY>' \
     --header 'Content-Type: application/json; charset=utf8'


Parameters

The Audit Log object schema includes the following attributes:

Attribute 

Description 

Type 

actor

The user or system that made the change. Possible returns are:

  • type - whether the change was made by a user or the system. Attributes: user and system-generated.

  • user - Details on the user account that performed the action. (Only included in changes made by a user.) Attributes: id, email, and name.

Object

action_type

The action that was made. Possible returns are:

  • init_state - the initial value.

  • create - when a resource is created.

  • update - when a resource is updated.

  • delete - when a resource is deleted.

String

context

Actor access details as reported by the client. (Only included in changes performed by a user.) 

actor_access object attributes:

  • user_agent - information about the user’s browser.

  • ip_address - the access point used to access the system.

Object

timestamp

Unix epoch time when the event occurred (in seconds). 

Timestamp (in seconds)

resource_id

The system id of the resource that was changed.

String

resource_type

The resource type that was changed. Possible returns are:

  • auto_share_rules 

  • correlation_patterns 

  • enrichment v1 custom_tags 

  • environments 

  • users 

  • integrations 

  • alert_filtering

  • enrichment v2 resources:

    • tag_enrichments_order 

    • tag_enrichments 

    • tag 

    • mapping_enrichment 

  • api_keys

  • jit_roles

  • roles

  • service_accounts

  • sso_config

String

object

The resource object after the change. Resource objects include:

  • Alert Correlation

  • Alert Enrichments

  • Alert Filtering

  • API Keys

  • AutoShare

  • Environments

  • Integrations

  • JIT Provisioning

  • Maintenance Plans

  • Roles

  • SAML Attribute Mapping

  • Service Accounts

  • SSO Configuration

  • Users

When the resource is deleted, the object is {null}.

Object

Sample Object

Sample Query

curl --request GET \
     --url 'https://api.bigpanda.io/resources/v2.0/audit/logs?resource_type=users&action_type=create&start=1697765051&end=1697765555&per_page=100' \
     --header 'Authorization: Bearer <User API Key>' \
     --header 'accept: application/json'

Audit Log Return

{
  "actor": {
    "type": "user",
    "user": {
      "id": "62f0ec2d95918d0012bba5553",
      "email": "[email protected]"
    }
  },
  "action_type": "update",
  "context": {
    "actor_access": {
      "ip_address": "::ffff:10.12.55.55",
      "user_agent": "axios/0.24.0"
    }
  },
  "resource_type": "users",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "createdAt": 1662284244,
    "lastLoginAt": 1662284281,
    "name": "Nataly",
    "state": "valid",
    "firstLoginAt": 1662284281,
    "username": "[email protected]",
    "id": "631471d494528700126a5559"
  }
}
In this section: