Audit Log Events
In the Carbon Black Cloud, audit logs are records of various organization-wide events, such as:
Log in attempts by users
Updates to connectors
Creation of connectors
LiveResponse events
The Audit Log API allows these records to be retrieved in JSON format, sorted by time in ascending order (oldest records come first). The API call returns only new audit log records that have been added since the last time the call was made using the same API Key ID. Once records have been returned, they are cleared and will not be included in future responses.
When reading audit log records using a new API key, the queue for reading audit logs will begin three days earlier. This may lead to duplicate data if audit log records were previously read with a different API key.
Note
Future versions of the Carbon Black Cloud and this SDK will support a more flexible API for finding and retrieving audit log records. This Guide will be rewritten to cover this when it is incorporated into the SDK.
API Permissions
To call this API function, use a custom API key created with a role containing the READ
permission on
org.audits
.
Example of API Usage
import time
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import AuditLog
cb = CBCloudAPI(profile='yourprofile')
running = True
while running:
events_list = AuditLog.get_auditlogs(cb)
for event in events_list:
print(f"Event {event['eventId']}:")
for (k, v) in event.items():
print(f"\t{k}: {v}")
# omitted: decide whether running should be set to False
if running:
time.sleep(5)
Check out the example script audit_log.py
in the examples/platform directory on GitHub.