Audit API

Note

API Version: 1.0.0
Base URL: https://next.itrslab.com/audit/api

The Audit API provides functionality to publish and query audit events within the ITRS system. This API allows you to track user actions, system events, and other auditable activities across your infrastructure.

Audit API endpoints Copied

Audit Events Copied

Publish an Audit Event Copied

POST /v1/audit-events

Publishes a new audit event to the system.

Parameters

Parameter Type Location Required Description
auditEvent AuditEvent Request Body Yes The audit event data to be published

Request Body

{
  "auditEvent": {
    "user": "string",
    "sourceDimensions": [
      {
        "key": "string",
        "value": "string"
      }
    ],
    "targetDimensions": [
      {
        "key": "string",
        "value": "string"
      }
    ],
    "outcome": "success",
    "action": "login",
    "timestamp": "2023-11-15T10:30:00Z",
    "context": {
      "sessionId": "sess_123456",
      "userAgent": "Mozilla/5.0"
    },
    "eventReporter": {
      "namespace": "authentication",
      "name": "login-service"
    }
  }
}

Response

Status Code: 200 OK

{}

Query Audit Events Copied

POST /v1/audit-events/query

Queries audit events based on specified criteria including time range, filters, and search terms.

Parameters

Parameter Type Location Required Description
from string (date-time) Request Body Yes Get audit events after this point in time
to string (date-time) Request Body No Get audit events before this point in time (defaults to now)
filter AuditEventFilter Request Body No Optional filter to restrict results
globalSearchTerm string Request Body No Global search term to match across all string fields
pagingToken string Request Body No Token for pagination (for subsequent pages)
pageSize integer Request Body No Maximum number of events to return (default: 100, max: 1000)

Request Body

{
  "from": "2023-11-15T00:00:00Z",
  "to": "2023-11-15T23:59:59Z",
  "filter": {
    "filteredFieldTerms": [
      {
        "stringFieldFilter": {
          "filteredField": {},
          "filterTerms": [
            {
              "filterValue": "login",
              "matchType": "MATCH_TYPE_EXACT"
            }
          ]
        }
      }
    ]
  },
  "globalSearchTerm": "john.doe",
  "pageSize": 50
}

Response

Status Code: 200 OK

{
  "auditEvents": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "auditEvent": {
        "user": "john.doe@example.com",
        "sourceDimensions": [
          {
            "key": "hostname",
            "value": "workstation-01"
          }
        ],
        "targetDimensions": [
          {
            "key": "application",
            "value": "user-management-system"
          }
        ],
        "outcome": "success",
        "action": "login",
        "timestamp": "2023-11-15T10:30:00Z",
        "context": {
          "sessionId": "sess_123456",
          "userAgent": "Mozilla/5.0"
        },
        "eventReporter": {
          "namespace": "authentication",
          "name": "login-service"
        }
      }
    }
  ],
  "pagingToken": "eyJvZmZzZXQiOjUwfQ=="
}

Schemas Copied

AuditDataField Copied

Fields of the audit event data, used for the application of filters and retrieval of values for a specific field.

Type: object

Properties: None (empty object)

AuditEvent Copied

Representation of an audit event.

Type: object

Properties:

Property Type Required Description
user string No User responsible for making this audit event
sourceDimensions array[Dimension] No Ordered list of dimensions of where the event was generated, for example where the user logged on from. Source dimensions DO correspond to an entity in the system
targetDimensions array[Dimension] No Ordered list of dimensions of the destination, for example what the user logged on to. Target dimensions are not guaranteed to correspond to an entity in the system
outcome string No The result of this event, for example access denied or remote execution success
action string No What was done, for example a logon, remote execution or logoff
timestamp string (date-time) No Timestamp of event initiation
context object (key-value pairs) No Catch-all map to give specific context to this audit event
eventReporter NamespacedName No The reporter of the audit event (required)

AuditEventFilter Copied

An audit event filter contains 1+ filter terms where each term may target any of the audit data fields. All filter terms are logically ANDed together.

Type: object

Properties:

Property Type Required Description
filteredFieldTerms array[AuditEventFilter_FilteredFieldTerm] No A list of filter terms that are logically ANDed together to limit the audit events returned. At most, one ‘FilteredFieldTerm’ may be defined for each field type. If empty, no filtering is applied

AuditEventFilter_FilteredFieldTerm Copied

Each instance of this message describes a filter expression for a single data field. Within each field’s filter expression, there may be multiple filter terms on that field. Support for that, as well as determining how multiple terms are combined, is defined by the type of filter expression used for that field.

Type: object

Properties:

Property Type Required Description
sourceDimensionFilter DimensionValueFilterExpression No Restrict results to events whose source dimensions match this filter
targetDimensionFilter DimensionValueFilterExpression No Restrict results to events whose target dimensions match this filter
stringFieldFilter StringFieldFilterExpression No Restrict results to events whose “string fields” (user, action, outcome, reporter_name, reporter_namespace) match this filter. Even though context map keys and values are themselves string fields, they cannot be filtered using string filters
contextFilter ContextFilterExpression No Restrict results to events whose context map matches this filter

ContextFilterExpression Copied

Defines a filter on context map data in audit events. The terms within this filter expression are logically ORed together, thus enabling filtering based on multiple context key, value, or key/value data.

Type: object

Properties:

Property Type Required Description
contextFilterTerms array[ContextFilterExpression_ContextFilterTerm] No List of context filter terms that are ORed together to create the filter expression

ContextFilterExpression_ContextFilterTerm Copied

Defines a filter term on the audit event data’s ‘context’ field to restrict query results to events matching this context filter term. An instance of this MUST define either a ‘keyFilter’, a ‘valueFilter’, or both. If both are provided, both must be true for context to match. To create a more complex filter, multiple filter terms may be defined for an expression, then each of the terms is ORed together.

Type: object

Properties:

Property Type Required Description
keyFilter string No Restrict results to events whose context map contains a matching key
keyMatchType string (enum) No The match type for the key filter (EXACT, CONTAINS, STARTS_WITH)
valueFilter string No Restrict results to events whose context map contains a matching value
valueMatchType string (enum) No The match type for the value filter (EXACT, CONTAINS, STARTS_WITH)

Enum Values for Match Types:

Dimension Copied

A single Entity dimension.

Type: object

Properties:

Property Type Required Description
key string No The dimension key
value string No The dimension value

DimensionValueFilterExpression Copied

Defines a filter expression by combining 1+ filter terms. The dimensions to which the filter expression applies (source or target) is defined by the message in which this filter expression is defined. The terms are ANDed together.

Type: object

Properties:

Property Type Required Description
dimensionFilterTerms array[DimensionValueFilterExpression_DimensionValueFilterTerm] No A list of filter terms that are applied to the appropriate field’s audit event dimensions. Dimension filters are case-sensitive
dimensionMatchType string (enum) No Defines how the dimension filter terms are matched against dimension data

Enum Values for Dimension Match Types:

DimensionValueFilterExpression_DimensionValueFilterTerm Copied

Defines a filter term on dimension key/value data to restrict query results.

Type: object

Properties:

Property Type Required Description
keyFilter string No Restrict results to events whose dimensions contain a matching key
keyMatchType string (enum) No The match type for the key filter
valueFilter string No Restrict results to events whose dimensions contain a matching value
valueMatchType string (enum) No The match type for the value filter

GetAuditEventsResponsePage Copied

List of audit events that satisfy the request.

Type: object

Properties:

Property Type Required Description
auditEvents array[ReturnedAuditEvent] No List of audit events matching the query
pagingToken string No Token for retrieving the next page (missing if no more pages)

NamespacedName Copied

A namespaced name identifier.

Type: object

Properties:

Property Type Required Description
namespace string No Namespace (max 128 characters)
name string No Name (non-blank, max 64 characters)

PublishAuditEventRequest Copied

Request to publish an audit event.

Type: object

Properties:

Property Type Required Description
auditEvent AuditEvent Yes AuditEvent data (required). Invalid audit event data will be rejected with an INVALID_ARGUMENT error

PublishAuditEventResponse Copied

Empty response to the request to publish an audit event.

Type: object

Properties: None (empty object)

QueryAuditEventsRequest Copied

Request to query audit events with filtering and pagination options.

Type: object

Properties:

Property Type Required Description
from string (date-time) Yes Get audit events after this point in time
to string (date-time) No Get audit events before this point in time (defaults to now)
filter AuditEventFilter No Optional filter, default behaviour is to return everything between from/to
globalSearchTerm string No Global match term, where user, action, outcome, source dimensions, target dimensions and context map all searched for containing this string
pagingToken string No If the paging_token is not set, the first page of results will be returned. If the paging_token is set, the returned page of audit events will contain events that occurred immediately after the events from the previous page
pageSize integer No Maximum number of events to return (default: 100, max: 1000)

ReturnedAuditEvent Copied

An audit event returned in query results.

Type: object

Properties:

Property Type Required Description
id string No UUID of the audit event (guaranteed unique)
auditEvent AuditEvent No The audit event data

StringFieldFilterExpression Copied

Defines a collection of filter terms on an ‘AuditEvent’s string field (i.e. ‘reporter_name’, ‘reporter_namespace’, ‘user’, ‘action’, or ‘outcome’) to restrict query results to events matching the condition created by logically ORing each of the terms together.

Type: object

Properties:

Property Type Required Description
filteredField AuditDataField Yes The field whose data is filtered by the ORed combination of the provided filter terms. This must be a string field, but CONTEXT_KEY and CONTEXT_VALUE are not supported
filterTerms array[StringFieldFilterExpression_StringFieldFilterTerm] Yes The collection of filter terms which are logically ORed together to create the filter expression. This list must not be empty

StringFieldFilterExpression_StringFieldFilterTerm Copied

Defines a filter term on an ‘AuditEvent’s string field (i.e. ‘reporter_name’, ‘reporter_namespace’, ‘user’, ‘action’, or ‘outcome’) to restrict query results to events matching this string field filter term.

Type: object

Properties:

Property Type Required Description
filterValue string Yes The filter value against which ‘AuditEvent’ data (from the ‘filtered_field’) is compared
matchType string (enum) No The filter match type dictates how data from the specified field is compared to the ‘filter_value’ value in order to determine if it should be included in the query results. If not specified, the default is ‘MATCH_TYPE_EXACT’

Enum Values:

Error Handling Copied

The API returns standard HTTP status codes:

Error responses include additional details in the response body when applicable.

["ITRS Analytics"] ["ITRS Analytics > API Gateway"] ["User Guide"]

Was this topic helpful?