Pull Audit Logs
## Description

Retrieves a filtered set of audit log activities from Wiz based on specified criteria like action, status, or user.

## Endpoint

Method: POST

## Inputs

- json_body (object) – Required
  - variables (object) – Required
    - first (number) – Required. Use as a pagination argument to refine your results. Possible values: 1-5000.
    - after (string). Use as a pagination argument to refine your results. Use the value returned by `pageInfo.endCursor` from the previous response. Keep requesting pages while `pageInfo.hasNextPage` is true so that no audit log entries are skipped.
    - filterBy (object)
      - timestamp (object)
        - after (string). Datetime in ISO 8601 format.
        - before (string). Datetime in ISO 8601 format.
      - action (string). Filter by specific action name in Wiz.
      - search (string). Filter by string matching ID or request ID.
      - status (array). Filter by audit log event status. You can specify multiple values.
      - user (array). Filter by specific user IDs or service account IDs.
      - userType (array). Filter audit log entries by the type of user. You can specify multiple values.
      - userAgent (string). Filter by user agent.
      - sourceIP (string). Filter audit log entries by source IP.

## Output example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 31 Jul 2023 06:44:55 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "922",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none",
      "Referrer-Policy": "no-referrer",
      "X-XSS-Protection": "0",
      "Vary": "Origin, Accept-Encoding",
      "Access-Control-Allow-Credentials": "true",
      "ETag": "W/\"39a-3ewlc7rs4ipo79rd3kdsyt1sjge\""
    },
    "reason": "OK",
    "json_body": {
      "data": {
        "auditLogEntries": {
          "nodes": [
            {
              "id": "d1589462-1a93-4556-901c-1616c2abc1f4",
              "action": "login",
              "requestId": "d1589462-1a93-4556-901c-1616c2abc1f4",
              "status": "success",
              "timestamp": "2023-07-31T06:44:53.680535Z",
              "actionParameters": {
                "clientid": "kr7ngoiolk3d9i8ravmuutlb6",
                "groups": null,
                "name": "swim lane",
                "products": [
                  " "
                ],
                "role": "",
                "scopes": [
                  "read:resources",
                  "read:users",
                  "read:issues",
                  "read:reports",
                  "read:vulnerabilities",
                  "read:cloud_configuration",
                  "update:issues",
                  "update:reports",
                  "create:reports",
                  "admin:audit"
                ],
                "useremail": "",
                "userid": "mlipebtwsndhxdmnzdwrxzmioinxkwjchfjvh4u7bj7467e53y2hg",
                "userpoolid": "us-east-2_gq3gwvxsq"
              },
              "userAgent": null,
              "sourceIP": null,
              "serviceAccount": {
                "id": "mlipebtwsndhxdmnzdwrxzmioinxkwjchfjvh4u7bj7467e53y2hg",
                "name": "swim lane"
              },
              "user": null
            }
          ],
          "pageInfo": {
            "hasNextPage": true,
            "endCursor": "eyjmawvszhmiolt7ikzpzwxkijoivgltzxn0yw1wiiwivmfsdwuioiiymdizlta3ltmxvda2ojq0ojuzljy4mduznvoifv19"
          }
        }
      }
    }
  }
]
```

## Output parameters

- status_code (number)
- reason (string)
- json_body (object)
  - data (object)
    - auditLogEntries (object)
      - nodes (array)
        - id (string)
        - action (string)
        - requestId (string)
        - status (string)
        - timestamp (string)
        - actionParameters (object)
          - clientid (string)
          - groups (object)
          - name (string)
          - products (array)
          - role (string)
          - scopes (array)
          - useremail (string)
          - userid (string)
          - userpoolid (string)
        - userAgent (object)
        - sourceIP (object)
        - serviceAccount (object)
          - id (string)
          - name (string)
        - user (object)
      - pageInfo (object)
        - hasNextPage (boolean)
        - endCursor (string)

## Response headers

| Header | Type |
| --- | --- |
| Date | string |
| Content-Type | string |
| Content-Length | string |
| Connection | string |
| Content-Security-Policy | string |
| Cross-Origin-Embedder-Policy | string |
| Cross-Origin-Opener-Policy | string |
| Cross-Origin-Resource-Policy | string |
| X-DNS-Prefetch-Control | string |
| X-Frame-Options | string |
| Strict-Transport-Security | string |
| X-Download-Options | string |
| X-Content-Type-Options | string |
| Origin-Agent-Cluster | string |
| X-Permitted-Cross-Domain-Policies | string |
| Referrer-Policy | string |
| X-XSS-Protection | string |
| Vary | string |
| Access-Control-Allow-Credentials | string |
| ETag | string |