Log Events API
Table of Contents
Expand all | Collapse all
-
-
- Allowed List of IP Addresses
-
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning Office 365 Apps
- Begin Scanning a Microsoft Teams App
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App (Beta)
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Reauthenticate to a Cloud App
- Verify Permissions on Cloud Apps
- Start Scanning a Cloud App
- Rescan a Managed Cloud App
- Delete Cloud Apps Managed by Data Security
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
-
-
-
- What is an Incident?
- Assess New Incidents on Data Security
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Analyze Inherited Exposure
- Email Asset Owners
- Modify Incident Status
-
-
-
- What’s SaaS Security Inline?
- Navigate To SaaS Security Inline
- SaaS Visibility for NGFW
- SaaS Visibility and Controls for NGFW
- SaaS Visibility for Prisma Access
- SaaS Visibility and Controls for Panorama Managed Prisma Access
- SaaS Visibility and Controls for Cloud Managed Prisma Access
- Activate SaaS Security Inline for NGFW
- Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits
- Activate SaaS Security Inline for Prisma Access
- Connect SaaS Security Inline and Strata Logging Service
- Integrate with Azure Active Directory
-
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Predefined SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
-
- Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Manage Enforcement of Rule Recommendations on NGFW
- Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access
- Change Risk Score for Discovered SaaS Apps
-
-
-
-
- Onboarding Overview for Supported SaaS Apps
- Onboard an Aha.io App to SSPM
- Onboard an Alteryx Designer Cloud App to SSPM
- Onboard an Aptible App to SSPM
- Onboard an ArcGIS App to SSPM
- Onboard an Articulate Global App to SSPM
- Onboard an Atlassian App to SSPM
- Onboard a BambooHR App to SSPM
- Onboard a Basecamp App to SSPM
- Onboard a Bitbucket App to SSPM
- Onboard a BlueJeans App to SSPM
- Onboard a Box App to SSPM
- Onboard a Bright Security App to SSPM
- Onboard a Celonis App to SSPM
- Onboard a Cisco Meraki App to SSPM
- Onboard a ClickUp App to SSPM
- Onboard a Confluence App to SSPM
- Onboard a Contentful App to SSPM
- Onboard a Convo App to SSPM
- Onboard a Couchbase App to SSPM
- Onboard a Coveo App to SSPM
- Onboard a Crowdin Enterprise App to SSPM
- Onboard a Customer.io App to SSPM
- Onboard a Databricks App to SSPM
- Onboard a Datadog App to SSPM
- Onboard a DocHub App to SSPM
- Onboard a DocuSign App to SSPM
- Onboard an Envoy App to SSPM
- Onboard an Expiration Reminder App to SSPM
- Onboard a Gainsight PX App to SSPM
- Onboard a GitLab App to SSPM
- Onboard a Google Analytics App to SSPM
- Onboard a Google Workspace App to SSPM
- Onboard a GoTo Meeting App to SSPM
- Onboard a Grammarly App to SSPM
- Onboard a Harness App to SSPM
- Onboard a Hellonext App to SSPM
- Onboard an IDrive App to SSPM
- Onboard an Intercom App to SSPM
- Onboard a Jira App to SSPM
- Onboard a Kanbanize App to SSPM
- Onboard a Kanban Tool App to SSPM
- Onboard a Kustomer App to SSPM
- Onboard a Lokalise App to SSPM
- Onboard a Microsoft Azure AD App to SSPM
- Onboard a Microsoft Outlook App to SSPM
- Onboard a Microsoft Power BI App to SSPM
- Onboard a Miro App to SSPM
- Onboard a monday.com App to SSPM
- Onboard a MongoDB Atlas App to SSPM
- Onboard a MuleSoft App to SSPM
- Onboard a Mural App to SSPM
- Onboard an Office 365 App to SSPM
- Onboard an Okta App to SSPM
- Onboard a PagerDuty App to SSPM
- Onboard a RingCentral App to SSPM
- Onboard a Salesforce App to SSPM
- Onboard an SAP Ariba App to SSPM
- Onboard a ServiceNow App to SSPM
- Onboard a Slack Enterprise App to SSPM
- Onboard a Snowflake App to SSPM
- Onboard a SparkPost App to SSPM
- Onboard a Tableau Cloud App to SSPM
- Onboard a Webex App to SSPM
- Onboard a Workday App to SSPM
- Onboard a Wrike App to SSPM
- Onboard a YouTrack App to SSPM
- Onboard a Zendesk App to SSPM
- Onboard a Zoom App to SSPM
- Onboarding an App Using Azure AD Credentials
- Onboarding an App Using Okta Credentials
- Register an Azure AD Client Application
- View the Health Status of Application Scans
- Delete SaaS Apps Managed by SSPM
Log Events API
Learn about each example response and available response
fields for log events retrieved by an API client for Data Security.
A registered API
client on Data Security can long poll the log events endpoint
to retrieve events as they occur:
You
can retrieve the following log events:
All requests must
use the region-specific
host. The examples below use AMER region.
Get Log Events
A GET request to the /api/v1/log_events endpoint
with api_access scope is used to access the
client’s event stream. One event will be returned for each call
or nothing when there is a Request Timeout.
Example
Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljN DVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2l kIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljN DVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2l kIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ Accept: application/json Host: api.aperture.paloaltonetworks.com
Request Timeout
Requests time out after 20 seconds and an http
response with code 204 is returned.
After receiving the response, you can initiate a new request.
Example
Request
$ curl 'https://api.aperture.paloaltonetworks.com/api/v1/log_events' -i -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljN DVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2l kIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' -H 'Accept: application/json'
Example Request Body
GET /api/v1/log_events HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljN DVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2l kIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ Accept: application/json Host: api.aperture.paloaltonetworks.com
Example Response
HTTP/1.1 204 No Content Content-Type: application/json; charset=utf-8 x-response-time: 1019ms
There is no response body in
the response of a request timeout.
Activity Monitoring
Example Response
HTTP/1.1 200 OK X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: public_api:test:0 Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Fri, 17 Feb 2017 00:18:59 GMT Content-Length: 361 { "log_type" : "activity_monitoring", "item_type" : "File", "item_name" : "My File", "user" : "John Smith", "source_ip" : "10.10.10.10", "location" : "Somewhere, USA", "action" : "delete", "target_name" : null, "target_type" : null, "serial" : "mySerial", "cloud_app_instance" : "My Cloud App", "timestamp" : "2017-02-17T00:18:58.961Z" }
Response Fields
Path | Type | Description |
---|---|---|
log_type | String | Event type. |
item_type | String | Item type (File, Folder,
or User) |
item_name | String | Name of the file, folder, or user associated
with the event. |
item_unique_id | String | Unique ID number for an asset’s related
asset. |
user | String | Cloud app user that performed the action. |
source_ip | String | Original session source IP address. |
location | String | Location of the cloud app user that performed
the event. |
action | String | Action performed. |
target_name | Null | Target name. |
target_type | Null | Target type. |
serial | String | Serial number of the organization using
the service (tenant). |
cloud_app_instance | String | Cloud app name (not cloud app type). |
timestamp | String | ISO8601 timestamp to show when the event
occurred. |
Incidents
Example
Response
HTTP/1.1 200 OK X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: public_api:test:0 Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Fri, 17 Feb 2017 00:18:58 GMT Content-Length: 520 { "log_type": "incident", "severity": 1.0, "item_type": "File", "item_name": "helloworld.java", "asset_id": "5e9e38823cedb43cb015b460", "item_owner": "Admin User", "container_name": null, "item_creator": "Admin User", "exposure": "COMPANY", "occurrences_by_rule": null, "item_owner_email": "owner@emaildomain.com", "item_creator_email": "owner@emaildomain.com", "serial": null, "cloud_app_instance": "Office 365 8", "timestamp": "2020-05-08T23:50:55Z", "incident_id": "5eb5ed492021c32b37588a6c", "policy_rule_name": "java", "incident_category": null, "incident_owner": null, "collaborators": "", "datetime_edited": "2020-05-08T23:50:55Z", *"item_cloud_url": "https://www.sharepoint.com/sites/site/Shared%20Documents/foldername/helloworld.java", "item_owner_group": "O365_1_all", "item_sha256": "4953946b0bbcd10d872d09561bf0f0988e186b625e4af65c64691adf5af279d4", "item_size": 1335, "item_verdict": "not available"* }
Response Fields
Path | Type | Description |
---|---|---|
log_type | String | Event type. |
severity | Number | Incident severity. Values are 0 to 5. |
item_type | String | Item type (File, Folder,
or User) |
item_name | String | Name of the file, folder, email subject,
or user associated with the event. |
item_unique_id | String | Unique ID number for an asset’s related
asset. |
asset_id | String | Unique ID number for the asset identified
as a risk. |
item_owner | String | User who owns the asset identified as a
risk. |
container_name | String | Value of bucket name for
AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value
is null for the remaining apps. |
item_creator | String | User who created the asset identified as
a risk. |
exposure | String | Exposure level (Public, External, Company,
or Internal) |
occurrences_by_rule | Number | Number of times the asset violated the policy. |
item_owner_email | String | Email address of the item owner. |
item_creator_email | String | Email address of the item creator. |
serial | String | Serial number of the organization using
the service (tenant) |
cloud_app_instance | String | Cloud app name (not cloud app type). |
timestamp | String | ISO8601 timestamp to show when the event
occurred. |
incident_id | String | Unique ID number for the incident. |
policy_rule_name | String | Names of one or more policy rules (not policy
types) that were matched. |
incident_category | String | Category of the incident. For example, Personal or Business Justified. |
incident_owner | String | Administrator assigned to the incident. |
collaborators | String | List of collaborators for file, or recipients
of email. |
datetime_edited | String | Last time file was edited. |
item_cloud_url | String | File URL associated with the incident and
used to download or view the asset. |
item_owner_group | String | AD groups to which the asset owner belongs. |
Remediation
Example
Response
HTTP/1.1 200 OK X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY X-Application-Context: public_api:test:0 Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Fri, 17 Feb 2017 00:18:56 GMT Content-Length: 468 { "log_type" : "remediation", "item_type" : "File", "item_name" : "My File", "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741", "item_owner" : "John Smith", "item_creator" : "John Smith" "container_name": "test-container", "action_taken" : "quarantine", "action_taken_by" : "John Smith", "serial" : "mySerial", "cloud_app_instance" : "My Cloud App", "timestamp" : "2017-02-17T00:18:55.581Z", "incident_id" : "9610efdcd8a74a259bf031843eac0309", "policy_rule_name" : "PCI Policy" "item_owner_email": "owner@email-domain.com", "item_creator_email": "owner@email-domain.com", }
Response Fields
Path | Type | Description |
---|---|---|
log_type | String | Event type. |
item_type | String | Item type (File, Folder,
or User). |
item_name | String | Name of the file, folder, or user associated
with the event. |
serial | String | Serial number of the organization using
the service (tenant). |
cloud_app_instance | String | Cloud app name (not cloud app type). |
timestamp | String | ISO8601 timestamp to show when the remediation occurred. |
incident_id | String | Unique ID number for the remediated incident
(risk). |
asset_id | String | Unique ID number for the remediated asset. |
item_owner | String | User who owns the remediated asset. |
container_name | String | Value of bucket name for
AWS S3, Google Cloud Platform, and Microsoft Azure assets. Value
is null for the remaining apps. |
item_creator | String | User who created the remediated asset. |
policy_rule_name | String | Names of one or more policy rules (not policy
types) that were matched. |
action_taken | String | Action taken to remediate (Admin Quarantine, UserQuarantine,
or Remove Public Links). |
action_taken_by | String | Cloud app user who took the remediation
action. For automated remediation, value is Aperture. |
item_owner_email | String | Email address of the item owner. |
item_creator_email | String | Email address of the item creator. |
Policy Violation
Example Resposne
HTTP/1.1 200 OK { "log_type" : "policy_violation", "severity" : 3.0, "item_type" : "File", "item_name" : "My File", "item_owner" : "John Smith", "item_creator" : "John Smith", "action_taken" : "download", "action_taken_by" : "John Smith", "asset_id" : "ce7c9ed11e6f4891ae73c1601af7f741", "serial" : "serial", "cloud_app_instance" : "My Cloud App", "timestamp" : "2017-01-06T19:04:06Z", "policy_rule_name" : "Policy Rule", "incident_id" : "9610efdcd8a74a259bf031843eac0309" "item_owner_email": "owner@email-domain.com", "item_creator_email": "owner@email-domain.com",
Response
Fields
Path | Type | Description |
---|---|---|
log_type | String | Event type. |
item_type | String | Item type (File, Folder,
or User). |
item_name | String | Name of the file, folder, or user associated
with the event. |
serial | String | Serial number of the organization using
the service (tenant). |
cloud_app_instance | String | Cloud app name (not cloud app type) |
timestamp | String | ISO8601 timestamp to show when the policy
violation occurred |
incident_id | String | Unique ID number for the policy violation
incident (risk). |
asset_id | String | Unique ID number for the asset which violated
the policy. |
item_owner | String | User who owns the asset which violated the
policy. |
item_creator | String | User who created the asset which violated
the policy. |
policy_rule_name | String | Names of one or more policy rules (not policy
types) that were matched. |
action_taken | String | Action taken to fix the policy violation.
For example, Alerted Admin, Removed PublicLinks, Quarantine,
or EmailOwner. |
action_taken_by | String | Cloud app user who took the action. For
automated remediation, the value is Aperture. |
severity | Number | Incident severity. Values are 0
to 5. |
item_owner_email | String | Email address of the item owner.
This value is null for now. |
item_creator_email | String | Email address of the item creator. This
value is null for now. |
Admin Audit
Example Response
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 380 x-response-time: 297ms { "log_type" : "admin_audit", "admin_id" : "admin id", "admin_role" : "admin role", "ip" : "ip address", "event_type" : "event type", "item_type" : "File", "item_name" : "My File", "field" : "field", "action" : "action", "resource_value_old" : "old val", "resource_value_new" : "new val", "timestamp" : "2017-04-06T21:35:10.025Z", "serial" : "mySerial" }
Response Fields
Path | Type | Description |
---|---|---|
log_type | String | Event type. |
timestamp | String | ISO8601 timestamp to show when the event
occurred. |
serial | String | Serial number of the organization using
the service (tenant). |
admin_id | String | Email account associated with the administrative
user. |
admin_role | String | Role assigned to the administrative user: super_admin, admin, limited_admin, read_only |
ip | String | IP address of the administrative user who
performed the action. |
event_type | String | Type of configuration change event: settings, policy, remediationlogin |
item_type | String | Type of item in the configuration that changed: user, apps, settings, content_policy, file, risk, general_settings |
item_name | String | Name of the item that changed in the configuration. |
field | String | Name of the field associated with the configuration
change. |
action | String | Configuration change activity that occurred: create, edit, delete, login, logout |
resource_value_old | String | Value before the configuration change occurred. |
resource_value_new | String | Value after the configuration change occurred. |