Get a list of audit logs

Get a list of all audit logs in the specified workspace. This call supports pagination; default page size includes 20 logs.

SecurityJWT

Request

query Parameters

ticketIds	Array of strings Example: ticketIds=GYDU-1212
remediation	boolean Filter by whether the log was part of a remediation action. Example: remediation=true
fromTime	number Start date/time (inclusive) in milliseconds. Example: fromTime=1754047435131
toTime	number End date/time (inclusive) in milliseconds. Example: toTime=1754047575801
types	Array of strings Items Enum: "account" "cloudApps" "device" "dlp" "deviceDlp" "email" "malware" "phishing" "undo" "users" "billing" "detectionLogs" "csvExport" "workspace" "msp" "siemConfigs" "apiCredentials" "workspaceReport" "workspaceScheduledReport" "soc" "mobile" "psa" "webhook" "mdmSystem" "mdmAction" "mdmDevice" "mdmDeviceAction" "securityAwareness" "mspPolicy" "securityGaps" Example: types=detectionLogs
subTypes	Array of strings Items Enum: "treatAsSafe" "treatAsMalicious" "removeFromAllowlist" "removeFromBlocklist" "usersCreation" "groupsCreation" "malwareSettings" "phishingSettings" "emailSettings" "deviceSettings" "devicePostureSettings" "dataLossSettings" "dataLossWizardSettings" "deviceEventsActions" "suspendUserFromService" "suspendUserFromAllServices" "removeFromProtection" "allowNoEncryption" "markAsProcessed" "markAsUnprocessed" "mfaConfigUpdate" "mfaLogin" "approveFile" "deleteFile" "moveToSuspectedFolder" "logForAuditReports" "unLogForAuditReports" "contactUser" "approveEmail" "deleteBackupFilesPrevented" "malwareFileQuarantined" "infectedProcessTerminated" "blockProcess" "unblockProcess" "allowProcess" "enableNetworkBlockMode" "disableNetworkBlockMode" "shutdownDevice" "rebootDevice" "networkSettings" "roleChange" "restoreBlockedEmailFromStorage" "failToRestoreEmailFromStorage" "deleteBlockedEmailFromStorage" "blockedEmail" "suspectedEmail" "proxySettings" "download" "siemConfig" "firewallSettings" "siteToSiteTunnels" "swg" "importClassificationsCsv" "archiveWorkspace" "unarchiveWorkspace" "mobileInvite" "mobileActivate" "mobileVerify" "mobileDeactivate" "mobileSessionRevoke" "mobileMergeDevices" "psa" "securityAwarenessModule" "securityAwarenessPhishingSimulations" "securityAwarenessTrainings" "securityGapFix" "securityGapRecalculate" Example: subTypes=markAsUnprocessed
autoGenerated	boolean Filter by whether the log was auto generated. Example: autoGenerated=true
pageSize	string [ 10 .. 500 ] Default: "20" API responses use pagination to reduce loading time. Return a maximum of this many items per page. Used only for the very first request subsequent request should use cursor value Example: pageSize=50
cursor	string A base64-encoded pagination cursor used to retrieve a specific page of results. This value should be taken from the nextPage or prevPage field in a previous response. If omitted, the API returns the first page of results. Use this parameter to navigate forward or backward through paginated data. Example: cursor=eyJzIjoxLCJwIjowfQ==

header Parameters

Workspace

required

string

Responses

200

Success

400

Bad request, validation error

401

Unauthorized request

403

Access forbidden

429

Too Many Requests

500

Internal server error

get/v1/audit-logs/search

Request samples

curl
JavaScript
Node.js

Response samples

application/json

{"items": [{"id": "fde97bd4-72d9-4814-bbe6-713af90d784c",
"date": 1662052343274,
"workspaceId": "corotest_123",
"type": "detectionLogs",
"subtype": "markAsUnprocessed",
"description": "Ticket GYDU-1212 has been re-opened",
"undone": true,
"operatorEmail": "john_doe@coro.net",
"ticketId": "GYDU-1212",
"remediation": true
}
],
"totalElements": 20,
"nextPage": "eyJzIjoxLCJwIjowfQ==",
"prevPage": "eyJzIjoxLCJwIjowfQ=="
}