How to check Audit logs under upt_api_audit_logs

This article collects queries for the upt_api_audit_logs table, which records the API calls made against the Uptycs platform, whether they came from the UI, from the agent's TLS logger or directly from the public API. Every query below uses upt_day > 20200801 as its time window; adjust that lower bound to the period you are investigating.


The api_name column holds the request path of each call, and that path tells you which channel the call came from. Three channels are distinguished; the query for each, and typical api_name values, are:

Api call | Query | Api_name examples

UI
To find the API calls made from the UI (paths under /api/):
SELECT DISTINCT api_name
FROM   upt_api_audit_logs
WHERE  upt_day > 20200801
       AND api_name LIKE '%/api/%'
       AND client_type IS NULL
Api_name examples:
/api/version
/api/customers/<CustomerID>/carves
/api/customers/<CustomerID>/assets/count
/api/customers/<CustomerID>/tags
/api/customers/<CustomerID>/notifications

TLS logger
To find the calls from the TLS logger (the agent's osquery TLS endpoints, which sit neither under /api/ nor under /public):
SELECT DISTINCT api_name
FROM   upt_api_audit_logs
WHERE  upt_day > 20200801
       AND api_name NOT LIKE '%/api/%'
       AND api_name NOT LIKE '%/public%'
       AND client_type IS NULL
Api_name examples:
/config
/enroll
/distributed_write
/download/
/carve_continue
/carve

Directly from the API
To find calls made directly against the public API (paths under /public):
SELECT DISTINCT api_name
FROM   upt_api_audit_logs
WHERE  upt_day > 20200801
       AND api_name LIKE '%/public%'
       AND client_type IS NULL
Api_name examples:
/public
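The three per-channel queries above can be folded into a single classification query that shows, per day, how much traffic each channel produced and which HTTP methods it used. This is an added example, not a query from the original article or from Uptycs; it uses only the columns the article already names (upt_day, api_name, api_method, client_type) and the path patterns listed above. The /public test runs first so that a public-API path that also happens to contain /api/ is not counted as UI traffic, and anything that matches none of the rules lands in an 'other' bucket, which is worth reviewing because it means an endpoint the three rules do not cover.

```sql
-- Added example (not from the original article): classify every audited
-- call by channel and count calls per day, channel and HTTP method.
-- Assumes the columns used elsewhere in this article: upt_day, api_name,
-- api_method, client_type. The path patterns mirror the per-channel queries.
SELECT upt_day,
       CASE
         -- checked first: a /public path must not be misread as UI traffic
         WHEN api_name LIKE '%/public%' THEN 'direct_api'
         WHEN api_name LIKE '%/api/%'   THEN 'ui'
         WHEN api_name IN ('/config', '/enroll', '/distributed_write',
                           '/carve', '/carve_continue')
              OR api_name LIKE '/download/%'
                                        THEN 'tls_logger'
         ELSE 'other'   -- review these: endpoints none of the rules cover
       END                      AS channel,
       api_method,
       COUNT(*)                 AS calls,
       COUNT(DISTINCT api_name) AS distinct_endpoints
FROM   upt_api_audit_logs
WHERE  upt_day > 20200801        -- adjust the window to the period under review
       AND client_type IS NULL   -- same filter as the per-channel queries
GROUP  BY 1, 2, 3
ORDER  BY upt_day DESC, calls DESC;
```

A sudden rise in direct_api calls, or any rows in the 'other' bucket, is the signal to drill into with the per-user queries that follow.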


  • To check which user did what on the UI, including whether an Uptycs support user has changed something in the customer's environment, join the audit log to upt_users on created_by. Support users appear under their own name, so filter on u.name when you are looking for one specific account:
Query
SELECT u.name,
       upt_api_audit_logs.api_name
FROM   upt_api_audit_logs
       INNER JOIN upt_users u
               ON u.id = upt_api_audit_logs.created_by
WHERE  upt_api_audit_logs.upt_day > 20200801
       AND upt_api_audit_logs.api_name LIKE '%/api/%'
       AND upt_api_audit_logs.client_type IS NULL

  • To check whether any user changed anything, restrict the same query to POST calls and add api_body, which holds the request payload that was submitted:
Query
SELECT u.name,
       upt_api_audit_logs.api_name,
       upt_api_audit_logs.api_body
FROM   upt_api_audit_logs
       INNER JOIN upt_users u
               ON u.id = upt_api_audit_logs.created_by
WHERE  upt_api_audit_logs.upt_day > 20200801
       AND upt_api_audit_logs.api_name LIKE '%/api/%'
       AND upt_api_audit_logs.client_type IS NULL
       AND upt_api_audit_logs.api_method = 'POST'
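The two per-user queries above answer "who touched what" one row at a time. As an added example (not a query from the original article or from Uptycs), the block below first checks which HTTP methods the table actually contains, then builds a per-user summary of state-changing calls and finally pulls the full detail, payload included, for one account. It uses only the columns and the upt_users join already shown on this page. The method list in the filter assumes the API also uses PUT, PATCH and DELETE for updates and deletions; confirm that against the output of the first statement before relying on it, and the user name 'support@example.com' is a placeholder, not a real account.

```sql
-- Added example (not from the original article). Assumes the columns and the
-- upt_users join used on this page. Because the join is an INNER JOIN, calls
-- whose created_by has no matching user (e.g. agent traffic) are dropped.

-- 0. Which HTTP methods does the table actually record? Run this first and
--    adjust the IN (...) list below to the verbs that really appear.
SELECT api_method, COUNT(*) AS calls
FROM   upt_api_audit_logs
WHERE  upt_day > 20200801
GROUP  BY api_method
ORDER  BY calls DESC;

-- 1. Per-user summary of write calls made through the UI: how many changes,
--    against which endpoint, and the first/last day they were seen.
WITH writes AS (
  SELECT l.upt_day,
         u.name        AS user_name,
         l.api_method,
         l.api_name,
         l.api_body
  FROM   upt_api_audit_logs l
         INNER JOIN upt_users u
                 ON u.id = l.created_by
  WHERE  l.upt_day > 20200801
         AND l.api_name LIKE '%/api/%'
         AND l.client_type IS NULL
         -- POST alone only catches creates; the other verbs are an assumption
         -- to be checked against statement 0 above
         AND l.api_method IN ('POST', 'PUT', 'PATCH', 'DELETE')
)
SELECT user_name,
       api_method,
       api_name,
       COUNT(*)     AS changes,
       MIN(upt_day) AS first_seen,
       MAX(upt_day) AS last_seen
FROM   writes
GROUP  BY user_name, api_method, api_name
ORDER  BY changes DESC;

-- 2. Full detail, including the submitted payload, for one account.
--    'support@example.com' is a placeholder user name.
SELECT l.upt_day,
       l.api_method,
       l.api_name,
       l.api_body
FROM   upt_api_audit_logs l
       INNER JOIN upt_users u
               ON u.id = l.created_by
WHERE  l.upt_day > 20200801
       AND l.api_name LIKE '%/api/%'
       AND l.client_type IS NULL
       AND l.api_method IN ('POST', 'PUT', 'PATCH', 'DELETE')
       AND u.name = 'support@example.com'
ORDER  BY l.upt_day DESC;
```

Statement 1 is the one to run routinely: an account with an unexpectedly high change count, or changes against an endpoint it normally never calls, is what to follow up with statement 2.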


