Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Audit Trail

The audit trail report returns a comma-separated list of the Audit Log from SSE. The Audit Trail keeps track of users who interact with SSE and lists out the actions they take.

Endpoint Name

  • queryAuditTrails

Required Headers

  • Authorization: User name and password used to access SSE.
  • Content-Type: Application/json

Required Parameters

There are no parameters required. However, sending the request without using the optional parameters to filter results may result in a large file.

Optional Parameters

  • Match: A single-word search term to filter the results; searches the DESCRIPTION and EVENTINFO fields, but cannot perform multiple searches and cannot use “AND” or “OR” operators.
  • eventTypes: Filters the results by a specific event action. Each action is mapped to a numeric value. Enter that value in the request:
    • LOGIN (1, User logged in)
    • LOGOUT (2, User logged out)
    • SIGNUP (3, User self-sign on)
    • DASHBOARD (4, User landed on dashboard page)
    • SERVICE_DETAILS (5, Show service details)
    • DATA_DETAILS (6, Show data details)
    • ANOMALIES (7, Show anomalies)
    • SETTINGS_DATA_FEEDS (8, Edit settings for data feed)
    • MANAGED_SERVICES (9, View managed services)
    • MENU_NAVIGATION (10, Application navigation)
    • LOGIN_FAILED (11, User login failed)
    • SETTINGS_DATA_FEEDS_DOWNLOAD_CLICKED (12, User clicked on download script)
    • MANUAL_UPLOAD_STARTED (13, Manual upload started)
    • MANUAL_UPLOAD_FINISHED_SUCCESS (14, Manual upload finished successfully)
    • MANUAL_UPLOAD_FAILED (15, Manual upload failed)
    • PROXY_CREATION (16, Proxy Creation)
    • ED_SHOW_LESS (17, Enterprise Dashboard Show Less view)
    • ED_SHOW_MORE (18, Enterprise Dashboard Show More view)
    • APP_LOAD_TIMING (19, Application load timings)
    • USER_AUDIT_EVENT (20, User management action)
    • RISK_CUSTOMIZATION_EVENT (21, Risk scoring model change)
    • PROXY_BUNDLE (22, Bundle pushed to Proxy)
    • DEFAULT_BUNDLE (23, Default bundle pushed to Proxy)
  • fromTime/toTime: Used to filter the response to a specific time period. Leave either or both as null to not set an upper or lower time bound. Enter the time and date in milliseconds, calculated from Unix Epoch Time.

For a complete list of event categories, event type IDs, and their descriptions, see AuditTrail_EventsList.xlsx.

Sample Request

{"auditFilter":{"dataSetId":-1,"match":null,"eventTypes":1"fromTime": 1425301837000,"toTime":null}}

Sample with curl:

curl -v -u "USERNAME:PASSWORD" \
--request POST '' \
--header 'Content-Type: application/json' \
--data-raw '{"auditFilter": {"dataSetId": -1,"match": null,"eventTypes": 1,"fromTime": 1630487137000,"toTime": null}}'

Sample Response

TimeStamp,Event Type,Description,Additional Info,User Name
Mon Mar 02 13:10:37 UTC 2015,User logged in,,User,sample_sampleson
  • Was this article helpful?