Search Audit Log events with the Code42 API

Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: yes
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Overview

You can use the Code42 API to search Audit Log events and export the results in CSV, CEF, or JSON format to integrate with other security tools. This article provides an introduction to those APIs.

The Code42 Audit Log is a record that shows who did what and when in the Code42 environment. The Audit Log can help you do many things, including:

  • Determine how the Code42 environment ended up in its current state.
  • Spot check the work of security analysts to prevent abuse of privileged access.
  • Identify areas of training for users who caused inadvertent changes.

You can also view the Audit Log from the Reporting > Audit Log menu of the Code42 console to quickly search events for spot checking and export events to a CSV file. See these other articles to learn more about the Audit Log in the Code42 console:

Considerations

  • The Audit Log is in early access. While in early access, the Audit Log is limited to Forensic Search events. If there are no events in the Audit Log during early access, either your product plan does not include Forensic Search, or no searches have been made in the last 90 days.
  • To perform tasks in this article, you must have the Customer Cloud Admin role.
  • The Audit Log records events for only the last 90 days. If you want to maintain Audit Log output for longer than that time, export the results in CSV, CEF, or JSON format to save them to your own systems.
  • While there is no limit to the number of events recorded in Audit Log, the maximum number of events that can be exported at once is 10,000. To export a set of results greater than 10,000, adjust your filters to reduce the number in any given call to be below 10,000, then make multiple calls to export the entire set of events.
  • The tasks in this article require use of the Code42 API.

Search Audit Log events

Use the rpc/search/ resource to search for events in the Audit Log and output them in CEF, CSV, or JSON format. For more information about this resource, see the API summary section below.

To search for events, send a POST request to the rpc/search/search-audit-log API command as shown in the following example.

curl --location --request POST '<RequestURL>/rpc/search/search-audit-log' \
--header '<AcceptHeader>' \
--header 'Authorization: Bearer <AuthToken>' \
--header 'Content-Type: application/json' \
--data-raw '{"type$":"audit_log::audit_log_queries.search_audit_log/1","dateRange":{<Dates>},"eventTypes":["<Types>"],"actorIds":["<Code42UserUid>"],"actorNames":["<Code42Username>"],"actorIpAddresses":["<IpAddresses>"],"page":0,"pageSize":100}'

In the preceding example:

  • Replace <RequestURL> with the request URL of your Code42 cloud instance, for example https://default-auditlog.us2.code42.com, so that the full request URL becomes https://default-auditlog.us2.code42.com/rpc/search/search-audit-log
  • Replace <AcceptHeader> with the header for the output format you want. For example:
    • CEF: --header 'Accept: text/x-cef'
    • CSV: --header 'Accept: text/csv'
    • JSON: Remove the --header '<AcceptHeader>' line entirely, since JSON is the default response type.
  • Replace <AuthToken> with the authentication token you obtained in the Authentication section.
  • Filter events using the --data-raw parameters. The body must still be valid JSON after substitution, so each list value is a quoted string and multiple values are separated by commas:
    • Replace <Dates> with the date range as ISO 8601 timestamps in UTC. For example,
      "dateRange":{"startTime":"2020-07-30T13:41:52.871287Z","endTime":"2020-08-30T13:41:52.871287Z"}
    • Leave <Types> empty to return all event types.
      While in early access, the only available event type is "search_issued" (for Forensic Search).
    • Replace <Code42UserUid> with the Code42 userUid. Separate multiple IDs with commas, for example "actorIds":["<Code42UserUid>","<Code42UserUid>"].
    • Replace <Code42Username> with the Code42 username. Separate multiple usernames with commas. The username is assigned when the user is added to Code42.
    • Replace <IpAddresses> with the IP addresses to filter on. Separate multiple IP addresses with commas.
    • If you leave a parameter empty, that filter is not applied and all events are returned. For example: "dateRange":{},"eventTypes":[],"actorIds":[],"actorNames":[],"actorIpAddresses":[]
      You may also omit a query parameter altogether if you do not want to use it to filter results.
    • For CSV output, specify the "page" and "pageSize" parameters. These parameters are ignored for CEF and JSON output.
  • To export search output to a file, use your favorite method. For example, to write the response to a text file, end the request with -o file_example.txt
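The two operational constraints above (results come back in pages, and no single export may exceed 10,000 events) are easiest to handle in a script. The following Python is an added example, not code from the Code42 documentation or the Code42 SDK: it builds the request body exactly as the curl example does, splits a long date range into daily sub-windows, pages through each window, and refuses to silently truncate a window that exceeds the cap. It assumes zero-based pages of pageSize events (as page=0 in the curl example suggests) and that a short page marks the end of a window; the HTTP call is injected so the logic can run offline against constructed sample events.

```python
import json
from datetime import datetime, timedelta, timezone

# Request URL from the article's example; the 10,000 figure is the per-export
# cap stated in Considerations. Zero-based page numbering is an assumption.
AUDIT_LOG_URL = "https://default-auditlog.us2.code42.com/rpc/search/search-audit-log"
EXPORT_CAP = 10_000
QUERY_TYPE = "audit_log::audit_log_queries.search_audit_log/1"


def iso_utc(ts):
    """Format an aware datetime as the API's UTC timestamp, e.g. 2020-07-30T13:41:52.871287Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(start, end, event_types=(), actor_ids=(), actor_names=(),
                actor_ips=(), page=0, page_size=100):
    """Return the request body as a dict; json.dumps() it for --data-raw.

    Empty lists leave that filter unrestricted, as the article describes.
    """
    return {
        "type$": QUERY_TYPE,
        "dateRange": {"startTime": iso_utc(start), "endTime": iso_utc(end)},
        "eventTypes": list(event_types),
        "actorIds": list(actor_ids),
        "actorNames": list(actor_names),
        "actorIpAddresses": list(actor_ips),
        "page": page,
        "pageSize": page_size,
    }


def split_range(start, end, window=timedelta(days=1)):
    """Yield consecutive (start, end) sub-windows covering [start, end)."""
    cur = start
    while cur < end:
        nxt = min(cur + window, end)
        yield cur, nxt
        cur = nxt


def fetch_all_events(post_json, start, end, page_size=100, window=timedelta(days=1), **filters):
    """Collect every event in [start, end) by paging through each sub-window.

    post_json(url, body) -> parsed JSON response is injected so the logic runs
    offline; in production it would POST json.dumps(body) with the
    Authorization: Bearer header. A window holding more than EXPORT_CAP events
    raises instead of silently truncating, so the caller can shrink the window.
    """
    events = []
    for win_start, win_end in split_range(start, end, window):
        page, got = 0, 0
        while True:
            body = build_query(win_start, win_end, page=page, page_size=page_size, **filters)
            batch = post_json(AUDIT_LOG_URL, body).get("events", [])
            events.extend(batch)
            got += len(batch)
            if got > EXPORT_CAP:
                raise RuntimeError(f"{body['dateRange']} holds more than {EXPORT_CAP} events; use a smaller window")
            if len(batch) < page_size:
                break  # assumption: a short page ends the window
            page += 1
    return events


# Constructed sample data: 250 search_issued events, one every 17 minutes,
# spanning just under three days so both windowing and paging are exercised.
SAMPLE_START = datetime(2020, 8, 13, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"type$": "audit_log::search_issued/1", "actorName": "clay.inger@code42.com",
     "actorIpAddress": "192.0.2.0", "timestamp": iso_utc(SAMPLE_START + timedelta(minutes=17 * i))}
    for i in range(250)
]


def fake_post(url, body):
    """Offline stand-in for the API: applies dateRange, then page/pageSize."""
    lo, hi = body["dateRange"]["startTime"], body["dateRange"]["endTime"]
    hits = [e for e in SAMPLE_EVENTS if lo <= e["timestamp"] < hi]  # same format, so string order is time order
    p, n = body["page"], body["pageSize"]
    return {"type$": "audit_log::audit_log_queries.search_audit_log.response/1",
            "events": hits[p * n:(p + 1) * n]}


if __name__ == "__main__":
    got = fetch_all_events(fake_post, SAMPLE_START, SAMPLE_START + timedelta(days=3), page_size=50)
    print(len(got), "events")
    print(json.dumps(build_query(SAMPLE_START, SAMPLE_START + timedelta(days=1))))
```

Daily windows are a starting point; for a busy tenant you would pick the window size from the event rate so that each window stays comfortably under 10,000, and you would append each window's output to your own storage before the 90-day retention drops it.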

An excerpt of an example successful response:

  • CSV
SearchIssued,2020-08-13T15:52:40.240585Z,clay.inger@code42.com,910391548587130243,192.0.2.0,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","{""groups"":[{""filters"":[{""term"":""eventTimestamp"",""operator"":""WITHIN_THE_LAST"",""value"":""P30D"",""display"":null}],""filterClause"":""AND"",""display"":""{\""data\"":{\""isMultivalue\"":false},\""version\"":\""v1\""}""},{""filters"":[{""term"":""exposure"",""operator"":""IS"",""value"":""ApplicationRead"",""display"":null}],""filterClause"":""OR"",""display"":""{\""data\"":{\""isMultivalue\"":true
  • CEF
CEF:0|N/A|N/A|N/A|SearchIssued|[]|0|ActorName=clay.inger@code42.com ActorId=910391548587130243 ActorIP=192.0.2.0 ActorAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 EventTime=2020-08-13T15:52:40.240585Z
  • JSON
{"type$":"audit_log::audit_log_queries.search_audit_log.response/1","events":[{"type$":"audit_log::search_issued/1","actorId":"910391548587130243","actorName":"clay.inger@code42.com","actorAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","actorIpAddress":"192.0.2.0","timestamp":"2020-08-13T15:52:40.240585Z","success":true,"type":"query","requestJson":"{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"WITHIN_THE_LAST\",\"value\":\"P30D\",\"display\":null}],\"filterClause\":\"AND\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":false},\\\"version\\\":\\\"v1\\\"}\"},{\"filters\":[{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"ApplicationRead\",\"display\":null}],\"filterClause\":\"OR\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":true},\\\"version\\\":\\\"v1\\\"}\"}],\"groupClause\":\"AND\",\"pgSize\":100,\"pgNum\":1,\"srtKey\":null,\"srtDir\":\"desc\",\"purpose\":\"USER_EXECUTED_SEARCH\"}","resultCount":15},
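One of the stated uses of the Audit Log is spot checking analysts for abuse of privileged access. The following Python is an added example, not part of this article or of any Code42 tool: it consumes search_issued events in the JSON shape shown above, decodes the embedded requestJson string to recover what was searched for, and flags searches issued from outside an assumed corporate address range, outside assumed business hours, or returning an unusually large result set. The policy values (192.0.2.0/24, 13:00 to 22:00 UTC, 10,000 results) and the second sample event are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumed review policy, not from the article: analysts search from the
# corporate egress range during 13:00-22:00 UTC, and a Forensic Search that
# matches more than BROAD_RESULTS files deserves a second look.
CORPORATE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS_UTC = range(13, 22)
BROAD_RESULTS = 10_000


def parse_timestamp(value):
    """Parse the API's microsecond UTC timestamp, e.g. 2020-08-13T15:52:40.240585Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def search_filters(event):
    """Decode the embedded requestJson string into (term, operator, value) triples."""
    request = json.loads(event.get("requestJson") or "{}")
    return [(f["term"], f["operator"], f["value"])
            for group in request.get("groups", []) for f in group.get("filters", [])]


def review_event(event):
    """Return the reasons this search_issued event should be looked at (empty if none)."""
    reasons = []
    ip = ipaddress.ip_address(event["actorIpAddress"])
    if not any(ip in net for net in CORPORATE_NETS):
        reasons.append(f"issued from non-corporate address {ip}")
    hour = parse_timestamp(event["timestamp"]).hour
    if hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"issued at {hour:02d}:xx UTC, outside business hours")
    if event.get("resultCount", 0) > BROAD_RESULTS:
        terms = ", ".join(f"{t} {op} {v}" for t, op, v in search_filters(event))
        reasons.append(f"broad search matched {event['resultCount']} files ({terms})")
    if event.get("success") is False:
        reasons.append("search failed")
    return reasons


def review_events(events):
    """Group findings by actor so a reviewer sees one entry per analyst."""
    findings = {}
    for event in events:
        if event.get("type$") != "audit_log::search_issued/1":
            continue  # only search events exist during early access, but be explicit
        reasons = review_event(event)
        if reasons:
            findings.setdefault(event["actorName"], []).append((event["timestamp"], reasons))
    return findings


def _make_event(actor, ip, ts, filters, count, success=True):
    """Build an event in the JSON shape shown above; requestJson is a JSON string inside JSON."""
    request = {"groups": [{"filters": [{"term": t, "operator": op, "value": v, "display": None}],
                           "filterClause": "AND"} for t, op, v in filters],
               "groupClause": "AND", "pgSize": 100, "pgNum": 1, "purpose": "USER_EXECUTED_SEARCH"}
    return {"type$": "audit_log::search_issued/1", "actorId": "910391548587130243", "actorName": actor,
            "actorIpAddress": ip, "timestamp": ts, "success": success, "type": "query",
            "requestJson": json.dumps(request), "resultCount": count}


# Constructed sample: the article's event (benign under this policy) plus a
# late-night, off-network, very broad search that should be flagged.
SAMPLE_EVENTS = [
    _make_event("clay.inger@code42.com", "192.0.2.0", "2020-08-13T15:52:40.240585Z",
                [("eventTimestamp", "WITHIN_THE_LAST", "P30D"), ("exposure", "IS", "ApplicationRead")], 15),
    _make_event("pat.doe@example.com", "203.0.113.9", "2020-08-14T03:14:07.000001Z",
                [("eventTimestamp", "WITHIN_THE_LAST", "P90D")], 48_213),
]

if __name__ == "__main__":
    for actor, hits in review_events(SAMPLE_EVENTS).items():
        for ts, reasons in hits:
            print(actor, ts, "; ".join(reasons))
```

The requestJson field is worth decoding rather than eyeballing: it is the only record of which filters an analyst actually ran, and it is JSON nested inside JSON, so it arrives escaped in every output format.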

Audit Log API structure and syntax

Summary

For more information about the Code42 API documentation viewer, see Code42 API documentation viewers. For more information about Code42 API syntax, see Code42 API syntax and usage.

Authentication

This API resource requires an authentication token in the header of all requests. To obtain an authentication token, use your Code42 administrator credentials to submit a GET request to:

  • United States: 
    • If you sign in to the Code42 console at https://www.crashplan.com/console, use: 
      https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true
    • If you sign in to the Code42 console at https://console.us.code42.com/console, use: 
      https://console.us.code42.com/c42api/v3/auth/jwt?useBody=true
    • If you sign in to the Code42 console for the Code42 federal environment at https://console.gov.code42.com/console, use:
      https://console.gov.code42.com/c42api/v3/auth/jwt?useBody=true
  • Ireland: If you sign in to the Code42 console at https://console.ie.code42.com/console, use: 
    https://console.ie.code42.com/c42api/v3/auth/jwt?useBody=true

For example:

curl -X GET -u "username" -H "Accept: application/json" "https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true"

If your organization uses two-factor authentication for local users, you must also include a totp-auth header value containing the Time-based One-Time Password (TOTP) supplied by the Google Authenticator mobile app. The example below includes a TOTP value of 424242.

curl -X GET -u "username" -H "totp-auth: 424242" -H "Accept: application/json" "https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true"

A successful request returns an authentication token. For example:

{
    "v3_user_token": "eyJjdHkiO_bxYJOOn28y...5HGtGHgJzHVCE8zfy1qRBf_rhchA"
}

Token considerations

  • Use this authentication token in your requests.
  • Authentication tokens expire after 30 minutes.
  • You must have credentials for a Code42 user with the Customer Cloud Admin role.
  • The authentication example above only applies to users who authenticate locally with Code42. Single sign-on (SSO) users must also complete SAML authentication with their SSO provider. If you need assistance with this process, contact your SSO provider.
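Because the token expires after 30 minutes and a TOTP code is single-use, a script that exports the Audit Log on a schedule needs to re-authenticate rather than cache one token forever. The following Python is an added example, not part of this article or of any Code42 SDK: it builds the same headers the curl commands above send (HTTP Basic from -u, Accept, and the totp-auth header for two-factor users), reads the v3_user_token field from the response, and refreshes the token two minutes before the stated 30-minute lifetime. The two-minute margin, the totp_source callback, and the injected HTTP function are assumptions made so the code runs offline against a constructed stand-in for the endpoint.

```python
import base64
from datetime import datetime, timedelta, timezone

# Endpoint from the article (United States, crashplan.com console). The 30-minute
# lifetime is stated above; the two-minute refresh margin is an assumption.
JWT_URL = "https://www.crashplan.com/c42api/v3/auth/jwt?useBody=true"
TOKEN_LIFETIME = timedelta(minutes=30)
REFRESH_MARGIN = timedelta(minutes=2)


def auth_headers(username, password, totp=None):
    """Headers equivalent to `curl -u user -H "Accept: application/json" [-H "totp-auth: 424242"]`.

    curl's -u sends HTTP Basic, i.e. base64("user:password") in the Authorization header.
    """
    credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {credentials}", "Accept": "application/json"}
    if totp is not None:
        headers["totp-auth"] = str(totp)
    return headers


class TokenCache:
    """Hands out a Bearer header, re-authenticating before the 30-minute expiry.

    get_json(url, headers) -> parsed JSON body is injected so this runs offline.
    totp_source() is called on every refresh because a TOTP code changes every
    30 seconds and is single-use, so it cannot be stored with the credentials.
    """

    def __init__(self, get_json, username, password, totp_source=None, url=JWT_URL):
        self._get_json = get_json
        self._username = username
        self._password = password
        self._totp_source = totp_source
        self._url = url
        self._token = None
        self._issued_at = None
        self.refreshes = 0

    def _expired(self, now):
        return self._token is None or now - self._issued_at >= TOKEN_LIFETIME - REFRESH_MARGIN

    def bearer(self, now=None):
        """Return {'Authorization': 'Bearer ...'} for use with the search request."""
        now = now or datetime.now(timezone.utc)
        if self._expired(now):
            totp = self._totp_source() if self._totp_source else None
            body = self._get_json(self._url, auth_headers(self._username, self._password, totp))
            self._token = body["v3_user_token"]  # field name shown in the response above
            self._issued_at = now
            self.refreshes += 1
        return {"Authorization": f"Bearer {self._token}"}


# Offline stand-in for the JWT endpoint: checks the headers the way a 2FA-enabled
# tenant would and returns a fresh (constructed) token on every call.
SEEN_REQUESTS = []


def fake_get_json(url, headers):
    SEEN_REQUESTS.append(headers)
    if not headers.get("Authorization", "").startswith("Basic "):
        raise PermissionError("missing HTTP Basic credentials")
    if "totp-auth" not in headers:
        raise PermissionError("two-factor user without a TOTP code")
    return {"v3_user_token": f"token-{len(SEEN_REQUESTS)}"}


T0 = datetime(2020, 8, 13, 15, 0, tzinfo=timezone.utc)  # fixed clock for the demonstration

if __name__ == "__main__":
    cache = TokenCache(fake_get_json, "admin@example.com", "read-this-from-getpass", totp_source=lambda: "424242")
    for minutes in (0, 10, 29):
        print(minutes, cache.bearer(T0 + timedelta(minutes=minutes)), "refreshes:", cache.refreshes)
```

Read the password with getpass or from a secrets store rather than embedding it; the Customer Cloud Admin credential this flow requires can read every Audit Log event in the tenant, so the script itself becomes a privileged artifact worth auditing.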
