Who is this article for?

Applies to: CrashPlan Cloud; retired product plans.
Does not apply to: Instructor; Incydr Professional, Enterprise, Horizon, and Gov F2; Incydr Basic, Advanced, and Gov F1; CrashPlan for Small Business.

Find your product plan in the Code42 console on the Account menu.


Search Audit Log events with the CrashPlan API

Overview

You can use the Code42 API to search Audit Log events and export the results in CSV, CEF, or JSON format to integrate with other security tools. This article provides an introduction to those APIs.

The Code42 Audit Log is a record that shows who did what and when in the Code42 environment. The Audit Log can help you do many things, including:

  • Determine how the Code42 environment ended up in its current state.
  • Spot check the work of security analysts to prevent abuse of privileged access.
  • Identify areas of training for users who caused inadvertent changes.

You can also view the Audit Log from the Administration > Status > Audit Log menu of the Code42 console to quickly search events for spot checking and export events to a CSV file. See these other articles to learn more about the Audit Log in the Code42 console:

For a detailed description of all the fields in the Audit Log in the Code42 console, see Audit Log for CrashPlan.

Code42 Developer Portal
This article applies to non-Incydr product plans. If you have an Incydr product plan, see the Code42 Developer Portal for API documentation and resources. The portal provides:

Considerations

  • The Audit Log records events for only the last 90 days. If you want to maintain Audit Log output for longer than that time, export the results in CSV, CEF, or JSON format to save them to your own systems.
  • While there is no limit to the number of events recorded in the Audit Log, you can export a maximum of 100,000 events at once. To export more than 100,000 results, adjust your filters so that each call returns fewer than 100,000 events, then make multiple calls to export the entire set.
  • The search-results-export API command allows you to export up to 100,000 results at once and is the preferred API for data export. The search-audit-log API command allows you to export only up to 10,000 results at a time.
  • The tasks in this article require use of the Code42 API.
    • If you are not familiar with the Code42 API, review CrashPlan API syntax and usage.
    • For assistance with the Code42 API, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
  • In addition to searching Audit Log events using APIs, you can also use py42 to query the Audit Log.

Search Audit Log events

Use the rpc/search/ resource to search for events in the Audit Log and output them in CEF, CSV, or JSON format. For more information about this resource, see the API summary section below.

To search for events, use the rpc/search/search-results-export API command as shown in the following example.

curl --location --request POST '<RequestURL>/rpc/search/search-results-export' \
--header '<AcceptHeader>' \
--header 'Authorization: Bearer <AuthToken>' \
--header 'Content-Type: application/json' \
--data-raw '{"type$":"audit_log::audit_log_queries.search_audit_log/1","dateRange":{"<Dates>"},"eventTypes":["<Types>"],"userTypes":[],"actorIds":["<UserUid>"],"actorNames":["<Username>"],"actorIpAddresses":["<IpAddresses>"],"affectedUserIds":[],"affectedUserNames":[],"page":0,"pageSize":100}'

In the preceding example:

  • Replace <RequestURL> with the request URL of your Code42 cloud instance, for example, 
    'https://console.us2.crashplan.com/rpc/search/search-results-export/'  
  • Replace <AcceptHeader> with the header for the output format you want. For example:
    • CEF: --header 'Accept: text/x-cef' 
    • CSV: --header 'Accept: text/csv' 
    • JSON: Omit the acceptance header, since JSON is the default response type.
  • Replace <AuthToken> with the authentication token.
  • Filter events using the --data-raw parameters:
    • Replace <Dates> with the date range, including the time in UTC. For example:
      "dateRange":{"startTime":"2020-07-30T13:41:52.871287Z","endTime":"2020-08-30T13:41:52.871287Z"}
    • Leave <Types> empty to return all event types, or enter the event types to search. Separate multiple event types with commas.
      Add underscores to event names to create search strings
      To determine the string to use for an event type, query for all events to find the event type names, and then add underscores to the event names to create the search event type string. For example, for LoggedIn use "logged_in", for SearchIssued use "search_issued", for LocalAuthOnlyChanged use "local_auth_only_changed", and so on.
    • Replace <UserUid> with the Code42 userUid. Separate multiple IDs with commas.
    • Replace <Username> with the Code42 username. Separate multiple usernames with commas. The username is assigned when the user is added to Code42.
    • Replace <IpAddresses> with the IP addresses to filter. Separate multiple IP addresses with commas.
    • If you leave a parameter empty, all events are returned. For example: "dateRange":{},"eventTypes":[],"actorIds":[],"actorNames":[],"actorIpAddresses":[]
      You may omit a query parameter altogether if you do not want to use it to filter results.
    • For "affectedUserIds", use the Code42 userUid of the individual affected by the event. Separate multiple IDs with commas.
    • For "affectedUserNames", use the Code42 username of the individual affected by the event. Separate multiple usernames with commas.
    • For CSV output, specify the "page" and "pageSize" parameters. These parameters are ignored for CEF and JSON output.
  • To export search output to a file, use your favorite method. For example, to export to a text file, you can end the request with -o file_example.txt 

An excerpt of an example successful response:

  • CSV
SearchIssued,2020-08-13T15:52:40.240585Z,clay.inger@code42.com,910391548587130243,192.0.2.0,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","{""groups"":[{""filters"":[{""term"":""eventTimestamp"",""operator"":""WITHIN_THE_LAST"",""value"":""P30D"",""display"":null}],""filterClause"":""AND"",""display"":""{\""data\"":{\""isMultivalue\"":false},\""version\"":\""v1\""}""},{""filters"":[{""term"":""exposure"",""operator"":""IS"",""value"":""ApplicationRead"",""display"":null}],""filterClause"":""OR"",""display"":""{\""data\"":{\""isMultivalue\"":true
  • CEF
CEF:0|N/A|N/A|N/A|SearchIssued|[]|0|ActorName=clay.inger@code42.com ActorId=910391548587130243 ActorIP=192.0.2.0 ActorAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 EventTime=2020-08-13T15:52:40.240585Z
  • JSON
{"type$":"audit_log::audit_log_queries.search_audit_log.response/1","events":[{"type$":"audit_log::search_issued/1","actorId":"910391548587130243","actorName":"clay.inger@code42.com","actorAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","actorIpAddress":"192.0.2.0","timestamp":"2020-08-13T15:52:40.240585Z","success":true,"type":"query","requestJson":"{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"WITHIN_THE_LAST\",\"value\":\"P30D\",\"display\":null}],\"filterClause\":\"AND\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":false},\\\"version\\\":\\\"v1\\\"}\"},{\"filters\":[{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"ApplicationRead\",\"display\":null}],\"filterClause\":\"OR\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":true},\\\"version\\\":\\\"v1\\\"}\"}],\"groupClause\":\"AND\",\"pgSize\":100,\"pgNum\":1,\"srtKey\":null,\"srtDir\":\"desc\",\"purpose\":\"USER_EXECUTED_SEARCH\"}","resultCount":15},
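As an added example (not Code42's code and not py42), the Python below builds the request body from the parameters described above, converts event type names to the underscore form the query expects, sets the Accept header for the chosen output format, and reduces a JSON response like the one shown to rows for spot checking. The `send` hook and the sample response are constructed for offline use and are not part of the API.

```python
import json
import re
import urllib.request

QUERY_TYPE = "audit_log::audit_log_queries.search_audit_log/1"
# Accept header per output format, as given in the article; JSON is the default, so no header.
ACCEPT = {"cef": {"Accept": "text/x-cef"}, "csv": {"Accept": "text/csv"}, "json": {}}

def event_type_key(name):
    """LocalAuthOnlyChanged -> local_auth_only_changed (the form the query expects)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()

def build_query(start, end, event_types=(), actor_ids=(), actor_names=(),
                actor_ips=(), page=0, page_size=100):
    """Build the --data-raw body; an empty list means 'do not filter on this field'."""
    return {
        "type$": QUERY_TYPE,
        "dateRange": {"startTime": start, "endTime": end},  # UTC timestamps
        "eventTypes": [event_type_key(t) for t in event_types],
        "userTypes": [],
        "actorIds": list(actor_ids),
        "actorNames": list(actor_names),
        "actorIpAddresses": list(actor_ips),
        "affectedUserIds": [],
        "affectedUserNames": [],
        "page": page,  # page/pageSize are honoured for CSV output only
        "pageSize": page_size,
    }

def export_events(base_url, token, query, fmt="json", send=None):
    """POST to rpc/search/search-results-export; `send` is a hypothetical hook for offline tests."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json", **ACCEPT[fmt]}
    req = urllib.request.Request(base_url.rstrip("/") + "/rpc/search/search-results-export",
                                 data=json.dumps(query).encode(), headers=headers, method="POST")
    if send is None:
        send = lambda r: urllib.request.urlopen(r).read().decode()  # real network call
    return send(req)

def summarize_json(body):
    """Reduce a JSON response to (actor, event type, timestamp) rows for spot checks."""
    return [(e["actorName"], e["type$"].split("::")[1].split("/")[0], e["timestamp"])
            for e in json.loads(body)["events"]]

# Constructed sample response, modelled on the JSON excerpt in the article.
SAMPLE_RESPONSE = json.dumps({"type$": "audit_log::audit_log_queries.search_audit_log.response/1",
    "events": [{"type$": "audit_log::search_issued/1", "actorName": "clay.inger@code42.com",
                "actorIpAddress": "192.0.2.0", "timestamp": "2020-08-13T15:52:40.240585Z"}]})
```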

Audit Log API structure and syntax

Summary

  • Request URL 
    • United States:
      • If you sign in to the Code42 console at https://console.us1.crashplan.com (US1), use: 
        https://console.us1.crashplan.com/<resource> 
      • If you sign in to the Code42 console at https://console.us2.crashplan.com (US2), use:
        https://console.us2.crashplan.com/<resource> 
    • Ireland: 
      • If you sign in to the Code42 console at https://console.eu5.cpg.crashplan.com (EU5), use: 
        https://console.eu5.cpg.crashplan.com/<resource> 
  • Resources
    • Log search controller:
      /rpc/search/
      • search-audit-log: Search and export Audit Log events (limit of 10,000)
      • search-results-export: Search and export Audit Log events (limit of 100,000)
  • Authentication method: Include an authentication token in the request header.
