Table of contents

Review events in the audit log

Trend Cloud One logs administrative and account-related events. You can view these events from the Audit Log page in Trend Cloud One. The events include:

  • Account creation and updates
  • API key creation, updates, and deletion
  • User invitation creation and updates
  • User updates and deletion

Trend Cloud One retains these audit events for 1 year. Customers requiring longer retention should consider using the Audit Log API to store these events to an external storage system.

To view the events:

  1. On the main page of the Trend Cloud One console, select Audit Log.
  2. A list of events is displayed. Click an event to see its details, including the following:

  3. Time: The timestamp of the event, in UTC time

  4. Event: A description of the event
  5. Principal URN: If available, the URN of the object relating to the event (such as the user or invitation)
  6. Event ID: The unique identifier of the specific event. A unique value is generated for every event.
  7. Type: The unique identifier of the event type
  8. Account ID: The account ID of the Trend Cloud One account where the event occurred
  9. Details: Additional details about the event

List of audit events

Event Event Type Description
Account Created audit.account_created.v1
Account Modified audit.account_updated.v1
ApiKey Created audit.apiKey_created.v1
ApiKey Modified audit.apiKey_updated.v1
ApiKey Deleted audit.apiKey_deleted.v1
Invitation Created audit.invitation_created.v1
Invitation Modified audit.invitation_updated.v1
Role Created audit.role_created.v1
Role Modified audit.role_updated.v1
User Modified audit.user_updated.v1
User Deleted audit.user_deleted.v1
User Signed In audit.user-signed-in.v1 An authentication token has been created.
User Signed Out audit.user-signed-out.v1 An authentication token was revoked. This can occur if you log out of Trend Micro Cloud One, when you switch accounts, or if your session times out.

API guide

Prerequisite

You need the following:

  • The region of your Trend Cloud One account.
  • A valid API key (see this guide to get one).
  • Python installed if you are using Approach 1.

Approach 1: using a premade Python script

  1. Make a new Python file called AuditLogs.py.
  2. Copy the following code:

    import requests
    import json
    import time
    
    # Configuration
    
    ###################################################
    region = "us-1" # Options: us-1
    key = "Enter your API key" # Cloud One API key
    ###################################################
    
    logs = []
    
    url = "https://audit." + region + ".cloudone.trendmicro.com/api/logs?limit=25"
    extra = ""
    headers = {"Api-Version": "v1", "Authorization": "ApiKey " + key,}
    
    while True:
        r = requests.get(url + extra, headers=headers)
    
    
        if r.status_code == 429:
            time.sleep(0.5)
            r = requests.get(url + extra, headers=headers)
            if r.status_code == 429:
                time.sleep(1)
                r = requests.get(url + extra, headers=headers)
                if r.status_code == 429:
                    time.sleep(2)
                    r = requests.get(url + extra, headers=headers)
    
        if r.status_code == 200:
            responseObject = r.json()
            logs += responseObject["logs"]
        else:
            print("Failed to get the audit logs")
            print(r.text)
            break
    
        try:
            next = responseObject["next"]
            extra = "&cursor=" + next
        except KeyError:
            break
    
    with open("AuditLogs.json", "w") as file:
        json.dump(logs, file)
    
  3. Fill in the correct configuration for region and key.

  4. In the same folder where you created this Python file, run the following:

    python AuditLogs.py
  5. A file named AuditLogs.json should have been created containing all of your audit logs.

Approach 2: using a curl command

  1. Open your terminal.
  2. Enter the following commands to store the details of your request:

    • region=<your region>

      Regions to choose from: us-1

    • key=<your API key>

      A valid API key. (Refer to this guide to get one)

    • file=<your file path>

      The complete file path you want the audit logs to be stored in. The suggested format is .json.

  3. Make the first curl command by copying this into your terminal:

    curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25" > $file
  4. Find and open the file you specified in step 2 to see your audit logs.

About pagination

  • Every time you make an API call to the audit API endpoint, you only retrieve a page of a maximum of 25 audit logs. To get the audit logs of the next page, follow instructions provided in Getting the next page.
  • How do I know I received the last page? If the next page exists, you will see the next parameter in the response. If there is no next page, it will be missing.

Getting the next page

  1. Find the next attribute in the previous response. Can't find the next? That means there are no further pages.
  2. Store new values for the next request. It is suggested to change the file so it does not overwrite the audit logs of the other pages:

    • cursor=<your cursor>

      Value from the next attribute in the previous response.

    • file=<your file>

      The file name in which you want the audit logs to be stored.

  3. Make another curl command by copying this into your terminal:

    curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25&cursor=$cursor" > $file
  4. Repeat as needed.