Table of contents

Review events in the audit log

Trend Micro Cloud One logs administrative and account-related events. You can view these events from the Audit Log page in Trend Micro Cloud One. The events include:

  • Account creation and updates
  • API key creation, updates, and deletion
  • User invitation creation and updates
  • User updates and deletion

Trend Micro Cloud One retains these audit events for 1 year. Customers requiring longer retention should consider using the Audit Log API to store these events to an external storage system.

To view the events:

  1. On the main page of the Trend Micro Cloud One console, select Audit Log.
  2. A list of events is displayed. Click an event to see its details, including:

  3. Time: The timestamp of the event, in UTC time

  4. Event: A description of the event
  5. Principal URN: If available, the URN of the object relating to the event (such as the user or invitation)
  6. Event ID: The unique identifier of the specific event. A unique value is generated for every event.
  7. Type: The unique identifier of the event type
  8. Account ID: The account ID of the Cloud One account where the event occurred
  9. Details: Additional details about the event

List of audit events

Event Event Type Description
Account Created audit.account_created.v1
Account Modified audit.account_updated.v1
ApiKey Created audit.apiKey_created.v1
ApiKey Modified audit.apiKey_updated.v1
ApiKey Deleted audit.apiKey_deleted.v1
Invitation Created audit.invitation_created.v1
Invitation Modified audit.invitation_updated.v1
Role Created audit.role_created.v1
Role Modified audit.role_updated.v1
User Modified audit.user_updated.v1
User Deleted audit.user_deleted.v1
User Signed In audit.user-signed-in.v1 An authentication token has been created.
User Signed Out audit.user-signed-out.v1 An authentication token was revoked. This can occur if you log out of Trend Micro Cloud One, when you switch accounts, or if your session times out.

API guide

Prerequisite

You will need to have:

  • The region of your Cloud One account
  • A valid API key (Refer to this guide to get one)
  • Python installed if you are using approach 1

Approach 1: using a premade Python script

  1. Make a new Python file called AuditLogs.py
  2. Copy the code below

    import requests
    import json
    import time
    
    # Configuration
    
    ###################################################
    region = "us-1" # Options: us-1
    key = "Enter your API key" # Cloud One API key
    ###################################################
    
    logs = []
    
    url = "https://audit." + region + ".cloudone.trendmicro.com/api/logs?limit=25"
    extra = ""
    headers = {"Api-Version": "v1", "Authorization": "ApiKey " + key,}
    
    while True:
        r = requests.get(url + extra, headers=headers)
    
    
        if r.status_code == 429:
            time.sleep(0.5)
            r = requests.get(url + extra, headers=headers)
            if r.status_code == 429:
                time.sleep(1)
                r = requests.get(url + extra, headers=headers)
                if r.status_code == 429:
                    time.sleep(2)
                    r = requests.get(url + extra, headers=headers)
    
        if r.status_code == 200:
            responseObject = r.json()
            logs += responseObject["logs"]
        else:
            print("Failed to get the audit logs")
            print(r.text)
            break
    
        try:
            next = responseObject["next"]
            extra = "&cursor=" + next
        except KeyError:
            break
    
    with open("AuditLogs.json", "w") as file:
        json.dump(logs, file)
    
  3. Fill in the correct configuration for region and key

  4. In the same folder where you created this Python file, run

    python AuditLogs.py
  5. A file named AuditLogs.json should have been created containing all of your audit logs

Approach 2: using a curl command

  1. Open your terminal
  2. Enter the following commands to store the details of your request

    • region=<your region>

      Regions to choose from: us-1

    • key=<your API key>

      A valid API key. (Refer to this guide to get one)

    • file=<your file path>

      The complete file path you want the audit logs to be stored in. The suggested format is .json

  3. Make the first curl command by copying this into your terminal

    curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25" > $file
  4. Find and open the file you specified in step 2 to see your audit logs

Information about pagination

  • Every time you make an API call to the audit API endpoint, you only retrieve a page of a maximum of 25 audit logs. To get the audit logs of the next page, follow the steps below.
  • How do I know I received the last page? If the next page exists, you will see the next parameter in the response. If there is no next page, it will be missing.

Getting the next page

  1. Find the next attribute in the previous response Can't find the next? That means there are no further pages
  2. Store new values for the next request. It is suggested to change the file so it won't overwrite the audit logs of the other pages

    • cursor=<your cursor>

      Value from the next attribute in the previous response.

    • file=<your file>

      The file name you want the audit logs to be stored in.

  3. Make another curl command by copying this into your terminal

    curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25&cursor=$cursor" > $file
  4. Repeat as needed