Topics on this page
Review events in the audit log
Trend Micro Cloud One logs administrative and account-related events. You can view these events from the Audit Log page in Trend Micro Cloud One. The events include:
- Account creation and updates
- API key creation, updates, and deletion
- User invitation creation and updates
- User updates and deletion
Trend Micro Cloud One retains these audit events for 1 year. Customers requiring longer retention should consider using the Audit Log API to store these events to an external storage system.
To view the events:
- On the main page of the Trend Micro Cloud One console, select Audit Log.
-
A list of events is displayed. Click an event to see its details, including:
-
Time: The timestamp of the event, in UTC time
- Event: A description of the event
- Principal URN: If available, the URN of the object relating to the event (such as the user or invitation)
- Event ID: The unique identifier of the specific event. A unique value is generated for every event.
- Type: The unique identifier of the event type
- Account ID: The account ID of the Cloud One account where the event occurred
- Details: Additional details about the event
List of audit events
Event | Event Type | Description |
---|---|---|
Account Created | audit.account_created.v1 | |
Account Modified | audit.account_updated.v1 | |
ApiKey Created | audit.apiKey_created.v1 | |
ApiKey Modified | audit.apiKey_updated.v1 | |
ApiKey Deleted | audit.apiKey_deleted.v1 | |
Invitation Created | audit.invitation_created.v1 | |
Invitation Modified | audit.invitation_updated.v1 | |
Role Created | audit.role_created.v1 | |
Role Modified | audit.role_updated.v1 | |
User Modified | audit.user_updated.v1 | |
User Deleted | audit.user_deleted.v1 | |
User Signed In | audit.user-signed-in.v1 | An authentication token has been created. |
User Signed Out | audit.user-signed-out.v1 | An authentication token was revoked. This can occur if you log out of Trend Micro Cloud One, when you switch accounts, or if your session times out. |
API guide
Prerequisite
You will need to have:
- The region of your Cloud One account
- A valid API key (Refer to this guide to get one)
- Python installed if you are using approach 1
Approach 1: using a premade Python script
- Make a new Python file called
AuditLogs.py
-
Copy the code below
import requests import json import time # Configuration ################################################### region = "us-1" # Options: us-1 key = "Enter your API key" # Cloud One API key ################################################### logs = [] url = "https://audit." + region + ".cloudone.trendmicro.com/api/logs?limit=25" extra = "" headers = {"Api-Version": "v1", "Authorization": "ApiKey " + key,} while True: r = requests.get(url + extra, headers=headers) if r.status_code == 429: time.sleep(0.5) r = requests.get(url + extra, headers=headers) if r.status_code == 429: time.sleep(1) r = requests.get(url + extra, headers=headers) if r.status_code == 429: time.sleep(2) r = requests.get(url + extra, headers=headers) if r.status_code == 200: responseObject = r.json() logs += responseObject["logs"] else: print("Failed to get the audit logs") print(r.text) break try: next = responseObject["next"] extra = "&cursor=" + next except KeyError: break with open("AuditLogs.json", "w") as file: json.dump(logs, file)
-
Fill in the correct configuration for
region
andkey
-
In the same folder where you created this Python file, run
python AuditLogs.py
-
A file named
AuditLogs.json
should have been created containing all of your audit logs
Approach 2: using a curl command
- Open your terminal
-
Enter the following commands to store the details of your request
-
region=<your region>
Regions to choose from:
us-1
-
key=<your API key>
A valid API key. (Refer to this guide to get one)
-
file=<your file path>
The complete file path you want the audit logs to be stored in. The suggested format is
.json
-
-
Make the first curl command by copying this into your terminal
curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25" > $file
-
Find and open the file you specified in step 2 to see your audit logs
Information about pagination
- Every time you make an API call to the audit API endpoint, you only retrieve a page of a maximum of 25 audit logs. To get the audit logs of the next page, follow the steps below.
- How do I know I received the last page? If the next page exists, you will see the
next
parameter in the response. If there is no next page, it will be missing.
Getting the next page
- Find the
next
attribute in the previous response Can't find thenext
? That means there are no further pages -
Store new values for the next request. It is suggested to change the file so it won't overwrite the audit logs of the other pages
-
cursor=<your cursor>
Value from the
next
attribute in the previous response. -
file=<your file>
The file name you want the audit logs to be stored in.
-
-
Make another curl command by copying this into your terminal
curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25&cursor=$cursor" > $file
-
Repeat as needed