Export Cloud SWG Audit log data

Article ID: 169161

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Cloud SWG (formerly known as WSS) logs each time a user signs in/out or performs an action (such as editing or emailing a report).  Admin Role users can review these transactions: 

  1. Navigate to: Account Configuration >  Account Auditing.
  2. Find the related operation.

    Object Type: PolicyRule/Report/User/..
    Operation Type: Delete/Execute/Login/Logout/..

Note:

  • Account Auditing data is available for 1 year.
  • There is no alert notification of any operation action from the Cloud SWG Portal; however, a notification alert can be created using your SIEM once the data has been ingested.

Resolution

Exporting Data


Manually

The data can be downloaded from the WSS portal under Account Configuration > Account Auditing.

Click Download (.csv) to open or save the list in a comma-separated value (CSV) file, which can be opened by Microsoft Excel or a similar spreadsheet application.

REST API:

To automate the downloading of Web Security Service Audit Logs for archiving, Symantec provides a REST API you can use with your internal systems.

  • Requires WSS API key credentials and basic authentication.
  • The Output format can be CSV or JSON.
  • Filter results based on start date, end date, object type, operation type.

Step 1 - Generate WSS API Credentials

    1. Navigate to Account Configuration > API Credentials.
    2. Click Add API Credentials. The WSS displays the New API Credential dialog, which contains a randomly generated Username and Password.
    3. Select the API Expiry:
      • Time-based: you define the date and time when this token expires
      • Never expires
    4. Select Audit Logs.
    5. (Optional) Enter a comment that defines the token's purpose. A helpful description informs other Admins of the purpose.
    6. Copy the Username and Password to a file for use in the REST API.

Step 2 - Use the REST API

The REST API:
https://portal.threatpulse.com/api/rest/audit/download?startDate=YYYY-MM-DD&endDate=YYYY-MM-DD&format=[CSV | JSON]
Examples:

Call the API with cURL and save the output as CSV:
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&format=CSV"
Call the API with cURL and save the output as JSON:
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&format=JSON"

Where 4da191e3:653a5307 is the username and password, respectively, as generated in Step 1 - Generate WSS API Credentials.

Filter Options

You can add one or more of the following filters.

    • objectType=option
    • operationType=option
Example:
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&operationType=create&format=JSON"
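
For a scheduled archive job, the same request can be built and sent from a script that keeps the API credentials out of the command line and shell history. The following is an added example, not code from Symantec or from the original article; the environment variable names WSS_API_USER and WSS_API_PASSWORD, the function names and the output file name are assumptions.

```python
"""Archive Cloud SWG audit logs through the REST API (added example)."""
import base64
import os
import urllib.parse
import urllib.request
from datetime import date, timedelta

BASE_URL = "https://portal.threatpulse.com/api/rest/audit/download"  # from the article


def build_audit_url(start, end, fmt="JSON", object_type=None, operation_type=None):
    """Validate the inputs and return the download URL with optional filters."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if first > last:
        raise ValueError("startDate is after endDate")
    if fmt not in ("CSV", "JSON"):
        raise ValueError("format must be CSV or JSON")
    params = [("startDate", first.isoformat()), ("endDate", last.isoformat())]
    if object_type:
        params.append(("objectType", object_type))
    if operation_type:
        params.append(("operationType", operation_type))
    params.append(("format", fmt))
    # urlencode escapes filter values so they cannot add extra parameters.
    return BASE_URL + "?" + urllib.parse.urlencode(params)


def basic_auth_header(username, password):
    """Build the HTTP basic authentication header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def download_audit_log(url, out_path):
    """Fetch the log and store it in a file only the owner can read."""
    # Assumed variable names; set them from your secret store, not in the script.
    auth = basic_auth_header(os.environ["WSS_API_USER"], os.environ["WSS_API_PASSWORD"])
    request = urllib.request.Request(url, headers={"Authorization": auth})
    with urllib.request.urlopen(request, timeout=60) as response:
        body = response.read()
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(body)
    return len(body)


if __name__ == "__main__":
    day = (date.today() - timedelta(days=1)).isoformat()  # yesterday's entries
    size = download_audit_log(build_audit_url(day, day), f"cloudswg-audit-{day}.json")
    print(f"saved {size} bytes")
```

Run once a day, this leaves one JSON file per day that a SIEM forwarder can pick up for the alerting mentioned in the Note above.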

Additional Information

Review Cloud SWG User Access

Download Audit Logs with REST API