Cloud SWG (formerly known as WSS) logs each time a user signs in/out or performs an action (such as editing or emailing a report). Admin Role users can review these transactions.
Note: The data can be downloaded from the WSS portal under Account Configuration > Account Auditing.
Click Download (.csv) to open or save the list in a comma-separated value (CSV) file, which can be opened by Microsoft Excel or a similar spreadsheet application.
To automate the downloading of Web Security Service Audit Logs for archiving, Symantec provides a REST API you can use with your internal systems.
https://portal.threatpulse.com/api/rest/audit/download?startDate=YYYY-MM-DD&endDate=YYYY-MM-DD&format=[CSV | JSON]
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&format=CSV"
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&format=JSON"
Where 4da191e3:653a5307 is the username and password, respectively, as generated in Step 1 - Generate WSS API Credentials.
You can add one or more of the following filters.
curl -o test.output -u 4da191e3:653a5307 -v "https://portal.threatpulse.com/api/rest/audit/download?startDate=2019-01-01&endDate=2019-08-01&operationType=create&format=JSON"
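Added example, not Symantec's own code: a POSIX shell wrapper around the curl calls above for scheduled archiving. It validates the dates, format and operationType filter before building the URL, and hands the API credentials to curl on stdin instead of with -u, so they do not appear in the process list. The function names and the WSS_API_USER / WSS_API_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: audit_url, fetch_audit, WSS_API_USER, WSS_API_PASS.
API_BASE="https://portal.threatpulse.com/api/rest/audit/download"

# Print the download URL built from validated parts; return 1 on bad input.
audit_url() {
    start=$1 end=$2 fmt=$3 op=${4:-}
    for d in "$start" "$end"; do
        case $d in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "bad date (want YYYY-MM-DD): $d" >&2; return 1 ;;
        esac
    done
    case $fmt in
        CSV|JSON) ;;
        *) echo "format must be CSV or JSON" >&2; return 1 ;;
    esac
    url="$API_BASE?startDate=$start&endDate=$end"
    if [ -n "$op" ]; then
        # Letters only, so a filter value cannot add extra query parameters.
        case $op in
            *[!A-Za-z]*) echo "bad operationType: $op" >&2; return 1 ;;
        esac
        url="$url&operationType=$op"
    fi
    printf '%s\n' "$url&format=$fmt"
}

# fetch_audit OUTFILE START END FORMAT [OPERATION_TYPE]
fetch_audit() {
    out=$1; shift
    url=$(audit_url "$@") || return 1
    if [ -z "${WSS_API_USER:-}" ] || [ -z "${WSS_API_PASS:-}" ]; then
        echo "set WSS_API_USER and WSS_API_PASS" >&2; return 1
    fi
    # printf is a shell builtin, so the secret never shows up in any argv.
    # --fail makes curl exit non-zero on an HTTP error instead of saving the error body.
    printf 'user = "%s:%s"\n' "$WSS_API_USER" "$WSS_API_PASS" |
        curl --config - --fail --silent --show-error -o "$out" "$url"
}

# Stand-alone use: sh audit_archive.sh OUTFILE START END FORMAT [OPERATION_TYPE]
if [ "$#" -ge 4 ]; then
    fetch_audit "$@"
fi
```

Because the wrapper drops -v and adds --fail, a rejected request shows up as a non-zero exit status that a scheduler can alert on.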