Audit Log API

The Audit Log API endpoint provides access to dataflow audit logs, allowing you to track administrative changes to categories, datasets, and policies within the Cyberhaven platform.

Endpoint

POST /api/rest/v1/audit-log/dataflow/list

Request Format

Basic Request

curl -H 'content-type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  https://$DEPLOYMENT/api/rest/v1/audit-log/dataflow/list \
  -k --data '{}'

Request with Filters

curl -H 'content-type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  https://$DEPLOYMENT/api/rest/v1/audit-log/dataflow/list \
  -k --data '{
    "filters": {
      "types": ["created_category", "edited_dataset"],
      "users": ["admin@company.com"],
      "include_cyberhaven": false
    },
    "page_size": 50
  }'

Request Parameters

Filter Parameters

Parameter	Type	Description
`category_id`	string	Filter by specific category ID
`dataset_id`	string	Filter by specific dataset ID
`include_cyberhaven`	boolean	Include system-generated events
`types`	array[string]	Filter by event types
`users`	array[string]	Filter by user emails

Pagination Parameters

Parameter	Type	Description
`page_id`	string	Token for next page
`page_size`	integer	Number of results per page (max 1000, default 50)

Event Types

Category Events

Type	Description
`created_category`	New category created
`deleted_category`	Category deleted
`edited_category`	Category properties modified
`renamed_category`	Category name changed
`edited_policy_for_category`	Category policy rules updated

Dataset Events

Type	Description
`created_dataset`	New dataset created
`deleted_dataset`	Dataset deleted
`edited_dataset`	Dataset properties modified
`renamed_dataset`	Dataset name changed
`edited_policy_for_dataset`	Dataset policy rules updated

System Events

Type	Description
`none`	No specific event type

Response Format

Response Structure

{
  "events": [
    {
      "time": "2024-01-15T10:30:00Z",
      "type": "created_category",
      "user": {
        "id": "user-123",
        "name": "John Doe",
        "email": "john.doe@company.com"
      },
      "data": {
        "category": {
          "id": "cat-456",
          "name": "Financial Data",
          "description": "Financial information protection",
          "severity": 3,
          "dataset_ids": ["ds-789", "ds-101"]
        }
      },
      "prev": null
    },
    {
      "time": "2024-01-15T11:15:00Z",
      "type": "edited_dataset",
      "user": {
        "id": "user-124",
        "name": "Jane Smith",
        "email": "jane.smith@company.com"
      },
      "data": {
        "dataset": {
          "id": "ds-789",
          "name": "Credit Card Numbers - Updated",
          "description": "Updated credit card detection rules",
          "sensitivity": 4
        }
      },
      "prev": {
        "dataset": {
          "id": "ds-789",
          "name": "Credit Card Numbers",
          "description": "Credit card detection rules",
          "sensitivity": 3
        }
      }
    }
  ],
  "total": 250,
  "next_page_id": "eyJwYWdlIjoyLCJzaXplIjo1MH0="
}

Response Fields

Field	Type	Description
`events`	array[AdminEvent]	Array of audit log events
`total`	integer	Total number of matching events
`next_page_id`	string	Token for next page (if available)

AdminEvent Object Fields

Field	Type	Description
`time`	string	When the event occurred (ISO 8601)
`type`	string	Type of administrative event
`user`	object	User who performed the action
`data`	object	Current state after the change
`prev`	object	Previous state before the change (if applicable)

User Object Fields

Field	Type	Description
`id`	string	Unique user identifier
`name`	string	User's display name
`email`	string	User's email address

Data/Prev Object Fields

The data and prev objects contain either a category or dataset object depending on the event type:

Category Object

Field	Type	Description
`id`	string	Category identifier
`name`	string	Category name
`description`	string	Category description
`severity`	integer	Severity level (0-4)
`dataset_ids`	array[string]	Associated dataset IDs

Dataset Object

Field	Type	Description
`id`	string	Dataset identifier
`name`	string	Dataset name
`description`	string	Dataset description
`sensitivity`	integer	Sensitivity level

Example Requests

Get All Recent Events

{
  "page_size": 100
}

Get Category Creation Events

{
  "filters": {
    "types": ["created_category"]
  },
  "page_size": 50
}

Get Events for Specific User

{
  "filters": {
    "users": ["admin@company.com"],
    "include_cyberhaven": false
  }
}

Get Events for Specific Category

{
  "filters": {
    "category_id": "cat-456",
    "types": ["created_category", "edited_category", "deleted_category"]
  }
}

Get Dataset Modification Events

{
  "filters": {
    "types": ["created_dataset", "edited_dataset", "renamed_dataset"],
    "include_cyberhaven": false
  }
}

Filtering Options

Include System Events

By default, events generated by the Cyberhaven system are excluded. To include them:

{
  "filters": {
    "include_cyberhaven": true
  }
}

Filter by Multiple Event Types

{
  "filters": {
    "types": [
      "created_category",
      "edited_category", 
      "created_dataset",
      "edited_dataset"
    ]
  }
}

Filter by Multiple Users

{
  "filters": {
    "users": [
      "admin1@company.com",
      "admin2@company.com",
      "security-team@company.com"
    ]
  }
}

Error Responses

Common Error Codes

Code	Description	Solution
400	Invalid filter parameters	Check filter values and types
401	Authentication failed	Verify access token
403	Insufficient permissions	Contact administrator
500	Internal server error	Contact support

Error Response Format

{
  "error": {
    "code": "INVALID_EVENT_TYPE",
    "message": "Invalid event type provided",
    "details": {
      "field": "types",
      "value": "invalid_type"
    }
  }
}

Integration Examples

Python Example

import requests
import json
from datetime import datetime, timedelta

def get_audit_logs(token, deployment, filters=None):
    url = f"https://{deployment}/api/rest/v1/audit-log/dataflow/list"
    headers = {
        'Content-Type': 'application/json',
        'Authorization': f'Bearer {token}'
    }
    
    payload = {}
    if filters:
        payload['filters'] = filters
    
    response = requests.post(url, headers=headers, json=payload, verify=False)
    return response.json()

# Get recent category changes
filters = {
    "types": ["created_category", "edited_category", "deleted_category"],
    "include_cyberhaven": False
}

events = get_audit_logs(token, deployment, filters)
print(f"Found {events['total']} audit events")

for event in events['events']:
    print(f"{event['time']}: {event['type']} by {event['user']['email']}")

PowerShell Example

$headers = @{
    'Content-Type' = 'application/json'
    'Authorization' = "Bearer $token"
}

$body = @{
    filters = @{
        types = @("created_category", "edited_dataset")
        include_cyberhaven = $false
    }
    page_size = 50
} | ConvertTo-Json -Depth 3

$response = Invoke-RestMethod -Uri "https://$deployment/api/rest/v1/audit-log/dataflow/list" `
    -Method Post -Headers $headers -Body $body

Write-Output "Found $($response.total) audit events"

foreach ($event in $response.events) {
    Write-Output "$($event.time): $($event.type) by $($event.user.email)"
}

Bash Example

#!/bin/bash

# Get audit logs for specific user
curl -H 'content-type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  https://$DEPLOYMENT/api/rest/v1/audit-log/dataflow/list \
  -k --data '{
    "filters": {
      "users": ["admin@company.com"],
      "types": ["created_category", "edited_category"]
    },
    "page_size": 25
  }' | jq '.events[] | "\(.time): \(.type) by \(.user.email)"'

Use Cases

Compliance Auditing

Track all administrative changes for compliance reporting:

{
  "filters": {
    "include_cyberhaven": false
  },
  "page_size": 1000
}

Change Management

Monitor specific category or dataset modifications:

{
  "filters": {
    "category_id": "critical-data-category",
    "types": ["edited_category", "edited_policy_for_category"]
  }
}

User Activity Monitoring

Track actions by specific administrators:

{
  "filters": {
    "users": ["security-admin@company.com"],
    "include_cyberhaven": false
  }
}

Policy Change Tracking

Monitor policy rule modifications:

{
  "filters": {
    "types": ["edited_policy_for_category", "edited_policy_for_dataset"]
  }
}

Best Practices

Filter by Event Type: Use specific event types to reduce response size
Exclude System Events: Set include_cyberhaven: false for user-initiated changes only
Implement Pagination: Use page_size and next_page_id for large result sets
Monitor Critical Changes: Focus on policy and configuration modifications
Regular Auditing: Periodically review audit logs for compliance

Endpoints API - Query endpoint sensor status
Incidents API - Query security incidents
API v2 Overview - Enhanced API with additional audit capabilities

Endpoint​

Request Format​

Basic Request​

Request with Filters​

Request Parameters​

Filter Parameters​

Pagination Parameters​

Event Types​

Category Events​

Dataset Events​

System Events​

Response Format​

Response Structure​

Response Fields​

AdminEvent Object Fields​

User Object Fields​

Data/Prev Object Fields​

Category Object​

Dataset Object​

Example Requests​

Get All Recent Events​

Get Category Creation Events​

Get Events for Specific User​

Get Events for Specific Category​

Get Dataset Modification Events​

Filtering Options​

Include System Events​

Filter by Multiple Event Types​

Filter by Multiple Users​

Error Responses​

Common Error Codes​

Error Response Format​

Integration Examples​

Python Example​

PowerShell Example​

Bash Example​

Use Cases​

Compliance Auditing​

Change Management​

User Activity Monitoring​

Policy Change Tracking​

Best Practices​

Related Endpoints​