Review events in the audit log
Trend Cloud One logs administrative and account-related events. You can view these events from the Audit Log page in Trend Cloud One. The events include:
- Account creation and updates
- API key creation, updates, and deletion
- User invitation creation and updates
- User updates and deletion
Trend Cloud One retains these audit events for 1 year. Customers requiring longer retention should consider using the Audit Log API to store these events to an external storage system.
To view the events:
1. On the main page of the Trend Cloud One console, select Audit Log.
2. A list of events is displayed. Click an event to see its details, including the following:
   - Time: The timestamp of the event, in UTC time
   - Event: A description of the event
   - Principal URN: If available, the URN of the object relating to the event (such as the user or invitation)
   - Event ID: The unique identifier of the specific event. A unique value is generated for every event.
   - Type: The unique identifier of the event type
   - Account ID: The account ID of the Trend Cloud One account where the event occurred
   - Details: Additional details about the event
List of audit events
Event | Event Type | Description |
---|---|---|
Account Created | audit.account_created.v1 | |
Account Modified | audit.account_updated.v1 | |
ApiKey Created | audit.apiKey_created.v1 | |
ApiKey Modified | audit.apiKey_updated.v1 | |
ApiKey Deleted | audit.apiKey_deleted.v1 | |
Invitation Created | audit.invitation_created.v1 | |
Invitation Modified | audit.invitation_updated.v1 | |
Role Created | audit.role_created.v1 | |
Role Modified | audit.role_updated.v1 | |
User Modified | audit.user_updated.v1 | |
User Deleted | audit.user_deleted.v1 | |
User Signed In | audit.user-signed-in.v1 | An authentication token has been created. |
User Signed Out | audit.user-signed-out.v1 | An authentication token was revoked. This can occur if you log out of Trend Micro Cloud One, when you switch accounts, or if your session times out. |
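The table above is the vocabulary a defender works with once the events have been exported (for example into the AuditLogs.json file produced by the script in the API guide). The following is an added example, not code from the Trend Micro documentation: it groups exported events by the event types listed in the table, pulls out the ones that change who can act on the account or with which credentials (API key and role changes, user deletion), and flags any of those made outside working hours. The JSON key names it reads ("id", "type", "time", "principalUrn", "accountId") are an assumption about the export format, and the sample records are constructed for the example.

```python
"""Triage of exported Trend Cloud One audit events.

Added example (not code from the Trend Micro documentation). The event type
strings are the ones listed in the documentation table. The JSON key names
used here ("id", "type", "time", "principalUrn", "accountId") are an
ASSUMPTION about the export format, and SAMPLE_LOGS is constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Event types from the table that change who can act on the account or with
# which credentials; these are the ones to review first.
HIGH_RISK_TYPES = {
    "audit.apiKey_created.v1",
    "audit.apiKey_deleted.v1",
    "audit.role_created.v1",
    "audit.role_updated.v1",
    "audit.user_deleted.v1",
}

# Constructed sample records; the URN layout is made up for this example.
SAMPLE_LOGS = [
    {"id": "evt-1", "type": "audit.user-signed-in.v1", "time": "2024-05-01T08:00:00Z",
     "principalUrn": "urn:example:user/alice", "accountId": "123456789012"},
    {"id": "evt-2", "type": "audit.apiKey_created.v1", "time": "2024-05-01T08:05:00Z",
     "principalUrn": "urn:example:apikey/ci-deploy", "accountId": "123456789012"},
    {"id": "evt-3", "type": "audit.user-signed-in.v1", "time": "2024-05-01T23:40:00Z",
     "principalUrn": "urn:example:user/bob", "accountId": "123456789012"},
    {"id": "evt-4", "type": "audit.user_deleted.v1", "time": "2024-05-01T23:42:00Z",
     "principalUrn": "urn:example:user/carol", "accountId": "123456789012"},
    {"id": "evt-5", "type": "audit.user-signed-out.v1", "time": "2024-05-02T00:10:00Z",
     "principalUrn": "urn:example:user/bob", "accountId": "123456789012"},
    {"id": "evt-6", "type": "audit.account_updated.v1", "time": "2024-05-02T09:00:00Z",
     "principalUrn": None, "accountId": "123456789012"},
]


def parse_time(value):
    """Parse the UTC timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def count_by_type(logs):
    """How many events of each type the export contains."""
    return Counter(event["type"] for event in logs)


def high_risk_events(logs):
    """High-risk events, oldest first, so they can be reviewed in order."""
    return sorted((e for e in logs if e["type"] in HIGH_RISK_TYPES),
                  key=lambda e: parse_time(e["time"]))


def events_outside_hours(logs, start_hour=7, end_hour=19):
    """High-risk changes made outside the given UTC working hours."""
    return [e for e in high_risk_events(logs)
            if not (start_hour <= parse_time(e["time"]).hour < end_hour)]


def sign_ins_by_principal(logs):
    """Sign-in count per principal URN (token creations, per the table)."""
    return Counter(e["principalUrn"] for e in logs
                   if e["type"] == "audit.user-signed-in.v1")


def summarize(logs):
    """One dictionary a reviewer can read or ship to a SIEM."""
    return {
        "total": len(logs),
        "by_type": dict(count_by_type(logs)),
        "high_risk_ids": [e["id"] for e in high_risk_events(logs)],
        "after_hours_ids": [e["id"] for e in events_outside_hours(logs)],
        "sign_ins": dict(sign_ins_by_principal(logs)),
    }


def load_logs(path="AuditLogs.json"):
    """Load the file written by the export script from the API guide."""
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
```

Replace `SAMPLE_LOGS` with `load_logs()` to run it over a real export; the working-hours window and the set of high-risk types are the two things to tune for your own account.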
API guide
Prerequisite
You need the following:
- The region of your Trend Cloud One account.
- A valid API key (see this guide to get one).
- Python installed if you are using Approach 1.
Approach 1: using a premade Python script
1. Make a new Python file called AuditLogs.py.
2. Copy the following code:
```python
import requests
import json
import time

# Configuration ###################################################
region = "us-1"  # Options: us-1
key = "Enter your API key"  # Cloud One API key
###################################################################

logs = []
url = "https://audit." + region + ".cloudone.trendmicro.com/api/logs?limit=25"
extra = ""
headers = {"Api-Version": "v1", "Authorization": "ApiKey " + key}

while True:
    r = requests.get(url + extra, headers=headers)
    # Back off and retry (0.5 s, 1 s, 2 s) if the API rate-limits the request (HTTP 429).
    for delay in (0.5, 1, 2):
        if r.status_code != 429:
            break
        time.sleep(delay)
        r = requests.get(url + extra, headers=headers)
    if r.status_code == 200:
        responseObject = r.json()
        logs += responseObject["logs"]
    else:
        print("Failed to get the audit logs")
        print(r.text)
        break
    # The "next" cursor is only present when another page exists.
    try:
        next_cursor = responseObject["next"]
        extra = "&cursor=" + next_cursor
    except KeyError:
        break

with open("AuditLogs.json", "w") as file:
    json.dump(logs, file)
```
3. Fill in the correct configuration for region and key.
4. In the same folder where you created this Python file, run the following:
   ```shell
   python AuditLogs.py
   ```
5. A file named AuditLogs.json should have been created containing all of your audit logs.
Approach 2: using a curl command
1. Open your terminal.
2. Enter the following commands to store the details of your request:
   - region=<your region>
     Regions to choose from: us-1
   - key=<your API key>
     A valid API key. (Refer to this guide to get one)
   - file=<your file path>
     The complete file path you want the audit logs to be stored in. The suggested format is .json.
3. Make the first curl command by copying this into your terminal:
   ```shell
   curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25" > "$file"
   ```
4. Find and open the file you specified in step 2 to see your audit logs.
About pagination
- Every time you make an API call to the audit API endpoint, you only retrieve a page of a maximum of 25 audit logs. To get the audit logs of the next page, follow the instructions provided in Getting the next page.
- How do I know I received the last page? If a next page exists, you will see the next parameter in the response. If there is no next page, it will be missing.
Getting the next page
1. Find the next attribute in the previous response. Can't find next? That means there are no further pages.
2. Store new values for the next request. It is suggested to change the file so it does not overwrite the audit logs of the other pages:
   - cursor=<your cursor>
     Value from the next attribute in the previous response.
   - file=<your file>
     The file name in which you want the audit logs to be stored.
3. Make another curl command by copying this into your terminal:
   ```shell
   curl -X GET -H "Api-Version: v1" -H "Authorization: ApiKey $key" "https://audit.$region.cloudone.trendmicro.com/api/logs?limit=25&cursor=$cursor" > "$file"
   ```
4. Repeat as needed.
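The manual loop above (read next, store the cursor, request the following page, repeat) is the same cursor protocol the Python script automates. The following is an added example, not code from the Trend Micro documentation, that shows the exchange from both sides so the pagination and rate-limit handling can be exercised offline: a constructed in-memory stand-in for the endpoint serves pages of fake events and answers every third request with HTTP 429, and a client follows the next cursor until it is absent, backing off exponentially on 429 and giving up after a bounded number of retries. It relies only on what this page states (a "logs" array per page, a "next" cursor present only when another page exists, "limit" and "cursor" query parameters, and the Api-Version and Authorization headers); the fake service's cursor being a plain offset is an assumption made for the example, not a property of the real API, whose cursor should be treated as opaque.

```python
"""Cursor pagination with back-off for the audit log endpoint.

Added example, not code from the Trend Micro documentation. It relies only on
what the page states: a page carries a "logs" array, a "next" cursor appears
only when another page exists, the cursor is sent back as the "cursor" query
parameter together with "limit", and HTTP 429 means the request was
rate-limited. FakeAuditApi is a constructed, in-memory stand-in for
https://audit.<region>.cloudone.trendmicro.com/api/logs so the example runs
offline; requests_get() is the transport to use against the real service.
"""
import time
from urllib.parse import parse_qs, urlencode, urlparse

PAGE_SIZE = 25  # the page size the documentation uses


class FakeAuditApi:
    """Constructed stand-in for the service: serves pages of fake events and
    answers every Nth request with 429 to exercise the retry path."""

    def __init__(self, total_events, rate_limit_every=0):
        self.events = [{"id": f"evt-{i:04d}", "type": "audit.user-signed-in.v1"}
                       for i in range(total_events)]
        self.calls = 0
        self.rate_limit_every = rate_limit_every

    def get(self, url, headers):
        self.calls += 1
        if self.rate_limit_every and self.calls % self.rate_limit_every == 0:
            return 429, {}
        query = parse_qs(urlparse(url).query)
        limit = int(query.get("limit", [PAGE_SIZE])[0])
        # The real cursor is opaque; this fake uses a plain offset (assumption).
        start = int(query.get("cursor", ["0"])[0])
        body = {"logs": self.events[start:start + limit]}
        if start + limit < len(self.events):
            body["next"] = str(start + limit)  # only present when more pages exist
        return 200, body


def requests_get(url, headers):
    """Real transport with the same (status, body) contract as FakeAuditApi.get."""
    import requests  # imported here so the offline demo does not need it
    r = requests.get(url, headers=headers, timeout=30)
    return r.status_code, (r.json() if r.status_code == 200 else {})


def fetch_all_logs(get, base_url, headers, max_retries=5, sleep=time.sleep):
    """Follow "next" cursors to the last page; retry 429 with exponential back-off."""
    logs, cursor = [], None
    while True:
        params = {"limit": PAGE_SIZE}
        if cursor is not None:
            params["cursor"] = cursor
        url = f"{base_url}?{urlencode(params)}"
        for attempt in range(max_retries + 1):
            status, body = get(url, headers)
            if status != 429:
                break
            sleep(min(0.5 * 2 ** attempt, 8.0))  # 0.5 s, 1 s, 2 s, 4 s, 8 s, 8 s ...
        else:
            raise RuntimeError(f"still rate-limited after {max_retries} retries")
        if status != 200:
            raise RuntimeError(f"audit API returned HTTP {status}")
        logs.extend(body["logs"])
        cursor = body.get("next")  # absent on the last page
        if cursor is None:
            return logs


if __name__ == "__main__":
    api = FakeAuditApi(total_events=60, rate_limit_every=3)
    got = fetch_all_logs(api.get, "https://audit.us-1.cloudone.trendmicro.com/api/logs",
                         {"Api-Version": "v1", "Authorization": "ApiKey <your API key>"})
    print(f"{len(got)} events in {api.calls} requests")  # 60 events in 4 requests
```

To run it against the service, pass `requests_get` instead of `api.get` and your own region and API key; the `sleep` parameter exists so tests can skip the real delays, and the bounded retry count turns a persistently throttled endpoint into an error rather than an endless loop.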