Audit logs API

Audit logs API

ThoughtSpot cloud deployments allow you to collect security audit events and send them to your Security information and event management (SIEM) application in real-time. These events can help your security operations personnel in detecting potential security threats or compromised user accounts in your organization.

The log API endpoint allows you to programmatically fetch security audit logs from the ThoughtSpot system.

Supported operationsπŸ”—

API endpointAvailable from

GET /tspublic/v1/logs/topics/{topic}
Gets security audit logs from the ThoughtSpot system.

ThoughtSpot Cloud ts7.april.cl
ThoughtSpot Software Not applicable

Required permissionsπŸ”—

Requires administrator privilege.

Resource URLπŸ”—

GET /tspublic/v1/logs/topics/{topic}

Request parametersπŸ”—

By default, the API retrieves logs for the last 24 hours. You can set a custom duration in EPOCH time. Make sure the log duration specified in your API request doesn’t exceed 24 hours. If you must fetch logs for a longer time range, modify the duration and make multiple sequential API requests.

ParameterTypeDescription

topic

Path

String. Type of the log. The valid value is security_logs.

fromEpoch
Optional

Query

Epoch time string. The EPOCH time in milliseconds to set the start time for streaming logs. For example, to set the timestamp as June 1, 2021 8 am, specify 1622534400000.

toEpoch
Optional

Query

Epoch time string. The EPOCH time in milliseconds to set the end time for streaming logs. To set the timestamp as June 2, 2021, 8 am, specify 1622620800000.

Example requestπŸ”—

cURL
curl -X GET \
--header 'Accept: application/json' \
'https://{ThoughtSpot-Host}/callosum/v1/tspublic/v1/logs/topics/security_logs'
Request URL
https://{ThoughtSpot-Host}/callosum/v1/tspublic/v1/logs/topics/security_logs

Example responseπŸ”—

Upon successful execution, the API returns logs with the following information:

  • timestamp of the event

  • event ID

  • event type

  • Name and GUID of the user

  • IP address of the ThoughtSpot instance

[
  {
    "date": "2023-06-08T11:15:26.421996Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-0f31addf-fb94-445c-9af6-318975cea9cb\",\"ts\":\"2023-06-08T11:15:26Z\",\"orgId\":0,\"userGUID\":null,\"userName\":null,\"cIP\":null,\"type\":\"LOGIN_FAILED\",\"desc\":\"User login failed\",\"data\":{\"userName\":\"system\"}}"
  },
  {
    "date": "2023-06-08T11:15:59.385943Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-2026d1e7-df48-442f-b4ab-f512d4b0a86f\",\"ts\":\"2023-06-08T11:15:59Z\",\"orgId\":0,\"userGUID\":\"67e15c06-d153-4924-a4cd-ff615393b60f\",\"userName\":\"system\",\"cIP\":null,\"type\":\"LOGOUT_SUCCESSFUL\",\"desc\":\"User logout successful\",\"data\":{}}"
  },
  {
    "date": "2023-06-08T11:37:55.662295Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-6ed05559-7c4e-44b1-8f37-712269f4750c\",\"ts\":\"2023-06-08T11:37:55Z\",\"orgId\":0,\"userGUID\":\"59481331-ee53-42be-a548-bd87be6ddd4a\",\"userName\":\"tsadmin\",\"cIP\":\"10.254.3.248\",\"type\":\"LOGIN_SUCCESSFUL\",\"desc\":\"User login successful\",\"data\":{\"userName\":\"tsadmin\"}}"
  },
  {
    "date": "2023-06-09T04:32:50.383520Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-cc66980a-db77-452b-9516-c9006e23a659\",\"ts\":\"2023-06-09T04:32:50Z\",\"orgId\":0,\"userGUID\":\"67e15c06-d153-4924-a4cd-ff615393b60f\",\"userName\":\"system\",\"cIP\":null,\"type\":\"LOGOUT_SUCCESSFUL\",\"desc\":\"User logout successful\",\"data\":{}}"
  }
]

Response codesπŸ”—

HTTP status codeDescription

200

Successful retrieval of the log

400

Invalid parameter values