Audit logs API

Audit logs API

ThoughtSpot cloud deployments allow you to collect security audit events and send them to your Security information and event management (SIEM) application in real-time. These events can help your security operations personnel in detecting potential security threats or compromised user accounts in your organization.

The log API endpoint allows you to programmatically fetch security audit logs from the ThoughtSpot system.

Security EventsπŸ”—

The API returns audit logs for the following security events:

EventDescription

ACCOUNT_LOCKED

A local user fails to authenticate x times in a row, locking the account. Administrators can configure the number of authentication attempts before lockout within ThoughtSpot.

AUTH_TOKEN_CREATED_SUCCESSFULLY

Auth token creation succeeds.

CREATE_ANSWER

A user attempts to create a new Answer.

CREATE_CONNECTION

Connection created.

CREATE_CONNECTION_ATTEMPTED

Create connection attempted.

CREATE_PINBOARD

A user attempts to create a new Liveboard.

CREATE_RLS_RULE

A user creates an RLS (row-level-security) rule on a table.

CREATE_TABLES

A user attempts to create a new table.

CSV_UPLOAD_FINISHED

CSV upload finishes.

CSV_UPLOAD_STARTED

CSV upload starts.

DATA_UPLOAD_CONFIGURED

Data upload configured for a connection.

DELETE_ANSWERS

A user attempts to delete an Answer.

DELETE_CONNECTION

Connection deleted.

DELETE_CONNECTION_ATTEMPTED

Connection deletion attempted.

DELETE_PINBOARDS

A user attempts to delete a Liveboard.

DELETE_RLS_RULES

A user deletes an RLS rule on a table.

EDIT_CONNECTION

Connection edited.

EDIT_CONNECTION_ATTEMPTED

Connection edit attempted.

FAILED_TO_CREATE_AUTH_TOKEN

Authentication token creation fails.

LOGIN_FAILED

A user fails to log in due to an incorrect password, or IDP/ADP deny the authentication request.

LOGIN_SUCCESSFUL

A local, IDP or AD user logs in to ThoughtSpot.

LOGOUT_FAILED

User logout failed.

LOGOUT_SUCCESSFUL

A user logs out from ThoughtSpot.

PRINCIPALS_IN_GROUP_UPDATE

A user successfully or unsuccessfully attempts to add or remove users or groups from a group.

PRIVILEGE_CHANGES

A user adds or removes one or several privileges from a group.

ROLE_CREATED

Role creation attempted.

ROLE_DELETED

Role deletion attempted.

ROLE_UPDATED

Role update attempted.

ROLES_ASSIGNED

Roles assignment to group attempted.

ROLES_IMPORTED

Roles import attempted.

ROLES_REMOVED

Removal of roles from group attempted.

SHARE_OBJECTS

A user successfully or unsuccessfully attempts to share an object (Liveboard, Worksheet, Answer) with another user or group. The "discoverability" field indicates whether a shared object is discoverable to users of the same user group as the author who have access to the underlying data source.

UPDATE_ANSWERS

A user attempts to modify an existing Answer.

UPDATE_PASSWORD

A user successfully or unsuccessfully attempts to change their password.

UPDATE_PASSWORD_FAILED

A user fails to update their password.

UPDATE_PINBOARDS

A user attempts to modify an existing Liveboard.

UPDATE_RLS_RULE

A user modifies an RLS rule on a table.

USER_ACTIVATE

A user attempts to activate their account.

USER_GROUPS_CREATED

A user creates a new group, either manually through the Admin Portal, or through the internal API.

USER_GROUPS_DELETED

A user deletes a group, either manually through the Admin Portal, or through the internal API.

USER_GROUP_MODIFIED

A user modifies the properties of a group, either in Admin Portal or over internal API. (Properties include group name, display name, and sharing visibility.)

USERS_CREATED

A new user creates an account, either manually in the Admin Portal or through the internal API.

USERS_DELETED

A user account is deleted, either manually in the Admin Portal or through the internal API.

USERS_MODIFIED

A user profile changes, either manually in the Admin Portal or over SAML sync.

For more information about security event logs, see Collect security logs.

Supported operationsπŸ”—

API endpointAvailable from

GET /tspublic/v1/logs/topics/{topic}
Gets security audit logs from the ThoughtSpot system.

ThoughtSpot Cloud ts7.april.cl
ThoughtSpot Software Not applicable

Required permissionsπŸ”—

Requires administrator privilege.

Resource URLπŸ”—

GET /tspublic/v1/logs/topics/{topic}

Request parametersπŸ”—

By default, the API retrieves logs for the last 24 hours. You can set a custom duration in EPOCH time. Make sure the log duration specified in your API request doesn’t exceed 24 hours. If you must fetch logs for a longer time range, modify the duration and make multiple sequential API requests.

ParameterTypeDescription

topic

Path

String. Type of the log. The valid value is security_logs.

fromEpoch
Optional

Query

Epoch time string. The EPOCH time in milliseconds to set the start time for streaming logs. For example, to set the timestamp as June 1, 2021 8 am, specify 1622534400000.

toEpoch
Optional

Query

Epoch time string. The EPOCH time in milliseconds to set the end time for streaming logs. To set the timestamp as June 2, 2021, 8 am, specify 1622620800000.

Example requestπŸ”—

cURL
curl -X GET \
--header 'Accept: application/json' \
'https://{ThoughtSpot-Host}/callosum/v1/tspublic/v1/logs/topics/security_logs'
Request URL
https://{ThoughtSpot-Host}/callosum/v1/tspublic/v1/logs/topics/security_logs

Example responseπŸ”—

Upon successful execution, the API returns logs with the following information:

  • timestamp of the event

  • event ID

  • event type

  • Name and GUID of the user

  • IP address of the ThoughtSpot instance

[
  {
    "date": "2023-06-08T11:15:26.421996Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-0f31addf-fb94-445c-9af6-318975cea9cb\",\"ts\":\"2023-06-08T11:15:26Z\",\"orgId\":0,\"userGUID\":null,\"userName\":null,\"cIP\":null,\"type\":\"LOGIN_FAILED\",\"desc\":\"User login failed\",\"data\":{\"userName\":\"system\"}}"
  },
  {
    "date": "2023-06-08T11:15:59.385943Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-2026d1e7-df48-442f-b4ab-f512d4b0a86f\",\"ts\":\"2023-06-08T11:15:59Z\",\"orgId\":0,\"userGUID\":\"67e15c06-d153-4924-a4cd-ff615393b60f\",\"userName\":\"system\",\"cIP\":null,\"type\":\"LOGOUT_SUCCESSFUL\",\"desc\":\"User logout successful\",\"data\":{}}"
  },
  {
    "date": "2023-06-08T11:37:55.662295Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-6ed05559-7c4e-44b1-8f37-712269f4750c\",\"ts\":\"2023-06-08T11:37:55Z\",\"orgId\":0,\"userGUID\":\"59481331-ee53-42be-a548-bd87be6ddd4a\",\"userName\":\"tsadmin\",\"cIP\":\"10.254.3.248\",\"type\":\"LOGIN_SUCCESSFUL\",\"desc\":\"User login successful\",\"data\":{\"userName\":\"tsadmin\"}}"
  },
  {
    "date": "2023-06-09T04:32:50.383520Z",
    "log": "{\"version\":\"1.1\",\"id\":\"TS-cc66980a-db77-452b-9516-c9006e23a659\",\"ts\":\"2023-06-09T04:32:50Z\",\"orgId\":0,\"userGUID\":\"67e15c06-d153-4924-a4cd-ff615393b60f\",\"userName\":\"system\",\"cIP\":null,\"type\":\"LOGOUT_SUCCESSFUL\",\"desc\":\"User logout successful\",\"data\":{}}"
  }
]

Response codesπŸ”—

HTTP status codeDescription

200

Successful retrieval of the log

400

Invalid parameter values