improved

Vulnerability Management: Activity Log Improvements

Tenable has made several improvements to the View activity log endpoint that give users more granular control when searching activity logs.

  1. Added support for ISO-8601 date and time values for the date filter. For example, all of the following date formats are now valid:
    • date.gt:2021-06-03
    • date.gt:2021-06-03T20:00:00Z
    • date.gt:2021-06-03T15:00:00-0500
  2. Added new operators for use with the date filter. The new operators are greater than or equal (gte) and less than or equal (lte).
  3. Added support for cursor-based pagination. The new pagination method enables users to retrieve more than 10,000 records.

To support cursor-based pagination, a new query parameter called next was added. The new parameter is described in the following table:

Parameter | Type | Description
next | Query | For cursor-based pagination, the cursor position for the next page. For the initial request, use a value of 0. For subsequent requests, set this parameter to the value found in the pagination.next property of the previous response.

Examples

Filter activity logs by date using the new operators

To filter activity logs by date using multiple conditions, including conditions using the new greater than or equal (gte) operator and less than or equal (lte) operator, you could use the following cURL request:

curl --request GET \
     --url 'https://cloud.tenable.com/audit-log/v1/events?f=date.gte:2024-01-02T13:14:15.678Z&f=date.lte:2024-01-03T21:00:00Z' \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json'

Page through results using cursor-based pagination

To page through results using cursor-based pagination, use a value of 0 for the next query parameter to retrieve the first page of the result set:

curl --request GET \
     --url 'https://cloud.tenable.com/audit-log/v1/events?f=date.gt:2024-01-11T13:14:15.678Z&next=0' \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json'

The response looks like the following:

{
  "events": [
    {
      "id": "2b0aa55fcbd14aa18778e6f4c2997b72",
      "action": "user.authenticate.password",
      "crud": "u",
      "actor": {
        "id": "b63d99b9-e5ae-459e-a8e1-3971bb5e8e40",
        "name": "[email protected]"
      },
      "target": {
        "id": "b63d99b9-e5ae-459e-a8e1-3971bb5e8e40",
        "name": "[email protected]",
        "type": "User"
      },
      "description": null,
      "is_anonymous": null,
      "is_failure": false,
      "fields": [
        {
          "key": "X-Forwarded-For",
          "value": "2503:7000:7e00:7126:cd7e:84e1:f69f:efcd, 2603:7000:7e00:7126:cd7e:84e1:f69f:efcd, 10.200.23.13"
        },
        {
          "key": "X-Request-Uuid",
          "value": "1e3704b484f2d241106aa21a6999a9aa:8663a5e5ce309ad74fad:dadb6b3adb1132ec548f"
        }
      ],
      "received": "2024-01-16T15:12:47.334Z"
    }
  ],
  "pagination": {
    "offset": 0,
    "limit": 50,
    "count": 1,
    "total": 70,
    "next": "AAABjRLVBuYAAAAAAAAAAQAbCqVfy9FKoYd45vTCmXty"
  }
}

To retrieve the next page of results, use the value of the pagination.next property in the previous response as the value of the next parameter in your next request:

curl --request GET \
     --url 'https://cloud.tenable.com/audit-log/v1/events?f=date.gt:2024-01-11T13:14:15.678Z&next=AAABjRLVBuYAAAAAAAAAAQAbCqVfy9FKoYd45vTCmXty' \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json'
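
The cursor loop described above, as an added Python example (not Tenable's code) that follows pagination.next from page to page and then picks out events with is_failure set. It assumes the last page either omits pagination.next or returns an empty events list, which this page does not state; the function names build_url, http_fetch, iter_events and failed_actions are hypothetical.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://cloud.tenable.com/audit-log/v1/events"


def build_url(filters, cursor):
    """Repeat f= once per filter and append the cursor as next=."""
    query = [("f", f) for f in filters] + [("next", cursor)]
    return BASE_URL + "?" + urllib.parse.urlencode(query, safe=":")


def http_fetch(url, access_key, secret_key):
    """GET one page with the X-ApiKeys header used in the cURL examples."""
    req = urllib.request.Request(url, headers={
        "X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
        "accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_events(filters, fetch):
    """Yield every event, starting at next=0 and following pagination.next.

    Assumption (not stated on the page): the last page has no
    pagination.next value, or returns an empty events list.
    """
    cursor, seen = "0", set()
    while cursor and cursor not in seen:  # stop if a cursor ever repeats
        seen.add(cursor)
        page = fetch(build_url(filters, cursor))
        events = page.get("events") or []
        yield from events
        if not events:
            break
        cursor = (page.get("pagination") or {}).get("next")


def failed_actions(events):
    """Return (received, action, actor name) for events with is_failure set."""
    return [(e["received"], e["action"], (e.get("actor") or {}).get("name"))
            for e in events if e.get("is_failure")]

# Live use (keys are placeholders):
#   fetch = lambda url: http_fetch(url, "<YOURKEY>", "<YOURKEY>")
#   failures = failed_actions(iter_events(["date.gte:2024-01-02"], fetch))
```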