Overview
You can use the CrashPlan API to search Audit Log events and export the results in CSV, CEF, or JSON format to integrate with other security tools. This article provides an introduction to those APIs.
The CrashPlan Audit Log is a record that shows who did what and when in the CrashPlan environment. The Audit Log can help you do many things, including:
- Determine how the CrashPlan environment ended up in its current state.
- Spot check the work of security analysts to prevent abuse of privileged access.
- Identify areas of training for users who caused inadvertent changes.
You can also view the Audit Log from the Administration > Status > Audit Log menu of the CrashPlan console to quickly search events for spot checking and export events to a CSV file. See these other articles to learn more about the Audit Log in the CrashPlan console:
For a detailed description of all the fields in the Audit Log in the CrashPlan console, see Audit Log for CrashPlan.
Considerations
- The Audit Log records events for only the last 90 days. If you want to maintain Audit Log output for longer than that time, export the results in CSV, CEF, or JSON format to save them to your own systems.
- While there is no limit to the number of events recorded in Audit Log, you can only export a maximum of 100,000 file events at once. To export a set of results greater than 100,000, adjust your filters to reduce the number of events returned by any given call to be less than 100,000, then make multiple calls to export the entire set of events.
- The search-results-export API command allows you to export up to 100,000 results at once and is the preferred API to use for data export. The search-audit-log API command allows you to export only up to 10,000 results at a time.
- The tasks in this article require use of the CrashPlan API.
- If you are not familiar with the CrashPlan API, review CrashPlan API syntax and usage.
- For assistance with the CrashPlan API, contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team.
Search Audit Log events
Use the rpc/search/ resource to search for events in the Audit Log and output them in CEF, CSV, or JSON format. For more information about this resource, see the API summary section below.
To search for events, use the rpc/search/search-results-export API command as shown in the following example.
curl --location --request POST '<RequestURL>/rpc/search/search-results-export' \
--header '<AcceptHeader>' \
--header 'Authorization: Bearer <AuthToken>' \
--header 'Content-Type: application/json' \
--data-raw '{"type$":"audit_log::audit_log_queries.search_audit_log/1","dateRange":{"<Dates>"},"eventTypes":["<Types>"],"userTypes":[],"actorIds":["<UserUid>"],"actorNames":["<Username>"],"actorIpAddresses":["<IpAddresses>"],"affectedUserIds":[],"affectedUserNames":[],"page":0,"pageSize":100}'
In the preceding example:
- Replace <RequestURL> with the request URL of your CrashPlan cloud instance, for example, https://console.us2.crashplan.com (so that the full request URL becomes https://console.us2.crashplan.com/rpc/search/search-results-export).
- Replace <AcceptHeader> with the header for the output format you want. For example:
  - CEF: --header 'Accept: text/x-cef'
  - CSV: --header 'Accept: text/csv'
  - JSON: Omit the Accept header, since JSON is the default response type.
- Replace <AuthToken> with the authentication token.
- Filter events using the --data-raw parameters:
  - Replace <Dates> with the date range, with times in UTC format. For example, "dateRange":{"startTime":"2020-07-30T13:41:52.871287Z","endTime":"2020-08-30T13:41:52.871287Z"}
  - Leave <Types> empty to return all event types, or enter the event types to search. Separate multiple event types with commas. To determine the string to use for an event type, query for all events to find the event type names, then write each name in lowercase with underscores between the words to create the search string. For example, for LoggedIn use "logged_in", for SearchIssued use "search_issued", for LocalAuthOnlyChanged use "local_auth_only_changed", and so on.
  - Replace <UserUid> with the CrashPlan userUid. Separate multiple IDs with commas.
  - Replace <Username> with the CrashPlan username. Separate multiple usernames with commas. The username is assigned when the user is added to CrashPlan.
  - Replace <IpAddresses> with the IP addresses to filter on. Separate multiple IP addresses with commas.
  - If you leave a parameter empty, all events are returned; you may also omit a query parameter altogether if you do not want to use it to filter results. For example: "dateRange":{},"eventTypes":[],"actorIds":[],"actorNames":[],"actorIpAddresses":[]
  - For "affectedUserUids", use the CrashPlan userUid of the individual affected by the event. Separate multiple IDs with commas.
  - For "affectedUsernames", use the CrashPlan username of the individual affected by the event. Separate multiple usernames with commas.
  - For CSV output, specify the "page" and "pageSize" parameters. These parameters are ignored for CEF and JSON output.
- To export search output to a file, use your favorite method. For example, to export to a text file, you can end the request with -o file_example.txt
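The request above is assembled by hand. The following Python script, an added example rather than CrashPlan's own code, builds the same --data-raw body from Python values (converting console event names such as LoggedIn to their search strings, formatting the date range in UTC, and choosing the Accept header for CEF, CSV, or JSON) and splits a long date range into windows so that each search-results-export call stays under the 100,000-result cap described under Considerations. The resource path, the "type$" value, and the body keys are taken from the curl command above; the function names, the windowing strategy, the sample dates, and the use of urllib are this example's own assumptions.

```python
"""Build and send CrashPlan Audit Log export requests.

Added example (not CrashPlan's own code). The resource path, the "type$"
value and the body keys come from the curl command in the article; the
function names, the window-splitting strategy and the use of urllib are
assumptions made for this example.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

EXPORT_RESOURCE = "/rpc/search/search-results-export"
QUERY_TYPE = "audit_log::audit_log_queries.search_audit_log/1"
EXPORT_CAP = 100_000  # maximum results per search-results-export call

# Accept header per output format; JSON is the default, so it sends none.
ACCEPT_HEADERS = {"cef": "text/x-cef", "csv": "text/csv", "json": None}

# Constructed sample range, matching the dates used in the article's example.
SAMPLE_START = datetime(2020, 7, 30, 13, 41, 52, 871287, tzinfo=timezone.utc)
SAMPLE_END = datetime(2020, 8, 30, 13, 41, 52, 871287, tzinfo=timezone.utc)


def event_type_string(display_name: str) -> str:
    """Turn a console event name (LoggedIn) into the search string (logged_in)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", display_name).lower()


def iso_utc(moment: datetime) -> str:
    """Format a timezone-aware datetime as the UTC timestamp the API expects."""
    if moment.tzinfo is None:
        raise ValueError("use timezone-aware datetimes so the range is really UTC")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(start: datetime, end: datetime, event_types=(), actor_ids=(),
                actor_names=(), actor_ips=(), affected_user_ids=(),
                affected_user_names=(), page: int = 0, page_size: int = 100) -> dict:
    """Assemble the --data-raw body; an empty list means 'do not filter on this'."""
    return {
        "type$": QUERY_TYPE,
        "dateRange": {"startTime": iso_utc(start), "endTime": iso_utc(end)},
        "eventTypes": [event_type_string(t) for t in event_types],
        "userTypes": [],
        "actorIds": list(actor_ids),
        "actorNames": list(actor_names),
        "actorIpAddresses": list(actor_ips),
        "affectedUserIds": list(affected_user_ids),
        "affectedUserNames": list(affected_user_names),
        "page": page,          # only honoured for CSV output
        "pageSize": page_size,
    }


def date_windows(start: datetime, end: datetime, pieces: int) -> list:
    """Split [start, end] into `pieces` consecutive, non-overlapping windows.

    Use this when one range would exceed EXPORT_CAP: export each window with
    its own call and concatenate the results.
    """
    if pieces < 1 or end <= start:
        raise ValueError("need at least one window and end after start")
    step = (end - start) / pieces
    windows = [(start + i * step, start + (i + 1) * step) for i in range(pieces)]
    windows[-1] = (windows[-1][0], end)  # absorb any microsecond rounding
    return windows


def request_headers(token: str, fmt: str) -> dict:
    """Headers for one export call; fmt is 'cef', 'csv' or 'json'."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    accept = ACCEPT_HEADERS[fmt]  # KeyError on an unsupported format is intended
    if accept:
        headers["Accept"] = accept
    return headers


def export_audit_log(base_url: str, token: str, query: dict, fmt: str = "json",
                     timeout: int = 60) -> str:
    """POST the query and return the raw response body (needs network access)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + EXPORT_RESOURCE,
        data=json.dumps(query).encode("utf-8"),
        headers=request_headers(token, fmt),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for win_start, win_end in date_windows(SAMPLE_START, SAMPLE_END, 4):
        body = build_query(win_start, win_end, event_types=["LoggedIn", "SearchIssued"])
        print(json.dumps(body))
        # export_audit_log("https://console.us2.crashplan.com", "<AuthToken>", body, "cef")
```

Run as-is, the script prints one request body per window; uncomment the export_audit_log call with your console URL and token to send them. The Accept header is added only for CEF and CSV, mirroring the instruction above to omit it for JSON.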
Excerpts of example successful responses, by output format:
- CSV
SearchIssued,2020-08-13T15:52:40.240585Z,clay.inger@code42.com,910391548587130243,192.0.2.0,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","{""groups"":[{""filters"":[{""term"":""eventTimestamp"",""operator"":""WITHIN_THE_LAST"",""value"":""P30D"",""display"":null}],""filterClause"":""AND"",""display"":""{\""data\"":{\""isMultivalue\"":false},\""version\"":\""v1\""}""},{""filters"":[{""term"":""exposure"",""operator"":""IS"",""value"":""ApplicationRead"",""display"":null}],""filterClause"":""OR"",""display"":""{\""data\"":{\""isMultivalue\"":true
- CEF
CEF:0|N/A|N/A|N/A|SearchIssued|[]|0|ActorName=clay.inger@code42.com ActorId=910391548587130243 ActorIP=192.0.2.0 ActorAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 EventTime=2020-08-13T15:52:40.240585Z
- JSON
{"type$":"audit_log::audit_log_queries.search_audit_log.response/1","events":[{"type$":"audit_log::search_issued/1","actorId":"910391548587130243","actorName":"clay.inger@code42.com","actorAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","actorIpAddress":"192.0.2.0","timestamp":"2020-08-13T15:52:40.240585Z","success":true,"type":"query","requestJson":"{\"groups\":[{\"filters\":[{\"term\":\"eventTimestamp\",\"operator\":\"WITHIN_THE_LAST\",\"value\":\"P30D\",\"display\":null}],\"filterClause\":\"AND\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":false},\\\"version\\\":\\\"v1\\\"}\"},{\"filters\":[{\"term\":\"exposure\",\"operator\":\"IS\",\"value\":\"ApplicationRead\",\"display\":null}],\"filterClause\":\"OR\",\"display\":\"{\\\"data\\\":{\\\"isMultivalue\\\":true},\\\"version\\\":\\\"v1\\\"}\"}],\"groupClause\":\"AND\",\"pgSize\":100,\"pgNum\":1,\"srtKey\":null,\"srtDir\":\"desc\",\"purpose\":\"USER_EXECUTED_SEARCH\"}","resultCount":15},
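To feed exported events into another security tool you need to parse them. The following Python code, an added example and not CrashPlan's own, parses a CEF line into its header fields and extension key/value pairs, decodes a JSON response (including the nested requestJson string visible in the excerpt), maps both into one record shape, and then runs a simple defender-side check over the records: which actors appear from more than one source IP within the exported window. The sample CEF line and JSON response are constructed from the excerpts above; the second JSON event (a logged_in event) and its fields are assumed, as are the record shape and the function names.

```python
"""Parse CrashPlan Audit Log export output into uniform records.

Added example (not CrashPlan's own code). The CEF field layout and the JSON
field names follow the excerpts in the article; the sample lines are
constructed, and the record shape and the multi-IP check are this example's
own design.
"""
import json
import re

# Constructed sample CEF line, modelled on the CEF excerpt in the article.
SAMPLE_CEF = (
    "CEF:0|N/A|N/A|N/A|SearchIssued|[]|0|ActorName=clay.inger@code42.com "
    "ActorId=910391548587130243 ActorIP=192.0.2.0 ActorAgent=Mozilla/5.0 "
    "(Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/84.0.4147.105 Safari/537.36 EventTime=2020-08-13T15:52:40.240585Z"
)

# Constructed JSON response with two events. The second event's fields are
# assumed to mirror the first; only search_issued appears in the excerpt.
SAMPLE_JSON = json.dumps({
    "type$": "audit_log::audit_log_queries.search_audit_log.response/1",
    "events": [
        {"type$": "audit_log::search_issued/1", "actorId": "910391548587130243",
         "actorName": "clay.inger@code42.com", "actorAgent": "Mozilla/5.0",
         "actorIpAddress": "192.0.2.0", "timestamp": "2020-08-13T15:52:40.240585Z",
         "success": True, "type": "query",
         "requestJson": "{\"pgSize\":100,\"purpose\":\"USER_EXECUTED_SEARCH\"}",
         "resultCount": 15},
        {"type$": "audit_log::logged_in/1", "actorId": "910391548587130243",
         "actorName": "clay.inger@code42.com", "actorAgent": "curl/7.79.1",
         "actorIpAddress": "198.51.100.7", "timestamp": "2020-08-13T16:01:00.000000Z"},
    ],
})

_CEF_KEY = re.compile(r"(?:^|\s)(\w+)=")  # an extension key: word chars then '='


def _unescape(value: str) -> str:
    """Undo CEF escaping of '=' and '\\' inside extension values."""
    return re.sub(r"\\([=\\])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Split one CEF line into its 7 header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # pipes may be escaped as \|
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, signature, name, severity, extension = parts
    keys = list(_CEF_KEY.finditer(extension))
    ext = {}
    for i, match in enumerate(keys):
        # A value runs from just after 'Key=' up to the next key (or the end).
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[match.group(1)] = _unescape(extension[match.end():value_end].strip())
    return {"version": version[len("CEF:"):], "vendor": vendor, "product": product,
            "deviceVersion": dev_version, "signature": signature, "name": name,
            "severity": severity, "extension": ext}


def parse_json_response(body: str) -> list:
    """Return the events of a JSON export, decoding the nested requestJson string."""
    events = json.loads(body)["events"]
    for event in events:
        if isinstance(event.get("requestJson"), str):
            event["requestJson"] = json.loads(event["requestJson"])
    return events


def normalize_cef(line: str) -> dict:
    """Map a CEF line to the common record shape used below."""
    parsed = parse_cef(line)
    ext = parsed["extension"]
    return {"event": parsed["signature"], "actor": ext.get("ActorName"),
            "ip": ext.get("ActorIP"), "time": ext.get("EventTime")}


def normalize_json(event: dict) -> dict:
    """Map a JSON event to the common record shape; 'audit_log::x/1' -> 'x'."""
    kind = event["type$"].split("::", 1)[1].split("/", 1)[0]
    return {"event": kind, "actor": event.get("actorName"),
            "ip": event.get("actorIpAddress"), "time": event.get("timestamp")}


def actors_with_multiple_ips(records: list) -> dict:
    """Actors seen from more than one source IP in the exported window."""
    seen = {}
    for rec in records:
        if rec["actor"] and rec["ip"]:
            seen.setdefault(rec["actor"], set()).add(rec["ip"])
    return {actor: sorted(ips) for actor, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    records = [normalize_cef(SAMPLE_CEF)]
    records += [normalize_json(e) for e in parse_json_response(SAMPLE_JSON)]
    for rec in records:
        print(rec)
    print(actors_with_multiple_ips(records))
```

The CEF parser tolerates escaped pipes and equals signs, which the excerpt above does not contain but real exports may; the multi-IP check is only a starting point, since a user legitimately moving between networks will also trigger it, so pair it with the ActorAgent field before treating a hit as suspicious.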
Audit Log API structure and syntax
Summary
- Request URL
  - United States:
    - If you sign in to the CrashPlan console at https://console.us1.crashplan.com (US1), use: https://console.us1.crashplan.com/<resource>
    - If you sign in to the CrashPlan console at https://console.us2.crashplan.com (US2), use: https://console.us2.crashplan.com/<resource>
  - Ireland:
    - If you sign in to the CrashPlan console at https://console.eu5.cpg.crashplan.com (EU5), use: https://console.eu5.cpg.crashplan.com/<resource>
- Resources
  - Log search controller: /rpc/search/
    - search-audit-log: Search and export Audit Log events (limit of 10,000)
    - search-results-export: Search and export Audit Log events (limit of 100,000)
- Authentication method: Include an authentication token in the request header.