agilio | 2021-03-12 20:27:44 UTC | #1
We have a client whose security team is logging for the following. With their move to the cloud and users working from anywhere, this is something they are hoping can be provided via APIs.
What the Information Security team is looking for is security-relevant logs via an API for near real-time access (e.g. query every 15 min for the prior 15 min of logs) from the phone system, which cover:
When
- Time/Date (e.g. international format or fully formatted with time zone)
Where
- Application identifier (e.g. name, version)
- Application address (e.g. the cluster/hostname or IP of the server and port)
- Service name/identifier (e.g. just a guess: Station, Web Chat, Web SMS, SoftPhone, back-end administration)
Who
- Source address, e.g. user device/machine identifier, user's IP address
- User identity (if authenticated, otherwise unknown)
What
- Type of event
- Severity of event
- Description or code (if code, there must be a data dictionary that defines the code to an event/description)
- Success or failure of the event
For Web Chat, we need at minimum when a chat starts, available in real time for query (e.g. query every 5 min for the prior 5 min). Ideally a start/stop event will occur. Maybe a subscription/notification, but we would need to understand and test this for instantaneous notification and evaluation.
When
- Time/Date of the chat initiation
Where
- Referral URL (where the web chat was launched from)
- Source IP of the agent
- User ID of the agent
Who
- Email of the customer/member
- Source IP address of the customer/member
- User agent of the customer/member browser
What
- Type of event
- Severity of event
- Description or code (if code, there must be a data dictionary that defines the code to an event/description)
- Success or failure of the event
agilio | 2021-03-17 16:02:20 UTC | #2
Hi, any thoughts or comments regarding this?
Becky_Powell | 2021-03-17 17:22:29 UTC | #3
We currently provide an Audits API that customers can use to receive key details of certain changes, to include action taken, action details, and the user who executed the action. You can learn more about this API here and see the full catalog of supported actions here.
If there is a particular audit action that you need, but don't see listed in the catalog, please do let us know by logging an idea in our Ideas Portal. We're constantly adding new actions - we encourage you to share your priorities with us.
Additionally, you may be interested in the EventBridge integration, which is currently in beta. This integration would allow you to receive events in near-real time without needing to poll the APIs as you described above. You can learn more about this integration here. If you're interested in participating, please do let us know!
If neither of these solutions meets your needs entirely, I would urge you to contact your PSM so that we can have a larger discussion than what this forum provides.
Thank you! -Becky
agilio | 2021-03-19 15:04:31 UTC | #4
Hi Becky,
If I wanted to find out when a user logged into the system and their source address, which of those APIs would you suggest I use, as an example?
Thanks
AG
agilio | 2021-03-22 17:59:11 UTC | #5
Hi Becky, any thoughts?
If I wanted to find out when a user logged into the system and their source address, which of those APIs would you suggest I use, as an example?
Becky_Powell | 2021-03-22 20:02:27 UTC | #6
Hi there - I apologize that I missed your earlier message. We do have an audit event for AccessToken CREATE: https://developer.mypurecloud.com/api/rest/v2/audit/actioncatalog.html#peoplepermissions.
Thank you!
agilio | 2021-03-22 22:20:26 UTC | #7
Hi Becky, thanks for getting back to me. When I run /api/v2/audits/query with
{
"interval": "2021-03-22T07:00:00/2021-03-22T012:00:00",
"serviceName": "PeoplePermissions",
"filters": [
{
"property": "EntityType",
"value": "AccessToken"
}
],
"sort": [
{
"name": "Timestamp",
"sortOrder": "ascending"
}
]
}
I get the following response. Any guidance would be welcomed.
{
"message": "The request could not be understood by the server due to malformed syntax.",
"code": "bad.request",
"status": 400,
"contextId": "0e569911-019a-45ab-be5e-8ee37c44797b",
"details": [],
"errors": []
}
anon11147534 | 2021-03-23 09:22:04 UTC | #8
Hi,
Your interval was slightly off, the correct timestamp format is: 2021-03-22T07:00:00.000Z/2021-03-22T12:00:00.000Z. The analytics-query-builder interval selector is helpful for creating ISO-8601 strings.
agilio | 2021-03-23 13:20:53 UTC | #9
Thanks. I thought that was odd, but I was trying to follow the documentation; this is what is in the API explorer.
Interval
( string, required ): Date and time range of data to query. Intervals are represented as an ISO-8601 string. For example: YYYY-MM-DDThh:mm:ss/YYYY-MM-DDThh:mm:ss
agilio | 2021-03-23 13:24:59 UTC | #10
Unfortunately I'm still getting that error. Below is the updated post body. I think something is wrong with that serviceName, but please let me know your thoughts.
{
"interval": "2021-03-22T07:00:00.000Z/2021-03-22T12:00:00.000Z.",
"serviceName": "PeoplePermissions",
"filters": [
{
"property": "EntityType",
"value": "AccessToken"
}
],
"sort": [
{
"name": "Timestamp",
"sortOrder": "ascending"
}
]
}
anon11147534 | 2021-03-23 14:10:07 UTC | #11
The Z is optional. In your first post body there was a leading 0 in 12:00:00. In your two latest post bodies there are trailing punctuation marks after the final Z.
This body will work:
{
"interval":"2021-03-22T07:00:00.000/2021-03-22T12:00:00.000",
"serviceName":"PeoplePermissions",
"filters":[
{
"property":"EntityType",
"value":"AccessToken"
}
],
"sort":[
{
"name":"Timestamp",
"sortOrder":"ascending"
}
]
}
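The two interval mistakes in this thread (a three-digit hour in post #7 and a stray period after the final Z in post #10) both produced the same opaque 400 "malformed syntax" error, and post #1 describes the polling schedule the query is meant to serve. The script below is an added example, not code from the thread or from Genesys; it validates the interval string against the format the thread converged on (millisecond precision, optional Z, nothing trailing), computes the "prior N minutes" window for a polling schedule, and builds the request body from post #11. The poll_audits function takes an injected post callable so the flow runs offline; the fake response it receives in the test is constructed and does not reflect the real API's response schema.

```python
"""Build and validate Genesys Cloud audit query bodies for a fixed polling schedule.
Added example for this thread: the interval format and body shape come from post #11;
the response shape used in the offline fake is a constructed assumption."""
import re
from datetime import datetime, timedelta, timezone

# One ISO-8601 timestamp with millisecond precision and an optional trailing Z.
_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z?"
# Anchored at both ends so a trailing "." or a 3-digit hour is rejected before the API sees it.
INTERVAL_RE = re.compile(rf"^{_TS}/{_TS}$")


def validate_interval(interval: str) -> bool:
    """True when the interval has the shape the audit API accepted in post #11 and start < end."""
    if not INTERVAL_RE.match(interval):
        return False
    start_s, end_s = interval.split("/")
    # Strip the optional Z so fromisoformat works on older Python versions too.
    start = datetime.fromisoformat(start_s.rstrip("Z"))
    end = datetime.fromisoformat(end_s.rstrip("Z"))
    return start < end


def format_ts(dt: datetime) -> str:
    """Render a UTC datetime as YYYY-MM-DDThh:mm:ss.fffZ."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def polling_window(now: datetime, minutes: int) -> str:
    """Interval covering the `minutes` before `now`, e.g. every 15 min for the prior 15 min."""
    start = now - timedelta(minutes=minutes)
    return f"{format_ts(start)}/{format_ts(now)}"


def build_audit_query(interval: str, service_name: str = "PeoplePermissions",
                      entity_type: str = "AccessToken") -> dict:
    """Body for POST /api/v2/audits/query, as in post #11; rejects malformed intervals up front."""
    if not validate_interval(interval):
        raise ValueError(f"malformed interval: {interval!r}")
    return {
        "interval": interval,
        "serviceName": service_name,
        "filters": [{"property": "EntityType", "value": entity_type}],
        "sort": [{"name": "Timestamp", "sortOrder": "ascending"}],
    }


def poll_audits(post, now: datetime, minutes: int = 15) -> dict:
    """One polling tick: query the prior `minutes` of AccessToken audit events.

    `post(path, body)` is injected (e.g. a wrapper around an authenticated HTTP client)
    so the scheduling and body construction can be exercised without network access."""
    body = build_audit_query(polling_window(now, minutes))
    return post("/api/v2/audits/query", body)


if __name__ == "__main__":
    # Offline demonstration with a constructed fake endpoint.
    def fake_post(path, body):
        return {"path": path, "interval": body["interval"], "entities": []}

    print(poll_audits(fake_post, datetime.now(timezone.utc)))
```

In production the post callable would add the bearer token and handle pagination; the point of the example is that a local shape check turns the server's generic 400 into a message naming the bad interval.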
system | 2021-04-23 14:10:11 UTC | #12
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 10262