
Auditlog API

This page explains how to extract your auditlog data. Note that the example array of auditlog entries further down shows only the first entry and a subset of scan results for readability. You can use query parameters to filter your search.





Resources

| Resource | Description | Method |
| --- | --- | --- |
| /auditlog | Returns an array of auditlog entries | GET |
| /auditlog/{id} | Returns one auditlog entry | GET |
| /computers/{computername}/auditlog | Returns an array of auditlog entries for a certain computer | GET |
| /users/{user}/auditlog | Returns an array of auditlog entries for a certain user (user account or full name) | GET |
| /auditlog/delta | Returns an array of changed auditlog entries since last call (see further down) | GET |

Note that the prefix of the URLs above depends on which data center you belong to. Please log in to see the full URL.

Headers

| Header | Description | Type |
| --- | --- | --- |
| apikey | Your apikey listed in your settings to retrieve the data | int |

Filters

Filters can be supplied either as URL parameters or headers.

| Filter | Description | Type |
| --- | --- | --- |
| startid | The starting ID you wish to receive. Can be used for incremental offload of data to your own system | int |
| take | Maximum number of resources to return. Default is 50 to preserve bandwidth, maximum is 10000. For queries with more than 10000 records, pagination is mandatory | int |
| last | Entries are retrieved in ascending order by default. Last returns the latest X number of entries in descending order. Maximum is 10000. | int |
| wantscandetails | Use this filter if you wish to receive detailed lists of scan results. The default is to give you the overall result only | bit |
| type | Only return either "Run As Admin" (type=app) or "Admin Sessions" (type=session) entries. | string |
| status | Only return entries from Requests with the given status. Value can be "Pending", "Approved", "Denied" or "Quarantined". | string |
| days | By default, entries up to 30 days are returned, unless specified otherwise. If startdate is specified, days is not used. | int |
| startdate | Only return entries after the specified start date (format: yyyy-mm-dd). | date |
| enddate | Only return entries before and including the specified end date (format: yyyy-mm-dd). | date |

  • Example filtered url to get 10 entries: /auditlog?startid=4050334&take=10&wantscandetails=1
  • Pagination works by using the last id in the list and feeding it as startid in the next query
  • To copy new data to your own system, we recommend storing the highest id (last entry in list) you have retrieved from a previous call and passing this number plus 1 as "startid"
  • Do NOT consistently use a high "take" number or flood the api. We will automatically throttle your account
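
The incremental offload described in the bullets above, as an added example that is not part of the original page. `fetch` is a hypothetical caller-supplied transport (it adds the data-center URL prefix and the apikey header), and `make_fake_fetch` is a constructed stand-in so the loop runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def pull_new_entries(fetch, last_seen_id, take=50, max_pages=20):
    """Collect every entry with id > last_seen_id; return (entries, checkpoint).

    fetch(path) is a hypothetical transport: it sends the request with the
    apikey header and returns the decoded JSON array for that path.
    """
    entries = []
    checkpoint = last_seen_id
    for _ in range(max_pages):                  # hard cap so a bug cannot flood the API
        query = urlencode({"startid": checkpoint + 1, "take": take})
        page = fetch(f"/auditlog?{query}")
        fresh = [e for e in page if e["id"] > checkpoint]   # drop any overlap
        if not fresh:
            break
        entries.extend(fresh)
        checkpoint = max(e["id"] for e in fresh)            # highest id seen so far
        if len(page) < take:                    # short page: nothing left to read
            break
    return entries, checkpoint


def make_fake_fetch(ids, calls):
    """Constructed stand-in for the API: serves ids ascending, records each path."""
    def fetch(path):
        calls.append(path)
        q = parse_qs(urlsplit(path).query)
        start, take = int(q["startid"][0]), int(q["take"][0])
        return [{"id": i} for i in sorted(ids) if i >= start][:take]
    return fetch


if __name__ == "__main__":
    calls = []
    fetch = make_fake_fetch([4050334, 4050335, 4050340, 4050341, 4050350], calls)
    new, checkpoint = pull_new_entries(fetch, last_seen_id=4050334, take=2)
    print([e["id"] for e in new], checkpoint, len(calls))
```

Persist the returned checkpoint only after the entries have been written to your own store, so a failed run is retried from the same id.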

Delta data

To avoid downloading the full auditlog just to find entries that have changed, you can ask for changed entries only (delta). A typical scenario: a user makes a request (new entry), an administrator approves it (changed entry), and the end user then uses it (changed entry again). To get changed entries, follow this procedure:
  • Call /auditlog/delta without parameters one time to get an initial "timeNow"
  • Use this time to get delta data since last call. In the case below, the next call should be /auditlog/delta?deltaTime=637795099840708375
  • Repeat the process of saving "timeNow" to feed to next call as "deltaTime" parameter. In the example below, there were no changes in the interval.
  • Note that timeNow is often the same value from call to call. This is intended, as it represents the time of the last change, not the actual time now.
{
  "entries": [],
  "timeNow": 637795099840708375
}
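
The delta procedure above as a polling step that also reports status changes, written as an added example and not taken from the original page. `fetch` is a hypothetical transport returning the decoded JSON object; apart from the first response body, the sample responses are constructed.

```python
def poll_delta(fetch, store, cursor=None):
    """Run one delta call; return (next_cursor, status_changes).

    fetch(path) is a hypothetical transport returning the decoded JSON object.
    store maps entry id -> last known entry and is updated in place.
    """
    path = "/auditlog/delta"
    if cursor is not None:
        path += f"?deltaTime={cursor}"          # feed back the saved timeNow
    body = fetch(path)
    changes = []
    for entry in body["entries"]:
        known = store.get(entry["id"])
        before = known["statusCode"] if known else None
        if before != entry["statusCode"]:
            changes.append((entry["id"], before, entry["statusCode"]))
        store[entry["id"]] = entry              # keep only the newest copy
    return body["timeNow"], changes


# Constructed responses. Only the first body appears on the page; the later
# timeNow values and entries are made up for the demonstration.
SAMPLE_RESPONSES = {
    "/auditlog/delta":
        {"entries": [], "timeNow": 637795099840708375},
    "/auditlog/delta?deltaTime=637795099840708375":
        {"entries": [{"id": 615669, "statusCode": 4}], "timeNow": 637795101000000000},
    "/auditlog/delta?deltaTime=637795101000000000":
        {"entries": [{"id": 615669, "statusCode": 2}], "timeNow": 637795102000000000},
    "/auditlog/delta?deltaTime=637795102000000000":
        {"entries": [], "timeNow": 637795102000000000},
}


def run_sample(rounds=4):
    """Poll the constructed responses; return (store, final_cursor, all_changes)."""
    store, cursor, log = {}, None, []
    for _ in range(rounds):
        cursor, changes = poll_delta(SAMPLE_RESPONSES.__getitem__, store, cursor)
        log.extend(changes)
    return store, cursor, log


if __name__ == "__main__":
    print(run_sample())
```

In the sample, entry 615669 goes from unknown to 4 (Pending Approval) and then to 2 (Finished), and the last round returns the same timeNow with no entries, which is the "no changes" case the page describes.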


Fields

| Field | Description | Type |
| --- | --- | --- |
| id | The unique ID of this entry. This ID can be used to query updated information on this entry by appending it to the url to request this resource only | int |
| traceNo | The trace number to find this entry in the portal auditlog | int |
| settingsName | The name of the matching subsettings or "Global" if no subsetting was matched | int |
| type | Type of request (possible values: Run As Admin, Admin Session, Server Session) | string |
| typeCode | 0 = Run As Admin, 1 = Admin Session, 2 = Server Session | int |
| status | Status of the request (possible values: Open, Running, Finished, Denied, Pending approval, Quarantined) | string |
| statusCode | 0 = Open, 1 = Running, 2 = Finished, 3 = Denied, 4 = Pending Approval, 5 = Quarantined, 6 = Expired | int |
| reason | Reason supplied by end user | string |
| approvedBy | Name of person that approved the request | string |
| deniedReason | Reason for denying the request supplied by an administrator | string |
| deniedBy | Name of person denying the request | string |
| requestTime | Time of a request by end user | datetime |
| requestTimeUTC | Request time in Coordinated Universal Time (UTC). Will default to requestTime if not available. | datetime |
| responseTime | Time between a request and approval by an administrator | timespan |
| startTime | Start time of running the application or starting a session | datetime |
| startTimeUTC | Start time in Coordinated Universal Time (UTC). Will default to startTime if not available. | datetime |
| endTime | Time when the application or session finished | datetime |
| endTimeUTC | End time in Coordinated Universal Time (UTC). Will default to endTime if not available. | datetime |
| ssoValidated | If the request was validated by Single Sign-On (SSO) on the endpoint | bit |
| auditlogLink | Link to this request in the auditlog on www.adminbyrequest.com | string |
| user.account | The user account the end user used to log on to the computer | string |
| user.fullName | The full name of the user | string |
| user.email | The user's email address supplied on the request form | string |
| user.phone | The user's phone number supplied on the request form | string |
| user.isAdmin | Determines if the user is an administrator | bit |
| computer.name | The name of the computer executing the request | string |
| computer.platform | Operating system platform (possible values: Windows, Mac, Server) | string |
| computer.platformCode | 0 = Windows, 1 = Mac, 2 = Server | int |
| computer.make | The vendor of the machine, as it appears in the inventory | string |
| computer.model | The model of the machine, as it appears in the inventory | string |
| application.file | The file name of the file executed using Run As Admin | string |
| application.path | The file path of the executed application | string |
| application.name | The name of the application (description property of file) | string |
| application.vendor | The vendor of the application | string |
| application.version | The version of the file | string |
| application.sha256 | The checksum of the file | string |
| application.scanResult | Malware scan result (possible values: Clean, Malicious, Suspicious) | string |
| application.scanResultCode | 0 = Clean, 1 = Malicious, 2 = Suspicious | int |
| application.threat | Name of malware, if file is malicious or suspicious | string |
| application.virustotalLink | Link to the file (checksum) on virustotal.com | string |
| application.preapproved | If the file was pre-approved to run | bit |
| installs[].application | The name of the application (description property of file) | string |
| installs[].vendor | The vendor of the application | string |
| installs[].version | The version of the application | string |
| uninstalls[].application | The name of the application (description property of file) | string |
| uninstalls[].vendor | The vendor of the application | string |
| uninstalls[].version | The version of the application | string |
| elevatedApplications[].file | The file name of the file executed | string |
| elevatedApplications[].path | The file path of the executed application | string |
| elevatedApplications[].name | The name of the application (description property of file) | string |
| elevatedApplications[].vendor | The vendor of the application | string |
| elevatedApplications[].version | The version of the file | string |
| elevatedApplications[].sha256 | The checksum of the file | string |
| elevatedApplications[].scanResult | Malware scan result (possible values: Clean, Malicious, Suspicious) | string |
| elevatedApplications[].scanResultCode | 0 = Clean, 1 = Malicious, 2 = Suspicious | int |
| elevatedApplications[].threat | Name of malware, if file is malicious or suspicious | string |
| elevatedApplications[].virustotalLink | Link to the file (checksum) on virustotal.com | string |
| scanResults[].scanResult | Malware scan result (possible values: Clean, Malicious, Suspicious) | string |
| scanResults[].scanResultCode | 0 = Clean, 1 = Malicious, 2 = Suspicious | int |
| scanResults[].engine | Name of the antivirus engine with this result | string |
| scanResults[].threat | Name of malware, if file is malicious or suspicious | string |

Example successful request

[
  {
    "id": 615669,
    "traceNo": "34376579",
    "settingsName": "Global",
    "type": "Run As Admin",
    "typeCode": 0,
    "status": "Finished",
    "statusCode": 2,
    "reason": "Need to update reader. It says out of date when trying to open PDF files from our supplier.",
    "approvedBy": "Jim Kerr",
    "deniedReason": null,
    "deniedBy": null,
    "ssoValidated": false,
    "requestTime": "2020-04-01T12:03:00",
    "requestTimeUTC": "2020-04-01T12:03:00",
    "startTime": "2020-04-01T12:03:30",
    "startTimeUTC": "2020-04-01T12:03:30",
    "endTime": "2020-04-01T12:09:11",
    "endTimeUTC": "2020-04-01T12:09:11",
    "responseTime": "00:00:05.4100000",
    "auditlogLink": "https://www.adminbyrequest.com/AuditLog?Page=AppElevations&ID=34376579&ShowFilter=false",
    "user": {
      "account": "ACME\\PDH",
      "fullName": "Paul David Hewson",
      "email": "pdh@acme.com",
      "phone": "555.345.6789",
      "isAdmin": false
    },
    "computer": {
      "name": "W1005623",
      "platform": "Windows",
      "platformCode": 0,
      "make": "Dell Inc.",
      "model": "XPS 15 9550"
    },
    "application": {
      "file": "readerdc_uk_fb_crd_install.exe",
      "path": "C:\\installers",
      "name": "Adobe Download Manager",
      "vendor": "Adobe Inc.",
      "version": "2.0.0.495s",
      "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "scanResult": "Clean",
      "scanResultCode": 0,
      "threat": null,
      "virustotalLink": "https://www.virustotal.com/latest-scan/9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "preapproved": false
    },
    "installs": [
      {
        "application": "Adobe Acrobat Reader DC",
        "version": "20.006.20042",
        "vendor": "Adobe Systems Incorporated"
      }
    ],
    "uninstalls": [
      {
        "application": "Adobe Reader XI (11.0.23)  MUI",
        "version": "11.0.23",
        "vendor": "Adobe Systems Incorporated"
      }
    ],
    "elevatedApplications": [
      {
        "name": "Adobe Download Manager",
        "path": "C:\\Users\\pdh\\Downloads",
        "file": "readerdc_uk_fb_crd_install.exe",
        "version": "2.0.0.495s",
        "vendor": "Adobe Inc.",
        "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99"
      },
      {
        "name": "Adobe Self Extractor",
        "path": "C:\\Users\\pdh\\AppData\\Local\\Adobe\\E1F06F26-140E-4556-A421-788F6C2015BD\\DA1C2141-106A-4BC6-B096-658FCF15DBFC",
        "file": "C12D10CF-96D9-4985-BE1E-00B35267FB0C",
        "version": "20.6.20042.371103",
        "vendor": "Adobe Inc.",
        "sha256": "912525F339CFC46D2CE7402366FC213084D79DEAD70D754F4A73C8BA4AA40650",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/912525F339CFC46D2CE7402366FC213084D79DEAD70D754F4A73C8BA4AA40650"
      },
      {
        "name": "Adobe Acrobat Reader DC",
        "path": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader",
        "file": "AcroRd32.exe",
        "version": "20.6.20042.371103",
        "vendor": "Adobe Inc.",
        "sha256": "DCD82008D913BFB6FA1ACBC209CB113E24042919FBB8C3E4E9431F194C5B3B47",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/DCD82008D913BFB6FA1ACBC209CB113E24042919FBB8C3E4E9431F194C5B3B47"
      }
    ],
    "scanResults": [
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "BitDefender",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "CrowdStrike",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "McAfee",
        "threat": null
      }
    ]
  }
]
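
A triage pass over one entry that collects every non-clean scan verdict from `application`, `elevatedApplications[]` and `scanResults[]`, added here as an example and not part of the original page. The function name, the alert layout and every value in `SAMPLE` are constructed; only the field names and scanResultCode meanings come from the field table.

```python
FLAGGED = {1: "Malicious", 2: "Suspicious"}     # scanResultCode values from the field table


def triage(entry):
    """Return an alert dict if any file or engine verdict is non-clean, else None."""
    app = entry.get("application")
    sources = [("application", app)] if app else []
    sources += [("elevatedApplications", a) for a in entry.get("elevatedApplications") or []]
    files = []
    for source, item in sources:
        if item.get("scanResultCode") in FLAGGED:
            files.append({"source": source, "file": item.get("file"),
                          "path": item.get("path"), "sha256": item.get("sha256"),
                          "verdict": FLAGGED[item["scanResultCode"]],
                          "threat": item.get("threat")})
    # scanResults[] holds one verdict per antivirus engine
    engines = sorted(r["engine"] for r in entry.get("scanResults") or []
                     if r.get("scanResultCode") in FLAGGED)
    if not files and not engines:
        return None
    return {"id": entry["id"], "traceNo": entry.get("traceNo"),
            "account": (entry.get("user") or {}).get("account"),
            "computer": (entry.get("computer") or {}).get("name"),
            "preapproved": bool(app and app.get("preapproved")),
            "files": files, "engines": engines}


# Constructed entry: field names follow the page, every value is made up.
SAMPLE = {
    "id": 1, "traceNo": "1000", "statusCode": 2,
    "user": {"account": "EXAMPLE\\user1"},
    "computer": {"name": "HOST-EXAMPLE"},
    "application": {"file": "setup.exe", "path": "C:\\Temp", "sha256": "A" * 64,
                    "scanResultCode": 0, "threat": None, "preapproved": False},
    "elevatedApplications": [
        {"file": "setup.exe", "path": "C:\\Temp", "sha256": "A" * 64,
         "scanResultCode": 0, "threat": None},
        {"file": "helper.exe", "path": "C:\\Temp\\x", "sha256": "B" * 64,
         "scanResultCode": 2, "threat": "Constructed.Sample.Threat"},
    ],
    "scanResults": [
        {"engine": "EngineA", "scanResultCode": 0, "threat": None},
        {"engine": "EngineB", "scanResultCode": 2, "threat": "Constructed.Sample.Threat"},
    ],
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The top-level `application` is clean in the sample while a child process in `elevatedApplications[]` is not, which is why the check walks all three places instead of reading `application.scanResultCode` alone.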