How to use SAFE’s Audit APIs
By default, SAFE provides a downloadable audit log within the application. For details, see Advanced Settings.
Overview
SAFE provides the capability to access security information, which can be integrated into a customer's chosen Security Information and Event Management (SIEM) platform. This integration is facilitated through a generic interface that makes relevant information available to the target SIEM. Additionally, SAFE supports the integration process to ensure seamless connection with the customer's platform. The logs provided will include the following details:
Timestamp
Source IP and Port
Username
Action/Activity — This may include activities such as:
Application login/logout
Modifications to integrations (initial setup, updates, testing, and starting/stopping synchronizations)
Changes to groups (creation, updates, and deletions)
Alterations in risk scenarios (creation, updates, and deletions)
Updates to any questionnaires
These logs are provided in a JSON format for easy integration and readability.
For customers who have purchased the "Bring Your Own Account (BYOA)" option, AWS CloudWatch logs will also be made accessible for integration into their chosen SIEM system.
If the customer requires custom modifications to the generic interface for better compatibility with their SIEM, such work will be defined and agreed upon through a specific Statement of Work (SOW).
This solution caters to customers seeking enhanced visibility into user actions, including login and logout activities on the SAFE platform, within their SIEM.
Architecture
SAFE Application Overview
The diagram in Figure 1 illustrates the architecture of the SAFE Application, which efficiently forwards application audit logs to a CloudWatch Log Group. SIEM tools, equipped with appropriate Add-ons and Plugins, can directly retrieve these logs from the CloudWatch Log Group, facilitating streamlined integration and monitoring.
SAFE Application Workflow
In Figure 2, we detail the SAFE Application's workflow for transmitting application audit logs to a CloudWatch Log Group. Simultaneously, AWS CloudTrail forwards infrastructure-level audit logs to an S3 bucket. SIEM tools can seamlessly access these logs from both CloudWatch Log Group and the S3 bucket using enhanced Add-ons and Plugins. This functionality is specifically available to Bring Your Own Account (BYOA) customers who manage their own AWS accounts for CloudTrail log ingestion.
Prerequisites
SIEM Compatibility: Ensure that the customer's SIEM tool is compatible with AWS services and can ingest logs from CloudWatch and S3, either through native integrations or using available plugins and add-ons.
IAM Role Configuration: SAFE must set up an IAM role within the AWS account with permissions to read logs from CloudWatch and S3. This role should be assumable by the SIEM tool to securely access the logs.
Network Connectivity: Verify that the customer's network infrastructure allows outbound connections to AWS services. This includes configuring firewalls and security groups to permit traffic to necessary AWS endpoints.
Notes:
For customers who prefer not to have live integration with dynamic updates, scripting can be built to periodically query our APIs:
POST /api/v3/audit-logs/export: This API takes the number of days as a payload and returns a UUID, which must be used with the subsequent API call.
GET /api/v3/audit-logs/export/: Called with that UUID, this API returns the exported data; customers can run it daily and write the output to S3 or a similar location for post-processing.
GET /api/v3/users:
To fetch the list of users onboarded to the SAFE One Application
This API returns the list of SAFE users currently onboarded to your SAFE application. The response includes each user's First Name, Last Name, Email Address, Last Login Time, and Role.
This API must be called alongside the audit log APIs, because:
Audit logs represent users by their UUID (User ID column).
The users API provides the UUID-to-user mapping needed to resolve that column.
Note: This API is now available in Swagger as well.
Parameters
Example Request:
Responses
User details are presented as an array of individual user objects. Example response (media type application/json):
{
  "size": 1,
  "page": 1,
  "pagelen": 10,
  "previous": null,
  "next": "https://example-domain.safeone.ai/api/v3/users?page=2&pagelen=100",
  "values": [
    {
      "peopleId": 1,
      "emailId": "john.doe@domain.com",
      "firstName": "John",
      "lastName": "Doe",
      "uuid": "12345678-1234-1234-1234-123456789012",
      "updatedAt": "2022-01-13T05:03:50.428Z",
      "lastLoginTime": "2022-01-13T05:03:50.428Z",
      "role": "Admin",
      "authenticationType": "Native"
    }
  ]
}
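Putting the users API and the audit log User ID column together, as an added example that is not SAFE's own code: the script pages through /api/v3/users by following the response's next link until it is null, builds the uuid-to-user map, and uses it to resolve the User ID column of exported audit entries, flagging UUIDs that no longer map to an onboarded user. The HTTP call is a stand-in for an authenticated GET, and the audit-record field names (timestamp, sourceIp, userId, action) are assumptions, not SAFE's schema.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: two pages shaped like the GET /api/v3/users response shown above.
# Audit-log field names (timestamp, sourceIp, userId, action) are assumptions, not SAFE's schema.
BASE = "https://example-domain.safeone.ai"
USERS_PAGES = {
    1: {"page": 1, "pagelen": 1, "previous": None, "next": f"{BASE}/api/v3/users?page=2&pagelen=1",
        "values": [{"peopleId": 1, "emailId": "john.doe@domain.com", "firstName": "John", "lastName": "Doe",
                    "uuid": "12345678-1234-1234-1234-123456789012", "role": "Admin"}]},
    2: {"page": 2, "pagelen": 1, "previous": f"{BASE}/api/v3/users?page=1&pagelen=1", "next": None,
        "values": [{"peopleId": 2, "emailId": "jane.roe@domain.com", "firstName": "Jane", "lastName": "Roe",
                    "uuid": "87654321-4321-4321-4321-210987654321", "role": "Viewer"}]},
}
AUDIT_RECORDS = [  # constructed audit-log entries; the second references a UUID absent from /users
    {"timestamp": "2022-01-13T05:03:50.428Z", "sourceIp": "203.0.113.7",
     "userId": "12345678-1234-1234-1234-123456789012", "action": "login"},
    {"timestamp": "2022-01-13T05:10:00.000Z", "sourceIp": "203.0.113.8",
     "userId": "00000000-0000-0000-0000-000000000000", "action": "group.delete"},
]

def fake_get(url):
    """Stand-in for an authenticated HTTP GET (e.g. requests.get with your API token)."""
    page = int(parse_qs(urlparse(url).query).get("page", ["1"])[0])
    return USERS_PAGES[page]

def fetch_user_map(get, base_url, pagelen=100, max_pages=1000):
    """Follow the 'next' links of /api/v3/users until null and return {uuid: user}.
    The seen-set and max_pages bound the loop so a bad 'next' chain cannot spin forever."""
    users, seen = {}, set()
    url = f"{base_url}/api/v3/users?page=1&pagelen={pagelen}"
    while url and len(seen) < max_pages:
        if url in seen:
            raise RuntimeError(f"pagination loop detected at {url}")
        seen.add(url)
        body = get(url)
        for user in body["values"]:
            users[user["uuid"]] = user
        url = body.get("next")
    return users

def enrich_audit_records(records, users):
    """Resolve each record's User ID column to 'First Last <email> (Role)'. Unresolved UUIDs are
    kept and flagged rather than dropped: they usually mean a deleted or deprovisioned account."""
    out = []
    for rec in records:
        u = users.get(rec["userId"])
        who = f'{u["firstName"]} {u["lastName"]} <{u["emailId"]}> ({u["role"]})' if u else "UNRESOLVED"
        out.append({**rec, "user": who})
    return out
```

Replace fake_get with a real authenticated GET and feed the JSON produced by the audit log export in place of AUDIT_RECORDS; records flagged UNRESOLVED are worth a closer look in the SIEM, since they name an account that is no longer onboarded.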
POST /api/v3/reports:
This API lets SAFE users trigger reports; the same API is used to trigger an audit log export. It returns a UUID that must be passed to the next API.
Parameters
Example Request:
The following example shows how SAFE users can call this POST API via cURL to request the audit logs for the past 1 day:
Responses
GET /api/v3/reports/<uuid>:
This API allows SAFE users to retrieve the audit logs using the UUID generated by the previous API, i.e. POST /api/v3/reports.
Parameters
Example Request:
The following example shows how SAFE users can call this GET API via cURL to get the audit logs for the past 1 day by providing the UUID:
Note: Replace the UUID (highlighted in bold above) with the UUID generated by the previous API.
Responses