Exporting logs using API

Forcepoint ONE SSE Log Export REST API allows customers to query and pull Cloud and Access Logs.

  • Cloud (API): Logs generated by cloud apps as seen on the Analyze > Logs > API dashboard page.
    • Cloud Summary: Displays the current status of the files in the applications.
    • Cloud Audit: Displays every scan result for each file in your corporate account.
  • Access (Proxy): Logs generated by application activity as seen on the Analyze > Logs > Proxy dashboard page.
  • Admin: All admin events within the admin portal as seen on the Analyze > Logs > Admin dashboard page.
  • SWG Web: Logs generated from general web traffic from users using the SmartEdge agent, pulls logs from the Analyze > Logs > Web dashboard page.
  • SWG DLP: Logs generated from DLP specific policy actions under the Web Browsing Policy actions as seen on the Analyze > Logs > Web DLP dashboard page.
  • Health: The Health dashboard allows admins to identify if issues that users encounter are brought on by Forcepoint ONE SSE or the backend server (for example, Google, Exchange, Salesforce, etc). You can access the System and Proxy Health Logs by navigating to Analyze > Logs > Health.
  • ZTNA: The ZTNA Logs page is where all the ZTNA events by the end-users are displayed. You can access the ZTNA logs page by navigating to Analyze > Logs > ZTNA.

For authorizing users, refer to Configuring API authentication.

Note: Customers with Splunk or QRadar can instead utilize the Bitglass Splunk App or the Bitglass QRadar App instead to make pulling logs easier. You can learn how to setup each app by going to their respective pages (Integrating Splunk application with Forcepoint ONE SSE or Integrating QRadar application with Forcepoint ONE SSE). Once configured, you will be able to view any of your Forcepoint ONE SSE logs (API, Proxy, Health, Admin, etc) within your app instance.

API Calls

All calls require the following:

  • Method = HTTP POST
  • URI Params define the type of operation and action to perform
    Type:
    • type = access
    • type = cloudsummary
    • type = cloudaudit
    • type = admin
    • type = swgweb
    • type = swgwebdlp
    • type = healthproxy
    • type = healthapi
    • type = healthsystem
  • HTTP body as JSON

    URL: https://portal.bitglass.com/api/bitglassapi/logs/v1/

Query Parameters

Parameter Name Value Description Notes Cloud Access Web Proxy Web DLP Health
startdate datetime Specifies the start datetime for which the logs need to be returned. The first request must always include this parameter UTC X X X X X
responseformat Specifies the format in which the user expects the response Acceptable values are: "json" "csv" Default - csv X X X X X
type string Specifies the type of logs to be fetched.Acceptable values are: "cloudsummary", "cloudaudit", " access", "admin", "swgweb", "swgwebdlp", "healthproxy", "healthapi", "healthsystem" X X X X X
nextpagetoken string Should be a part of subsequent requests after the first one. Opaque token used for pagination. X X X X X
cv (collector version) string Is required to specify the version of the log collector. X X X X X

Response

{
    "status": "...",
    "nextpagetoken": "...",   
    "response": {
        "dataformat": "...",
        "dataencoding": "...",
        "data": [...]
    }
}

Response Keys

Key Description
status Success, Unauthorized
nextpagetoken Pagination token
response container for response
dataformat csv or json
dataencoding utf-8
data Described in Data Keys table below

Data Keys

Key Description Notes Cloud (API) Access (Proxy) Admin Web Proxy Web DLP Health API Version
syslogheader Syslog header X X X 1.0.1
filename Name of the file scanned via the application api X X X 1.0.1
time Log creation time - UTC YYYY-MM-DDThh:mm:ssZ X X X X X X 1.0.1
size Size of the file X 1.0.1
owner Owner of the file Owner's email address X X 1.0.1
application The application to which the file belongs X X X X X X 1.0.1
status

Current status of the file. Can have below values

"Private", "Public", "Internal", "External", "DLP", "Renamed", "Moved"

X 1.0.1
action

The action enforced by Forcepoint ONE SSE according to the set policy. Can have values

"Allowed", "Quarantined", "Alert", "NotifyAdmin", "NotifyOwner"

X X X X X 1.0.1
folder The location of the file X 1.0.1
fileid The unique id for identifying a file. Can be used to dedup logs. X X 1.0.1
patterns DLP patterns matched with the file along with the keywords matched for each file. for example, Sensitive Keywords (confidential) X 1.0.1
filelink Link to view the file. X 1.0.1
sharedwith Users with whom the current file is shared X 1.0.1
user Name of the Forcepoint ONE SSE user initiating the transaction X X X 1.0.1
email Email of the Forcepoint ONE SSE user initiating the transaction X X X X X 1.0.1
device OS and Version parsed from user agent by cloud dataplane need version 1.1.0 for web dlp logs X X X X 1.0.1
ipaddress Device IP Address of the user internal to the customers network X X X X X 1.0.1
location Location of the user X X X 1.0.1
activity

Specifies the activity that the user performs.

Can have values: Access, Accounts, Attachment, Downloaded, Email, Edit, Files, Report, Uploaded, Users etc.

X X X 1.0.1
useragent User agent string X X X X X 1.0.1
request X X 1.0.1
transactionid Unique identifier for every transaction. Can be used to dedup logs. need version 1.1.0 for web dlp logs X X X X 1.0.1
emailfrom Email address of the user sending the email X X 1.0.1
emailto Email addresses of the recipients X X 1.0.1
emailsubject Email subject X X 1.0.1
emailcc Email address of the recipients in CC X X 1.0.1
emailbcc Email addresses of the recipients in Bcc X X 1.0.1
emailsenttime The time the email was sent X X 1.0.1
filename The name of the file X 1.0.1
dlppattern The DLP patterns that matched the content in the file, email subject or body along with the keywords that matched X X X 1.0.1
pagetitle X X 1.0.1
url X X X 1.0.1
orgid The Salesforce Org ID X 1.0.2
instancename The App Instance Name the event occurred in. X 1.0.2
activity Displays the current activity under the cloud audit logs. X 1.0.3
usergroup List of groups the user belongs to X X X X 1.0.4
deviceguid User's device GUID (if applicable) X X X X 1.0.4
attachments Lists attachments contained in the event X 1.0.5
dlpmatchlocations Displays the location of a DLP triggered match X 1.0.5
organization Displays the organization the file belongs to in Cisco Spark X 1.0.6
copies Displays the info of the copied file generated from a "create copy" action (filename, owner, path, status, link) Use Cloud Audit X 1.0.7
originalfolder Displays info about the origin folder of a file that was moved due to a quarantine action Use Cloud Summary X 1.0.8
originalpatterns Displays the pattern matched that triggered a quarantine action. Use Cloud Summary X 1.0.8
policyid Displays the policyid of the policy line that was triggered. Use Cloud Audit X X X X 1.0.9
arguments Resuest Args X X 1.1.0
bgcategories Domain Categories from Forcepoint ONE SSE Shadow IT Discovery Database X X 1.1.0
bgcloudscore Domain based cloud score from Forcepoint ONE SSE X X 1.1.0
customcategories Custom categories defined by customer X X 1.1.0
countrycode Country code based on gateway_ip X X 1.1.0
country Country based on gateway_ip X X 1.1.0
customlocation Custom location name X X X X 1.1.0
city City based on gateway_ip X X X 1.1.0
requestdomain Request domain X X 1.1.0
devicehostname 1.1.0
gatewayip The public IP of the gateway which Forcepoint ONE SSE sees X X 1.1.0
lat latitude based on gateway_ip X X 1.1.0
long Longitude based on gateway_ip X X 1.1.0
requestport Request Port X X 1.1.0
protocol Application layer protocol, e.g: http, ftp, etc X X 1.1.0
referrer Referrer header of request X X 1.1.0
size Same as downloaded_bytes X X 1.1.0
region Region based on gateway_ip X X 1.1.0
regioncode Region code based on gateway_ip X X 1.1.0
requestmethod HTTP request method Post/Get etc. X X 1.1.0
uploadedbytes Same as uploaded bytes X X 1.1.0
firstname First name of the user X X 1.1.0
lastname Last name of the user X X 1.1.0
url request URI (URL = domain+URI+args) X X 1.1.0
webcategoryclass Web Category class X X 1.1.0
webreputation Web Reputation X X 1.1.0
dlpaction DLP action X 1.1.0
doctype Type of the document X 1.1.0
docextension File extension of the document X 1.1.0
docsha1 Document SHA1 hash X 1.1.0
docsha256 Document SHA256 hash X 1.1.0
docmd5 Document MD5 hash X 1.1.0
keyword DLP keywords (comma separated string) X 1.1.0
threatindicator Malware threat indicators X 1.1.0
dlpip IP from the DLP engine logs X 1.1.0
application Application accessed over SmartEdge agent X X 1.1.1
requestport Port user was going over X X 1.1.1
url URL being accessed X X 1.1.1
policyid SWG Policy ID hit X X 1.1.1
filename Name of file that was being uploaded/downloaded X 1.1.1
activity The activity the user was performing X 1.1.1
classifylabels Classify label of the file scanned via the application API Use Cloud Summary X 1.1.2
responsecode HTTPs response code generated by the application or Forcepoint ONE SSE X 1.1.4
httpmethod The HTTP method being used X 1.1.4
enterprisename The Slack enterprise name pulled from API logs X 1.1.5
creationtime Time at which the file was created. X 1.1.6
modificationtime Last modified time of the file. X 1.1.6
actor The person who performed the given activity Use Cloud Audit X           1.1.7
actoripaddress IP address of the actor Use Cloud Audit X           1.1.7

To see what specific user Activity's and Action's Forcepoint ONE SSE tracks, view the respective event logs under Analyze > Logs.

Response Codes

Response Code Message Notes Cloud Access
503 Temporarily unavailable X X
429 You have exceeded your allowance of 300 requests per day for <log type> logs. Limit will reset at <Current Date +1> 00:00:00+00:00

Too many requests. You will need to wait for the limit to reset before proceeding.

Information regarding the rate limit can be seen in the X-RateLimit-* headers.

X-RateLimit-Limit: max amount of requests allowed

X-RateLimit-Remaining: How many requests left

X-RateLimit-Reset: Time your limit will reset.

X X
403 Unauthorized User is not a sysadmin or API livesetting is not enabled for the company X X
401 Invalid credentials User does not exist or invalid password X X
401 Authorization required Authorization header missing X X
401 Basic auth required Authorization is not basic X X
400 Invalid responseformat: <response format>. Supported values: csv, json Invalid response format X X
400 Start date and nextpagetoken is missing startdate and nextpagetoken missing X X
400 Provide either the start date or nextpagetoken Both startdate and nextpagetoken provided X X
400 Invalid type: <type>. Supported types are: cloudsummary, cloudaudit, and access Invalid value for type X X
400 Invalid start date format <user startdate> Expected format: %Y-%m-%dT%H:%M:%SZ Invalid start date format X X
400 Invalid next page token Invalid next page token X X
200 Request was successful X X