Exporting logs using API

The Forcepoint Data Security Cloud | SSE Log Export REST API allows customers to query and pull Cloud and Access logs.

For authorizing users, refer to Configuring API authentication.

Note: Customers with Splunk or QRadar can instead use the Bitglass Splunk App or the Bitglass QRadar App to make pulling logs easier. You can learn how to set up each app on its respective page (Integrating Splunk application with Forcepoint Data Security Cloud | SSE or Integrating QRadar application with Forcepoint Data Security Cloud | SSE). Once configured, you will be able to view any of your Forcepoint Data Security Cloud | SSE logs (API, Proxy, Health, Admin, etc.) within your app instance.

API Calls

All calls require the following:

  • Method = HTTP POST
  • URI Params define the type of operation and action to perform
    Type:
    • type = access
    • type = cloudsummary
    • type = cloudaudit
    • type = admin
    • type = swgweb
    • type = swgwebdlp
    • type = healthproxy
    • type = healthapi
    • type = healthsystem
    • type = ztna
  • HTTP body as JSON

URL: https://portal.bitglass.com/api/bitglassapi/logs/v1/

Query Parameters

| Parameter Name | Value | Description | Notes | Cloud | Access | Web Proxy | Web DLP | Health |
|---|---|---|---|---|---|---|---|---|
| startdate | datetime | Specifies the start datetime for which the logs need to be returned. The first request must always include this parameter. | UTC | X | X | X | X | X |
| responseformat | | Specifies the format in which the user expects the response. Acceptable values are "json" and "csv". | Default: csv | X | X | X | X | X |
| type | string | Specifies the type of logs to be fetched. Acceptable values are "cloudsummary", "cloudaudit", "access", "admin", "swgweb", "swgwebdlp", "healthproxy", "healthapi", "healthsystem". | | X | X | X | X | X |
| nextpagetoken | string | Opaque token used for pagination. Must be part of every request after the first one. | | X | X | X | X | X |
| cv (collector version) | string | Required; specifies the version of the log collector. | | X | X | X | X | X |

Response

{
    "status": "...",
    "nextpagetoken": "...",   
    "response": {
        "dataformat": "...",
        "dataencoding": "...",
        "data": [...]
    }
}

Response Keys

| Key | Description |
|---|---|
| status | Success, Unauthorized |
| nextpagetoken | Pagination token |
| response | Container for the response |
| dataformat | csv or json |
| dataencoding | utf-8 |
| data | Described in the Data Keys table below |

Response Codes

| Response Code | Message | Notes | Cloud | Access |
|---|---|---|---|---|
| 503 | Temporarily unavailable | | X | X |
| 429 | You have exceeded your allowance of 300 requests per day for <log type> logs. Limit will reset at <Current Date +1> 00:00:00+00:00 | Too many requests. You will need to wait for the limit to reset before proceeding. Information about the rate limit is returned in the X-RateLimit-* headers (listed below). | X | X |
| 403 | Unauthorized | User is not a sysadmin or API livesetting is not enabled for the company | X | X |
| 401 | Invalid credentials | User does not exist or invalid password | X | X |
| 401 | Authorization required | Authorization header missing | X | X |
| 401 | Basic auth required | Authorization is not Basic | X | X |
| 400 | Invalid responseformat: <response format>. Supported values: csv, json | Invalid response format | X | X |
| 400 | Start date and nextpagetoken is missing | Both startdate and nextpagetoken missing | X | X |
| 400 | Provide either the start date or nextpagetoken | Both startdate and nextpagetoken provided | X | X |
| 400 | Invalid type: <type>. Supported types are: cloudsummary, cloudaudit, and access | Invalid value for type | X | X |
| 400 | Invalid start date format <user startdate> Expected format: %Y-%m-%dT%H:%M:%SZ | Invalid start date format | X | X |
| 400 | Invalid next page token | Invalid next page token | X | X |
| 200 | Request was successful | | X | X |

Rate-limit information is carried in the X-RateLimit-* response headers:

  • X-RateLimit-Limit: maximum number of requests allowed
  • X-RateLimit-Remaining: number of requests left
  • X-RateLimit-Reset: time at which your limit will reset
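The calls described on this page, driven end to end, as an added example (this is not Forcepoint's or Bitglass's code): a small Python client that builds the URI parameters with client-side checks mirroring the documented 400 responses, sends Basic-authenticated POSTs to the logs endpoint, follows nextpagetoken from page to page, and stops cleanly on a 429 while keeping the token to resume from. Three things are assumed because the page does not state them: a page with an empty "data" list marks the end of the available data, X-RateLimit-Reset carries an ISO-8601 timestamp in the same form as the 429 message, and an empty JSON object is an acceptable request body. The `transport` parameter exists so the paging logic can be exercised against a fake server; the `cv` value is a placeholder.

```python
"""Client for the SSE Log Export REST API. Added example, not Forcepoint's or Bitglass's code.
Assumed (the page does not say): an empty "data" list marks the end of available data,
X-RateLimit-Reset is an ISO-8601 timestamp, and an empty JSON object is an acceptable body.
"""
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

BASE_URL = "https://portal.bitglass.com/api/bitglassapi/logs/v1/"
LOG_TYPES = {"access", "cloudsummary", "cloudaudit", "admin", "swgweb", "swgwebdlp",
             "healthproxy", "healthapi", "healthsystem", "ztna"}
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # format named in the 400 "Invalid start date format" message


def build_query(log_type, cv, startdate=None, nextpagetoken=None, responseformat="json"):
    """URI parameters for one call, with client-side checks mirroring the documented 400 responses."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"invalid type: {log_type}")
    if responseformat not in ("csv", "json"):
        raise ValueError(f"invalid responseformat: {responseformat}")
    if (startdate is None) == (nextpagetoken is None):
        raise ValueError("provide either startdate or nextpagetoken, not both")
    params = {"type": log_type, "cv": cv, "responseformat": responseformat}
    if startdate is not None:
        datetime.strptime(startdate, DATE_FMT)  # raises ValueError on a malformed date
        params["startdate"] = startdate
    else:
        params["nextpagetoken"] = nextpagetoken
    return params


def basic_auth_header(username, password):
    """Authorization header value; the API answers 401 'Basic auth required' for anything else."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_rate_limit(headers):
    """Read the X-RateLimit-* headers case-insensitively; Reset is kept as raw text if not ISO-8601."""
    h = {k.lower(): v for k, v in headers.items()}
    info = {"limit": None, "remaining": None, "reset": None}
    if "x-ratelimit-limit" in h:
        info["limit"] = int(h["x-ratelimit-limit"])
    if "x-ratelimit-remaining" in h:
        info["remaining"] = int(h["x-ratelimit-remaining"])
    if "x-ratelimit-reset" in h:
        raw = h["x-ratelimit-reset"]
        try:
            info["reset"] = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            info["reset"] = raw
    return info


def urllib_transport(url, headers):
    """Default transport: HTTP POST with an empty JSON body; returns (status, headers, body_text)."""
    req = urllib.request.Request(url, data=b"{}", headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8")


@dataclass
class PullResult:
    records: list = field(default_factory=list)
    resume_token: Optional[str] = None  # nextpagetoken to pass on the next run
    rate_limit: Optional[dict] = None   # set when a 429 ended the pull early


def pull_logs(log_type, cv, auth_header, startdate=None, nextpagetoken=None,
              transport=urllib_transport, max_pages=300):
    """Page through one log type: startdate on the first call, the opaque token on every later one."""
    result = PullResult()
    token = nextpagetoken
    for _ in range(max_pages):
        params = build_query(log_type, cv, startdate=None if token else startdate,
                             nextpagetoken=token)
        url = BASE_URL + "?" + urllib.parse.urlencode(params)
        status, resp_headers, body = transport(
            url, {"Authorization": auth_header, "Content-Type": "application/json"})
        if status == 429:  # daily quota exhausted: stop, keep the token, report the reset time
            result.rate_limit = parse_rate_limit(resp_headers)
            break
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body.strip()}")
        payload = json.loads(body)
        data = payload["response"]["data"]
        result.records.extend(data)
        token = payload.get("nextpagetoken") or token
        if not data:  # assumed end-of-data signal
            break
    result.resume_token = token
    return result
```

A scheduled collector would call `pull_logs("access", "<collector version>", basic_auth_header(user, password), startdate="2024-01-01T00:00:00Z")` on its first run, persist `resume_token`, and pass it as `nextpagetoken` on every later run; because the quota in the 429 message is 300 requests per day per log type, resuming from the token rather than re-reading from a startdate is what keeps a collector inside that budget, and `rate_limit["reset"]` tells the scheduler when to try again.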