Add documentation for the Audit Log GraphQL API

Signed-off-by: Ben Rockwood <[email protected]>
mondoohq · Mar 22, 2024 · 798ba88 · 798ba88
1 parent d2e9164
commit 798ba88
Showing 1 changed file with 117 additions and 0 deletions.
diff --git a/docs/platform/maintain/log.mdx b/docs/platform/maintain/log.mdx
@@ -35,6 +35,123 @@ Mondoo tracks administrative events, such as organization and access management
 
 3. Select **Audit Log**.
 
+## Using the Audit Log API
+
+Organization audit logs are available via our GraphQL API.  To access the API, you must have created an [API key](/platform/maintain/access/api-keys).
+
+The GraphQL query to get the audit log for an organization is:
+
+```
+{
+  "variables": {
+    "first": 25,
+    "resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
+  },
+  "query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
+               auditlog(
+                  first: $first
+                  after: $after
+                  orderBy: $orderBy
+                  resourceMrn: $resourceMrn
+               ) {
+                  totalCount
+                  edges {
+                     cursor
+                     node {
+                     identity {
+                        name
+                        mrn
+                     }
+                     resource
+                     action
+                     timestamp
+                     msg
+                     }
+                  }
+                  pageInfo {
+                     startCursor
+                     endCursor
+                     hasNextPage
+                  }
+            }
+         }"
+}
+```
+
+To test this using cURL, store the query in file named "query.json" and execute like so, being sure to have sepcified your organization ID in the query:
+
+```
+$ cat query.json
+{
+  "variables": {
+    "first": 25,
+    "resourceMrn": "//captain.api.mondoo.app/organizations/<REPLACE_WITH_ORGANIZATION_ID>"
+  },
+  "query": "query AuditLogForwardPagination($first: Int, $after: String, $orderBy: AuditLogOrder = {direction: DESC, field: TIMESTAMP}, $resourceMrn: String!) {
+  auditlog(
+    first: $first
+    after: $after
+    orderBy: $orderBy
+    resourceMrn: $resourceMrn
+  ) {
+    totalCount
+    edges {
+      cursor
+      node {
+        identity {
+          name
+          mrn
+        }
+        resource
+        action
+        timestamp
+        msg
+      }
+    }
+    pageInfo {
+      startCursor
+      endCursor
+      hasNextPage
+    }
+  }
+}"
+}
+
+$ curl -g -X POST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d @query.json   https://api.edge.mondoo.com/query | jq
+{
+  "data": {
+    "auditlog": {
+      "totalCount": 36,
+      "edges": [
+        {
+          "cursor": "172213",
+          "node": {
+            "identity": {
+              "name": "Jane Doe",
+              "mrn": "//captain.api.mondoo.app/users/26OR1GOGsqmfjXOOO8joxgJDdtM"
+            },
+            "resource": "//agents.api.mondoo.app/organizations/mondoo-organization-1/serviceaccounts/2e3NzLkD73yQe7MTJZLw3",
+            "action": "mondoo.agents.AgentManager.CreateServiceAccount",
+            "timestamp": "2024-03-22T17:46:03Z",
+            "msg": "created service account"
+          }
+        },
+        {
+          "cursor": "143156",
+          "node": {
+            "identity": {
+              "name": "John Smith",
+              "mrn": "//captain.api.mondoo.app/users/1zYNjiRERS59LsS8iCloxPxbxLo"
+            },
+            "resource": "//captain.api.mondoo.app/users/2AdPauBAGEqnOjIFXx6AIyWrhxh",
+            "action": "mondoo.captain.Captain.SetOrganizationMembership",
+            "timestamp": "2024-01-30T00:01:04Z",
+            "msg": "owner added"
+          }
+        },
+...
+```
+
 ## Get help
 
 Can't find what you need? Join our <a href="https://mondoo.link/slack">community Slack channel</a> to chat with us and other Mondoo users.