/portalAPI/SystemAudit/*

Last update: 01.08.2025

This article covers all portalAPI calls related to the /portalapi/SystemAudit/* endpoints.

 

Be sure to input the instance your organization exists on for each call. This is indicated by the "INSTANCE" text in each endpoint. The KB article linked here explains how to find your instance:

Locating Your Organization's Instance | ThreatLocker Help Center

 

SystemAuditGetByParameters

https://portalapi.INSTANCE.threatlocker.com/portalapi/SystemAudit/SystemAuditGetByParameters

  • Method: POST
  • Description: This API is used to get all the System Audit logs on the System Audit page in the ThreatLocker Portal. In addition, this API can include any child and grandchild organizations of the currently logged in/managed organization. If looking to view the System Audit logs only for a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below. Various fields are described below that can be changed to search and sort like you can on the System Audit page itself in the Portal. 
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • Fields
      • startDate: This field specifies when the search in the System Audit will start. It expects a time entered in UTC in the format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects start date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
      • endDate: This field specifies when the search in the System Audit will stop. It expects a time entered in UTC in the format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM are the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects end date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
      • pageNumber and pageSize: These fields determine how many System Audit logs will be returned, as if the response was on the System Audit page. However, they do not follow the same conventions as the pageNumber and pageSize values in the Portal (pageSize in the Portal is 25, 100, 200, 500). Any valid integer can be entered and the results will be returned in the selected formatting. For instance, if there are 5 logs to be returned but "pageNumber": 1 and "pageSize": 2, 2 entries will be returned per page and the first two logs will be shown.
        • Expects: An Integer value
    • Required body:

{
  "startDate": "YYYY-MM-DDTHH:MM:SSZ",
  "endDate": "YYYY-MM-DDTHH:MM:SSZ",
  "pageSize": <Integer>,
  "pageNumber": <Integer>
}

  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields
      • username: This field will narrow the search through the System Audit logs to specific usernames. The usernames that will be searched are the administrator accounts listed in the ThreatLocker Portal. When you enter your username, do not include any wildcards (*) in what you enter. Wildcards will be accounted for automatically depending on your input.
        • Expects: Text of either the entire username or part of the username
      • action: This field will narrow the search to just certain action types completed within the System Audit. This field expects the text from one of the below options to be entered exactly as they appear.
        • Create
        • Delete
        • Logon
        • Modify
        • Read
      • ipAddress: This field will narrow the search to just the IP address you enter. The IP address is searched based on the IP of the administrator that completed said action at that time. When you enter your IP address, do not include any wildcards (*) in what you enter. Wildcards will be accounted for automatically depending on your input.
        • Expects: Text of either the entire IP address or part of the IP address
      • effectiveAction: This field will narrow the search based on the effective action taken on the logged action in the System Audit. This field expects the text from one of the below options to be entered exactly as they appear.
        • Denied
        • Permitted
      • details: This field will narrow the search based on the text in the System Audit log. Only partial audit logs can be searched using this field. For instance, if the log in the System Audit reads "Audit - View Page - Viewed page", the text "Audit", "View Page", and "Viewed page" could be searched separately, but the entire log of "Audit - View Page - Viewed page" could not be searched at once. When you enter the details of the message you want to search for, do not include any wildcards (*) in what you enter. Wildcards will be accounted for automatically depending on your input.
        • Expects: Text of part of the System Audit log
      • viewChildOrganizations: This field will determine whether the logs from all child organizations will be returned or not. When set to true, all logs from all child organizations, including grandchild organizations, will be returned based on the other fields utilized. 
        • Expects: true or false
      • objectId: This field will only display System Audit logs related to the specific Id provided. This can be any Id associated with a ThreatLocker asset, including but not limited to, organizationId, applicationId, policyId, and computerId. The Id provided should be in the below format.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Optional body:
{
  "username": "<String>",
  "action": "<String>",
  "ipAddress": "<String>",
  "effectiveAction": "<String>",
  "details": "<String>",
  "startDate": "YYYY-MM-DDTHH:MM:SSZ",
  "endDate": "YYYY-MM-DDTHH:MM:SSZ",
  "pageSize": <Integer>,
  "pageNumber": <Integer>,
  "viewChildOrganizations": <Boolean>,
  "objectId": "00000000-0000-0000-0000-000000000000"
}
  • Permissions Needed for User
    • View System Audit
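
Added example (not ThreatLocker's code): a Python helper that builds a SystemAuditGetByParameters request while enforcing the field rules above, then pages through the results. The "Authorization" header name, the list-shaped response and the caller-supplied post() transport are assumptions, since the page does not specify them.

```python
import re
from datetime import datetime

ACTIONS = {"Create", "Delete", "Logon", "Modify", "Read"}
EFFECTIVE_ACTIONS = {"Denied", "Permitted"}
OPTIONAL = {"username", "action", "ipAddress", "effectiveAction", "details",
            "viewChildOrganizations", "objectId"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
ENDPOINT = "https://portalapi.%s.threatlocker.com/portalapi/SystemAudit/SystemAuditGetByParameters"


def build_request(instance, api_key, start, end, page_size, page_number,
                  managed_org_id=None, **filters):
    """Return (url, headers, body); raise ValueError on input the article rules out."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", instance):
        raise ValueError("instance must be a bare host label")  # key stays on-domain
    for ts in (start, end):
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # UTC with literal T and Z
    if set(filters) - OPTIONAL:
        raise ValueError("unknown field(s): %s" % sorted(set(filters) - OPTIONAL))
    # The defaults below are valid values, so an absent filter passes the check.
    if filters.get("action", "Logon") not in ACTIONS:
        raise ValueError("action must match one of %s exactly" % sorted(ACTIONS))
    if filters.get("effectiveAction", "Denied") not in EFFECTIVE_ACTIONS:
        raise ValueError("effectiveAction must be Denied or Permitted")
    for key in ("username", "ipAddress", "details"):
        if "*" in str(filters.get(key, "")):
            raise ValueError(key + " must not contain wildcards")
    for guid in (managed_org_id, filters.get("objectId")):
        if guid is not None and not GUID_RE.fullmatch(guid):
            raise ValueError("expected a GUID, got %r" % (guid,))
    headers = {"Authorization": api_key}  # assumed header name; not given on the page
    if managed_org_id:
        headers["managedOrganizationId"] = managed_org_id
    body = dict(filters, startDate=start, endDate=end,
                pageSize=int(page_size), pageNumber=int(page_number))
    return ENDPOINT % instance, headers, body


def fetch_all(post, instance, api_key, start, end, page_size=100, **kwargs):
    """Collect every page; post(url, headers, body) is the caller's HTTP transport.
    Assumes the response is a list of entries and a short page is the last one."""
    page, logs = 1, []
    while True:
        batch = post(*build_request(instance, api_key, start, end, page_size, page, **kwargs))
        logs.extend(batch)
        if not batch or len(batch) < page_size:
            return logs
        page += 1
```

Passing action="Logon" and effectiveAction="Denied" to fetch_all pulls only denied administrator logons for the chosen window.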

 

SystemAuditGetForHealthCenter

https://portalapi.INSTANCE.threatlocker.com/portalapi/SystemAudit/SystemAuditGetForHealthCenter

  • Method: POST
  • Description: This API is utilized on the Health Center page in the ThreatLocker Portal under the Login Attempts section to display the list of Login Attempts, either successful or denied, for the currently managed organization. If looking to view the logins from a different organization than the currently logged in/managed organization through API, utilize the managedOrganizationId header as described below. Various fields are described below that can be changed to search like you can on the Health Center page itself in the Portal.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • Fields
      • days: This field will determine how many days back this API will search for login attempts as per the other fields entered. This will take into account the current day automatically; it will be how many days back from the current day. In the ThreatLocker Portal, this is limited to a maximum of 30 days and has other options to show 7 and 14 days back from the current day. However, when using this endpoint through API, any integer value can be entered.
        • Expects: An Integer value
      • isLoggedIn: This field will determine whether the successful or denied login attempts will be displayed. true will display successful logins and false will display denied (unsuccessful) logins.
        • Expects: true or false
      • pageSize and pageNumber: These fields determine how many login logs from the System Audit will be returned, as if the response was on the Health Center page. However, they do not follow the same conventions as the pageNumber and pageSize values in the Portal (pageSize in the Portal is 25). Any valid integer can be entered and the results will be returned in the selected formatting. For instance, if there are 5 logs to be returned but "pageNumber": 1 and "pageSize": 2, 2 entries will be returned per page and the first two logs will be shown.
        • Expects: An Integer value
    • Required body:

{
  "days": <Integer>,
  "isLoggedIn": <Boolean>,
  "pageSize": <Integer>,
  "pageNumber": <Integer>
}

  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields
      • searchText: This field will help to search the results based on one of the below fields that are returned when calling this endpoint. Use one of the fields below as a basis for what you enter into the search. For instance, if looking to narrow your search to a specific username, enter the username in the searchText field, ensuring that only one specific username is entered, and their login attempts will be displayed based on the other fields. When you enter the text you want to search for, do not include any wildcards (*) in what you enter. Wildcards will be accounted for automatically depending on your input:
        • Username
        • ipAddress
        • Country
        • Region
        • City
    • Optional body:

{
  "days": <Integer>,
  "searchText": "<String>",
  "isLoggedIn": <Boolean>,
  "pageSize": <Integer>,
  "pageNumber": <Integer>
}

  • Permissions Needed for User
    • View Health Center
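
Added example (not ThreatLocker's code): building the SystemAuditGetForHealthCenter body and triaging its results by comparing the denied (isLoggedIn false) and successful (isLoggedIn true) login attempts per source IP. The response key names "username" and "ipAddress" are assumed from the searchable fields listed above, and the records are constructed.

```python
from collections import defaultdict


def health_center_body(days, is_logged_in, page_size=25, page_number=1, search_text=None):
    """Body for SystemAuditGetForHealthCenter; isLoggedIn must be a real boolean."""
    if not isinstance(is_logged_in, bool):
        raise ValueError("isLoggedIn expects true or false, not %r" % (is_logged_in,))
    if search_text is not None and "*" in search_text:
        raise ValueError("searchText must not contain wildcards")
    body = {"days": int(days), "isLoggedIn": is_logged_in,
            "pageSize": int(page_size), "pageNumber": int(page_number)}
    if search_text is not None:
        body["searchText"] = search_text
    return body


def triage(denied, succeeded, min_users=3):
    """Flag source IPs denied for >= min_users distinct usernames and list any
    usernames the same IP also logged in as (key names are assumptions)."""
    denied_by_ip, ok_by_ip = defaultdict(set), defaultdict(set)
    for rec in denied:
        denied_by_ip[rec["ipAddress"]].add(rec["username"].lower())
    for rec in succeeded:
        ok_by_ip[rec["ipAddress"]].add(rec["username"].lower())
    return {ip: {"denied_users": sorted(users),
                 "also_succeeded_as": sorted(ok_by_ip.get(ip, ()))}
            for ip, users in denied_by_ip.items() if len(users) >= min_users}


# Constructed records standing in for the isLoggedIn=false and isLoggedIn=true responses.
DENIED = [
    {"username": "alice@example.com", "ipAddress": "203.0.113.7"},
    {"username": "bob@example.com", "ipAddress": "203.0.113.7"},
    {"username": "carol@example.com", "ipAddress": "203.0.113.7"},
    {"username": "Carol@example.com", "ipAddress": "203.0.113.7"},
    {"username": "dave@example.com", "ipAddress": "198.51.100.20"},
    {"username": "dave@example.com", "ipAddress": "198.51.100.20"},
]
SUCCEEDED = [
    {"username": "carol@example.com", "ipAddress": "203.0.113.7"},
    {"username": "dave@example.com", "ipAddress": "198.51.100.20"},
]
```

An IP that was denied for several accounts and then appears in the successful set is the first one to review.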