Audit Logs API
The Audit Logs API lets you programmatically retrieve audit logs for your organization within a specified time range. This API is useful for security monitoring, compliance auditing, and tracking user activities within the Resolve AI platform.

Audit logging in the Resolve Satellite (/resolve-satellite.md) provides detailed tracking and monitoring of all HTTP requests made through the satellite to external integrations. It's designed to give you visibility into what requests are being made, their success/failure status, and detailed request/response information.

Authentication

To use the Audit Logs API, you must first create an API token from the Resolve AI web application. This token is used to authenticate your requests.

Steps to create an API token:

1. Navigate to API Tokens in the sidebar: https://app0.resolve.ai/admin/api-tokens
2. Click Create API Token.
3. Provide a name for your token.
4. Copy and store the token securely. This is the only time you will see it.
5. Click "I copied the token!" to save and exit.

You must include the token in the Authorization header of your API requests as a Bearer token:

```
Authorization: Bearer <your token here>
```

API Endpoint

```
GET /audit-logs/:orgId
```

Base URL: https://api.app0.resolve.ai/audit-logs/:orgId

Path Parameters

- `orgId` (string, required): your organization's unique identifier.

Query Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `start` | string | Optional | ISO 8601 date string for start time (e.g., `2025-07-01T00:00:00Z`) |
| `end` | string | Optional | ISO 8601 date string for end time (e.g., `2025-07-07T23:59:59Z`) |
| `limit` | string | Optional | Max limit 1000 |

Pagination

The Audit Logs API supports pagination based on log timestamps. By default, the API returns up to 1000 records per request. If there are more logs available within the requested time range, an `end_before` token will be included in the response. You can use this token in a subsequent request to fetch the next page of results.

Behavior

- Default page size: 1000 logs.
- Custom limit: you can pass a `limit` query parameter to request fewer logs (must be between 1 and 1000).
- Pagination token: if the result set is exactly equal to the page size, the response will include an `end_before` timestamp (ISO 8601 string). This represents the timestamp of the last log in the current response minus 1 millisecond.
- To fetch the next page, re-issue the request with `end=<end_before value>` to get logs before that point in time.

Query example:

```
GET /audit-logs/org-abc123?start=2025-07-01T00:00:00Z&end=2025-07-07T00:00:00Z&limit=500
```

Sample response (paginated):

```json
{
  "logs": [
    {
      "organization_id": "org-abc123"
    }
  ],
  "end_before": "2025-07-06T23:59:59.999Z"
}
```

You can then request the next page:

```
GET /audit-logs/org-abc123?start=2025-07-01T00:00:00Z&end=2025-07-06T23:59:59.999Z&limit=500
```

Note:

- Pagination is based on descending timestamps (newest to oldest).
- The `end` parameter is treated as an exclusive upper bound.

Time Range Rules

- If both `start` and `end` are omitted: defaults to the last 24 hours.
- If only `start` is provided: `end` defaults to `start` + 1 day.
- If only `end` is provided: `start` defaults to `end` - 1 day.
- Maximum allowed range: 7 days.
- `start` must be before `end`.

If the request violates these rules, you will receive a 400 Bad Request with an error message.

Event Schema Definitions

The Resolve AI platform logs security and operational events in compliance with the Open Cybersecurity Schema Framework (OCSF) version 1.5.0. Each log entry is structured according to one of three standard schema classes: Authentication, Authorization, or API Activity. These schemas ensure consistent structure for downstream consumption (e.g., SIEM tools, compliance pipelines) and simplify audit review by standardizing field names and meanings.

Authentication Logs

Class: OCSF Authentication

Description: captures user login and logout events, including success/failure status, protocol used, and device/network metadata.

Common fields:

- `organization_id`: organization where the event originated
- `activity_id`: type of authentication action (e.g., logon, logoff)
- `auth_protocol_id`: auth protocol used (e.g., SAML, OAuth2)
- `category_uid`, `class_uid`, `type_uid`: OCSF taxonomy identifiers
- `status_id`: outcome (success, failure)
- `user { name, email }`
- `time`: ISO 8601 timestamp of event
- `service.name`: e.g., "resolve web app"
- `http_request { user_agent, url }`
- `metadata { product, version }`
- `src_endpoint { ip, type_id }`: source IP and endpoint type
- `dst_endpoint { hostname }`: target host accessed
- `is_remote`: whether the session was remote

Sample authentication log:

```json
{
  "organization_id": "org-abc123",
  "activity_id": 1,
  "auth_protocol_id": 3,
  "category_uid": 6,
  "class_uid": 6001,
  "type_uid": 600101,
  "status_id": 1,
  "is_remote": true,
  "time": "2025-07-09T14:22:30.135Z",
  "user": { "name": "Alex Morgan", "email": "alex@company.com" },
  "service": { "name": "resolve web app" },
  "http_request": {
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_2)",
    "url": "https://app.resolve.ai/login"
  },
  "metadata": { "product": "resolve web app", "version": "v2.3.1" },
  "src_endpoint": { "ip": "192.0.2.15", "type_id": 2 },
  "dst_endpoint": { "hostname": "resolve.ai" }
}
```

Authorization Logs

Class: OCSF Authorize Session

Description: logs session-level privilege or group assignment actions such as role changes, session establishment, or group binding events.

Common fields:

- `organization_id`: org associated with the event
- `activity_id`: authorization-related activity
- `category_uid`, `class_uid`, `type_uid`: OCSF classification
- `status_id`: outcome status (e.g., success, failure)
- `severity_id`: informational, warning, etc.
- `event_time`: ISO 8601 timestamp
- `user { name, email }`
- `groups`: array of assigned groups, if applicable
- `session.uid`: session identifier (optional)
- `http_request { user_agent, url }`
- `metadata { product, version }`
- `src_endpoint { ip, type_id }`
- `message`: human-readable explanation or annotation (optional)

Sample authorization log:

```json
{
  "auditable": true,
  "organization_id": "org-abc123",
  "activity_id": 21,
  "category_uid": 6,
  "class_uid": 6002,
  "type_uid": 600202,
  "status_id": 1,
  "severity_id": 2,
  "event_time": "2025-07-09T15:03:50.541Z",
  "user": { "name": "Jordan Lee", "email": "jordan@company.com" },
  "groups": [ { "name": "admin" }, { "name": "editor" } ],
  "session": { "uid": "ssn-9fa283ca-e441" },
  "http_request": {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "url": "https://app.resolve.ai/users/permissions"
  },
  "metadata": { "product": "resolve web app", "version": "v2.3.1" },
  "message": "user added to admin and editor groups",
  "src_endpoint": { "ip": "203.0.113.48", "type_id": 1 }
}
```

API Activity Logs

Class: OCSF API Activity

Description: tracks API requests made by users, capturing request and response details, trace identifiers, endpoint activity, and session metadata.

Common fields:

- `organization_id`: source organization
- `activity_id`: activity type (e.g., create, read, update, delete)
- `category_uid`, `class_uid`, `type_uid`: OCSF identifiers
- `status_id`: whether the request was successful
- `severity_id`: severity of the request (typically informational)
- `time`: ISO timestamp of request
- `message`: custom message (e.g., "user fetched timeline")
- `method`: HTTP method (GET, POST, etc.)
- `endpoint`: API endpoint accessed
- `actor { user, session_uid }`
- `http_request { url, http_headers }` (sensitive values redacted)
- `http_response { status_code, http_headers }`
- `src_endpoint { ip }`
- `dst_endpoint { hostname, port }`
- `metadata { product, environment }`

Sample API activity log:

```json
{
  "organization_id": "org-abc123",
  "activity_id": 2,
  "category_uid": 3,
  "class_uid": 6003,
  "type_uid": 600302,
  "status_id": 2,
  "severity_id": 1,
  "time": "2025-07-09T15:30:11.884Z",
  "message": "timeline data retrieval",
  "method": "GET",
  "endpoint": "/timeline",
  "actor": { "user": "Nina Patel", "session_uid": "sess-12de98f3fa7" },
  "http_request": {
    "url": "/timeline",
    "http_headers": {
      "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5_2)",
      "accept": "*/*",
      "authorization": "redacted",
      "x-generated-nonce": "redacted"
    }
  },
  "http_response": {
    "status_code": 200,
    "http_headers": {
      "content-type": "application/json",
      "x-remix-response": "yes",
      "set-cookie": "redacted"
    }
  },
  "src_endpoint": { "ip": "198.51.100.77" },
  "dst_endpoint": { "hostname": "api.resolve.ai", "port": 443 },
  "metadata": { "product": "resolve web app", "environment": "production" }
}
```

Examples

Request & Response

```
curl -H "Authorization: Bearer <your token>" \
  "https://api.app0.resolve.ai/audit-logs/test-org?start=2025-07-01T00:00:00Z&end=2025-07-07T00:00:00Z"
```

```json
[
  {
    "organization_id": "test-org",
    "activity_id": 2,
    "category_uid": 6,
    "class_uid": 6003,
    "type_uid": 600302,
    "time": "2025-02-29T00:08:40.835Z",
    "severity_id": 1,
    "status_id": 2,
    "method": "GET",
    "endpoint": "/chat-data",
    "actor": { "user": "Tom Jones", "session_uid": "..." },
    "http_request": {
      "url": "/chat-data",
      "http_headers": {
        "host": "localhost:3000",
        "user-agent": "...",
        "accept": "*/*",
        "...": "..."
      }
    },
    "http_response": {
      "status_code": 200,
      "http_headers": {
        "content-type": "text/x-script; charset=utf-8",
        "set-cookie": "..."
      }
    },
    "src_endpoint": { "ip": "1.2.3.4" },
    "dst_endpoint": { "hostname": "app0.resolve.ai", "port": 443 },
    "metadata": { "product": "resolve web app" }
  }
]
```

Error Responses

| Status code | Reason |
| --- | --- |
| 400 | Invalid or missing time range, malformed dates, or range exceeds 7 days |
| 401 | Missing or invalid Bearer token |
| 404 | Organization not found |
| 500 | Internal server error or downstream failure |

Security Notes

- Treat API tokens like passwords. Do not expose them in client-side code.
- Tokens can be revoked at any time through the UI.
- Headers in the `http_request` and `http_response` fields are partially redacted for security.
- IP addresses may appear as "unknown ip" for localhost or proxy calls.
- All timestamps are in ISO 8601 UTC format.