Fetch the logs that triggered a security event

POST /v2/security/rules/events/logs/search

Runs a search query in your Logz.io Log Monitoring account to fetch the logs that triggered the security rule and caused it to log a security event.

This query returns an array of parsed logs linked to a single event - it isn't a bulk action. Run this query to investigate an event and increase observability into details omitted from the security event log.

Note: Run this endpoint with an API token for your Logz.io Security account. Make sure to change the region in the URL to match your account's region.

Request

Body

    filter object required

    Filter by the event's unique GUID to retrieve only the logs relevant to the event under investigation.

    alertEventId string required

    Unique GUID of the security event in Logz.io Cloud SIEM. The GUID is returned in the results when querying to fetch security events or by inspecting an event log in the UI under the field logzio-alert-event-id.

    pagination object

    Default pagination is a page of 25 results. Look for the total field in the response for the number of available results overall, and use the pagination function to page through the results.

    pageNumber int32

    Default value: 1

    If the page number is beyond the last available page, the request returns an empty result set rather than failing.

    pageSize int32

    Possible values: <= 1000

    Default value: 25

    Controls the number of results per page. Valid inputs are 1 to 1000.

Responses

successful operation

Response Headers
    Schema
      total int32

      Returns the total number of logs linked to the security event specified in the query. This number is fixed and not affected by pagination.

      results object[]

      Array of logs returned in answer to the query. The logs are returned in their entirety and parsed.

      If the logs are no longer retained in the database, the request will return empty. You can check your account's log retention policy in your log monitoring account.

      pagination object

      Default pagination is a page of 25 results. Look for the total field in the response for the number of available results overall, and use the pagination function to page through the results.

      pageNumber int32

      Default value: 1

      If the page number is beyond the last available page, the request returns an empty result set rather than failing.

      pageSize int32

      Possible values: <= 1000

      Default value: 25

      Controls the number of results per page. Valid inputs are 1 to 1000.
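The pagination behaviour described above, as an added example that is not part of the original documentation: it builds the documented request body and pages until `total` logs are collected or an empty page comes back. The `http_post` transport assumes a region-specific base URL and an `X-API-TOKEN` header, neither of which appears on this page; `fake_post`, the sample GUID and the sample logs are constructed so the block runs offline.

```python
import json
import urllib.request

PATH = "/v2/security/rules/events/logs/search"  # endpoint path from this page

def build_body(alert_event_id, page_number=1, page_size=25):
    """Request body using the field names documented above."""
    if not 1 <= page_size <= 1000:
        raise ValueError("pageSize must be between 1 and 1000")
    return {"filter": {"alertEventId": alert_event_id},
            "pagination": {"pageNumber": page_number, "pageSize": page_size}}

def http_post(base_url, api_token, body):
    """Live transport. Assumptions (not on this page): base_url is your region's
    API host and the token is sent in an X-API-TOKEN header."""
    req = urllib.request.Request(
        base_url + PATH, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-API-TOKEN": api_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_event_logs(post, alert_event_id, page_size=1000):
    """Page through every log linked to one event; returns (logs, total)."""
    logs, page, total = [], 1, 0
    while True:
        reply = post(build_body(alert_event_id, page, page_size))
        total = reply.get("total", 0)
        batch = reply.get("results") or []
        logs.extend(batch)
        # An empty page means we overshot or the logs are past retention.
        if not batch or len(logs) >= total:
            return logs, total
        page += 1

# Constructed sample data standing in for the API so the example runs offline.
SAMPLE_EVENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
SAMPLE_LOGS = [{"message": f"constructed log {i}"} for i in range(60)]

def fake_post(body):
    p = body["pagination"]
    start = (p["pageNumber"] - 1) * p["pageSize"]
    rows = SAMPLE_LOGS if body["filter"]["alertEventId"] == SAMPLE_EVENT_ID else []
    return {"total": len(rows), "results": rows[start:start + p["pageSize"]],
            "pagination": p}

if __name__ == "__main__":
    logs, total = fetch_event_logs(fake_post, SAMPLE_EVENT_ID, page_size=25)
    print(f"retrieved {len(logs)} of {total} logs")
```

To query a live account, pass `lambda body: http_post(base_url, api_token, body)` as `post`.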
