post https://{tenant_url}/v1.0/reports/
This endpoint is used to run most of the reports. Provide the report name and request payload in the body section.
Entitlements required: readReports or manageReports.
POST /reporting/v1.0/reports/{report_name} - API is used to get the first batch of events.
POST /reporting/v1.0/reports/{report_name}_search_after - API to get the remaining events.
For example, to get the authentication event attributes that are included in the table for authentication activity, you can use the following payloads:
| Report Name | Example Payload Request |
|---|---|
| auth_audit_trail | { "FROM":"now-24h", "TO":"now", "SIZE":"10", "SORT_BY":"time", "SORT_ORDER":"asc" } |
| auth_audit_trail_search_after | { "FROM":"now-24h", "TO":"now", "SIZE":"10", "SORT_BY":"time", "SORT_ORDER":"asc", "SEARCH_AFTER":""1554479231870","30f5a726-0e11-4066-a49f-e1e1d03a62b4"" } The SEARCH_AFTER value is an array of the timestamp and ID of the last response entry from the auth_audit_trail report. |
| auth_audit_trail with SUBTYPE filter | { "FROM":"now-24h", "TO":"now", "SIZE":"10", "SUBTYPE":""mfa","federation"", "SORT_BY":"time", "SORT_ORDER":"asc" } |
Note: Filter values must be in a comma separated list that is surrounded by quotation marks and the quotation marks must be escaped.