Audit | Python SDK

The audit API is designed for recording a trail of application-based user activity in a scalable, tamper-proof log.

Audit client

Audit(token, config, private_key_file, public_key_info, tenant_id, logger_name, config_id)

Initializes a new Audit client.

token

str

Pangea API token.

config

PangeaConfig | None

Configuration.

private_key_file

str

Private key filepath.

public_key_info

dict[str, str]

Public key information.

tenant_id

str | None

Tenant ID.

logger_name

str

Logger name.

config_id

str | None

Configuration ID.

config = PangeaConfig(domain="pangea_domain")
audit = Audit(token="pangea_token", config=config)

Download file

Audit.download_file(url, filename)

Download a file from the specified URL and save it with the given filename.

url

str

URL of the file to download

filename

str | None

Name to save the downloaded file as. If not provided, the filename will be determined from the Content-Disposition header or the URL.

Download search results

Audit.download_results(result_id, format, request_id, return_context)

Get all search results as a compressed (gzip) CSV file.

result_id

Optional[str]

ID returned by the search API.

format

DownloadFormat

Format for the records.

request_id

Optional[str]

ID returned by the export API.

return_context

bool

Return the context data needed to decrypt secure audit events that have been redacted with format preserving encryption.

URL where search results can be downloaded.

response = audit.download_results(
    result_id="pas_[...]",
    format=DownloadFormat.JSON,
)

Export from the audit log

Audit.export(format, start, end, order, order_by, verbose)

Bulk export of data from the Secure Audit Log, with optional filtering.

format

DownloadFormat

Format for the records.

start

Optional[datetime.datetime]

The start of the time range to perform the search on.

end

Optional[datetime.datetime]

The end of the time range to perform the search on. If omitted, then all records up to the latest will be searched.

order

Optional[SearchOrder]

Specify the sort order of the response.

order_by

Optional[str]

Name of column to sort the results by.

verbose

bool

Whether or not to include the root hash of the tree and the membership proof for each record.

export_res = audit.export(verbose=False)

# Export may take several dozens of minutes, so polling for the result
# should be done in a loop. That is omitted here for brevity's sake.
try:
    audit.poll_result(request_id=export_res.request_id)
except AcceptedRequestException:
    # Retry later.

# Download the result when it's ready.
download_res = audit.download_results(request_id=export_res.request_id)
download_res.result.dest_url
# => https://pangea-runtime.s3.amazonaws.com/audit/xxxxx/search_results_[...]

Log an entry

Audit.log(message, actor, action, new, old, source, status, target, timestamp, verify, sign_local, verbose, tenant_id)

Create a log entry in the Secure Audit Log.

message

str, dict

A message describing a detailed account of what happened.

actor

str

Record who performed the auditable activity.

action

str

The auditable action that occurred.

new

str, dict

The value of a record after it was changed.

old

str, dict

The value of a record before it was changed.

source

str

Used to record the location from where an activity occurred.

status

str

Record whether or not the activity was successful.

target

str

Used to record the specific record that was targeted by the auditable activity.

timestamp

datetime

An optional client-supplied timestamp.

verify

bool

True to verify logs consistency after response.

sign_local

bool

True to sign event with local key.

verbose

bool

True to get a more verbose response.

tenant_id

string

Used to record the tenant associated with this activity.

A PangeaResponse where the hash of event data and optional verbose results are returned in the response.result field. Available response fields can be found in our API documentation.

log_response = audit.log(
    message="hello world",
    verbose=True,
)

Log multiple entries

Audit.log_bulk(events, sign_local, verbose)

Create multiple log entries in the Secure Audit Log.

events

List[dict[str, Any]]

events to be logged

sign_local

bool

True to sign event with local key.

verbose

bool

True to get a more verbose response.

A PangeaResponse where the hash of event data and optional verbose results are returned in the response.result field. Available response fields can be found in our API documentation.

log_response = audit.log_bulk(
    events=[{"message": "hello world"}],
    verbose=True,
)

Log multiple entries asynchronously

Audit.log_bulk_async(events, sign_local, verbose)

Asynchronously create multiple log entries in the Secure Audit Log.

events

List[dict[str, Any]]

events to be logged

sign_local

bool

True to sign event with local key.

verbose

bool

True to get a more verbose response.

A PangeaResponse where the hash of event data and optional verbose results are returned in the response.result field. Available response fields can be found in our API documentation.

log_response = audit.log_bulk_async(
    events=[{"message": "hello world"}],
    verbose=True,
)

Log an event

Audit.log_event(event, verify, sign_local, verbose)

Create a log entry in the Secure Audit Log.

event

dict[str, Any]

event to be logged

verify

bool

True to verify logs consistency after response.

sign_local

bool

True to sign event with local key.

verbose

bool

True to get a more verbose response.

A PangeaResponse where the hash of event data and optional verbose results are returned in the response.result field. Available response fields can be found in our API documentation.

response = audit.log_event({"message": "hello world"}, verbose=True)

Log streaming endpoint

Audit.log_stream(data)

This API allows 3rd party vendors (like Auth0) to stream events to this endpoint where the structure of the payload varies across different vendors.

data

dict

Event data. The exact schema of this will vary by vendor.

data = {
    "logs": [
        {
            "log_id": "some log ID",
            "data": {
                "date": "2024-03-29T17:26:50.193Z",
                "type": "sapi",
                "description": "Create a log stream",
                "client_id": "some client ID",
                "ip": "127.0.0.1",
                "user_agent": "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0",
                "user_id": "some user ID",
            },
        }
        # ...
    ]
}

response = audit.log_stream(data)

Poll result

Audit.poll_result(exception)

Returns request's result that has been accepted by the server

exception

Optional[AcceptedRequestException]

Exception that was previously raised by the SDK on a call that is being processed.

PangeaResponse

response = service.poll_result(exception)

Results of a search

Audit.results(id, limit, offset, assert_search_restriction, verify_consistency, verify_events, return_context)

Fetch paginated results of a previously executed search.

id

string

the id of a search action, found in response.result.id

limit

integer

the maximum number of results to return, default is 20

offset

integer

the position of the first result to return, default is 0

assert_search_restriction

Dict[str, Sequence[str]]

Assert the requested search results were queried with the exact same search restrictions, to ensure the results comply to the expected restrictions.

verify_consistency

bool

True to verify logs consistency

verify_events

bool

True to verify hash events and signatures

return_context

bool

Return the context data needed to decrypt secure audit events that have been redacted with format preserving encryption.

response = audit.results(
    id="pas_sqilrhruwu54uggihqj3aie24wrctakr",
    limit=10,
    offset=0,
)

Tamperproof verification

Audit.root(tree_size)

Returns current root hash and consistency proof.

tree_size

int

The size of the tree (the number of records). If None, endpoint will return last tree root.

PangeaResponse[RootOutput]

response = audit.root(tree_size=7)

Search the log

Audit.search(query, order, order_by, last, start, end, limit, max_results, search_restriction, verbose, verify_consistency, verify_events, return_context)

Search for events that match the provided search criteria.

query

str

Natural search string; list of keywords with optional <option>:<value> qualifiers. The following optional qualifiers are supported:

• action
• actor
• message
• new
• old
• status
• target

order

SearchOrder

Specify the sort order of the response.

order_by

SearchOrderBy, str

Name of column to sort the results by.

last

str

Optional[str] = None,

start

datetime

An RFC-3339 formatted timestamp, or relative time adjustment from the current time.

end

datetime

An RFC-3339 formatted timestamp, or relative time adjustment from the current time.

limit

int

Optional[int] = None,

max_results

int

Maximum number of results to return.

search_restriction

Dict[str, Sequence[str]]

A list of keys to restrict the search results to. Useful for partitioning data available to the query string.

verbose

bool

If true, response include root and membership and consistency proofs.

verify_consistency

bool

True to verify logs consistency

verify_events

bool

True to verify hash events and signatures

return_context

bool

Return the context data needed to decrypt secure audit events that have been redacted with format preserving encryption.

A PangeaResponse[SearchOutput] where the first page of matched events is returned in the response.result field. Available response fields can be found in our API documentation. Pagination can be found in the search results endpoint.

response = audit.search(
    query="message:test",
    search_restriction={'source': ["monitor"]},
    limit=1,
    verify_consistency=True,
    verify_events=True,
)