Using the SaaS Alerts API
Refer to the API documentation. Supplemental information applies to Version 0.20.0.
Clicking GET APIKEY will generate an API key and display it in the user interface. Be sure to copy the key if you intend to use it for third-party integrations. As soon as you navigate away from this page, the key will no longer be visible.
If you use the API directly to extract customer event information for third-party tool integration or development, you must copy your API key into whichever of the following you use:
- The API explorer.
- Postman or other API exploration tools.
- Your own code that calls the API to extract event information for use with other tools.
The SaaS Alerts Reports API is very simple and contains a relatively small number of methods that are directly usable by the API consumer (eight methods). However, in combination with method parameters, the API is capable of producing complex data returns that can be imported into virtually any reporting, ticket workflow, or BI tool. Three of the API methods are documented as POST methods. These methods do not permit the API consumer to post data into SaaS Alerts. Rather, they are used to POST queries in JSON format directly to the SaaS Alerts data indexes and retrieve information as a standard JSON data return.
Event type reference for “Get /reports/events” method
Available values: eventTypes (jointTypes)
login.success
login.failure
login.failure.3.attempts
cross.ip.connections
oauth.granted.permission
file.sharing.internal
file.sharing.external
file.download.local.device
orphaned.links
app.perm.shared.with.add.app
link.cross.sharing
new.device
password.reset
password.change // Dropbox specific
account.locks
security.group.changes
security.policy.changes
user.promoted.to.admin
outside.own.location
multiple.connection.diff.ip
sf.external.datasource.added
sf.external.obh.add.updates
multiple.login.diff.ip
unable.refresh.token
multiple.password.reset
db.team.policies.changed
multiple.account.locks
integration.detail.link.shared
application.event.saas.integration
domain.access.attempt
alertStatus reference for “Post /reports/event/query”
{
  "term": {
    "alertStatus.keyword": "critical"
  }
}
Available values - alertStatus
low
medium
critical
jointDesc reference for “Post /reports/event/query”
{
  "term": {
    "jointDesc.keyword": "IAM Event - Authentication Failure"
  }
}
Available values - jointDesc
IAM Event - Authentication Failure
IAM Event - Authentication Success
IAM Event - Multiple SaaS Connections From Different IP Addresses
File Share Event - Local Download
IAM Event - Multiple Authentication Failures
IAM Event - User Location - Outside approved location
File Share Event - External
Application Integration Detail - SaaS Application link Share
File Share Event - Internal
IAM Event - Account Locked
IAM Event - Multiple Login Connections From Different IP Addresses
Policy Event - Security Group Change
Policy Event - Security Policy Change
File Share Event - FileDownloaded
IAM Event - Oauth Access Used for Foreign Application
IAM Event - Multiple Password Reset
Device Event - New Device
IAM Event - Password Reset
File Share Event - PageViewed
IAM Event - Multiple Account Locks
File Share Event - SearchQueryPerformed
File Share Event - FolderModified
Policy Event - Admin Access Granted
File Share Event - ListViewed
File Share Event - CompanyLinkCreated
Application Event - SaaS Integration
File Share Event - SharingSet
File Share Event - PagePrefetched
IAM Event - Application password updated
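The following Python example is added here and is not code from SaaS Alerts or its API documentation: it combines the alertStatus and jointDesc term clauses shown above into one query body for “Post /reports/event/query” and prepares the POST without sending it, reading the API key from an environment variable rather than from the source file. The base URL, the api_key header name, the SAAS_ALERTS_API_KEY variable name and the bool/must wrapper are assumptions; take the real values from the API documentation.

```python
import json
import os
import urllib.request

# Values copied from the alertStatus reference list on this page.
ALERT_STATUSES = {"low", "medium", "critical"}

# Hypothetical placeholders, not taken from the SaaS Alerts documentation.
BASE_URL = "https://saas-alerts-api.example.invalid"
API_KEY_HEADER = "api_key"  # assumed header name


def term(field, value):
    """Return one term clause in the shape shown on this page."""
    return {"term": {f"{field}.keyword": value}}


def build_event_query(alert_status, joint_desc=None):
    """Combine term clauses; reject alertStatus values the page does not list."""
    if alert_status not in ALERT_STATUSES:
        raise ValueError(f"unknown alertStatus: {alert_status!r}")
    clauses = [term("alertStatus", alert_status)]
    if joint_desc is not None:
        clauses.append(term("jointDesc", joint_desc))
    # Assumption: clauses are combined Elasticsearch-style under bool/must.
    return {"query": {"bool": {"must": clauses}}}


def prepare_request(body, env=os.environ):
    """Build (but do not send) the POST; the key comes only from the environment."""
    key = env.get("SAAS_ALERTS_API_KEY")  # assumed variable name
    if not key:
        raise RuntimeError("SAAS_ALERTS_API_KEY is not set")
    return urllib.request.Request(
        BASE_URL + "/reports/event/query",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", API_KEY_HEADER: key},
        method="POST",
    )


if __name__ == "__main__":
    query = build_event_query("critical", "IAM Event - Authentication Failure")
    print(json.dumps(query, indent=2))
```

Because the key is shown only once in the user interface, storing it in a secrets manager or environment variable at copy time avoids having to paste it into scripts later.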