GraphQL Audit Endpoint
The GraphQL audit endpoint provides visibility into system events, allowing users to track changes and activities within BoostSecurity. This documentation outlines how to access, query, and filter audit events through the API.
Accessing the Endpoint
The audit endpoint is available at:
https://api.boostsecurity.io/audit/graphql
To retrieve the GraphQL schema through introspection, install the gql client and run gql-cli with your API key:
python3 -m pip install "gql[all]"
gql-cli -H "Authorization: ApiKey $BOOST_API_KEY" --schema-download --print-schema https://api.boostsecurity.io/audit/graphql | jq
Querying the Endpoint
To retrieve events from the audit endpoint, use a GraphQL query like the following:
Example Query
Save the following query in a file named audit.gql:
query getevents($filters: AuditEventFilters = {}, $first: Int, $page: Int) {
  audit {
    events(filters: $filters, first: $first, page: $page) {
      edges {
        node {
          id
          eventType
          eventDetail
          timestamp
        }
      }
      totalCount
      pageInfo {
        hasNextPage
      }
    }
  }
}
Executing the Query
To retrieve the first 100 UserAdded events during February, use the following command:
cat audit.gql | \
gql-cli https://api.boostsecurity.io/audit/graphql -H "Authorization: ApiKey $BOOST_API_KEY" \
-V 'filters:{"timestamp":{"gt":"2025-02-01T00:00:00+00:00","lt":"2025-03-01T00:00:00+00:00"},"eventTypes":["UserAdded"]}' first:100
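The command above returns one page of at most 100 events; exporting a whole time window means following the query's page variable until pageInfo.hasNextPage is false. The Python below is an added example, not BoostSecurity's own code: http_fetch, iter_events, start_page and max_pages are names chosen here, and it assumes page numbering starts at 1 and that the endpoint accepts a standard GraphQL JSON POST.

```python
import json
import os
import urllib.request

AUDIT_URL = "https://api.boostsecurity.io/audit/graphql"
QUERY = """
query getevents($filters: AuditEventFilters = {}, $first: Int, $page: Int) {
  audit {
    events(filters: $filters, first: $first, page: $page) {
      edges { node { id eventType eventDetail timestamp } }
      totalCount
      pageInfo { hasNextPage }
    }
  }
}
"""

def http_fetch(variables):
    """POST the query with the same ApiKey header the gql-cli commands use."""
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    req = urllib.request.Request(AUDIT_URL, data=body, headers={
        "Content-Type": "application/json",
        "Authorization": "ApiKey " + os.environ["BOOST_API_KEY"],
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]

def iter_events(filters, fetch=http_fetch, first=100, start_page=1, max_pages=1000):
    """Yield every matching event node, following pageInfo.hasNextPage."""
    seen = set()
    # start_page=1 is an assumption; adjust if the API numbers pages from 0.
    for page in range(start_page, start_page + max_pages):
        events = fetch({"filters": filters, "first": first, "page": page})["audit"]["events"]
        for edge in events["edges"]:
            node = edge["node"]
            if node["id"] not in seen:  # drop duplicates if pages overlap
                seen.add(node["id"])
                yield node
        if not events["pageInfo"]["hasNextPage"]:
            return
    raise RuntimeError("page limit reached; export is incomplete")

if __name__ == "__main__":
    window = {"timestamp": {"gt": "2025-02-01T00:00:00+00:00", "lt": "2025-03-01T00:00:00+00:00"},
              "eventTypes": ["UserAdded"]}
    for event in iter_events(window):
        print(json.dumps(event))
```

Failing loudly at max_pages keeps a truncated export from being mistaken for a complete audit trail.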
Available Filters
When querying the audit API, the following filters can be applied:
ids: A list of event IDs.
eventTypes: A list of event types to filter by.
timestamp.gt: Greater than a specified timestamp.
timestamp.lt: Less than a specified timestamp.
List of Audited Events
Below is a list of event types that can be queried:
AddRuleset, AssetAdded, AssetAnalyzersDataRemoved, AssetDataRemoved, AssetPolicyUpdated,
Auth0LoginFailed, Auth0LoginSuccess, IntegrationAdded, IntegrationRemoved, OneTimeScan,
PolicyAdded, PolicyReScanned, PolicyRemoved, PolicyUpdated, RemoveConfiguration,
RemoveRuleset, ScanTriggerSuccess, ScannerProvisioningAdded, ScannerProvisioningRemoved,
UpdateRuleset, UpsertGlobalConfiguration, UserAdded, ZtpDisabled, ZtpEnabled, ZtpInitiated
Retrieving Event Details
To retrieve details of a specific event type, such as Auth0LoginSuccess, use the following command:
cat audit.gql | \
gql-cli https://api.boostsecurity.io/audit/graphql -H "Authorization: ApiKey $BOOST_API_KEY" \
-V 'filters:{"eventTypes":["Auth0LoginSuccess"]}' first:1 | \
jq --raw-output '.audit.events.edges[].node.eventDetail'
This will return the event details in JSON format.