
SIEM Integration

Use our API to pull audit log records out programmatically and send to your SIEM

Written by Alex Montgomery
Updated over a month ago

Pulling audit logs to integrate with your SIEM:

Now that everything is configured and the token itself has been stored securely, it can be used to export system logs. The external API URL used with this token is https://app.govworx.net/api/v1/external/logs, and the Authorization header is Bearer {insert token here}. By default the API returns an array of system log entries from the last 24 hours, limited to 1,000 entries. At the end of the array is a pagination object that tells the external system whether more records exist than were returned. If there are more than 1,000 entries, timestamp-based pagination suggests the next date to query from in order to get the next “batch” (explained in more detail below). The parameters below further filter the log records as desired:

Query Parameters:

  • from - timestamp in the format YYYY-MM-DDTHH:MM:SSZ to start from (default = 24 hours ago)

  • to - timestamp in the format YYYY-MM-DDTHH:MM:SSZ to stop at (default = present)

  • limit - maximum number of records to return in the response (default = 1,000)

Default response body JSON:

{
  "data": [
    {
      "id": "number",
      "timestamp": "timestamp",
      "eventType": "string",
      "actorName": "string",
      "actorUsername": "string",
      "details": "string",
      "createdBy": "number",
      "updatedAt": "timestamp",
      "updatedBy": "number"
    }
  ],
  "pagination": {
    "truncated": true,
    "suggestedNextFrom": "null or timestamp",
    "recordsReturned": "number",
    "timeRange": {
      "from": "timestamp",
      "to": "timestamp"
    }
  }
}

NOTE: "data" contains an array of logs; each object inside it is a separate log entry with its own unique "id" number.

Timestamp-Based Pagination Example:

Default pagination JSON:

{
  "pagination": {
    "truncated": "true or false",
    "suggestedNextFrom": "null or timestamp",
    "recordsReturned": "number",
    "timeRange": {
      "from": "timestamp",
      "to": "timestamp"
    }
  }
}

Say the user queried a time period that contained exactly 21 records. As expected (no limit parameter was given, so the default of 1,000 applies), all 21 records are returned. The “truncated” value is false because all of the records could be returned under the default parameters.

{
  "pagination": {
    "truncated": false,
    "suggestedNextFrom": null,
    "recordsReturned": 21,
    "timeRange": {
      "from": "2025-09-12T15:34:50Z",
      "to": "2025-09-12T16:28:12Z"
    }
  }
}

Now, after adding a query parameter limit of 20 (?limit=20), the value for “truncated” is true because there are 21 records and the limit of 20 “cut off” one record. Because truncated is true, suggestedNextFrom now holds a value. This is the timestamp to pass as the from parameter to get the next “batch” of records.

{
  "pagination": {
    "truncated": true,
    "suggestedNextFrom": "2025-09-12T16:21:37Z",
    "recordsReturned": 20,
    "timeRange": {
      "from": "2025-09-12T15:34:50Z",
      "to": "2025-09-12T16:28:39Z"
    }
  }
}

Now, if the query is repeated with from set to the "suggestedNextFrom" value (still with the limit of 20), it returns that last record. The value for truncated has gone back to false and suggestedNextFrom is null, meaning that all records have been retrieved.

{
  "pagination": {
    "truncated": false,
    "suggestedNextFrom": null,
    "recordsReturned": 1,
    "timeRange": {
      "from": "2025-09-12T16:21:37Z",
      "to": "2025-09-12T16:29:24Z"
    }
  }
}
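A collector loop for the pagination scheme described above, added here as an example; it is not the vendor's own code. Everything in it is an assumption of this example: http_fetch is the real transport against the documented URL, pull_all_logs follows suggestedNextFrom until truncated is false and de-duplicates by id, and fake_api is an offline stand-in that assumes from/to are inclusive and that suggestedNextFrom is the timestamp of the first entry cut off by limit, which is what the numbers above suggest.

```python
import json
import urllib.request
from typing import Callable, List

LOGS_URL = "https://app.govworx.net/api/v1/external/logs"

def http_fetch(token: str) -> Callable[[dict], dict]:
    """Real transport: GET the logs endpoint with the stored bearer token."""
    def fetch(params: dict) -> dict:
        url = LOGS_URL + "?" + "&".join(f"{k}={v}" for k, v in params.items())
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def pull_all_logs(fetch, start: str, end: str, limit: int = 1000, max_pages: int = 1000) -> List[dict]:
    """Follow pagination.suggestedNextFrom until truncated is false. Entries are de-duplicated
    by id: `from` is inclusive, so the entry at the boundary timestamp can be returned twice."""
    seen, entries = set(), []
    params = {"from": start, "to": end, "limit": str(limit)}
    for _ in range(max_pages):
        page = fetch(params)
        for rec in page["data"]:
            if rec["id"] not in seen:
                seen.add(rec["id"])
                entries.append(rec)
        pg = page["pagination"]
        if not pg["truncated"] or pg["suggestedNextFrom"] is None:
            return entries
        if pg["suggestedNextFrom"] == params["from"]:  # more than `limit` entries share one timestamp
            raise RuntimeError("pagination stalled at " + params["from"] + "; raise limit")
        params["from"] = pg["suggestedNextFrom"]
    raise RuntimeError("gave up after max_pages; the collector is falling behind")

def constructed_records() -> List[dict]:
    """Constructed sample data: 21 entries; entries 20 and 21 share a timestamp (boundary case)."""
    return [{"id": i, "timestamp": f"2025-09-12T16:{min(i, 20):02d}:00Z", "eventType": "login"}
            for i in range(1, 22)]

def fake_api(records: List[dict]) -> Callable[[dict], dict]:
    """Offline stand-in for the endpoint (assumed semantics): from/to inclusive, entries
    sorted by timestamp, suggestedNextFrom = timestamp of the first entry cut off by limit."""
    def fetch(params: dict) -> dict:
        sel = [r for r in records if params["from"] <= r["timestamp"] <= params["to"]]
        page, rest = sel[:int(params["limit"])], sel[int(params["limit"]):]
        return {"data": page, "pagination": {
            "truncated": bool(rest), "suggestedNextFrom": rest[0]["timestamp"] if rest else None,
            "recordsReturned": len(page), "timeRange": {"from": params["from"], "to": params["to"]}}}
    return fetch
```

Swap fake_api(constructed_records()) for http_fetch(token) to run against the real endpoint; the stall check matters because a from value that never advances would otherwise re-fetch the same page forever.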