Audit Events OCSF
audit_events_ocsfQuery OCSF-formatted audit events from Automox by required date and optional event filters, with cursor-based pagination for large result sets.
Instructions
Query OCSF-formatted audit events from the Automox Audit Service v2. Filter by date (required) and event type name. The category_name filter is applied client-side against the event type_name prefix: the upstream events do NOT carry a category_name field, only an integer category_uid that maps 1:N across categories, so category filtering matches the type_name label prefix (authentication/entity_management/web_resource_activity are live-verified prefixes; account_change/user_access are spec-derived and unverified live). An unmappable category token leaves results unfiltered and sets metadata.applied_filters.category_name_matched=false (so an empty result is never mistaken for 'no activity'); metadata.events_before_filter reports the unfiltered count. category_uid/type_uid/class_uid/activity_id are raw OCSF taxonomy integers with no decode table in the upstream spec — prefer the human-readable sibling strings type_name and activity. Uses cursor-based pagination for large result sets. Event time is an ISO 8601 UTC string (converted from the upstream epoch-seconds value). The date parameter selects events by event date; the timezone of that date boundary is not stated by the upstream spec (unverified). severity/status labels follow the OCSF scales (severity: informational/low/medium/high/critical/fatal; status: success/failure/other) and are filled from severity_id/status_id when the upstream omits the string. Permissions: as of 2025-10-27 the upstream endpoint requires the API key to have BOTH organization:manage and users:read scopes; keys missing either scope return 403.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| date | Yes | ||
| limit | No | ||
| cursor | No | ||
| type_name | No | ||
| category_name | No | ||
| output_format | No | json |