umbrella-s3-audit-logs
Scans administrator audit log files from the Cisco Umbrella S3 export bucket.
Syntax
umbrella-s3-audit-logs [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
Options
- profile=PROFILE
  - Optional. Cisco Umbrella S3 connect profile code.
- duration=NUM{mon|w|d|h|m|s}
  - Optional. Scan only recent data. Time units: s (second), m (minute), h (hour), d (day), w (week), mon (month).
- from=yyyyMMddHHmmss
  - Optional. Start time of the range, in yyyyMMddHHmmss format.
- to=yyyyMMddHHmmss
  - Optional. End time of the range, in yyyyMMddHHmmss format.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | e.g. 2026-04-13 01:30:27 |
| profile | String | Profile | Cisco Umbrella S3 connect profile code |
| id | String | ID | e.g. 2041753245 |
| src_ip | IP address | Source IP | e.g. 198.51.100.1 |
|  | String |  | e.g. admin@example.com |
| user | String | User | e.g. John Doe |
| type | String | Type | e.g. users |
| action | String | Action | e.g. create |
| before | String | Before | Previous state |
| after | String | After | New state |