I’m looking to get a list of all events using the GET /public/events API call from the doc here. The issue is that it provides nothing meaningful. An example output is listed below which shows that a user changed their master password but it doesn’t say who.
The API provides data that isn’t stored encrypted - for example, the GUIDs in the response. The way to match that data up with more context is using the CLI tool.
Using the CLI tool, you can get full data from the organization and use the GUIDs as foreign keys.
@witness777 with the Bitwarden CLI tool (more about that here) you can export the data in JSON format to ingest into your SIEM. The CLI tool is needed due to our end-to-end encryption - as the CLI is a full client and can generate the keys needed to decrypt the vault and organization data.
We have a fantastic Integration team that can help out, too. I’d recommend reaching out to them here: Get in Touch | Bitwarden and they can absolutely walk you through it!
Ah got it! So in short, if I don’t use the CLI, I will get exactly that output like the example I provided. From what you’re saying, to get anything meaningful, I have to use the CLI to do so.
I got a hold of support and they basically told me that they don’t have any examples or a way to show me how I can use the CLI and API to pull any meaningful logs. Pretty much since we’re not using Splunk as our SIEM, there’s no way of pulling meaningful logs.
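The GUID join described in the replies above, as an added example that is not part of the original posts and is not Bitwarden's own code: it resolves the GUIDs in event records against a member list exported separately and emits JSON lines for a SIEM. The field names (`actingUserId`, `memberId`, `id`, `userId`, `email`) and all sample records are assumptions constructed for illustration; adjust them to the JSON your API response and CLI export actually contain.

```python
import json

# Constructed sample data. Field names are assumptions about the JSON shapes;
# GUIDs, addresses and type codes are made up and treated as opaque values.
MEMBERS = [  # stands in for the decrypted member list exported with the CLI
    {"id": "aaaaaaaa-0000-0000-0000-000000000001",
     "userId": "bbbbbbbb-0000-0000-0000-000000000001", "email": "alice@example.com"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002",
     "userId": "bbbbbbbb-0000-0000-0000-000000000002", "email": "bob@example.com"},
]
EVENTS = [  # stands in for the "data" array returned by GET /public/events
    {"type": 1001, "date": "2024-01-05T10:00:00Z", "ipAddress": "203.0.113.7",
     "actingUserId": "BBBBBBBB-0000-0000-0000-000000000001", "memberId": None},
    {"type": 1001, "date": "2024-01-05T11:00:00Z", "ipAddress": "203.0.113.9",
     "actingUserId": "cccccccc-0000-0000-0000-000000000009", "memberId": None},
    {"type": 1502, "date": "2024-01-05T12:00:00Z", "ipAddress": "203.0.113.7",
     "actingUserId": "bbbbbbbb-0000-0000-0000-000000000001",
     "memberId": "aaaaaaaa-0000-0000-0000-000000000002"},
]

def build_index(members):
    """Map every GUID a member is known by (member id and user id) to its record."""
    index = {}
    for member in members:
        for key in ("id", "userId"):
            if member.get(key):
                index[member[key].lower()] = member  # GUIDs compare case-insensitively
    return index

def enrich(events, members):
    """Return copies of the events with actor/member e-mail addresses attached."""
    index = build_index(members)
    enriched = []
    for event in events:
        row = dict(event)
        for field, label in (("actingUserId", "actor"), ("memberId", "member")):
            guid = event.get(field)
            if not guid:
                continue  # the event does not reference this kind of object
            match = index.get(guid.lower())
            row[label + "Email"] = match["email"] if match else None
            # Keep unresolved GUIDs visible instead of dropping the event:
            # a removed member's old events are still worth alerting on.
            row[label + "Resolved"] = match is not None
        enriched.append(row)
    return enriched

def to_json_lines(rows):
    """One JSON object per line, the form most SIEM file collectors accept."""
    return "\n".join(json.dumps(row, sort_keys=True) for row in rows)

if __name__ == "__main__":
    print(to_json_lines(enrich(EVENTS, MEMBERS)))
```
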