topic Re: API access to cdFMC audit log configuration changes in Network Security

API access to cdFMC audit log configuration changes

rc11 — Mon, 20 Oct 2025 19:53:59 GMT

My developer colleague and I (detection engineer) would like to call the following API endpoint:

GET/api/fmc_platform/v1/domain/{domainUUID}/audit/configchanges

However, according to the API documentation this call requires a parameter called snapshotId that is not documented anywhere else, and doesn't even show up anywhere in the GUI.

Does anyone know what this parameter represents, and how to get any or all valid snapshotId values for a tenant?

Thanks in advance.

Re: API access to cdFMC audit log configuration changes

Ben Weber — Mon, 17 Nov 2025 02:46:46 GMT

Hi @rc11

AFAIK, the snapshot-id parameter represents the UUID of a specific configuration snapshot or audit record that captures the state of the system at a given point in time.

You should be able to retrieve the list of snapshot-id variables by querying the /auditrecords endpoint?

Let me know if that works. Good luck!

Re: API access to cdFMC audit log configuration changes

rc11 — Mon, 17 Nov 2025 22:04:48 GMT

Hi Ben, we did get this suggestion on the DevNet forum, we tried it and the auditrecords IDs were not valid snapshot IDs.

Re: API access to cdFMC audit log configuration changes

Ben Weber — Mon, 17 Nov 2025 22:28:41 GMT

Hey @rc11

Sorry to hear that. I would suggest reaching out to your Cisco account manager to lodge a feature request for programmatically retrieving snapshotId values.

The snapshotId values are internal to FMC and are linked to configuration changes/deployments, thought that would come from the /auditrecords endpoint but looks like that is not the case.

Sorry I can't be of more help.

Re: API access to cdFMC audit log configuration changes

rc11 — Mon, 17 Nov 2025 23:40:24 GMT

Actually, upon continuing to dig, we noticed that there was a snapshotId attribute in Policy Editor Save logs (generated when a policy is saved after modification). We will be looking into passing that snapshotId to the configchanges endpoint to see if we can get a delta of the changes.

Re: API access to cdFMC audit log configuration changes

rc11 — Wed, 19 Nov 2025 22:26:08 GMT

Update: we were successful in making the call to the /configchanges endpoint using the snapshotId attribute of the Save Policy event log. So note that the audit record id itself is not a valid snapshotId. It needs to be a snapshotId attribute that is part of a Save Policy event. We were unable to find any other type of log containing a snapshotId attribute. This answers my question. Thank you!