Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
704
Views
3
Helpful
3
Replies

API access to cdFMC audit log configuration changes

Go to solution
rc11
Level 1
Level 1

‎10-20-2025 01:23 PM

Hi there,

I tried posting this in the Technology and Support forums and it was marked as spam within minutes. It's been an absolute nightmare to get any clear information on the API endpoints that we're trying to access, and this community is my only hope...

So YES, this is a repost of my previously posted topic, but it is NOT SPAM. I am trying to get some help here!

My developer colleague and I (detection engineer) would like to call the following API endpoint:

GET​/api​/fmc_platform​/v1​/domain​/{domainUUID}​/audit​/configchanges

However, according to the documentation in API Explorer, this call requires a parameter called snapshotId that is not documented anywhere else, and doesn't even show up anywhere in the GUI. Furthermore, there is no API endpoint that would return valid snaphot IDs.

Does anyone know what this parameter represents, and how to get any or all valid snapshotId values for a tenant?

Thanks in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rc11
Level 1
Level 1
In response to bigevilbeard

‎11-17-2025 02:12 PM - edited ‎11-19-2025 02:28 PM

Hey there bigevilbeard, we tried passing auditrecords IDs as snapshotId parameters, and that did not work out. We're going to try to get a TAC case going for the logs we were unable to pull from API calls. Thank you for weighing in!

Edit: we noticed a snapshotId attribute in a Save Policy log, so we tested it out. Those are the actual snapshotId values we needed for a successful GET from the configchanges endpoint. This answers my question. Thank you!

View solution in original post

3 Replies 3

Go to solution
bigevilbeard
VIP
VIP

‎10-20-2025 01:53 PM

Might be putting two a two together and getting a dog here. But from what I can gather in this doc https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/API/cloud_delivered_firewall_management_center_rest_api_quick_start_guide/Objects_In_The_REST_API.pdf

The snapshotId you provide is the uuid of the corresponding entry from the main audit records log. It looks like Ytou would first query the GET auditrecords endpoint to find the ID of the configuration change event, and then use that ID as the snapshotId to get the detailed diff

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Go to solution
rc11
Level 1
Level 1
In response to bigevilbeard

‎10-20-2025 02:12 PM

We'll try that and report back with the results! Thank you

Go to solution
rc11
Level 1
Level 1
In response to bigevilbeard

‎11-17-2025 02:12 PM - edited ‎11-19-2025 02:28 PM

Hey there bigevilbeard, we tried passing auditrecords IDs as snapshotId parameters, and that did not work out. We're going to try to get a TAC case going for the logs we were unable to pull from API calls. Thank you for weighing in!

Edit: we noticed a snapshotId attribute in a Save Policy log, so we tested it out. Those are the actual snapshotId values we needed for a successful GET from the configchanges endpoint. This answers my question. Thank you!

Customers Also Viewed These Support Documents