API access to cdFMC audit log configuration changes

rc11
Level 1

Hi there,

I tried posting this in the Technology and Support forums and it was marked as spam within minutes. It's been an absolute nightmare to get any clear information on the API endpoints that we're trying to access, and this community is my only hope...

So YES, this is a repost of my previously posted topic, but it is NOT SPAM. I am trying to get some help here!

My developer colleague and I (detection engineer) would like to call the following API endpoint:

GET /api/fmc_platform/v1/domain/{domainUUID}/audit/configchanges

However, according to the documentation in API Explorer, this call requires a parameter called snapshotId that is not documented anywhere else, and doesn't even show up anywhere in the GUI. Furthermore, there is no API endpoint that would return valid snapshot IDs.

Does anyone know what this parameter represents, and how to get any or all valid snapshotId values for a tenant?

Thanks in advance.


Might be putting two and two together and getting a dog here. But from what I can gather in this doc https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/API/cloud_delivered_firewall_management_center_rest_api_quick_start_guide/Objects_In_The_REST_API.pdf

The snapshotId you provide is the uuid of the corresponding entry from the main audit records log. It looks like you would first query the GET auditrecords endpoint to find the ID of the configuration change event, and then use that ID as the snapshotId to get the detailed diff.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
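
The two-step lookup suggested in the reply above, sketched as an added example (not code from either poster or from Cisco) for pulling configuration diffs into a detection pipeline. Assumptions: an `auditrecords` resource sits beside `configchanges`, list responses carry an `items` array whose entries have an `id`, paging uses `offset`/`limit`, `snapshotId` is a query parameter, and `fetch` is a hypothetical caller-supplied function that performs the authenticated GET and returns `(status, parsed_json)`.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUDIT = "https://{host}/api/fmc_platform/v1/domain/{domain}/audit/{resource}"

def audit_url(host, domain, resource, **params):
    url = AUDIT.format(host=host, domain=quote(domain, safe=""), resource=resource)
    return url + "?" + urlencode(params)

def iter_audit_records(fetch, host, domain, page_size=25):
    """Walk the audit record list page by page (assumed offset/limit paging)."""
    offset = 0
    while True:
        status, body = fetch(audit_url(host, domain, "auditrecords",
                                       offset=offset, limit=page_size))
        if status != 200:
            raise RuntimeError(f"auditrecords returned HTTP {status}")
        items = body.get("items", [])
        yield from items
        if len(items) < page_size:  # short page: nothing further to read
            return
        offset += page_size

def collect_config_changes(fetch, host, domain, page_size=25):
    """Map audit record id -> config diff, trying each id as snapshotId."""
    changes = {}
    for record in iter_audit_records(fetch, host, domain, page_size):
        rec_id = record.get("id")
        if not rec_id:
            continue
        status, body = fetch(audit_url(host, domain, "configchanges",
                                       snapshotId=rec_id))
        # Records that are not configuration changes are assumed to give
        # a non-200 status or an empty item list; skip them.
        if status == 200 and body.get("items"):
            changes[rec_id] = body["items"]
    return changes

# Constructed sample data standing in for the API (not real cdFMC output).
RECORDS = [{"id": "rec-1"}, {"id": "rec-2"}, {"id": "rec-3"}]
DIFFS = {"rec-2": [{"field": "name", "old": "a", "new": "b"}]}

def fake_fetch(url):
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if parts.path.endswith("/auditrecords"):
        start, size = int(query["offset"][0]), int(query["limit"][0])
        return 200, {"items": RECORDS[start:start + size]}
    snap = query["snapshotId"][0]
    return (200, {"items": DIFFS[snap]}) if snap in DIFFS else (404, {})

if __name__ == "__main__":
    print(collect_config_changes(fake_fetch, "fmc.example", "domain-uuid", 2))
```
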

We'll try that and report back with the results! Thank you