GET /access/login_attempts

Gets the list of login attempts.

For SaaS and single sign-on authentication modules, failed login attempts are not tracked. Successful login attempts are recorded when the QRadar session is created, not necessarily when the user entered their credentials on the single sign-on login page. Any user or authorized service can call this endpoint. If the caller has the ADMIN capability, login attempts for all users are returned. For all other callers, only login attempts for the current caller are returned.

Table 1. GET /access/login_attempts resource details

| MIME Type |
|---|
| application/json |

Table 2. GET /access/login_attempts request parameter details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. |

Table 3. GET /access/login_attempts response codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | An array of login attempts. The attempt_time is used as the default sort input in descending order. |
| 422 | 1005 | A request parameter is not valid. |
| 422 | 1010 | Invalid filter criteria supplied. |
| 422 | 1030 | The sort field or order is not valid. |
| 500 | 1020 | An error occurred while retrieving login attempts. |

Response Description

An array of login attempts. The attempt_time is used as the default sort input in descending order.
  • attempt_time - Long - The time the login attempt happened, in milliseconds since epoch.
  • user_id - Long - ID of the user who made the login attempt. Users are accessible through the /api/config/access/users APIs.
  • remote_ip - String - The remote IP address that made the login attempt.
  • attempt_result - Enum - The result of the login attempt.
  • attempt_method - Enum - The method of the login attempt. HTTP_BASIC is for API-based HTTP basic authentication, and LOGIN_PAGE is for a UI login attempt.

Response Sample


[{"attempt_result": "String <one of: SUCCESS, FAILURE>", "attempt_time": 42, "remote_ip": "String", "user_id": 42, "attempt_method": "String <one of: LOGIN_PAGE, HTTP_BASIC>"}]
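A triage sketch over this endpoint's response, added here as an example and not part of the QRadar documentation: it flags each remote_ip with a burst of FAILURE results and records whether a SUCCESS followed, which only covers authentication modules that track failed attempts (not SaaS or single sign-on, as noted above). The function name, the threshold of 3, the 60-second window and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque

T0 = 1_700_000_000_000  # constructed epoch-millisecond base time

def _row(offset_s, user_id, ip, result, method="LOGIN_PAGE"):
    return {"attempt_time": T0 + offset_s * 1000, "user_id": user_id,
            "remote_ip": ip, "attempt_result": result, "attempt_method": method}

# Constructed sample in the documented response shape (documentation-range IPs).
SAMPLE_RESPONSE = json.dumps([
    _row(40, 7, "198.51.100.23", "SUCCESS", "HTTP_BASIC"),  # success after burst
    _row(30, 7, "198.51.100.23", "FAILURE", "HTTP_BASIC"),
    _row(20, 7, "198.51.100.23", "FAILURE", "HTTP_BASIC"),
    _row(10, 7, "198.51.100.23", "FAILURE", "HTTP_BASIC"),
    _row(10, 3, "203.0.113.5", "FAILURE"),                  # many user_ids, one IP
    _row(5, 2, "203.0.113.5", "FAILURE"),
    _row(0, 1, "203.0.113.5", "FAILURE"),
    _row(700, 9, "192.0.2.10", "FAILURE"),                  # spread out, no burst
    _row(400, 9, "192.0.2.10", "FAILURE"),
    _row(100, 9, "192.0.2.10", "FAILURE"),
    _row(110, 4, "192.0.2.44", "SUCCESS"),                  # single mistyped password
    _row(101, 4, "192.0.2.44", "FAILURE"),
])

def find_failure_bursts(attempts, threshold=3, window_ms=60_000):
    """Flag each remote_ip with >= threshold FAILUREs inside window_ms."""
    recent = defaultdict(deque)  # remote_ip -> (time, user_id) of recent FAILUREs
    findings = {}
    # Default API order is attempt_time descending; walk oldest first.
    for a in sorted(attempts, key=lambda a: a["attempt_time"]):
        ip, t = a["remote_ip"], a["attempt_time"]
        window = recent[ip]
        while window and t - window[0][0] > window_ms:
            window.popleft()  # drop failures that fell out of the window
        if a["attempt_result"] == "FAILURE":
            window.append((t, a["user_id"]))
        if len(window) < threshold:
            continue
        f = findings.setdefault(ip, {"max_failures": 0, "user_ids": set(),
                                     "success_after_burst": False})
        f["max_failures"] = max(f["max_failures"], len(window))
        f["user_ids"].update(u for _, u in window)
        if a["attempt_result"] == "SUCCESS":
            f["success_after_burst"] = True  # highest-priority finding
    return findings

if __name__ == "__main__":
    for ip, f in find_failure_bursts(json.loads(SAMPLE_RESPONSE)).items():
        print(ip, f)
```

A caller without the ADMIN capability only receives its own login attempts, so run this with an ADMIN-capable account to cover all users.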