Detecting users deleted from a group


I was trying to unassign a group from a user using Postman.

I used the HTTP DELETE method on the {{url}}/api/v1/groups/:gid/users/:uid endpoint.

When I hit the {{url}}/api/v1/groups?filter=lastMembershipUpdated+gt+"2015-10-01T00:00:00.000Z" endpoint I am able to fetch the group whose member was deleted.

When I hit the {{url}}/api/v1/groups/:gid/users endpoint, I do not get any information on which user was deleted.

Is there any way by which we can find out which user was deleted that caused the membership for that group to be updated?

Hi @Pranav, I would definitely think about going from this in the other direction. The /logs API has an event that you can poll for that will get you the event you are looking for. The targets of the event will be the user and the group, so you have references to both.

eventType eq "group.user_membership.remove"

Hope this helps!

Thank you @tom,

After going through the documentation I have come across another hurdle. The document states that the /logs API only keeps the data for the past 90 days.

This would mean that any group removal action happening prior to that would not be fetched from this endpoint.

Is there a way to increase this 90 days threshold?

90 days is the max. You would need to write some code to move the information into your own long-term storage or into a service like Splunk or another SIEM.

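The approach suggested in the replies above, as an added example that is not part of the original thread and is not Okta's code: it builds the /logs poll for the removal event, flattens each event's targets into a user and a group, and archives them in SQLite so the record outlives the 90-day window. The function names, the table name and the sample events are constructed for illustration; the event fields used (uuid, published, actor, and target entries typed User and UserGroup) are assumed to follow the System Log event shape.

```python
import sqlite3
from urllib.parse import urlencode

EVENT_TYPE = "group.user_membership.remove"  # event type named in the thread

def logs_url(base_url, since):
    """Poll URL for removal events published after `since` (ISO 8601)."""
    query = {"filter": f'eventType eq "{EVENT_TYPE}"', "since": since,
             "sortOrder": "ASCENDING"}
    return f"{base_url}/api/v1/logs?{urlencode(query)}"

def to_row(event):
    """Flatten one event; its targets carry both the user and the group."""
    ids = {t["type"]: t["id"] for t in event.get("target") or []}
    return (event["uuid"], event["published"], ids.get("User"),
            ids.get("UserGroup"), (event.get("actor") or {}).get("id"))

def archive(db, events):
    """Store events and return how many were new. The uuid primary key makes
    re-polling an overlapping time window idempotent."""
    db.execute("CREATE TABLE IF NOT EXISTS group_removals (uuid TEXT PRIMARY KEY,"
               " published TEXT, user_id TEXT, group_id TEXT, actor_id TEXT)")
    rows = [to_row(e) for e in events if e.get("eventType") == EVENT_TYPE]
    before = db.total_changes
    db.executemany("INSERT OR IGNORE INTO group_removals VALUES (?,?,?,?,?)", rows)
    db.commit()
    return db.total_changes - before

def removed_users(db, group_id, since):
    """Answer the original question from the archive, with no 90-day limit."""
    cur = db.execute("SELECT user_id FROM group_removals WHERE group_id = ?"
                     " AND published > ? ORDER BY published", (group_id, since))
    return [r[0] for r in cur]

# Constructed sample events (IDs are placeholders, not real Okta objects).
SAMPLE = [
    {"uuid": "evt-1", "published": "2015-10-02T09:00:00.000Z", "eventType": EVENT_TYPE,
     "actor": {"id": "admin-1"},
     "target": [{"type": "User", "id": "user-A"}, {"type": "UserGroup", "id": "group-1"}]},
    {"uuid": "evt-2", "published": "2015-10-03T09:00:00.000Z", "eventType": EVENT_TYPE,
     "actor": {"id": "admin-1"},
     "target": [{"type": "UserGroup", "id": "group-1"}, {"type": "User", "id": "user-B"}]},
]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(logs_url("https://example.okta.com", "2015-10-01T00:00:00.000Z"))
    print(archive(db, SAMPLE), archive(db, SAMPLE))
    print(removed_users(db, "group-1", "2015-10-01T00:00:00.000Z"))
```

Storing the actor alongside the user and group keeps the archive usable for later review of who made each membership change.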