The short answer: The Security Events API is a REST API that lets you pull security and audit events from your Proof account — such as logins, role changes, and MFA activity — directly into your SIEM or security monitoring tools like Splunk or Datadog.
This feature is automatically enabled for organizations with Command Center Standard or Command Center Lite access. To get started, you need a Proof API key.
Why use the Security Events API
Organizations pursuing SOC2 or ISO 27001 certification need to demonstrate that security events in systems containing customer data are being monitored. Previously, there was no way to export these events from the Proof platform. The Security Events API solves this by letting you automatically pull events into your own tools.
- Enables compliance certification — provides auditable security event logs to support SOC2 and ISO 27001 requirements
- Saves time — eliminates manual security monitoring through automated API integration
- Industry-standard format — events are returned in OCSF (Open Cybersecurity Schema Framework) for direct ingestion by most SIEM tools without transformation
- Comprehensive coverage — tracks 15+ critical event types including logins, role changes, MFA changes, API key activity, and suspicious behavior
- 90-day retention — provides sufficient history for security investigations and compliance audits
How it works
- Enable the feature — automatically enabled for all organizations with Command Center Standard or Lite access. No action needed.
- Generate API credentials — create an API key from your account settings to authenticate requests.
-
Initial backfill — make your first API call with a
sinceparameter to pull historical events (up to 30 days back):GET /logs/v1/security-events?since=2026-02-01T00:00:00Z&limit=1000
-
Set up ongoing polling — configure your SIEM to poll the API regularly (every 5–15 minutes recommended) using the
cursorfrom the previous response:GET /logs/v1/security-events?cursor=eyJpZCI6MTIzNH0&limit=1000
-
Filter events (optional) — add filters for specific event types or severity levels:
GET /logs/v1/security-events?class_uid=3002&severity_id=1
- Process events — events are returned in OCSF format and can be ingested directly by most SIEM tools without transformation.
- Monitor continuously — events are retained for 90 days. The API supports up to 100 requests per 15-minute window.
Who is this for
The Security Events API is designed for enterprise and commercial customers in regulated industries — particularly organizations pursuing security certifications or that need to centralize security monitoring. Common use cases include:
- Security operations teams
- Compliance officers
- IT administrators
- DevSecOps engineers
✓ Summary Checklist
- Available automatically to all Command Center Standard and Lite orgs — no setup needed beyond an API key.
-
Use
sincefor initial backfill (up to 30 days), then poll withcursorevery 5–15 minutes for ongoing monitoring. - Events are in OCSF format, retained for 90 days, and the API supports up to 100 requests per 15 minutes.
Updated