akamai/AkamaiOPEN-edgegrid-python

DXE-2673 [BUG] 400 Error - SIEM API Python Example

Closed this issue · 2 comments

Describe the bug
SIEM API (https://techdocs.akamai.com/siem-integration/reference/get-configid) has a recipe called Fetch security event in time-based mode | Python that uses this library. It does not work and returns an error.

To Reproduce
Steps to reproduce the behavior:

import requests
from akamai.edgegrid import EdgeGridAuth, EdgeRc
from urllib.parse import urljoin

edgerc = EdgeRc('~/.edgerc.txt')
section = 'default'
baseurl = 'https://%s' % edgerc.get(section, 'host')

session = requests.Session()
session.auth = EdgeGridAuth.from_edgerc(edgerc, section)

configId = "12345"

path = "https://hostname/siem/v1/configs/{}".format(configId)

headers = {
    "Accept": "application/json"}

querystring = {
    "from": "1488816442",
    "to": "1488816784",
    "limit": 1000
}

result = session.get(urljoin(baseurl, path),
                     headers=headers, params=querystring)
print(result.status_code)
print(result.json())

Expected behavior
For the documentation example to work.

Actual behavior
It outputs this error.

{
'type': 'https://problems.cloudsecurity.akamaiapis.net/siem/v1/missing-parameters',
'title': 'Missing mandatory parameter(s) or illegal parameter parameter(s) in the request',
'instance': 'https://{host}/siem/v1/configs/{configid}?from={from}',
'detail': 'Missing mandatory parameter(s) or illegal parameter parameter(s) in the request',
'method': 'GET'
...
}

Judging from the instance above, it appears that only the first query parameter is being recognized. If the & character is encoded to %26 in the signature generation then the instance variable changes to 'instance': 'https://{host}/siem/v1/configs/{configid}?from={from}&to={to}&limit={limit}', but gives a 401 error for the signature not matching. If the & character is encoded to %26 in the request and signature, then it returns a 400 error for missing parameters.

Hi @estelae,

Thank you for opening an issue. I'll be investigating it and I'll get back to you once I learn more about it.

Kind regards,
Darek

Hi @estelae

SIEM API can only fetch data starting from 12 hours in the past. So, you may get a 400 due to:

from & to need to be within the past 12 hours
from needs to be less than to

Looks like you are using some dummy values for the query params and most probably this is the issue here.

Please let us know if this clarification helps.
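
A pre-flight check for the two constraints listed in the reply above, as an added example that is not part of the original issue or of the edgegrid library. The function names, the fixed clock value and the placeholder host are assumptions, as is treating the 12-hour boundary as inclusive.

```python
import time
from urllib.parse import urlencode, urljoin

MAX_LOOKBACK_SECONDS = 12 * 60 * 60  # the 12-hour limit stated in the reply above


def window_problems(from_ts, to_ts, now=None):
    """Return the reasons a from/to pair would be rejected (empty list if OK)."""
    now = int(time.time()) if now is None else int(now)
    oldest = now - MAX_LOOKBACK_SECONDS  # assumption: the boundary itself is allowed
    problems = []
    for name, value in (("from", from_ts), ("to", to_ts)):
        if value < oldest:
            problems.append(f"{name}={value} is {oldest - value}s older than the 12-hour limit")
        elif value > now:
            problems.append(f"{name}={value} is in the future")
    if from_ts >= to_ts:
        problems.append(f"from={from_ts} is not less than to={to_ts}")
    return problems


def build_query(from_ts, to_ts, limit=1000, now=None):
    """Validate the window, then return the query parameters for the request."""
    problems = window_problems(from_ts, to_ts, now)
    if problems:
        raise ValueError("; ".join(problems))
    return {"from": str(from_ts), "to": str(to_ts), "limit": limit}


def recent_window(minutes, now=None):
    """Epoch-second (from, to) pair covering the last `minutes`, capped at 12 hours."""
    now = int(time.time()) if now is None else int(now)
    span = min(minutes * 60, MAX_LOOKBACK_SECONDS)
    return now - span, now


if __name__ == "__main__":
    NOW = 1700000000  # constructed clock value so the output is reproducible
    # The timestamps from the issue fall far outside the allowed window.
    print(window_problems(1488816442, 1488816784, now=NOW))
    start, end = recent_window(30, now=NOW)
    params = build_query(start, end, now=NOW)
    # Placeholder host (hypothetical); configId 12345 as in the issue.
    url = urljoin("https://akab-example.invalid", "/siem/v1/configs/12345")
    print(url + "?" + urlencode(params))
```

In a real client, the dictionary returned by `build_query` would be passed as `params=` to the signed `session.get` call shown in the issue.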