aw-mfe/esmcheckds2

API Help

Closed this issue · 17 comments

Hi Andy,

I am working on my own API project, that's how I got here. I was wondering if you could help me write a query for a specific data source. I managed to get events, but I just can't find the right filter to filter by data source; any help much appreciated! I have attached the filter fields I got from the ESM. Thanks in advance, Adam
filter_fields.txt

Hi Adam,

Use 'devGetDeviceList' to get a list of devices and their IPSID, then use that as a filter in your query.

Here is a working query:

{'config': 
  {'timeRange': 'PREVIOUS_DAY', 
   'fields': [{'name': 'FirstTime'}, {'name': 'EventCount'}, {'name': 'DSIDSigID'}, {'name': 'IPSIDAlertID'}, {'name': 'AlertID'}, {'name': 'IPSID'}, {'name': 'SigID'}, {'name': 'SrcIP'}, {'name': 'DstIP'}, {'name': 'DomainID'}, {'name': 'Sensor_Name'}, {'name': 'ThirdPartyType.Name'}], 
    'filters': 
        [{'type': 'EsmFieldFilter', 
        'field': {'name': 'SrcIP'}, 
        'operator': 'EQUALS', 
        'values': [{'type': 'EsmBasicValue', 'value': '10.10.22.50'}]}, 
        {'type': 'EsmFieldFilter', 
         'field': {'name': 'IPSID'}, 
         'operator': 'EQUALS', 
         'values': [{'type': 'EsmBasicValue', 'value': '144116287604260864'}]}], 
    'order': [{'direction': 'ASCENDING', 
    'field': {'name': 'FirstTime'}}], 
    'includeTotal': False, 
    'limit': 5000}}
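As an added example (not code from the thread or from the esmcheckds2 project), the following builds the same query shape as the one posted above, taking the IPSID from a device list. The device-list field names ('name', 'ipsid') and the sample devices are assumptions about what devGetDeviceList returns, not the real API response. The IPSID is kept as a string deliberately: 144116287604260864 is larger than 2^53, so a client that parses it as a JSON number (any JavaScript consumer, for instance) would silently lose precision.

```python
import json

# Constructed sample, shaped as ASSUMED devGetDeviceList output.
# Real field names may differ; only the IPSID value itself is from the thread.
SAMPLE_DEVICES = [
    {"name": "ERC-01", "ipsid": "144116287604260864"},
    {"name": "ACE-01", "ipsid": "144117386949820416"},
]

# Field list copied from the query posted above.
DEFAULT_FIELDS = [
    "FirstTime", "EventCount", "DSIDSigID", "IPSIDAlertID", "AlertID",
    "IPSID", "SigID", "SrcIP", "DstIP", "DomainID", "Sensor_Name",
    "ThirdPartyType.Name",
]


def find_ipsid(devices, name):
    """Return the IPSID (as a string) of the device called `name`, or None."""
    for dev in devices:
        if dev.get("name") == name:
            return str(dev["ipsid"])
    return None


def field_filter(field, value):
    """One EsmFieldFilter with operator EQUALS, as used in the query above."""
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field},
        "operator": "EQUALS",
        "values": [{"type": "EsmBasicValue", "value": str(value)}],
    }


def build_query(ipsid, src_ip=None, time_range="PREVIOUS_DAY", limit=5000):
    """Build the qryExecuteDetail-style config dict filtered by data source.

    `ipsid` must be a numeric string; rejecting anything else catches the
    common mistake of passing a device name or an int that was already
    rounded by a float conversion.
    """
    if not (isinstance(ipsid, str) and ipsid.isdigit()):
        raise ValueError("IPSID must be a numeric string, got %r" % (ipsid,))
    filters = []
    if src_ip:
        filters.append(field_filter("SrcIP", src_ip))
    filters.append(field_filter("IPSID", ipsid))
    return {
        "config": {
            "timeRange": time_range,
            "fields": [{"name": f} for f in DEFAULT_FIELDS],
            "filters": filters,
            "order": [{"direction": "ASCENDING", "field": {"name": "FirstTime"}}],
            "includeTotal": False,
            "limit": limit,
        }
    }


def to_json(query):
    """Serialise for the HTTP body; Python True/False become JSON true/false."""
    return json.dumps(query)


if __name__ == "__main__":
    ipsid = find_ipsid(SAMPLE_DEVICES, "ERC-01")
    print(to_json(build_query(ipsid, src_ip="10.10.22.50")))
```

Swap SAMPLE_DEVICES for the parsed devGetDeviceList response once you have confirmed its actual field names; the query body itself is unchanged.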

Hi Adam,

There are some new methods for clients in 11.2 (released yesterday), but for a quick fix, you could do the following to get a list of clients.

clients

Perhaps. Could you help me understand the use case? Are you exporting custom rules or making a backup or something else? Thanks.

Hey Andy, I was wondering if you knew any other way to export correlation rules other than from the GUI, preferably with the API or SSH. Thank you, Adam

Is it possible to accomplish your goal manually in the UI? If so, could you list the steps?

Any reason not to use the backup functionality built into the product? Thanks.

Check out System Properties | ESM Management | Settings Backup. You will see that you can schedule the backup and point the file to a remote share. Does this work for your goal? Thanks.

setting_backup

Does the ESM configuration backup include all that? We always create separate backups. It can be done in the UI, but I want to do it as a daily task instead of doing it manually...


Sounds interesting. I would like to check it out. Thanks.

Hey Andy, I wrote a little JS to open tabs in the ESM and also loop through them, very useful when somebody has only one screen but multiple dashboards. It also does not need installation and works with all browsers as far as I know. If you want it I would like to share it with you; maybe I can give something back for all the help you gave 😊 Adam

api

They brought back the critical methods in 11.2.1, patch 4 (inquire with support, it's up to patch 7 now).