McAfee SIEM has a strong API that allows to interact with the application programatically. This API offers a RESTful interface and its documentation is available in the following URL on a running ESM https://<ESM_IP>/rs/esm/help
In this post, through a set of code snippets I will show you how to connect to the ESM API via RESTful and execute different API commands.
1) Initial connection to the API Server
In this first code snippet we are authenticating against the API and we obtain a token in the response that we use in order to create an authenticated header that will be used for the rest of API connections.
2) Testing that we have all the authentication parameters needed. Getting the time of the system.
In this second code snippet we use the just obtained authentication header in order to get the system time through the available command (essmgtGetESSTime)
3) Getting the version (builtstamp) of the system.
4) Other useful available commands
The API allows to get information a lot of information about the system.
5) Query for events
In this code snippet, we query for some events according with several input parameters that define the fields that will be obtained and the filters that limit the information obtained. Specifically we are filtering the events by those generated by the correlation engine (DSID = 47 or 380)
This procedure returns a job_id value, later on we'll have to check by this value if McAfee SIEM has finished obtaining the information
6) Checking the status of the query.
The previous long value 140471397892928 is used to check against the ESM if the query has finished.
As we can see there are a total of 17 records that match with the previous filter condition.
7) Getting the final events
As the previous filter indicate that the Data Source ID (DSID) must be the correlation engines, the events that we are obtaining are in fact correlated events.
8) Getting the source events
The command qryGetCorrEventDataForID, allows to get all the source events related to a correlated event. It needs the Id of the correlated event this ID in 10.2.0 version is created using two values related to the fields (Alert.IPSID and Alert.AlertID), the following code snippet shows how to concatenate both values.
9) Logout from the ESM
Once we finish obtaining the desired information we logout from the system.
That's all
Thanks for reading
In this post, through a set of code snippets I will show you how to connect to the ESM API via RESTful and execute different API commands.
1) Initial connection to the API Server
In this first code snippet we are authenticating against the API and we obtain a token in the response that we use in order to create an authenticated header that will be used for the rest of API connections.
2) Testing that we have all the authentication parameters needed. Getting the time of the system.
In this second code snippet we use the just obtained authentication header in order to get the system time through the available command (essmgtGetESSTime)
3) Getting the version (builtstamp) of the system.
4) Other useful available commands
The API allows to get information a lot of information about the system.
5) Query for events
In this code snippet, we query for some events according with several input parameters that define the fields that will be obtained and the filters that limit the information obtained. Specifically we are filtering the events by those generated by the correlation engine (DSID = 47 or 380)
This procedure returns a job_id value, later on we'll have to check by this value if McAfee SIEM has finished obtaining the information
6) Checking the status of the query.
The previous long value 140471397892928 is used to check against the ESM if the query has finished.
As we can see there are a total of 17 records that match with the previous filter condition.
7) Getting the final events
As the previous filter indicate that the Data Source ID (DSID) must be the correlation engines, the events that we are obtaining are in fact correlated events.
8) Getting the source events
The command qryGetCorrEventDataForID, allows to get all the source events related to a correlated event. It needs the Id of the correlated event this ID in 10.2.0 version is created using two values related to the fields (Alert.IPSID and Alert.AlertID), the following code snippet shows how to concatenate both values.
9) Logout from the ESM
Once we finish obtaining the desired information we logout from the system.
That's all
Thanks for reading
Code available on the following repository: https://github.com/built4tech/esm
ReplyDeleteThank you for sharing this. It was helpful. Keep sharing such things.
ReplyDelete