Topic: 15 replies, latest post 2015-07-22T05:21:01Z by SujayM

SujayM, 10 Posts

Pinned topic: Getting event details through API by passing offense ID

2015-07-03T13:22:34Z | Tags: api aql ariel event offense search

Hi All,

Objective: Get all the events associated with an offense by passing the offense ID.

Using AQL, I found one sample query in the docs: SELECT * FROM events WHERE InOffense(3284).

However, when I pass this query in the "POST /ariel/searches" section I do not get any result. Please note I am not getting any error here, just blank results. The offense is generated correctly with multiple events under it, and I have tried this with multiple offense IDs.

I have tried things like InOffense('3284'), and passing this through HTML code in the browser as InOffense(%2C3284%2C), but no luck.

Please let me know if anyone has tried this particular query.

Regards,

Sujay


  • Taylor.Osmun (IBM), 55 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-03T14:03:44Z

    Hi Sujay,

     

    Could you verify that your time-frame is correct? If you do not specify a time-frame in AQL (via START and STOP parameters), then it will default to the last 5 minutes.

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-04T09:07:36Z

    Hi Taylor,

    Thanks for the prompt response. I have not been specifying a time-frame; will check this out.

    But I am giving a specific offense ID, so should time really matter? I am not looking for offense IDs in the last hour or last 15 minutes; if I want event details from a specific offense, should I still give a time frame?

    If yes, then is there an upper limit for specifying the time frame? Can I set it to 12 hours?

    Regards,

    Sujay

  • Taylor.Osmun (IBM), 55 Posts (ACCEPTED ANSWER)

    Re: Getting event details through API by passing offense ID

    2015-07-07T12:11:24Z, in reply to SujayM, 2015-07-04T09:07:36Z


    Hi Sujay,

     

    Yes, the time-frame matters. The API is for searches against event and flow information; searches are performed against events, not offences. Therefore, you must specify what range of events you wish to check for criteria. In this case, your use case is 'Get me any events within start X and stop time Y that are associated with offense 3284'.

    I'm not aware of a limit on the time range, but the larger the range, the bigger the footprint of your search, and the longer it will take.

     

    I have been able to use InOffense successfully with restapi locally. I first verified it via the 'Advanced Search' tab in the UI (which allows you to execute AQL as well) to find a time-frame that I knew would match.

    I then executed the following curl command to create the search:

       curl -X POST -k -u username:password https://localhost/api/ariel/searches --data-urlencode "query_expression=select * from events where inoffense(8) START '2015-07-07 7:50:00' STOP '2015-07-07 8:10:00'"

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-07T13:24:50Z


    Hi Taylor,

     

    I am using version 7.2.5.

     

    I have tried the InOffense query but it was not working through API. I will try using timestamp and/or using Advanced Search.

     

    Regards,

    Sujay

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-09T11:13:17Z, in reply to SujayM, 2015-07-07T13:24:50Z


    Hi Taylor,

    I am able to get data after adding START and STOP parameters.

     

    Thanks a lot!!!!!!!!!

     

    Cheers,

    Sujay

     

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-13T07:06:42Z


    Hi Taylor,

    Currently, getting the base events from an offense ID is a two-step process.

    1. I have to send a POST request to "/ariel/searches" with the query (example: select * from events where INOFFENSE(2684) start '2015-07-10 01:20:00' stop '2015-07-10 23:00:00') in the query_expression parameter.
       a. The response to this is a search id (example: 47f48262-d279-4fed-b646-2f82059d7b1b).
    2. I have to send a GET request to /ariel/searches/{search_id}/results (example: GET /ariel/searches/47f48262-d279-4fed-b646-2f82059d7b1b/results).
       a. The response will be the offense event details.

    Essentially, to get offense event details, I have to send two requests every time, and I also have to keep changing the START and STOP time.

    Is there a way to get the offense event details in one go?

     

    Regards,

    Sujay

  • Taylor.Osmun (IBM), 55 Posts (ACCEPTED ANSWER)

    Re: Getting event details through API by passing offense ID

    2015-07-13T13:55:34Z, in reply to SujayM, 2015-07-13T07:06:42Z


    Hi Sujay,

    Multiple requests are required because queries are asynchronous; this is how you perform queries against events/flows.

    In fact, there is an additional step, the process is:

    1. Send a POST request to /ariel/searches, where query_expression is your AQL query

    a. If response is 201, obtain search_id from response

    2. Send a GET request to /ariel/searches/{search_id} to obtain the status of the search. While the response code is 200 and the status is not 'COMPLETED' or 'ERROR', loop.

    3. If the status is 'ERROR', you can use the error_messages response to obtain information. If the status is 'COMPLETED', you can get the results via GET /ariel/searches/{search_id}/results

    In addition to checking for 'ERROR' status, any non-2XX responses across the restapi will have the same error envelope that you can handle.

    If you wish to have an 'execute and retrieve results' functionality, these steps are easy to script.

     

    Again, this is only to be used for searching against events, flows, and other related databases. It does not search offences directly.

    Once you have an offence ID associated with an event, you can get details about the offence using [GET /offenses/{offense_id}]

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems

     

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-13T14:01:55Z


     

    Hi Taylor,

     

    Got it. Thanks

     

    Regards,

    Sujay

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-14T13:05:53Z


     

    Hi Taylor,

    Another question.

    The select query gives output for a predefined set of 11 columns, as shown in the screenshot below (sourceip, destinationip etc.).

    Is it possible to add columns or get details like logSourceGroup, logSourceIdentifier, logSourceType?

     

    Regards,

    Sujay

     

  • Taylor.Osmun (IBM), 55 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-14T13:34:56Z, in reply to SujayM, 2015-07-14T13:05:53Z


     

    Hi Sujay,

     

    You specified '*' in your query. Normally in relational databases this refers to 'all columns'.

    However, there can be hundreds of available columns (properties) for any given database in QRadar, so instead we restrict it to the small set you see there.

    Just like a relational database, you can specify the list of columns/properties simply by listing them as CSV:

    SELECT logSourceGroup, logSourceIdentifier, logSourceType FROM ..... WHERE ... START ... STOP ...

    etc.

    It is all outlined in the documentation for AQL v3: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/r_aql_selectstaement.html

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-15T11:55:38Z


    Hi Taylor,

    Thanks for the info. Even I was wondering why '*' returns only 11 columns.

    I checked this link for 7.2.5 - Supported event fields for AQL queries - http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/c_aql_even_flow_fields_ref.html?lang=en

    There are 32 fields listed here, which do not include LogSourceTypeName, LogSourceGroupName and LogSourceIdentifier.

    I can get LogSourceTypeName and LogSourceGroupName using the functions LogSourceTypeName(LogSourceId) and LogSourceGroupName(LogSourceId).

    Link - http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/r_aql_supported_functions.html?lang=en

    But I am still not able to get LogSourceIdentifier. The select query SELECT logSourceGroup, logSourceIdentifier, logSourceType FROM ..... WHERE ... START ... STOP throws an error.

    Is there any way to get a list of all columns in the event database? I tried using the API - GET /ariel/databases/{database_name} - passing "events" in the database_name parameter, but the results are not complete and do not include LogSourceIdentifier.

     

    Regards,

    Sujay

  • Taylor.Osmun (IBM), 55 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-15T19:10:01Z, in reply to SujayM, 2015-07-15T11:55:38Z


    Hi Sujay.

     

    [GET /ariel/databases/{database_name}] does show a complete list of properties available to you for a given database.

    There is no such endpoint for functions currently.

     

    'logsourceid' is the property which will provide you with the ID of the log source the event originated from. You can use the 'logsourcename' and 'logsourcegroupname' to retrieve the name and group name respectively for that identifier.

    For example:

        SELECT logsourceid, LOGSOURCENAME(logsourceid), LOGSOURCEGROUPNAME(logsourceid) FROM events 

     

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems

     

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-16T05:04:44Z


     

    Hi Taylor,

     

    As I mentioned in an earlier post,

    "I can get LogSourceTypeName and LogSourceGroupName using functions LogSourceTypeName(LogSourceId), LogSourceGroupName(LogSourceId)"

    But I am not able to get "LogSourceIdentifier". Does QRadar have a separate function to get this?

    Also, [GET /ariel/databases/{database_name}] gives the following columns (I have attached the API output in a PDF).

    This does not contain critical columns like Qid, Payload, Severity, event count etc., which can still be used in a query.

    So what I'm saying is there is a difference between the events database columns from the API output AND the event fields from this link.

    Is my understanding wrong? Am I missing something here?

     

    Regards,

    Sujay

     

  • Taylor.Osmun (IBM), 55 Posts (ACCEPTED ANSWER)

    Re: Getting event details through API by passing offense ID

    2015-07-16T12:16:11Z, in reply to SujayM, 2015-07-16T05:04:44Z


     

    Hi Sujay, 

     

    It seems like you are only getting a subset of the full output from [GET /ariel/databases/events].

    Are you using the api_doc page to perform these queries? The default 'Range' header value is 'items=0-49', meaning you will only see 50 items.

    To fix this, there are two options:

    1) Use a different client, so that the Range header is not provided automatically:

           curl -X GET -k -u username:password https://localhost/api/ariel/databases/events | python -mjson.tool

    2) Pass your own Range value in the api_doc page:

           Range: items=0-500

     

    Also, the property you are looking for is 'logsourceid' not 'logsourceidentifier'.

     

    Taylor Osmun
    Software Engineer
    IBM Security Systems
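    Scripting the execute-and-retrieve steps from Taylor's 2015-07-13 reply (POST the AQL, poll the search status until COMPLETED or ERROR, GET the results) together with the Range header and column-name check from this reply, as an added example that is not code from the thread or from IBM. It uses only the Python standard library; the JSON key names (search_id, status, error_messages, events, columns/name) are assumptions about the response bodies, and the /api prefix and basic auth follow the curl commands above.

```python
"""Added example, not code from the thread or from IBM: a stdlib-only QRadar Ariel
client that scripts the execute-and-retrieve loop and checks SELECT column names
against GET /ariel/databases/{db}. Assumed JSON keys: search_id, status,
error_messages, events, and columns -> [{"name": ...}]."""
import base64
import json
import re
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

AQL_TIME = re.compile(r"^\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}$")  # e.g. 2015-07-07 7:50:00


class ArielError(Exception):
    """Non-2XX error envelope, a search that ended in ERROR, or bad input."""


def make_http(base_url, username, password, verify_tls=True):
    """http(method, path, params=None, headers=None) -> (status, json_body); basic auth as curl -u, verify_tls=False as curl -k (lab only)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def http(method, path, params=None, headers=None):
        data = urllib.parse.urlencode(params).encode() if params else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Accept", "application/json")
        for name, value in (headers or {}).items():  # e.g. {"Range": "items=0-999"}
            req.add_header(name, value)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:  # non-2XX carries the same error envelope
            return err.code, json.loads(err.read() or b"null")
    return http


def build_inoffense_query(offense_id, start, stop, columns=("*",)):
    """AQL for 'events in offense N between START and STOP'. The id must be an int
    (InOffense('3284') was a failing form) and the times must match the AQL layout,
    which also keeps untrusted text out of the query string."""
    if not isinstance(offense_id, int) or offense_id < 0:
        raise ArielError(f"offense_id must be a non-negative int, got {offense_id!r}")
    if not (AQL_TIME.match(start) and AQL_TIME.match(stop)):
        raise ArielError("START/STOP must look like 'YYYY-MM-DD HH:MM:SS'")
    return (f"SELECT {', '.join(columns)} FROM events WHERE InOffense({offense_id}) "
            f"START '{start}' STOP '{stop}'")


def database_columns(http, database="events", page="items=0-999"):
    """Lower-cased property names from GET /ariel/databases/{db}; an explicit Range avoids the api_doc default items=0-49."""
    status, body = http("GET", f"/api/ariel/databases/{database}", headers={"Range": page})
    if status != 200:
        raise ArielError(f"GET /ariel/databases/{database}: {status} {body}")
    return {col["name"].lower() for col in body["columns"]}


def missing_columns(columns, available):
    """Plain SELECT names the database lacks (e.g. logsourceidentifier); function calls like LOGSOURCENAME(logsourceid) are skipped."""
    plain = (c.strip().lower() for c in columns if c != "*" and "(" not in c)
    return sorted(c for c in plain if c not in available)


def run_search(http, query_expression, poll_interval=2.0, max_polls=150):
    """POST the query, poll GET /ariel/searches/{id} until COMPLETED or ERROR, then GET the results."""
    status, body = http("POST", "/api/ariel/searches", params={"query_expression": query_expression})
    if status != 201:
        raise ArielError(f"create search: {status} {body}")
    search_id = body["search_id"]
    for _ in range(max_polls):
        status, body = http("GET", f"/api/ariel/searches/{search_id}")
        if status != 200:
            raise ArielError(f"search {search_id} status: {status} {body}")
        if body["status"] == "COMPLETED":
            break
        if body["status"] == "ERROR":
            raise ArielError(f"search {search_id} failed: {body.get('error_messages')}")
        time.sleep(poll_interval)
    else:
        raise ArielError(f"search {search_id} still running after {max_polls} polls")
    status, body = http("GET", f"/api/ariel/searches/{search_id}/results")
    if status != 200:
        raise ArielError(f"search {search_id} results: {status} {body}")
    return body.get("events", body)
```

    A typical run is `http = make_http("https://localhost", "username", "password")`, then `missing_columns(cols, database_columns(http))` before `run_search(http, build_inoffense_query(8, "2015-07-07 7:50:00", "2015-07-07 8:10:00", cols))`, so a misspelt property such as logsourceidentifier is reported before the search is submitted.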

     

     

  • SujayM, 10 Posts

    Re: Getting event details through API by passing offense ID

    2015-07-22T05:21:01Z


     

     

    Hi Taylor,

    Yes, I was using the api_doc page to perform these queries. Got the complete list by increasing the range.

    Again, many thanks.

     

    Regards,

    Sujay