Fetch security events
GET https://{{host}}/siem/v1/configs/:configId
Get security events data from your security configurations using one of two modes: offset or time-based. Each mode orders event logs based on the logs' storage time in the database, not the time when the events actually occurred. This may result in delayed event logs in subsequent offset requests, or older event logs in time-based requests. While both methods have a 5-second latency, using offset mode allows subsequent calls to return logs for the 5 seconds omitted from the previous request. The time-based method omits logs from that 5 seconds of latency, so you may miss some logs from that period. If the connection is disrupted, use time-based mode to replay security events that occurred in the last 12 hours up to 5 seconds before your requested time range. Use the `offset` and `limit` parameters in offset mode. Use the `from`, `to`, and `limit` parameters in time-based mode. The potentially large response contains a series of JSON objects, each separated with a line break and each corresponding to a security event. The last line of the response is an offset context object that provides the `total` records fetched, an `offset` to use as a starting point for the next batch of data, and any `limit` you specified. Run this operation continuously as long as it returns new logs to ensure you don't miss any. The API may return a maximum of 600,000 logs per request, while your configurations might generate many more in periods of high traffic.
Body
PARAM

| Key | Datatype | Required | Description |
|---|---|---|---|
| offset | string | Optional | This token denotes the last message. If specified, this operation fetches only security events that have occurred from offset. This is a required parameter for offset mode and you can't use it in time-based requests. |
| limit | string | Optional | Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is `10000` and the maximum limit available is `600000`. Listing an unlimited number of logs isn't possible. Expect requests to return a slightly higher number of security events than you set in the `limit` parameter, because data is stored in different buckets. |
| from | string | Optional | The start of a specified time range, expressed in Unix epoch seconds. You need this to get time-based results for a set period, not for offset mode. |
| to | string | Optional | The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode and it's an optional parameter in time-based mode. The value cannot be greater than the current time minus 5 seconds. If omitted, the value defaults to the current time minus 5 seconds. |
HEADERS

| Key | Datatype | Required | Description |
|---|---|---|---|
| Accept | string | | |
RESPONSES
status OK

```json
{
  "attackData": {
    "clientIP": "192.0.2.82",
    "configId": "14227",
    "policyId": "qik1_26545",
    "ruleActions": "YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d",
    "ruleData": "dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZXJ0IFJ1bGVzOiA5NTAwMDI6OTUwMDA2LCBEZW55IFJ1bGU6ICwgTGFzdCBNYXRjaGVkIE1lc3NhZ2U6IFN5c3RlbSBDb21tYW5kIEluamVjdGlvbg%3d%3d",
    "ruleMessages": "U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3IgQ29tbWFuZCBJbmplY3Rpb24%3d",
    "ruleSelectors": "QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b",
    "ruleTags": "T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1RJT04%3d%3bQUtBTUFJL1BPTElDWS9DTURfSU5KRUNUSU9OX0FOT01BTFk%3d",
    "ruleVersions": "NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d",
    "rules": "OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"
  },
  "botData": {
    "botScore": "100",
    "responseSegment": "3"
  },
  "clientData": {
    "appBundleId": "com.mydomain.myapp",
    "appVersion": "1.23",
    "sdkVersion": "4.7.1",
    "telemetryType": "2"
  },
  "format": "json",
  "geo": {
    "asn": "14618",
    "city": "ASHBURN",
    "continent": "288",
    "country": "US",
    "regionCode": "VA"
  },
  "httpMessage": {
    "bytes": "266",
    "host": "www.hmapi.com",
    "method": "GET",
    "path": "/",
    "port": "80",
    "protocol": "HTTP/1.1",
    "query": "option=com_jce%20telnet.exe",
    "requestHeaders": "User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml,application%2fxml%3bq%3d0.9,*%2f*%3bq%3d0.8%0d%0auniqueID%3a%20CR_H8%0d%0aAccept-Language%3a%20en-US,en%3bq%3d0.5%0d%0aAccept-Encoding%3a%20gzip,%20deflate%0d%0aConnection%3a%20keep-alive%0d%0aHost%3a%20www.hmapi.com%0d%0aContent-Length%3a%200%0d%0a",
    "requestId": "1158db1758e37bfe67b7c09",
    "responseHeaders": "Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20266%0d%0aExpires%3a%20Tue,%2004%20Apr%202017%2010%3a57%3a02%20GMT%0d%0aDate%3a%20Tue,%2004%20Apr%202017%2010%3a57%3a02%20GMT%0d%0aConnection%3a%20close%0d%0aSet-Cookie%3a%20ak_bmsc%3dAFE4B6D8CEEDBD286FB10F37AC7B256617DB580D417F0000FE7BE3580429E23D%7epluPrgNmaBdJqOLZFwxqQLSkGGMy4zGMNXrpRIc1Md4qtsDfgjLCojg1hs2HC8JqaaB97QwQRR3YS1ulk+6e9Dbto0YASJAM909Ujbo6Qfyh1XpG0MniBzVbPMUV8oKhBLLPVSNCp0xXMnH8iXGZUHlUsHqWONt3+EGSbWUU320h4GKiGCJkig5r+hc6V1pi3tt7u3LglG3DloEilchdo8D7iu4lrvvAEzyYQI8Hao8M0%3d%3b%20expires%3dTue,%2004%20Apr%202017%2012%3a57%3a02%20GMT%3b%20max-age%3d7200%3b%20path%3d%2f%3b%20domain%3d.hmapi.com%3b%20HttpOnly%0d%0a",
    "start": "1491303422",
    "status": "200"
  },
  "type": "akamai_siem",
  "userRiskData": {
    "allow": "0",
    "general": "duc_1h:10|duc_1d:30",
    "originUserId": "jsmith007",
    "risk": "udfp:1325gdg4g4343g/M|unp:74256/H",
    "score": "75",
    "status": "0",
    "trust": "ugp:US",
    "username": "jsmith@example.com",
    "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5"
  },
  "version": "1.0"
}
```
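Added example, not Akamai's own client code: it parses a constructed response in the line-delimited layout described above (event objects, then the offset context object), decodes the `attackData` fields that the sample response shows as URL-encoded, semicolon-separated base64 strings, flags rules whose action was `deny`, and builds the next offset-mode request URL from the returned context. The offset token, the context object's field types and the host name are assumptions.

```python
import base64
import json
import urllib.parse

# Constructed sample body in the line-delimited layout the page describes: one
# event line, then the offset context object. attackData values are copied from
# the example response above; offset token and context field types are assumed.
SAMPLE_BODY = (
    '{"attackData": {"clientIP": "192.0.2.82", '
    '"ruleActions": "YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d", '
    '"rules": "OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"}, '
    '"httpMessage": {"host": "www.hmapi.com", "path": "/", "status": "200"}}\n'
    '{"total": 1, "offset": "CONSTRUCTED_OFFSET_TOKEN", "limit": 10000}\n'
)
# attackData fields packed as URL-encoded, ';'-separated base64 strings
PACKED_FIELDS = ("ruleActions", "ruleData", "ruleMessages",
                 "ruleSelectors", "ruleTags", "ruleVersions", "rules")

def decode_packed(value: str) -> list:
    """'YWxlcnQ%3d%3bZGVueQ%3d%3d' -> ['alert', 'deny']; a trailing ';' gives ''."""
    return [base64.b64decode(part).decode("utf-8", "replace")
            for part in urllib.parse.unquote(value).split(";")]

def parse_response(body: str) -> tuple:
    """Split line-delimited events from the final offset-context line."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    context = json.loads(lines[-1])  # last line: total / offset / limit
    events = []
    for ln in lines[:-1]:
        ev = json.loads(ln)
        attack = ev.get("attackData", {})
        for key in PACKED_FIELDS:
            if key in attack:
                attack[key] = decode_packed(attack[key])
        events.append(ev)
    return events, context

def denied_rules(events: list) -> list:
    """(clientIP, rule id) pairs for rules whose action was 'deny'."""
    return [(ev["attackData"].get("clientIP"), rule)
            for ev in events if "attackData" in ev
            for rule, action in zip(ev["attackData"].get("rules", []),
                                    ev["attackData"].get("ruleActions", []))
            if action == "deny"]

def next_offset_url(host: str, config_id: str, context: dict) -> str:
    """URL for the next offset-mode call: only offset and limit are sent."""
    query = urllib.parse.urlencode({"offset": context["offset"],
                                    "limit": context["limit"]})
    return f"https://{host}/siem/v1/configs/{config_id}?{query}"
```

Because entries within a packed field line up by position, the third `rules` entry pairs with the third `ruleActions` entry, which is how `denied_rules` attributes the `deny` to `CMD-INJECTION-ANOMALY`.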