https://community.cisco.com/t5/network-security/stealtwatch-smc-reporting-api-vs-syslogs/m-p/3881496#M118 <P>Hi Michal,</P> <P>&nbsp;</P> <P>With the REST API, you are able to pull Security Events, but unfortunately there is not a public API available to pull the alarms data. However, you can pull the Security Events via the API, which is also incredibly useful and important. The endpoints you would need to hit are documented at&nbsp;<A href="https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1" target="_blank">https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1</A>&nbsp;and are as follows:</P> <P>&nbsp;</P> <UL> <LI><SPAN class="ng-binding ng-scope">POST /tenants/{tenantId}/security-events</SPAN><SPAN class="raml-console-resource-path-active ng-binding ng-scope">/queries (creates the search with your filters)</SPAN></LI> <LI><SPAN class="raml-console-resource-path-active ng-binding ng-scope">GET&nbsp;/tenants/{tenantId}/security-events/queries/{queryId} (get the search status)</SPAN></LI> <LI><SPAN class="raml-console-resource-path-active ng-binding ng-scope">GET&nbsp;/tenants/{tenantId}/security-events/results/{queryId} (get the results)</SPAN></LI> </UL> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">For convenience, here is a sample Python script that works through the logic:&nbsp;<A href="https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py" target="_blank">https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py</A></SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">If this API is not sufficient for your needs, please let me know and I can see what we can do to help you out.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Kind regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Kyle Winters</SPAN></P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Technical Marketing Engineer - Stealthwatch Customer Experience</SPAN></P> Fri, 28 Jun 2019 13:58:01 GMT kywinter 2019-06-28T13:58:01Z https://community.cisco.com/t5/network-security/stealtwatch-smc-reporting-api-vs-syslogs/m-p/3881276#M117 <P>Hello Team,</P> <P>1. How to fetch easily all alarms generated on SMC from the last 24 hours ?</P> <P>Looking at:</P> <P><A href="https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1" target="_blank" rel="noopener">https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1</A></P> <P>It looks like i need to do multiple different queries including tags like: externalGeo, devices, externalHosts, CustomHosts, InternalHosts, ExternalThreats etc.</P> <P>&nbsp;</P> <P>2. Do we have a feature parity between alarms fetched via API and sent by syslog ? (or: what API call should i use to make sure i fetch all the alarms sent by syslog -&gt; syslog configured for all alarms).</P> <P>&nbsp;</P> <P>3. Also comparing syslogs to APIs for Alarms: do we have more alarms or more details/fields for any of those two ? What are the plans for the future ? Do you plan to grow/expand both (so that both datasources for alarms are equally rich and will remain like that?)</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Michal</P> <P>&nbsp;</P> Fri, 28 Jun 2019 07:52:02 GMT https://community.cisco.com/t5/network-security/stealtwatch-smc-reporting-api-vs-syslogs/m-p/3881276#M117 Michal Garcarz 2019-06-28T07:52:02Z https://community.cisco.com/t5/network-security/stealtwatch-smc-reporting-api-vs-syslogs/m-p/3881496#M118 <P>Hi Michal,</P> <P>&nbsp;</P> <P>With the REST API, you are able to pull Security Events, but unfortunately there is not a public API available to pull the alarms data. However, you can pull the Security Events via the API, which is also incredibly useful and important. The endpoints you would need to hit are documented at&nbsp;<A href="https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1" target="_blank">https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1</A>&nbsp;and are as follows:</P> <P>&nbsp;</P> <UL> <LI><SPAN class="ng-binding ng-scope">POST /tenants/{tenantId}/security-events</SPAN><SPAN class="raml-console-resource-path-active ng-binding ng-scope">/queries (creates the search with your filters)</SPAN></LI> <LI><SPAN class="raml-console-resource-path-active ng-binding ng-scope">GET&nbsp;/tenants/{tenantId}/security-events/queries/{queryId} (get the search status)</SPAN></LI> <LI><SPAN class="raml-console-resource-path-active ng-binding ng-scope">GET&nbsp;/tenants/{tenantId}/security-events/results/{queryId} (get the results)</SPAN></LI> </UL> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">For convenience, here is a sample Python script that works through the logic:&nbsp;<A href="https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py" target="_blank">https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py</A></SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">If this API is not sufficient for your needs, please let me know and I can see what we can do to help you out.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Kind regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Kyle Winters</SPAN></P> <P><SPAN class="raml-console-resource-path-active ng-binding ng-scope">Technical Marketing Engineer - Stealthwatch Customer Experience</SPAN></P> Fri, 28 Jun 2019 13:58:01 GMT https://community.cisco.com/t5/network-security/stealtwatch-smc-reporting-api-vs-syslogs/m-p/3881496#M118 kywinter 2019-06-28T13:58:01Z