Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1562
Views
5
Helpful
1
Replies

Stealtwatch SMC: Reporting API vs syslogs

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎06-28-2019 12:50 AM - edited ‎06-28-2019 12:52 AM

Hello Team,

1. How to fetch easily all alarms generated on SMC from the last 24 hours ?

Looking at:

https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1

It looks like i need to do multiple different queries including tags like: externalGeo, devices, externalHosts, CustomHosts, InternalHosts, ExternalThreats etc.

 

2. Do we have a feature parity between alarms fetched via API and sent by syslog ? (or: what API call should i use to make sure i fetch all the alarms sent by syslog -> syslog configured for all alarms).

 

3. Also comparing syslogs to APIs for Alarms: do we have more alarms or more details/fields for any of those two ? What are the plans for the future ? Do you plan to grow/expand both (so that both datasources for alarms are equally rich and will remain like that?)

 

Thanks,

Michal

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kywinter
Cisco Employee
Cisco Employee

‎06-28-2019 06:58 AM

Hi Michal,

 

With the REST API, you are able to pull Security Events, but unfortunately there is not a public API available to pull the alarms data. However, you can pull the Security Events via the API, which is also incredibly useful and important. The endpoints you would need to hit are documented at https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1 and are as follows:

 

  • POST /tenants/{tenantId}/security-events/queries (creates the search with your filters)
  • GET /tenants/{tenantId}/security-events/queries/{queryId} (get the search status)
  • GET /tenants/{tenantId}/security-events/results/{queryId} (get the results)

For convenience, here is a sample Python script that works through the logic: https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py

 

If this API is not sufficient for your needs, please let me know and I can see what we can do to help you out. 

 

Kind regards,

 

Kyle Winters

Technical Marketing Engineer - Stealthwatch Customer Experience

View solution in original post

1 Reply 1

Go to solution
kywinter
Cisco Employee
Cisco Employee

‎06-28-2019 06:58 AM

Hi Michal,

 

With the REST API, you are able to pull Security Events, but unfortunately there is not a public API available to pull the alarms data. However, you can pull the Security Events via the API, which is also incredibly useful and important. The endpoints you would need to hit are documented at https://developer.cisco.com/docs/stealthwatch/#!reporting-api-version-1 and are as follows:

 

  • POST /tenants/{tenantId}/security-events/queries (creates the search with your filters)
  • GET /tenants/{tenantId}/security-events/queries/{queryId} (get the search status)
  • GET /tenants/{tenantId}/security-events/results/{queryId} (get the results)

For convenience, here is a sample Python script that works through the logic: https://github.com/CiscoDevNet/stealthwatch-sample-scripts/blob/master/python-samples/get_security_events.py

 

If this API is not sufficient for your needs, please let me know and I can see what we can do to help you out. 

 

Kind regards,

 

Kyle Winters

Technical Marketing Engineer - Stealthwatch Customer Experience

Customers Also Viewed These Support Documents