Log Integration API

NormShield records granular user actions as log entries and exposes a simple HTTP API so that a custom integration can pull new entries and forward them to a SIEM or syslog server.

Log API

https://nsserver/api/siem/log

The request parameter names and their explanation are shown in Table 1.

Request Parameter Name    Detail

token
    NormShield authentication token (a GUID) when connecting to the NormShield Intranet version.
    NormShield Company authentication token (a GUID) when connecting to the NormShield Cloud version. The token is shown on your Admin-Settings page.

lastruninticks
    A DateTime value in ticks; only log entries created after this point in time are returned. The Util API can convert a DateTime to ticks and vice versa.

lastrunid
    A log ID generated by NormShield; only log entries with a higher ID are returned. lastruninticks and lastrunid are mutually exclusive: if both are sent, only one of them is taken into account, so send exactly one.

type
    A comma-separated list of the action types to return (or ALL for every type):

    · LIST (e.g. visiting a portal interface that lists data, such as Scan Results or Vulnerability Lists)

    · INSERT (e.g. submitting a portal interface that inserts data, such as the New Scan Configuration screen)

    · UPDATE (e.g. submitting a portal interface that updates data, such as editing an existing Scan Configuration)

    · SEE (e.g. visiting a portal interface that presents data, such as the Dashboard)

    · DELETE (e.g. submitting a portal interface that deletes data, such as deleting a Scan Configuration)

Table 1 - The HTTP request parameter names for SIEM integration log API

An example HTTP call is shown below; it returns all log entries created after the date and time represented by 635713689261795616 ticks whose type is LIST or SEE.

https://ns/api/siem/log?token=[TOKEN]&lastruninticks=635713689261795616&type=LIST,SEE

Another example HTTP call is shown below; it returns all log entries created after log ID 352, of every type.

https://ns/api/siem/log?token=[TOKEN]&lastrunid=352&type=ALL

The request returns a JSON array of the new log entries matching the filter parameters. An example response with two entries:

[
  {
    "LogID": 10830,
    "CompanyName": "Demo Inc.",
    "Username": "MARY",
    "Action": "Vulnerability Listing",
    "Type": "LIST",
    "Description": null,
    "IsError": "false",
    "Date": "19.11.2016 13:44:15"
  },
  {
    "LogID": 10831,
    "CompanyName": "Demo Inc.",
    "Username": "JAMES",
    "Action": "User Create",
    "Type": "INSERT",
    "Description": "User inserted successfully",
    "IsError": "false",
    "Date": "19.11.2016 13:44:16"
  }
]

Each object in the array represents a single log entry. The response fields and their explanation are shown in Table 2.

Response JSON Field    Detail

LogID
    The ID assigned to the log entry by NormShield at creation time. Store the highest LogID you have processed and pass it as lastrunid on the next poll.

CompanyName
    The related company name

Username
    The username of the user that took the action

Action
    A short string value that summarises the log entry

Type
    One of SEE, LIST, INSERT, UPDATE, DELETE

Description
    A longer string value that explains the log entry in detail; may be null and may contain HTML elements such as <br/>, so strip or escape it before forwarding to a SIEM

IsError
    Whether the log entry is the result of an exception. Note that the example above carries it as the string "false" rather than a JSON boolean, so compare it as a string.

Date
    The creation date of the log entry, formatted as in the example above (day.month.year hours:minutes:seconds)

Table 2 - The HTTP JSON response structure for SIEM integration Log API
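The following is an added example, not NormShield's own code, showing a small poller for the API as described above (Tables 1 and 2 and the two example calls): it builds the request URL while enforcing that only one of lastruninticks and lastrunid is sent, converts between DateTime and ticks locally, normalises the response (string-valued IsError, HTML in Description, the day.month.year date layout) and renders each entry as a syslog-style line with quoting so that user-controlled fields cannot forge extra key=value pairs. The tick conversion assumes .NET DateTime ticks (100 ns units counted from 0001-01-01) and the date layout is inferred from the example response; both are assumptions, and SAMPLE_RESPONSE is the example response from this page embedded so the code runs offline.

```python
"""Poll the NormShield SIEM log API and turn entries into syslog-style lines.

Added example, not NormShield's own code. The endpoint, parameters and JSON
fields are as documented on this page; the .NET tick epoch and the
day.month.year date layout are assumptions inferred from the documented examples.
"""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlencode

DOTNET_EPOCH = datetime(1, 1, 1)       # assumption: .NET DateTime ticks (100 ns since 0001-01-01)
TICKS_PER_MICROSECOND = 10
VALID_TYPES = {"LIST", "INSERT", "UPDATE", "SEE", "DELETE", "ALL"}
_TAG_RE = re.compile(r"<[^>]+>")       # strips HTML such as <br/> from Description

# The two-entry example response from this page, embedded for offline use.
SAMPLE_RESPONSE = """[
  {"LogID": 10830, "CompanyName": "Demo Inc.", "Username": "MARY",
   "Action": "Vulnerability Listing", "Type": "LIST", "Description": null,
   "IsError": "false", "Date": "19.11.2016 13:44:15"},
  {"LogID": 10831, "CompanyName": "Demo Inc.", "Username": "JAMES",
   "Action": "User Create", "Type": "INSERT", "Description": "User inserted successfully",
   "IsError": "false", "Date": "19.11.2016 13:44:16"}
]"""


def build_log_url(base_url, token, types=("ALL",), lastruninticks=None, lastrunid=None):
    """Build the GET URL. Exactly one of lastruninticks / lastrunid must be given."""
    if (lastruninticks is None) == (lastrunid is None):
        raise ValueError("pass exactly one of lastruninticks or lastrunid")
    unknown = set(types) - VALID_TYPES
    if unknown:
        raise ValueError(f"unknown type(s): {sorted(unknown)}")
    query = {"token": token}
    if lastruninticks is not None:
        query["lastruninticks"] = int(lastruninticks)
    else:
        query["lastrunid"] = int(lastrunid)
    query["type"] = ",".join(types)
    # safe="," keeps the comma-separated type list exactly as the documented examples show it
    return f"{base_url.rstrip('/')}/api/siem/log?{urlencode(query, safe=',')}"


def ticks_to_datetime(ticks):
    """Ticks -> naive datetime (sub-microsecond part of the tick count is dropped)."""
    return DOTNET_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_ticks(dt):
    """Naive datetime -> ticks, suitable for the lastruninticks parameter."""
    delta = dt - DOTNET_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def parse_entries(body):
    """Normalise the JSON array: int LogID, real bool IsError, tag-free Description, datetime Date."""
    entries = []
    for raw in json.loads(body):
        desc = raw.get("Description")
        entries.append({
            "LogID": int(raw["LogID"]),
            "CompanyName": raw.get("CompanyName"),
            "Username": raw.get("Username"),
            "Action": raw.get("Action"),
            "Type": raw.get("Type"),
            "Description": _TAG_RE.sub(" ", desc).strip() if desc else "",
            "IsError": str(raw.get("IsError")).lower() == "true",   # API sends "false"/"true" as strings
            "Date": datetime.strptime(raw["Date"], "%d.%m.%Y %H:%M:%S"),
        })
    return entries


def next_cursor(entries, previous=0):
    """Highest LogID seen so far; pass it as lastrunid on the next poll."""
    return max([previous] + [e["LogID"] for e in entries])


def _q(value):
    """Quote a field, escaping quotes/backslashes and removing line breaks so that
    user-controlled text (usernames, descriptions) cannot inject extra fields or lines."""
    s = "" if value is None else str(value)
    s = s.replace("\\", "\\\\").replace('"', '\\"').replace("\r", " ").replace("\n", " ")
    return f'"{s}"'


def to_syslog_line(entry):
    """Render one normalised entry as a key=value line for a syslog/SIEM collector."""
    severity = "err" if entry["IsError"] else "info"
    return (f"{entry['Date'].isoformat()} normshield {severity} logid={entry['LogID']} "
            f"company={_q(entry['CompanyName'])} user={_q(entry['Username'])} "
            f"type={entry['Type']} action={_q(entry['Action'])} desc={_q(entry['Description'])}")


if __name__ == "__main__":
    print(build_log_url("https://ns", "[TOKEN]", types=["LIST", "SEE"], lastruninticks=635713689261795616))
    parsed = parse_entries(SAMPLE_RESPONSE)
    for line in map(to_syslog_line, parsed):
        print(line)
    print("next lastrunid:", next_cursor(parsed))
```

In production the body would come from an HTTPS GET of the built URL (with certificate validation left on and the token kept out of logs, since it authenticates the whole company account); the poll loop then persists next_cursor() and uses lastrunid rather than lastruninticks, which avoids missing or duplicating entries created within the same tick window.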
