Columns have weird values when fetching using qryExecuteDetail API

I trigger a search using the REST API (qryExecuteDetail); in the query configuration params, the fields I give it are: "Event_Class", "Rule_Name", "ID", "Protocol", "DstIP", "Description", "FirstTime", "Attacker_IP", "UserIDSrc"

When I fetch the results, I get in the response:

for "Event_Class", the column name is: Alert.65545

for "UserIDSrc", the column name is: Alert.BIN(7)

for "Protocol", it's actually correct: Alert.Protocol

etc...

All columns are (same order as above):

{"return": {
    "columns": [
        {"name": "Alert.65545"},
        {"name": "Alert.65616"},
        {"name": "Alert.ID"},
        {"name": "Alert.Protocol"},
        {"name": "Alert.DstIP"},
        {"name": "Alert.4259873"},
        {"name": "Alert.FirstTime"},
        {"name": "Alert.262175"},
        {"name": "Alert.BIN(7)"}
    ]
}}

Any idea what I'm doing wrong?

Using version: 9.5.2

Accepted Solution

andy777 (McAfee Employee)
Message 2 of 4

Re: Columns have weird values when fetching using qryExecuteDetail API

You can get a list of valid fields with qryGetFields. Here is a query using similar fields:

    {"config": {
        "limit": 10,
        "timeRange": time_range,
        "order": [{"direction": "ASCENDING",
                   "field": {"name": "FirstTime"}}],
        "fields": [{"name": "FirstTime"},
                   {"name": "Rule.msg"},
                   {"name": "DSIDSigID"},
                   {"name": "EventCount"},
                   {"name": "SrcIP"},
                   {"name": "DstIP"},
                   {"name": "UserIDSrc"}],
    }}

And here is the poorly formatted result:

First Time           Rule Mesg                               Sig-ID        Count  Source-IP                       Dest-IP      User
04/28/2016 22:47:13  An account was successfully logged on   43-263046240  1      ::1                             10.2.22.220  WINSERVER$
04/28/2016 22:48:13  An account was successfully logged on   43-263046240  4      ::1                             10.2.22.220  WINSERVER$
04/28/2016 22:48:13  An account was successfully logged on   43-263046240  8      2002:1616:16DC:0:0:0:1616:16DC  10.2.22.220  WINSERVER$
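An added example, not code from the post or from McAfee's API documentation, that works the original poster's requested field list against the returned column list: the columns came back in request order, so pairing them by position recovers which requested field each internal name (Alert.65545, Alert.BIN(7), ...) stands for, and the fields that came back as an internal id are the ones to confirm against qryGetFields. UserIDSrc, which the reply above shows is a valid field, still comes back as Alert.BIN(7), so an internal id means "check this name", not "this name is wrong"; the field and column lists are copied from the post, and the rows fed to relabel_rows are constructed.

```python
import re

# Field names the original poster requested, in request order (from the post).
REQUESTED_FIELDS = ["Event_Class", "Rule_Name", "ID", "Protocol", "DstIP",
                    "Description", "FirstTime", "Attacker_IP", "UserIDSrc"]

# The "columns" array the API returned for that request (from the post).
RETURNED_COLUMNS = [
    {"name": "Alert.65545"}, {"name": "Alert.65616"}, {"name": "Alert.ID"},
    {"name": "Alert.Protocol"}, {"name": "Alert.DstIP"}, {"name": "Alert.4259873"},
    {"name": "Alert.FirstTime"}, {"name": "Alert.262175"}, {"name": "Alert.BIN(7)"},
]

# A column is "resolved" when the API echoed the requested name back
# (e.g. Alert.Protocol). A numeric id or BIN(n) is an internal name; that is
# a heuristic for "confirm this field with qryGetFields", not proof it is invalid.
_INTERNAL = re.compile(r"^Alert\.(\d+|BIN\(\d+\))$")


def map_columns(requested, columns):
    """Pair requested field names with returned column names by position.

    Returns (mapping, unresolved): mapping is {requested_name: returned_name},
    unresolved lists the requested names whose column came back as an
    internal id. Raises ValueError when the counts differ, because positional
    pairing would then silently misalign every column after the gap.
    """
    if len(requested) != len(columns):
        raise ValueError(f"requested {len(requested)} fields, got {len(columns)} columns")
    mapping, unresolved = {}, []
    for field, col in zip(requested, columns):
        name = col["name"]
        mapping[field] = name
        if _INTERNAL.match(name):
            unresolved.append(field)
    return mapping, unresolved


def relabel_rows(requested, columns, rows):
    """Turn result rows (one list of values per row, in column order) into dicts
    keyed by the field names the caller asked for instead of the internal names."""
    mapping, _ = map_columns(requested, columns)
    fields = list(mapping)
    return [dict(zip(fields, row)) for row in rows]


if __name__ == "__main__":
    mapping, unresolved = map_columns(REQUESTED_FIELDS, RETURNED_COLUMNS)
    for field, name in mapping.items():
        print(f"{field:12} -> {name}")
    print("confirm against qryGetFields:", ", ".join(unresolved))
```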

3 Replies

Re: Columns have weird values when fetching using qryExecuteDetail API

10x!

Are you able to fetch the field Event_Class too?
I'm trying to fetch the event subtype, and this field seems to be related..

andy777 (McAfee Employee)
Message 4 of 4

Re: Columns have weird values when fetching using qryExecuteDetail API

I usually test before I respond, but I'm running through an airport at the moment. Try "Action" instead of "Event_class".
