ESM API Get event distribution (date histogram)

Hi all, has anybody tried to get the event count grouped by hour (or another period) for a day (or another period), like the distribution-type widget shows it in ESM? As a workaround, I can query hour by hour, but I think it's far from an optimal solution. Thank you.
2 Solutions

Accepted Solutions

Re: ESM API Get event distribution (date histogram)

Hello,

The API Python wrapper (https://github.com/mfesiem/msiempy) can help you dig out hour-by-hour data painlessly!

Here is a code snippet:

from datetime import datetime

from msiempy.event import EventManager
from msiempy.core.utils import parse_timedelta, divide_times

# Generate the last 24h as 24 (start_time, end_time) tuples, oldest first
now = datetime.now()
periods = divide_times(
    first=now - parse_timedelta('24h'),
    last=now,
    slots=24)

periods_results = []

for start, end in periods:
    # One event query per one-hour slot; filters are (field, values) tuples
    query = EventManager(
        start_time=start,
        end_time=end,
        filters=[('SrcIP', ['22.0.0.0/8', '127.0.0.1'])]
    )
    query.load_data()
    periods_results.append(query)

# The first slot is 24 hours ago, the last one is the most recent hour
for i, result in enumerate(periods_results):
    print("{} hours ago, query got {} results".format(24 - i, len(result)))

Generates:

24 hours ago, query got 59 results
23 hours ago, query got 37 results
22 hours ago, query got 58 results
21 hours ago, query got 26 results
20 hours ago, query got 36 results
19 hours ago, query got 26 results
18 hours ago, query got 64 results
17 hours ago, query got 37 results
16 hours ago, query got 41 results
15 hours ago, query got 41 results
14 hours ago, query got 50 results
13 hours ago, query got 73 results
12 hours ago, query got 75 results
11 hours ago, query got 58 results
10 hours ago, query got 67 results
9 hours ago, query got 51 results
8 hours ago, query got 77 results
7 hours ago, query got 61 results
6 hours ago, query got 62 results
5 hours ago, query got 64 results
4 hours ago, query got 65 results
3 hours ago, query got 57 results
2 hours ago, query got 73 results
1 hours ago, query got 51 results


Re: ESM API Get event distribution (date histogram)

Don't hesitate to accept my answer if that was useful for you!


5 Replies


Re: ESM API Get event distribution (date histogram)


Hey, I will definitely check it out! Thank you so much!


Re: ESM API Get event distribution (date histogram)


Hey, just got a chance to check it out. I have a task to get distributions for Receivers/ePO devices; any advice on how to properly set the filter for it? Thank you.

Re: ESM API Get event distribution (date histogram)


You need to figure out what your datasource ID is and filter with that value.

To list all datasources you can use the "DevTree" object (documentation here: https://mfesiem.github.io/docs/msiempy/msiempy.device.DevTree.html).

Then you need to filter by "IPSID" in the query.

Check the library documentation for an example: https://mfesiem.github.io/docs/msiempy/msiempy.html#rst-execute-an-event-query
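An offline worked example (added here; it is not from the original posts or from msiempy) that puts the two answers together: it splits a window into equal slots the way the accepted answer uses divide_times(), counts events per slot as the per-hour query loop does, and applies the per-datasource filter from the last answer locally instead of as an IPSID query filter. The datasource IDs and events are constructed placeholders, and divide_period() is an assumed stand-in for divide_times(); with msiempy the filter would be passed as a (field, values) tuple like the SrcIP one above.

```python
from datetime import datetime, timedelta

def divide_period(first, last, slots):
    """Split [first, last) into `slots` contiguous (start, end) tuples, oldest
    first; an assumed stand-in for msiempy's divide_times() so this runs offline."""
    if slots < 1 or last <= first:
        raise ValueError("need slots >= 1 and last > first")
    step = (last - first) / slots
    return [(first + i * step, first + (i + 1) * step) for i in range(slots)]

def date_histogram(events, first, last, slots, ipsids=None):
    """Count events per slot, optionally keeping only the datasource IDs in
    `ipsids` (the IPSID filter the last answer recommends). Events outside
    [first, last) are dropped. Returns [(start, end, count), ...], oldest first."""
    periods = divide_period(first, last, slots)
    span = last - first
    counts = [0] * slots
    for ev in events:
        if ipsids is not None and ev["ipsid"] not in ipsids:
            continue
        ts = ev["time"]
        if not (first <= ts < last):
            continue
        # Integer timedelta arithmetic: no float rounding at slot boundaries,
        # so an event exactly on a boundary lands in the later slot.
        counts[((ts - first) * slots) // span] += 1
    return [(s, e, c) for (s, e), c in zip(periods, counts)]

def hours_ago_labels(hist):
    """Label slots the way the answer's print loop does (oldest = 'N hours ago')."""
    n = len(hist)
    return ["{} hours ago: {} events".format(n - i, c) for i, (_, _, c) in enumerate(hist)]

# Constructed sample (not real ESM data): a fixed 24h window and three
# placeholder datasource IDs; minute offsets are relative to START.
END = datetime(2020, 6, 1, 12, 0, 0)
START = END - timedelta(hours=24)
SAMPLE_EVENTS = [
    {"time": START + timedelta(minutes=m), "ipsid": ds}
    for m, ds in [(0, "ds-A"), (59, "ds-B"), (60, "ds-A"), (61, "ds-C"),
                  (90, "ds-A"), (1439, "ds-B"), (1440, "ds-A"), (-1, "ds-A")]
]

if __name__ == "__main__":
    for line in hours_ago_labels(date_histogram(SAMPLE_EVENTS, START, END, 24)):
        print(line)
```

The two events at minute 1440 (equal to END) and minute -1 are deliberately outside the window, so they never appear in any slot.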
