Has anyone obtained documentation on the API for ESM appliances (ESM, ELM, REC)?
The documentation mentions one for watchlists, and I obtained further documentation on it from support.
I am wondering if there are APIs for other parts of the suite, the kind that you get only by asking.
And has anyone here used the Watchlist API? How did you use it in terms of new functionality? I am thinking of using it to automatically add data from our other feeds.
There is currently no other supported API for the McAfee SIEM. Support does have an example Perl script and some documentation. Perhaps that is the documentation you are referring to, but if not, please contact support and request that information.
To see the full API list available at this time, simply utilize your local SIEM to report it using the following.
This will give you the full list for your version.
Here is the output from our SIEM, which is running 9.5:
Mark a triggered alarm as acknowledged
Delete a triggered alarm
Retrieves a list of all alarms that have been triggered, if no user specified, the current user will be used.
Retrieves a paged list of alarms that have been triggered, if no user specified, the current user will be used.
Retrieves a list of alarms that have been triggered and have not been acknowledged
Mark a triggered alarm as unacknowledged
Add a case to the system.
Edit an existing case.
Get detail on an existing case.
Get a list of cases from the system
Get a list of valid case statuses from the system
Get a list of all devices defined in the system.
Add a data source.
Add a list of data sources.
Delete a data source.
Edit a data source's properties.
Get the details for a specific data source.
Get a list of defined data sources.
Get all data source types.
Get user defined data sources.
Set user defined data sources.
Reboots the ESM Device
Restarts the services on the ESM Device
Get the system time of the ESM Device
Get the top level geo locations
Get geo locations within the given location
Get the version information for this ESM
Gets the basic device tree structure with only basic properties loaded. Each entry in the returned list is a root node in the tree.
This version of the call returns more detail per device than getDeviceList, wrapped in an esmDeviceList object.
Get the list of all policies defined in the ESM.
Get all variables defined in the system
Closes the query results, must be called after a query's results have been processed. If no exception is thrown, the close operation completed normally.
Execute a standard detail (non-grouped) query.
Execute a grouped query on a field.
Get the source events and flows for a given correlated event ID
Get all fields that can be used in query filters, with type information for each field.
Get the results for a query.
Get the fields available for selecting in queries. The groupType can be used to filter the fields to only ones that can be used to group results in a particular way. For example, if you want all fields that can be grouped to count the number of events per group, the groupType should be COUNT. If not provided, it is equivalent to passing NO_GROUP which returns all available select fields regardless of whether they can be used in grouped queries. This is useful for getting available fields for detail queries. (qryExecuteDetail)
Get the status for a query that has been executed.
Add a watchlist to the system.
Add values to a watchlist. This call is not supported for hidden watchlists, for example GTI.
Edit properties of a watchlist. (Watchlist Type will not be modified) This call is not supported for hidden watchlists, for example GTI.
Get detailed information about a watchlist.
Get watchlist fields/types.
Return basic information on all watchlists in the system
Read the content of a watchlist value file. Note that the EsmFileData object will contain information on how many bytes were read, as well as the total size of the file. The size of the data returned may be less than count, depending on the amount of file data available. Note that the watchlist file property on EsmWatchlistDetails is used as a parameter to this call. The file will contain the values as they existed when the call to sysGetWatchlistDetails was made. If subsequent changes were made to the watchlist after getting the details, another EsmWatchlistDetails object should be obtained by calling sysGetWatchlistDetails before using its EsmWatchlistFile object to retrieve the updated list of watchlist values. This call is not supported for hidden watchlists, for example GTI.
Remove a watchlist from the system. This call is not supported for hidden watchlists, for example GTI.
Remove values from a watchlist. This call is not supported for hidden watchlists, for example GTI.
Add an access group
Add a user to the system.
Delete an access group.
Delete a user from the system.
Edit properties of an access group.
Used by the master user to update information about another user.
Get extended information about an access group.
Get all user access groups defined in the system.
Get all rights defined in the system.
Get a list of timezones this system recognizes
Get a list of all users.
Get all rights defined for the current user.
Log into the SIEM with the given username and password.
Log the user out of their SIEM session
Add a new subzone under a zone
Create a new zone.
Delete the sub zone
Delete the zone
Edit the given sub zone. Note that ID must be set to an existing sub zone for this to work properly. The ID value will be set if the zone was gotten from zoneGetSubZone().
Edit the given zone. Note that ID must be set to an existing zone for this to work properly. The ID value will be set if the zone was gotten from zoneGetZone().
Get detailed information on a sub zone
Get extended detail on a zone.
Get the full tree of zones defined in the ESM.
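The original poster asks about feeding external data into a watchlist automatically. The following is an added example of how that sync would be structured around the watchlist calls described in the listing above; it is not McAfee's code or the support Perl script. Only `sysGetWatchlistDetails` and the `EsmWatchlistDetails` / `EsmFileData` objects are named in the thread; the method names `sysGetWatchlists`, `sysGetWatchlistValues` and `sysAddWatchlistValues`, the parameter names, and the JSON field names (`file`, `pos`, `count`, `data`, `bytesRead`, `fileSize`) are assumptions about the wire format. The ESM transport is a plain callable, so the logic runs offline against the in-memory `FakeEsm` stand-in with constructed sample data.

```python
"""Feed-to-watchlist sync modelled on the ESM watchlist API description.

Added example, not McAfee's code.  Method names other than
sysGetWatchlistDetails, and all JSON field names, are assumptions.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# (method name, parameters) -> decoded JSON reply
Transport = Callable[[str, dict], dict]


def read_watchlist_values(call: Transport, details: dict, chunk: int = 4096) -> Set[str]:
    """Page through the watchlist value file referenced by EsmWatchlistDetails.

    The listing says EsmFileData reports how many bytes were read and the total
    file size, and may return fewer bytes than requested, so read by offset
    until the whole file has been consumed before splitting into values.
    """
    wl_file = details["file"]          # EsmWatchlistFile property (assumed key)
    pos, parts = 0, []
    while True:
        reply = call("sysGetWatchlistValues", {"file": wl_file, "pos": pos, "count": chunk})
        parts.append(reply["data"])
        got = reply["bytesRead"]
        pos += got
        if got == 0 or pos >= reply["fileSize"]:
            break
    return {line.strip() for line in "".join(parts).splitlines() if line.strip()}


def valid_ipv4(value: str) -> bool:
    """Feed data is untrusted input that will drive correlation and alarms:
    accept only well-formed IPv4 addresses that could plausibly be a peer."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_unspecified or ip.is_reserved)


def sync_feed(call: Transport, watchlist_name: str,
              feed_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Add feed values missing from the named watchlist; report what happened."""
    listing = call("sysGetWatchlists", {})["watchlists"]
    wl = next((w for w in listing if w["name"] == watchlist_name), None)
    if wl is None:
        raise LookupError(f"watchlist {watchlist_name!r} not found")
    # Fetch details immediately before reading: per the listing, the value file
    # reflects the watchlist only as of the sysGetWatchlistDetails call.
    details = call("sysGetWatchlistDetails", {"id": wl["id"]})
    current = read_watchlist_values(call, details)
    wanted = {line.strip() for line in feed_lines}
    rejected = sorted(v for v in wanted if v and not valid_ipv4(v))
    new = sorted(v for v in wanted if valid_ipv4(v) and v not in current)
    if new:   # one call for the whole batch rather than one per value
        call("sysAddWatchlistValues", {"watchlist": wl["id"], "values": new})
    return {"added": new,
            "skipped_existing": sorted(wanted & current),
            "rejected": rejected}


class FakeEsm:
    """In-memory stand-in for the appliance exposing the assumed methods."""

    def __init__(self, name: str, values: List[str]):
        self.name, self.values = name, list(values)

    def __call__(self, method: str, params: dict) -> dict:
        if method == "sysGetWatchlists":
            return {"watchlists": [{"id": 1, "name": self.name}]}
        if method == "sysGetWatchlistDetails":
            return {"id": 1, "name": self.name, "file": {"id": "wl-1"}}
        if method == "sysGetWatchlistValues":
            blob = "\n".join(self.values)
            data = blob[params["pos"]:params["pos"] + params["count"]]
            return {"data": data, "bytesRead": len(data), "fileSize": len(blob)}
        if method == "sysAddWatchlistValues":
            self.values.extend(params["values"])
            return {}
        raise ValueError(f"unknown method {method}")


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    esm = FakeEsm("feed-ips", ["203.0.113.5", "198.51.100.9"])
    feed = ["203.0.113.5", "198.51.100.77", "127.0.0.1", "not-an-ip", ""]
    print(sync_feed(esm, "feed-ips", feed))
```

Against a real appliance the transport would POST each method to the ESM over TLS with the session obtained from the login call, and the listing's caveat applies: these watchlist calls are not supported for hidden watchlists such as GTI. Reading the current contents first keeps the sync idempotent, so a feed that repeats values does not grow the watchlist on every run.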