AmirGol
Level 7
Message 1 of 14

REST API for adding/removing child data sources?

Hello.

We have scripts that constantly create and delete virtual servers from a default template. The template includes a syslog configuration that sends their logs to a Syslog relay and from there to a receiver.

The easiest way to handle those servers in the ESM is, in my opinion, to add a section to the scripts that will add or remove a child data source using the RESTful API whenever a new server is created or deleted.

I've played with the API and figured how to add a data source using "dsAddDataSource" and the target receiver ID as the "parentId" parameter, but how do I add a child? I tried the same API call with the ID of a parent data source, but that didn't work.

 

We're using ESM v. 1.3.4.

13 Replies
AmirGol
Level 7
Message 2 of 14

Re: REST API for adding/removing child data sources?

P.S. Can the API be used with a user other than NGCP? I tried using an admin account but, aside from login, I was unable to do anything - not even logout. I'd rather not leave the NGCP password in a script.

ppineda
Level 8
Message 3 of 14

Re: REST API for adding/removing child data sources?

I suggest you look at these two links, which contain information on how to connect to the API and a wrapper that lets you interact with the SIEM. You can use it with another account, but it has to be an administrator. Also, I suggest not deleting the data source if what you want is to log events from the ephemeral servers and review them later, or else you would lose everything.

https://github.com/built4tech/esm/blob/master/McAfee_ESM_v_10.ipynb

https://github.com/andywalden/mfe_saw

AmirGol
Level 7
Message 4 of 14

Re: REST API for adding/removing child data sources?

Thanks for the reply.

Unfortunately, the 1st link doesn't deal with data sources at all. The 2nd one does, and appears to be able to add and remove client data sources, but as my Python level is barely above "hello world", I couldn't understand how it does so.

It seems to be using the ID of the parent but, apparently, just replacing the ID of the Receiver with that of the parent data source in dsAddDataSource is not enough. I tried dsGetDataSourceDetail for a parent data source, hoping to see what a client looks like, but this showed only the parent.

On the other hand, I was able to use the API with users other than NGCP, so there's at least some progress.

brenta
Reliable Contributor
Message 5 of 14

Re: REST API for adding/removing child data sources?

It's slightly more complicated. 

You need to edit the parent data source to remove the agent/client. The terms for the 'client' used in the documentation range from agent, client, child, etc... all used interchangeably with little regard for consistency. It is possible to do, as I have done it, however not using Python.

Brent
AmirGol
Level 7
Message 6 of 14

Re: REST API for adding/removing child data sources?

Great, I accidentally erased my reply. Oh well, the short version:

I'm more interested in adding a client than deleting one, though it's probably more complicated also. I was talking about Python only because the sample code ppineda offered was in Python, I've no idea (and don't care 😎) how it'll be done in the end, I just need to understand the API enough to explain it to the development people.

TaskManager
McAfee Employee
Message 7 of 14

Re: REST API for adding/removing child data sources?

You can add a child through the API. Instead of specifying the "parentId": receiverID you would do "parentId": datasourceID in the json formatted data posted.

To get data source IDs, you will need to leverage the API to call data sources associated with the receiver ID through dsGetDataSourceList, and then to get any data source specific parameters, you will need to call dsGetDataSourceDetails.

Be aware of inherited problems. WMI Systems added to a parent will inherit the parent WMI settings (if you are using system profiles). Depending on the domain the system is a part of, it is possible to add a data source to the incorrect parent and start using the wrong set of profile credentials.

AmirGol
Level 7
Message 8 of 14

Re: REST API for adding/removing child data sources?

"You can add a child through the API. Instead of specifying the "parentId": receiverID you would do "parentId": datasourceID in the json formatted data posted."

 

That's what I thought, but when I use an ID of a data source instead of a receiver, no child is added to that data source. I'm using the following JSON:

 

{"datasource": {"parentId": "144121785330171904", "name": "API Test1", "typeId": 65, "childEnabled": false, "ipAddress": "1.2.3.5", "zoneId": 0, "enabled": false}}

 

The ID was obtained with dsGetDataSourceList. 

TaskManager
McAfee Employee
Message 9 of 14

Re: REST API for adding/removing child data sources?

You will need to add the parameter for your JSON string:

"childType": <integer>

The int can be defined as 0 (default, parent), 1 (child), or 2 (client).

TaskManager
McAfee Employee
Message 10 of 14

Re: REST API for adding/removing child data sources?

The specific JSON data I am sending is to an add function, providing the variables needed for each, but it is as follows:

{"datasource": {
    "parentId": <int>,
    "name": <string>,
    "id": "",
    "typeId": <int>,
    "childEnabled": True,
    "childCount": "0",
    "childType": <int>,
    "ipAddress": <string>,
    "zoneId": "0",
    "url": "https://assetmanagerurl/search/?searchstring=[SrcIP]",
    "enabled": "True",
    "idmId": "",
    "parameters": [{
        "key": "autolearn",
        "value": "count"
    }]
}}

**technically this isn't json data, it's a python dictionary that is dropped into the json.dumps function before being passed as params in your post request.
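
An added example, not part of any post in this thread and not McAfee code: a pre-flight check a provisioning script could run on a dsAddDataSource body before posting it, covering the missing childType from message 9 and the wrong-parent warning from message 7. The allow-list of parent IDs, the helper names and the boolean field values are assumptions; no ESM call is made.

```python
import ipaddress
import json

# childType values as stated in the thread: 0 = parent (default), 1 = child, 2 = client.
CHILD_TYPES = (0, 1, 2)


def check_payload(payload, allowed_parents):
    """Return the problems found in a dsAddDataSource body (empty list = OK).

    allowed_parents: IDs of the parent data sources this script may add to,
    taken from dsGetDataSourceList and pinned by the operator (assumption).
    """
    ds = payload.get("datasource", {})
    problems = []
    parent = str(ds.get("parentId", ""))
    child_type = ds.get("childType", 0)  # absent means the default, 0 (parent)
    if child_type not in CHILD_TYPES:
        problems.append("childType must be 0, 1 or 2")
    elif child_type == 0:
        problems.append("childType is 0 or missing, so no child is requested")
    if parent not in allowed_parents:
        problems.append("parentId is not an approved parent data source")
    try:
        ipaddress.ip_address(str(ds.get("ipAddress", "")))
    except ValueError:
        problems.append("ipAddress is not a valid IP address")
    return problems


def build_child(parent_id, name, ip, type_id, child_type=1):
    """Build the body for adding a child (1) or client (2) under parent_id."""
    return {"datasource": {"parentId": parent_id, "name": name, "typeId": type_id,
                           "childEnabled": True, "childType": child_type,
                           "ipAddress": ip, "zoneId": 0, "enabled": True}}


# The parent ID and the body below are the ones quoted in message 8.
ALLOWED_PARENTS = {"144121785330171904"}
FAILING = json.loads('{"datasource": {"parentId": "144121785330171904", '
                     '"name": "API Test1", "typeId": 65, "childEnabled": false, '
                     '"ipAddress": "1.2.3.5", "zoneId": 0, "enabled": false}}')

if __name__ == "__main__":
    print(check_payload(FAILING, ALLOWED_PARENTS))
    fixed = build_child("144121785330171904", "API Test1", "1.2.3.5", 65)
    print(check_payload(fixed, ALLOWED_PARENTS))
    print(json.dumps(fixed))  # serialised with json.dumps, as message 10 describes
```

Pinning the permitted parent IDs in the script, rather than accepting whatever ID the caller supplies, is what stops a new server from landing under a parent whose profile credentials it should not inherit.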
