
RESTful API for ESM 10

I have been trying for the last 3 days to get any API calls to work with ESM 10.0.0 (20170214 MR1), as all the examples I have found online are for 9.6.X or earlier. I did find the hint on the change from basic authentication to posting the body, so I can successfully auth in and use the session cookie and the Xsrf-Token in follow-up calls, but even porting the Python example script (esmcheckds.py)

https://10.X.X.X/rs/esm/devGetDeviceList?filterByRights=false

{"types": ["THIRD_PARTY", "EPO", "NSM"]}

<Response [400]>

Input Validation Error

I can get one of the other samples to call essmgtGetESSTime and successfully respond, but for every other request it's always Input Validation Error. Has the URL changed, or is there any ESM API document available for 10.0.0?

Any help/pointers are greatly appreciated.

Thanks
Adam

9 Replies
xded

Re: RESTful API for ESM 10

Try this URL for version 10: https://[IPofYourSIEM]/rs/esm/help/commands

Re: RESTful API for ESM 10

Dead in the water, any other suggestions, as this environment was prepared by McAfee... I also noticed that hitting a lot of the help links online returns similar responses (but a JSON response instead of a 404 "No Such Command" response). Any help, as this is kinda dead in the water.

GET /rs/esm/help/commands HTTP/1.1

Host: 10.X.X.X

Pragma: no-cache

Accept-Encoding: gzip, deflate, sdch, br

Accept-Language: en-GB,en-US;q=0.8,en;q=0.6

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Cache-Control: no-cache

Connection: keep-alive

HTTP/1.1 404 Not Found

Date: Mon, 03 Apr 2017 23:45:41 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: text/html

Content-Length: 16

Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; form-action 'self'; media-src 'self'; font-src 'self'; connect-src 'self'; plugin-types application/pdf application/x-shockwave-flash; reflected-xss block ; frame-src 'self';frame-ancestors 'self'

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

No such command.

Re: RESTful API for ESM 10

I found the ESM 10.X API documentation available here: https://[your_siem_domain]/rs/esm/help

McAfee Employee andy777

Re: RESTful API for ESM 10

Hi Adam,

Here is a link to a script I have been working on that might help you. It's not fully functional but there are some examples of what you're trying to do. Let me know if you have questions. Thanks.

     GitHub - andywalden/ESM10-Datasource-Toobox: Script for the McAfee ESM v10.0+ API to create dat...

Re: RESTful API for ESM 10

Dear Andy,

In the config file (config.ini) add the next line:

dsconfigdir =

And it works!

Version: ESM McAfee v10 MR1 20170214

McAfee Employee andy777

Re: RESTful API for ESM 10

Sorry for that! The initial intent of the script was to add data sources so the dsconfigdir would be necessary, but for most of the output examples that's not the case so I'll make it optional. I'll do a write-up on it soon and explain some of the details.

Re: RESTful API for ESM 10

Does this script still exist anywhere?

Re: RESTful API for ESM 10

I'm having a problem with the API as well. I keep getting an [Errno 60] Operation timed out when trying to login through the API but I can visit https://{my siem IP}/rs/esm/v2/help just fine.

Re: RESTful API for ESM 10

Hi there, I wrote a few lines for Python 3.6. The only operations I needed were Login/WatchlistUpdating, so those are the only ones I wrote for, but the documentation should help if you want to automate some of that, or copy the login function and use the authenticated header in future requests.

https://github.com/awfullyniceguy/esm_api

Hope this helps
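The flow discussed in this thread (log in by POSTing the credentials in the request body, then replay the session cookie and Xsrf-Token on later calls), as an added example that is not code from any poster's script or from McAfee. The login path, the `X-Xsrf-Token` request header name and the function names are assumptions to check against the help page on your own ESM; the login body fields are left to the caller because the thread does not state them.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

LOGIN_PATH = "/rs/esm/login"      # assumption: confirm against your ESM's help page
XSRF_REQ_HEADER = "X-Xsrf-Token"  # assumption: header used to send the token back
JSON = {"Content-Type": "application/json"}


def login_request(host, login_body):
    """Credentials go in a JSON POST body, not an Authorization: Basic header."""
    data = json.dumps(login_body).encode()
    return urllib.request.Request(f"https://{host}{LOGIN_PATH}", data=data,
                                  headers=JSON, method="POST")


def session_headers(resp_headers):
    """Map login response headers [(name, value), ...] to follow-up headers."""
    jar, token = SimpleCookie(), None
    for name, value in resp_headers:
        if name.lower() == "set-cookie":
            jar.load(value)  # only name=value is echoed back, not Path/Secure/HttpOnly
        elif name.lower() == "xsrf-token":
            token = value
    if not jar or token is None:
        raise ValueError("login response lacks a session cookie or Xsrf-Token")
    cookie = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    return {**JSON, "Cookie": cookie, XSRF_REQ_HEADER: token}


def command_request(host, command, query, body, sess):
    """Authenticated POST, e.g. devGetDeviceList as in the first post."""
    url = f"https://{host}/rs/esm/{command}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=sess, method="POST")


def send(req, timeout=10):
    """Return (status, body); the text of a 4xx reply is kept for diagnosis."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")
```

`send()` uses the default TLS context, so an ESM with a self-signed certificate needs its CA added to the trust store rather than verification switched off.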
