5 Replies Latest reply on Jun 21, 2015 8:21 PM by mhooper1

    SIEM API REST query filters

    shaw2k14

      We are trying to build REST queries using OR within the filters, e.g. search for events/records involving this IP or that IP, but have been unable to find any documented examples of this type of query.  Could someone possibly provide an example of a query to search for either of the following use cases?

      Query 1: Search for the existence of an IP address from a group of IP addresses
      123.123.123.123 or 80.80.80.80 or 234.234.234.234

      Query 2: Search for the existence of a domain from a group of domains
      red.com or blue.com or green.com

      Thank you

        • 1. Re: SIEM API REST query filters
          alexander_h

          I believe that REST is quite limited from that perspective, meaning that you might need additional development to operate on all the data returned from the REST API.

          Something like PHP, Java, C#.

          Let's see if someone else will add something more to the discussion.

          • 2. Re: SIEM API REST query filters
            shaw2k14

            Thanks Alexander.  I believe we can handle the data returned if I could only understand how to modify the default operator between filters (from AND to OR).  Here is a detailed sample of what I am trying to do:

            AND Filter Logic (The ESM API implies an AND operator between the two filters):

            "filters": [
              {
                "field": { "name": "DstPort" },
                "type": "EsmFieldFilter",
                "operator": "EQUALS",
                "values": [
                  { "type": "EsmBasicValue", "value": "80" }
                ]
              },
              {
                "field": { "name": "SrcIP" },
                "type": "EsmFieldFilter",
                "operator": "EQUALS",
                "values": [
                  { "type": "EsmBasicValue", "value": "123.123.123.123" }
                ]
              }
            ]

            Desired OR Filter Logic:

            "filters": [
              {
                "field": { "name": "SrcIP" },
                "type": "EsmFieldFilter",
                "operator": "EQUALS",
                "values": [
                  { "type": "EsmBasicValue", "value": "122.122.122.122" }
                ]
              },
              OR
              {
                "field": { "name": "SrcIP" },
                "type": "EsmFieldFilter",
                "operator": "EQUALS",
                "values": [
                  { "type": "EsmBasicValue", "value": "123.123.123.123" }
                ]
              }
            ]

            • 3. Re: SIEM API REST query filters
              alexander_h

              I believe that this is not possible, as with REST you perform a simple request for specific information based on filters.

              So ideally what you need is a C# app that can perform multiple REST requests until it matches the info you need.

              Another thing is that the ESM itself doesn't have such a filtering option to use SrcIP1 or SrcIP2.

              You can specify only a single value within the filter.

              At least this is my understanding. Hope it helps.

              • 4. Re: SIEM API REST query filters
                Scott Taschler

                While I'm not an expert in the ESM API, I'm wondering if watchlists are the answer to this question.  Could you place the elements you're searching for in a watchlist, and then run a query with the watchlist as a filter?

                Scott

                • 5. Re: SIEM API REST query filters
                  mhooper1

                  This is a bit old now, but you can add multiple IPs. The EsmFilterField is a list, so you can add multiple filters to the list.

                  Regards

                  Mason
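The following is an added example, not code from the thread or from McAfee. It builds the `filters` array of an ESM query body in the exact shape the original poster's JSON uses, putting every IP (or domain) of a set into the `values` list of one `EsmFieldFilter` rather than into separate top-level filters, which the poster confirmed are AND-ed together. Two things are assumptions the thread does not confirm: that the ESM accepts `IN` as the operator name for a multi-value filter, and that it evaluates the entries of one filter's `values` list as alternatives (OR). The field name `DomainName` for the domain query is also a placeholder. The validation step is the part a practitioner should keep whatever the operator name turns out to be: indicator lists pasted from reports tend to carry junk, and rejecting anything that is not a literal address or host name before it reaches the query body avoids silently searching for nothing.

```python
import ipaddress
import json
import re

# Hypothetical helper module (example code, not the ESM API's own).
# Assumptions: operator "IN" for multi-value filters; the ESM ORs the
# entries of one filter's "values" list; filters in the top-level list
# stay AND-ed, as the thread observed.

# Host-name syntax check: labels of 1-63 chars, whole name up to 253 chars,
# alphabetic TLD. Bare IPs and free text are rejected.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def basic_value(value):
    """One EsmBasicValue entry, in the shape the poster's JSON shows."""
    return {"type": "EsmBasicValue", "value": str(value)}


def field_filter(field_name, values, operator=None):
    """One EsmFieldFilter whose values list may hold several alternatives."""
    vals = list(values)
    if not vals:
        raise ValueError("a filter needs at least one value")
    if operator is None:
        # Single value: EQUALS as in the thread. Several values: "IN" (assumed name).
        operator = "EQUALS" if len(vals) == 1 else "IN"
    return {
        "field": {"name": field_name},
        "type": "EsmFieldFilter",
        "operator": operator,
        "values": [basic_value(v) for v in vals],
    }


def ip_set_filter(field_name, ips):
    """Filter on a set of IPs; ipaddress.ip_address raises ValueError on junk."""
    normalized = [str(ipaddress.ip_address(ip.strip())) for ip in ips]
    return field_filter(field_name, normalized)


def domain_set_filter(field_name, domains):
    """Filter on a set of host names, lower-cased with any trailing dot removed."""
    normalized = []
    for d in domains:
        d = d.strip().rstrip(".").lower()
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a host name: {d!r}")
        normalized.append(d)
    return field_filter(field_name, normalized)


def query_filters(*filters):
    """Top-level filters list; the ESM ANDs these together."""
    return {"filters": list(filters)}


if __name__ == "__main__":
    # Constructed sample: the thread's Query 1 and Query 2 sets, combined with
    # the DstPort filter from the poster's AND example.
    body = query_filters(
        field_filter("DstPort", [80]),
        ip_set_filter("SrcIP", ["123.123.123.123", "80.80.80.80", "234.234.234.234"]),
        domain_set_filter("DomainName", ["red.com", "blue.com", "green.com"]),  # field name assumed
    )
    print(json.dumps(body, indent=2))
```

Run as a script it prints the request body; the `filters` value is what goes into the query config, with a separate `EsmFieldFilter` only where AND is wanted and all the alternatives of one set inside a single filter's `values` list. If the ESM build in use rejects `IN`, `field_filter` takes the operator name explicitly, and the validation and body layout stay the same.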