3 Replies Latest reply on May 4, 2016 1:39 PM by andy777

    Columns have weird values when fetching using qryExecuteDetail API

    meirwah

      I trigger a search using the REST API (qryExecuteDetail). In the query configuration params, the fields I give it are: "Event_Class", "Rule_Name", "ID", "Protocol", "DstIP", "Description", "FirstTime", "Attacker_IP", "UserIDSrc"

      When I fetch the results, I get in the response:

      for "Event_Class", the column name is: Alert.65545

      for "UserIDSrc", the column name is: Alert.BIN(7)

      for "Protocol", it's actually correct: Alert.Protocol

      etc.


      All columns are (in the order above):

      {"return": {
          "columns": [
              {"name": "Alert.65545"},
              {"name": "Alert.65616"},
              {"name": "Alert.ID"},
              {"name": "Alert.Protocol"},
              {"name": "Alert.DstIP"},
              {"name": "Alert.4259873"},
              {"name": "Alert.FirstTime"},
              {"name": "Alert.262175"},
              {"name": "Alert.BIN(7)"}
          ]
      }}

      Any idea what I'm doing wrong?

      Using version: 9.5.2

        • 1. Re: Columns have weird values when fetching using qryExecuteDetail API
          andy777

          You can get a list of valid fields with qryGetFields. Here is a query using similar fields:

              {"config": {
                  "limit": 10,
                  "timeRange": time_range,
                  "order": [{"direction": "ASCENDING",
                             "field": {"name": "FirstTime"}
                            }],
                  "fields": [{"name": "FirstTime"},
                             {"name": "Rule.msg"},
                             {"name": "DSIDSigID"},
                             {"name": "EventCount"},
                             {"name": "SrcIP"},
                             {"name": "DstIP"},
                             {"name": "UserIDSrc"}]
              }}

          And here is the poorly formatted result:

          First Time           Rule Mesg                              Sig-ID        Count  Source-IP                       Dest-IP      User
          04/28/2016 22:47:13  An account was successfully logged on  43-263046240  1      ::1                             10.2.22.220  WINSERVER$
          04/28/2016 22:48:13  An account was successfully logged on  43-263046240  4      ::1                             10.2.22.220  WINSERVER$
          04/28/2016 22:48:13  An account was successfully logged on  43-263046240  8      2002:1616:16DC:0:0:0:1616:16DC  10.2.22.220  WINSERVER$

          • 2. Re: Columns have weird values when fetching using qryExecuteDetail API
            meirwah

            10x!

            Are you able to fetch the field Event_Class too?
            I'm trying to fetch the event subtype, and this field seems to be related...

            • 3. Re: Columns have weird values when fetching using qryExecuteDetail API
              andy777

              I usually test before I respond, but I'm running through an airport at the moment. Try "Action" instead of "Event_class".
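Added example, not code from this thread or from the SIEM vendor: a small Python check that catches the problem discussed above on both sides of the call. Before sending a qryExecuteDetail request it compares the requested names against a known-field list (here a constructed stand-in for what qryGetFields would return; the field names are the ones used in the replies), and after the call it maps the returned columns back to the requested fields by position and flags any that came back as a bare number or BIN(n) slot instead of a name. The UNRESOLVED pattern, the function names and the known-field set are assumptions; the response shape is the one shown in the question.

```python
import json
import re

# Assumed pattern for a column the API could not resolve to a real field
# name: a bare numeric ID or a BIN(n) slot, e.g. Alert.65545 or Alert.BIN(7).
UNRESOLVED = re.compile(r"^[A-Za-z]+\.(\d+|BIN\(\d+\))$")

# Constructed stand-in for the list qryGetFields would return; in practice
# populate it from the API. Names are the ones used in the replies above.
KNOWN_FIELDS = {"FirstTime", "Rule.msg", "DSIDSigID", "EventCount",
                "SrcIP", "DstIP", "UserIDSrc", "Protocol", "ID", "Action"}


def check_requested_fields(requested, known=KNOWN_FIELDS):
    """Return requested names missing from the known-field list.

    Run this before qryExecuteDetail so a guessed name (Event_Class,
    Rule_Name, ...) is caught up front instead of coming back as a number.
    """
    return [f for f in requested if f not in known]


def map_columns(requested, response):
    """Pair each requested field with the column name the API echoed back.

    Columns come back in request order, so a positional zip suffices; a
    length mismatch means the response does not belong to this request.
    """
    columns = [c["name"] for c in response["return"]["columns"]]
    if len(columns) != len(requested):
        raise ValueError(f"requested {len(requested)} fields, got {len(columns)} columns")
    return dict(zip(requested, columns))


def unresolved_fields(mapping):
    """Requested fields whose returned column is a raw ID/BIN slot, not a name."""
    return [field for field, col in mapping.items() if UNRESOLVED.match(col)]


# Constructed sample mirroring the request and response in the question.
REQUESTED = ["Event_Class", "Rule_Name", "ID", "Protocol", "DstIP",
             "Description", "FirstTime", "Attacker_IP", "UserIDSrc"]
SAMPLE_RESPONSE = json.loads('''{"return": {"columns": [
  {"name": "Alert.65545"}, {"name": "Alert.65616"}, {"name": "Alert.ID"},
  {"name": "Alert.Protocol"}, {"name": "Alert.DstIP"}, {"name": "Alert.4259873"},
  {"name": "Alert.FirstTime"}, {"name": "Alert.262175"}, {"name": "Alert.BIN(7)"}]}}''')

if __name__ == "__main__":
    print("unknown before sending:", check_requested_fields(REQUESTED))
    print("unresolved in response:", unresolved_fields(map_columns(REQUESTED, SAMPLE_RESPONSE)))
```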