Search for configuration within the search bar

Sascha Scholz

July 05, 2022 05:11

Hey,

Iam searching for a possibility to return the configuration of defined alert rules in the logpoint search tab.

Background: I would like to report over icindents which are created by alert rules for a specific user group. We got several test alarms, which are “managed” by an other user and which should not appear in the report. So I have to combine the configuration of alert rules and the results with “repo_name="_logpoint" action="Alert received" | chart count () by alert_name, risk_level”.

Unfortunately I could not find a way to bring up the alert rule configuration with a search and combine the result with another search to narrow down the alert rules which I need to report. (I dont want to do that manually per hand by tyoing the names in the search)

I came over this idea because I have done such things with Splunk in the past. (was like an API-Call within the search bar to return internal configuration parameters)

Is it even possible to get the configuration of the XXX back as a json/xml (or other) string?

Thanks in advance.

BR,
Sascha

2 comments

Date Votes

Nils Krumrey July 18, 2022 10:03

Unfortunately, just like in your other question, the configuration of the alert rules is not held in a repository and therefore can’t be queried with the search language. Once an incident is generated some information is logged as an audit event, but again that does not include information about the alert configuration/ownership itself.

You should be able to use the Incident API to get this information, although it would require a CURL command or a script outside of Logpoint. Alternatively, perhaps a SOAR action could do that too - we do use some of the incident API when we use a SIEM incident to trigger into SOAR.

The list of incidents ( https://LogPoint-IP/incidents ) includes “username” and “assigned to” as the information. You can use https://LogPoint-IP/get_users to get a list of all the Logpoint users and their IDs.

I appreciate that that’s not in the search at all though and you would have to some external processing afterwards - perhaps you can raise an idea for us in the idea portal and describe what you would like to see / what you can do in Splunk? I think it would be great if we could do this without using the API externally...

Alexandru ILIOIU July 23, 2024 08:42

Hi,

In SIEM version 7.4.2 I believe the request APIs above are no longer available.

Question:
- if I want to make an API request (by example /getalloweddata) using a LDAP user (CN=My Name,OU=Users,DC=company,DC=com) how can I put it into “username” field ? All my attempts using different combination of quotes failed.

Example:
curl -k --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username= "ldap_CN=My NAME,OU=Users,DC=company,DC=com" ' --data-urlencode 'secret_key=123456789abcdefghijlmnoprstuvxyz' --data-urlencode 'type=user_preference' --location 'https://Logpoint_IP/getalloweddata'

Reponse:
{ "success": false, "message": "Authentication Failed" }

Can anyone help ne with the syntax for “username” field ?

Thanks,
Alexandru

Please sign in to leave a comment.