
Synchronous Alerts API

This API lets you retrieve alert data from EventLog Analyzer.

When you call the synchronous alert method, your query is sent to the EventLog Analyzer server, which collects all the results before returning them to you. The total time taken depends on the number of search results obtained.

Here are the steps involved in executing a synchronous alert query:

  • Create an alert request with the relevant metadata (query, alert profiles, severity, status and time range).
  • The server executes the request on the request thread and responds with the result.
  • When there are more results than the predefined number returned per response, the server also returns a cursor.
  • Send that cursor back in the next request to get the next set of results. Repeat until all alert hits are consumed, i.e. until the server no longer returns a cursor.
  • A cursor that is not used for five minutes expires; after that the query has to be started again.

Request URL

POST http://hostname:8400/RestAPI/v1/alerts

Request Header

  • Authorization (mandatory): Bearer {{AuthToken}}. The AuthToken is generated from the API Settings page.

e.g.: Bearer nzxcvda0odmtmznloc00ndziltg0mgutmwzkhtljmjvmzbyt

The token is a bearer credential: anyone who obtains it can query alerts with it, so keep it out of shell history, scripts checked into source control and logs.

Request Parameters

The request must be sent in the body of the request in JSON format and should contain the following key/value parameters:

  • query (String, optional; default *): Search query in EventLog Analyzer's search syntax; * matches all alerts. See note 2 for escaping quotes.
  • alert_profiles (JSONArray, optional; default all): List of alert profiles, given by ID as in the sample requests below.
  • severity (JSONArray, optional; default all): List of severity values, e.g. ["CRITICAL"].
  • status (JSONArray, optional; default all): List of status values, e.g. ["OPEN"].
  • from (Long, optional; default current time - 24 hours): Start time for the search in Unix milliseconds.
  • to (Long, optional; default current time): End time for the search in Unix milliseconds. It must not be earlier than from.
  • cursor (String, optional; no default): Cursor returned by the previous response; send it to fetch the next set of results.

Note:
  1. When the cursor is passed, the other parameters are not required.
  2. Quotes (") inside the query string must be escaped in the JSON body. If the query in EventLog Analyzer's search page is REMOTE_INTERFACE = "switch 1", then for the REST API the query parameter is written as "REMOTE_INTERFACE = \"switch 1\"". A JSON library performs this escaping for you; only hand-written bodies need it done manually.

Response

The response is a JSON object containing the following key/value pairs:

  • hits: JSON object containing the alert hits for the request, with these fields:
      hits: List of alert hits
      hits_count_in_current_page: Number of hits in the current response
  • cursor: Returned only when further results remain beyond the current response. Send it back as the cursor parameter to fetch the next set; a response without a cursor is the last one.

If the query cannot be parsed, the server returns ERROR, ERROR_DESCRIPTION and ERRORS instead of hits (see example iii below).
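The following Python client is an added example, not EventLog Analyzer's own code. It runs the procedure described above end to end: it builds the JSON body (json.dumps performs the quote escaping that note 2 requires), follows cursors until the server stops returning one, turns the ERROR / ERROR_DESCRIPTION reply shown in the invalid-query sample into an exception, and refuses to reuse a cursor that has sat idle for more than five minutes. The hostname, port and token are placeholders taken from this page; fake_server and its pages are constructed stand-ins for the real endpoint so the script runs offline.

```python
"""Client for EventLog Analyzer's synchronous alerts API (added example, not vendor code)."""
import json
import time
import urllib.request
from typing import Callable, Iterator, Optional

ALERTS_PATH = "/RestAPI/v1/alerts"
CURSOR_TTL_SECONDS = 300  # the docs state an unused cursor expires after five minutes

Poster = Callable[[dict], dict]  # sends one JSON body, returns the decoded JSON reply


class AlertsApiError(RuntimeError):
    """Server replied with an ERROR object (e.g. SR007 QUERY NOT VALID) or the cursor is stale."""


def encode_body(body: dict) -> str:
    """Serialise the request body. json.dumps escapes embedded quotes, so the query is
    passed exactly as typed in the search page, e.g. REMOTE_INTERFACE = "switch 1"."""
    return json.dumps(body)


def make_http_post(base_url: str, token: str) -> Poster:
    """Build a poster that sends bodies to <base_url>/RestAPI/v1/alerts with the bearer token."""
    def post(body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + ALERTS_PATH,
            data=encode_body(body).encode("utf-8"),
            headers={"Authorization": "Bearer " + token,
                     "Accept": "application/json",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return post


def iter_alerts(post: Poster, query: str = "*", *, alert_profiles=None, severity=None,
                status=None, from_ms: Optional[int] = None, to_ms: Optional[int] = None,
                clock: Callable[[], float] = time.monotonic) -> Iterator[dict]:
    """Yield every alert hit, re-posting the returned cursor until the server sends none."""
    if from_ms is not None and to_ms is not None and from_ms > to_ms:
        raise ValueError("'from' must not be later than 'to'")
    body = {"query": query}
    for key, value in (("alert_profiles", alert_profiles), ("severity", severity),
                       ("status", status), ("from", from_ms), ("to", to_ms)):
        if value is not None:
            body[key] = value
    while True:
        reply = post(body)
        if "ERROR" in reply:  # shape taken from the invalid-query sample on this page
            raise AlertsApiError(f"{reply['ERROR']}: {reply.get('ERROR_DESCRIPTION')}")
        fetched_at = clock()
        for hit in reply.get("hits", {}).get("hits", []):
            yield hit
        cursor = reply.get("cursor")
        if not cursor:
            return  # no cursor: this was the last page
        # Guard against the five-minute expiry: if the consumer stalled while processing
        # the page, fail loudly instead of sending a cursor the server has discarded.
        if clock() - fetched_at > CURSOR_TTL_SECONDS:
            raise AlertsApiError("cursor expired (unused for more than five minutes); rerun the query")
        body = {"cursor": cursor}  # note 1: nothing else is required on cursor requests


def fake_server(pages: list) -> Poster:
    """Constructed stand-in for the server: one page per cursor, plus the SR007 error shape."""
    def post(body: dict) -> dict:
        if "cursor" in body:
            index = int(body["cursor"].rsplit("-", 1)[1])
        elif ":=" in body["query"]:  # mimics the page's invalid-query sample
            return {"ERROR": "SR007", "ERROR_DESCRIPTION": "QUERY NOT VALID"}
        else:
            index = 0
        page = pages[index]
        reply = {"hits": {"hits": page, "hits_count_in_current_page": len(page)}}
        if index + 1 < len(pages):
            reply["cursor"] = f"cursor-{index + 1}"
        return reply
    return post


if __name__ == "__main__":
    # Constructed data: three pages of one hit each. Swap fake_server for
    # make_http_post("http://hostname:8400", "<AuthToken>") to run against a real server.
    demo = fake_server([[{"HOSTID": 601}], [{"HOSTID": 602}], [{"HOSTID": 603}]])
    print([h["HOSTID"] for h in iter_alerts(demo, "EVENTID = 16384 AND USERNAME = mhtoc",
                                            severity=["CRITICAL"], status=["OPEN"])])
```

The transport is injected so the paging logic can be exercised without a server; the client-side expiry check is a guard only, the real expiry happens on the server and the only recovery is to rerun the query from the original parameters.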

Example usage using cURL

i) Search request with query

Sample request

# from must be earlier than to; the body is sent as JSON
curl --location --request POST 'http://localhost:8400/RestAPI/v1/alerts' \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx" \
  --data-raw '{ "query": "EVENTID = 16384 AND USERNAME = mhtoc", "alert_profiles": [1, 2, 601], "severity": ["CRITICAL"], "status": ["OPEN"], "from": 1643480479500, "to": 1643480792000 }'

Sample response:

{
  "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA",
  "hits": {
    "hits": [
      {
        "COMMON_SEVERITY": "INFORMATION",
        "IS_THROWAWAY": true,
        "HOSTNAME": "lix",
        "APPID": 2,
        "FORMATID": 302,
        "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"",
        "TIME": "1643531422443",
        "IMPORTED_TIME": 1643531420365,
        "HOSTID": 601,
        "IPAddress2": "10.128.156.152",
        "Alert Profile": "Alert profile 1"
      },
      {
        "COMMON_SEVERITY": "INFORMATION",
        "IS_THROWAWAY": true,
        "HOSTNAME": "lix",
        "APPID": 2,
        "FORMATID": 302,
        "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"",
        "TIME": "1643531422446",
        "IPAddress1": "10.128.156.152",
        "HOSTID": 601,
        "IPAddress2": "10.128.156.152",
        "Alert Profile": "Alert profile 1"
      }
    ],
    "hits_count_in_current_page": 3
  }
}

ii) Search request with cursor

Sample request

curl --location --request POST 'http://localhost:8400/RestAPI/v1/alerts' \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx" \
  --data-raw '{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA" }'

Sample response:

{
  "hits": {
    "hits": [
      {
        "COMMON_SEVERITY": "INFORMATION",
        "IS_THROWAWAY": true,
        "HOSTNAME": "lix",
        "APPID": 2,
        "FORMATID": 302,
        "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"",
        "TIME": "1643531422443",
        "IMPORTED_TIME": 1643531420365,
        "HOSTID": 601,
        "IPAddress2": "10.128.156.152",
        "Alert Profile": "Alert profile 1"
      },
      {
        "COMMON_SEVERITY": "INFORMATION",
        "IS_THROWAWAY": true,
        "HOSTNAME": "lix",
        "APPID": 2,
        "FORMATID": 302,
        "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"",
        "TIME": "1643531422446",
        "IPAddress1": "10.128.156.152",
        "HOSTID": 601,
        "IPAddress2": "10.128.156.152",
        "Alert Profile": "Alert profile 1"
      }
    ],
    "hits_count_in_current_page": 3
  }
}

No cursor is returned, so this is the last set of results.

iii) Invalid Search query

Sample request

# ":=" and "<>" are not valid operators in the query syntax
curl --location --request POST 'http://localhost:8400/RestAPI/v1/alerts' \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx" \
  --data-raw '{ "query": "EVENTID := 16384 AND USERNAME <> mhtoc", "alert_profiles": [1, 2, 601], "severity": ["CRITICAL"], "status": ["OPEN"], "from": 1643480479500, "to": 1643480792000 }'

Sample response

{
  "ERROR": "SR007",
  "ERROR_DESCRIPTION": "QUERY NOT VALID",
  "ERRORS": {
    "context": "Failed to build query",
    "cause": {
      "reason": "Encountered \" \":\" \": \"\" at line 1, column 159.\r\nWas expecting one of:\r\n ...\r\n \"+\" ...\r\n \"-\" ...\r\n ...\r\n \"(\" ...\r\n \"*\" ...\r\n ...\r\n ...\r\n ...\r\n ...\r\n ...\r\n \"[\" ...\r\n \"{\" ...\r\n ...\r\n ...\r\n ",
      "type": "ParseException"
    }
  }
}

Example usage using Postman (Third party tool)

i) Search request with query

[Screenshot: Synchronous Alert API request with query in Postman]

ii) Search request with cursor

[Screenshot: Synchronous Alert API request with cursor in Postman]

iii) Invalid query

[Screenshot: Synchronous Alert API invalid query in Postman]

Copyright © 2020, ZOHO Corp. All Rights Reserved.
