CloudSOC Management API

Symantec CloudSOC Tech Note

Tech Note -- CloudSOC Management API

Copyright statement

Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit .

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


Table of Contents

Introduction
Supported authentication methods
  Creating an API key
  Basic authentication
Getting logs
  Sample request
  Supported filters
  Sample responses
    Sample response for Investigate
    Sample response for Detect (incidents)
    Sample response for Detect (ThreatScore)
  Response fields
  Sample queries for each app
    Investigate Logs
    CloudSOC history logs
    Detect incidents
    Detect ThreatScore
    Audit incidents
    Audit ThreatScore
  Querying the next page of logs
  Example Windows Powershell 5.1 script
  Logs response codes
  Usage guidelines
Logs schema
  Common fields
  Browser and device information


  Location information
  Gatelets additional fields
  Securlet activity log structures
    Common fields
    Activities on non-S3 objects
    Activities on S3 objects
    Google Drive
      Create a file or folder
      Modify a file or folder
      Upload a file or folder
      Share a file or folder
      Unshare a file or folder
      Rename a file or folder
      Trash a file or folder
      Restore a file or folder from Trash
      Permanently delete a file or folder
      Role change
      Delete user
      Grant permission on an app
      Revoke permission on an app
      Successful login
      Suspicious login
      Failed login
      Logout
    Salesforce
      Activities on Salesforce standard/custom objects
      Fields common to login, logout and failed login events


      Successful login
      Unsuccessful login
      Salesforce reports/dashboards
CloudSOC applications
  Protect application
    Access enforcement - gateway
    File sharing - Securlet
    File sharing - gateway
    File transfer - gateway
    ThreatScore
  Detect application
    Incident logs
    User ThreatScore logs
Audit API
  Authentication
  Getting Audit datasources
    Sample datasources request
    Sample datasources response
  Getting Audit services
    Sample Audit services request
    Supported Audit services filters
    Sample Audit services response
  Getting Audit users
    Sample Audit users request
    Supported Audit users filters
    Sample Audit users response
  Getting Audit usernames


    Sample Audit usernames request
    Supported Audit usernames parameters
    Sample Audit usernames response
  Getting Audit summary information
    Sample Audit summary request
    Supported Audit summary filters
    Sample Audit summary response
  Audit response codes
Protect APIs
  Authentication
  Getting Protect policies
    Sample policy request
    Supported policy filters
    Sample policy response
  Protect response codes
  Protect policy schema
    Policy common fields
    Gatelet policy additional fields
    Securlets policy additional fields
      Data exposure via Securlets
      Access monitoring via Securlets
    ThreatScore policy additional fields
Revision history


Introduction

The CloudSOC API exposes the events recorded by the CloudSOC applications and makes it straightforward to integrate CloudSOC with your own apps and tools.

Supported authentication methods

The CloudSOC API supports Basic Authentication using API Keys. CloudSOC API keys inherit the access privileges of the CloudSOC user who configured them. You can use this feature to limit API keys to specific domains, SaaS services, and CloudSOC apps by creating a CloudSOC admin user specifically to enable the API key, and assigning it an access profile that limits its access. See the CloudSOC Tech Note Using CloudSOC Access Profiles for more information.

Creating an API key

To create a per-user API key:

1. Log in to CloudSOC using your administrator credentials.
2. On the CloudSOC menu bar, click your username and choose Settings.
3. On the Settings page, click the API Keys tab to bring it to the front.
4. To create a new API Access Key, enter a descriptive name for the new key and click Add New API Key.
5. In the API Keys List, click the download button for the new key.


6. Open the file in a text editor and record the following information for the key:
   Key ID
   Key Secret
   Tenant

Basic authentication

The CloudSOC API supports Basic Access Authentication. Use the Key ID and Key Secret as your username and password respectively. The API keys are allocated on a per-user basis and inherit the permissions granted to that user.

Getting logs

Sample request

GET //api/admin/v1/logs/get/ HTTP/1.1
Host: api-vip.
Authorization:
Content-Type: application/javascript
X-Elastica-Dbname-Resolved: True

Note: Use the following Host URLs:
For the US-based production cloud: api-vip.
For the EU-based production cloud: api.eu.

Also note that the request header "X-Elastica-Dbname-Resolved: True" is required for successful authorization.
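The following Python script is an added example, not code from the tech note, showing how the Basic Authentication and sample request above fit together: the Key ID and Key Secret become the Basic credential, and the required X-Elastica-Dbname-Resolved header is always sent. The host is a placeholder because the tech note gives only the truncated prefixes, and the path is assumed from the sample request line.

```python
"""Added example: authenticated GET to the CloudSOC logs endpoint (not the tech note's own code)."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Placeholder host: the tech note lists only the truncated prefixes "api-vip." (US) and "api.eu." (EU).
DEFAULT_HOST = "api-vip.PLACEHOLDER-DOMAIN"
LOGS_PATH = "/api/admin/v1/logs/get/"  # assumed from the sample request line in the tech note


def basic_auth_header(key_id, key_secret):
    """HTTP Basic credential: the Key ID is the username, the Key Secret is the password."""
    if not key_id or not key_secret:
        raise ValueError("Key ID and Key Secret are both required")
    token = base64.b64encode(f"{key_id}:{key_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_logs_request(key_id, key_secret, host=DEFAULT_HOST, params=None):
    """Return (url, headers) for the logs request with every header the tech note requires."""
    query = "?" + urllib.parse.urlencode(params) if params else ""
    url = f"https://{host}{LOGS_PATH}{query}"
    headers = {
        "Authorization": basic_auth_header(key_id, key_secret),
        "Content-Type": "application/javascript",
        "X-Elastica-Dbname-Resolved": "True",  # required, otherwise authorization fails
    }
    return url, headers


def fetch_logs(key_id, key_secret, host=DEFAULT_HOST, params=None, timeout=30):
    """Send the request and return the decoded JSON body (this part needs network access)."""
    url, headers = build_logs_request(key_id, key_secret, host, params)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        # A 401/403 usually means a wrong key pair, a missing X-Elastica-Dbname-Resolved
        # header, or an access profile that does not grant this key the requested data.
        raise RuntimeError(f"CloudSOC logs request failed with HTTP {exc.code}") from exc


if __name__ == "__main__":
    # Keep the key pair out of the script: it carries the full privileges of the user who created it.
    creds = os.environ["CLOUDSOC_KEY_ID"], os.environ["CLOUDSOC_KEY_SECRET"]
    print(json.dumps(fetch_logs(*creds), indent=2))
```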
