Test log export from Cloud SWG (WSS) for use in a SIEM
search cancel

Test log export from Cloud SWG (WSS) for use in a SIEM

book

Article ID: 173283

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

As an administrator, you would like to verify/test the export of the logs from the Cloud SWG (WSS) for use in a SIEM such as Splunk.

Environment

Web Security Service

Cloud SWG

SyncAPI

Resolution

  1. Use curl to test. Download it here.
  2. Generate WSS API Credentials.
  3. Use the following command to run the query using the curl application:
curl -vvv "https://portal.threatpulse.com/reportpod/logs/sync?startDate=1525917600000&endDate=0&token=none" -H "X-APIUsername: APIUsername" -H "X-APIPassword: APIPassword" -o name_of_the_log_file_here.zip
  • Replace the ‘APIUsername’ and ‘APIPassword’ with the username and password for the API key that is set up in the WSS portal.
  • Replace the startDate value (i.e.1525917600000) with a recent timestamp value obtained using the Epoch time converter.
  • Be sure to use the "Timestamp in milliseconds" value in the curl command. 

It is recommended that a recent date be used when generating a timestamp and running the command.

For example, choose a "startDate" from two days ago (to no longer than one week ago).  This helps to ensure that a large amount of data is NOT downloaded during the test.  The main purpose of this curl command test is to ensure that the log export is working through the API with a small amount of data.

If the command is successful, a log file should be generated within the directory from where the command is being run.  This indicates that the API is available and working as expected using the provided API credentials.

Additional Information

For use with PowerShell scripts, the Invoke-WebRequest would need to be used.

Ex. 

Invoke-WebRequest -H @{'X-APIUsername'='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'; 'X-APIPassword'='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'} "https://portal.threatpulse.com/reportpod/logs/sync?startDate=1597687200000&endDate=0&token=none" -OutFile C:\temp\$config.zip

Reference: