Test log export from Web Security Service for use in a SIEM

Article ID: 173283

Products

Web Security Service - WSS

Issue/Introduction

As an administrator, I would like to verify that the log export from WSS works before pointing a SIEM such as Splunk (or another product) at it.

Environment

Web Security Service

SyncAPI

Resolution

  1. Use curl to run the test. Install it first if it is not already on the machine.
  2. Generate WSS API credentials in the WSS portal.
  3. Run the query with the following curl command:
curl -vvv "https://portal.threatpulse.com/reportpod/logs/sync?startDate=1525917600000&endDate=0&token=none" -H "X-APIUsername: APIUsername" -H "X-APIPassword: APIPassword" -o name_of_the_log_file_here.zip
  • Replace 'APIUsername' and 'APIPassword' with the username and password of the API key that was set up in the WSS portal.
  • Replace the startDate value (e.g. 1525917600000) with a recent timestamp obtained from the Epoch time converter: https://www.epochconverter.com/
  • Use the "Timestamp in milliseconds" value, not the value in seconds; the API expects milliseconds.

Use a recent startDate, for example a date between a couple of days and a week ago, so that the test does not download a large amount of data. The purpose of the curl command is only to confirm that the log export works through the API, and logs from a recent date are sufficient for that.

If the command succeeds, a zip log file is written to the directory from which the command was run. This confirms that the API is reachable and that the supplied API credentials are accepted. If curl reports an error or the output file is empty, check the credentials and the startDate value before troubleshooting further.
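The following script is an added example written for this article; it is not Broadcom's code and is not part of the SyncAPI. It wraps the curl test above so that the startDate is computed from the current time rather than copied from a web converter, the API credentials are read from the environment variables WSS_API_USERNAME and WSS_API_PASSWORD (names chosen for this example) and passed to curl through a temporary config file instead of on the command line, the HTTP status is recorded, and the downloaded file is checked for the zip magic bytes. The endpoint, headers and query parameters are exactly those shown in the command above; everything else (function names, file names) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Broadcom article or the SyncAPI): a small wrapper
# around the article's curl test. Assumes the endpoint and headers shown in
# the article; env var names and function names are this example's own.
set -eu

WSS_SYNC_ENDPOINT="https://portal.threatpulse.com/reportpod/logs/sync"

# Epoch milliseconds for "N days ago", computed from `date +%s` so that it
# works with both GNU and BSD date (no -d or -j option needed).
wss_start_ms() {
    days_ago="$1"
    now_s=$(date +%s)
    echo $(( (now_s - days_ago * 86400) * 1000 ))
}

# Build the sync URL for a startDate in milliseconds. endDate=0 and token=none
# are taken as-is from the article's command.
wss_sync_url() {
    echo "${WSS_SYNC_ENDPOINT}?startDate=$1&endDate=0&token=none"
}

# Sanity-check a download: a real export begins with the zip magic bytes
# "PK\003\004". Without this check an empty file or an error body saved by
# `-o` would look like a successful export.
wss_is_zip() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Run the test download. Credentials are read from the environment and handed
# to curl via a mode-600 config file (-K), so they never appear in curl's
# argv or in the shell history.
wss_test_export() {
    days_ago="${1:-3}"
    out="${2:-wss_test_export.zip}"
    : "${WSS_API_USERNAME:?set WSS_API_USERNAME}" "${WSS_API_PASSWORD:?set WSS_API_PASSWORD}"

    cfg=$(mktemp)
    chmod 600 "$cfg"
    printf 'header = "X-APIUsername: %s"\nheader = "X-APIPassword: %s"\n' \
        "$WSS_API_USERNAME" "$WSS_API_PASSWORD" > "$cfg"

    url=$(wss_sync_url "$(wss_start_ms "$days_ago")")
    status=$(curl -sS -K "$cfg" -o "$out" -w '%{http_code}' "$url") || status="curl-error"
    rm -f "$cfg"

    if [ "$status" != "200" ]; then
        echo "export failed: HTTP $status (response body, if any, is in $out)" >&2
        return 1
    fi
    if ! wss_is_zip "$out"; then
        echo "HTTP 200 but $out is not a zip archive; inspect its contents" >&2
        return 1
    fi
    echo "OK: $(wc -c < "$out") bytes written to $out"
}

# Only perform the network call when credentials are present, so the
# functions above can also be sourced and used individually.
if [ -n "${WSS_API_USERNAME:-}" ] && [ -n "${WSS_API_PASSWORD:-}" ]; then
    wss_test_export "$@"
fi
```

Usage: `WSS_API_USERNAME=... WSS_API_PASSWORD=... sh wss_test.sh 3 test.zip` downloads logs from three days ago onward. A non-200 status or a file that fails the zip check is reported on stderr and the script exits non-zero, which makes it easy to run from a scheduler as a health check for the export before the SIEM collector depends on it.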
