Test log export from Web Security Service for use in a SIEM

Article ID: 173283

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

You want to verify that you can export logs from WSS for use in a SIEM (Splunk).

Environment

Web Security Service

Resolution

  1. Use curl to test. Download it here

  2. Run the following curl command in a command prompt:

    curl -vvv "https://portal.threatpulse.com/reportpod/logs/sync?startDate=1525917600000&endDate=0&token=none" -H "X-APIUsername: APIkeyUsername" -H "X-APIPassword: APIkeyPassword" -o name_of_the_log_file_here.zip

  3. Replace the ‘APIkeyUsername’ and ‘APIkeyPassword’ with the username and password for the API key that is set up in the WSS portal.

  4. Replace the startDate value (i.e. 1525917600000) with a recent timestamp value obtained using the Epoch time converter:

    https://www.epochconverter.com/

    Be sure to use the "Timestamp in milliseconds" value in the curl command.

    Use a recent date when generating the timestamp, for example a date from a couple of days ago to a week ago. This ensures that a large amount of data is not downloaded during the test. The purpose of the curl command is to confirm that log export is working through the API, and logs from a recent date are sufficient for that.

  5. If the command is successful, a log file is generated in the directory from which the command was run. This indicates that the API is available and working as expected with the provided API credentials.
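
The following added example (not part of the original article) wraps steps 2 to 5 in a script for a POSIX shell: it computes the millisecond startDate for N days ago locally, passes the API key headers to curl on stdin instead of on the command line, and checks that the saved file really is a ZIP archive rather than an error response. It also drops `-vvv`, because curl's verbose output prints the request headers that carry the API key. The function names and the `WSS_API_USER` / `WSS_API_PASS` environment variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumed names: WSS_API_USER, WSS_API_PASS, all function names.

# Epoch timestamp in milliseconds for N days before "now" (epoch seconds).
start_ms() {
  local days="$1" now="${2:-$(date +%s)}"
  echo $(( (now - days * 86400) * 1000 ))
}

# The sync URL from the article, with the computed startDate filled in.
sync_url() {
  echo "https://portal.threatpulse.com/reportpod/logs/sync?startDate=$1&endDate=0&token=none"
}

# A ZIP archive starts with the bytes "PK". An empty file, or an error page
# saved under a .zip name, fails this check.
is_zip() {
  [ -s "$1" ] && [ "$(head -c 2 "$1")" = "PK" ]
}

# Download the last N days of logs (default 2) and validate the result.
# The credential headers go to curl as a config file on stdin (-K -), so they
# stay out of the process list and shell history. Assumes the credentials
# contain no double quote or backslash.
wss_test_export() {
  local days="${1:-2}" out="${2:-wss_test_logs.zip}" code
  if [ -z "${WSS_API_USER:-}" ] || [ -z "${WSS_API_PASS:-}" ]; then
    echo "set WSS_API_USER and WSS_API_PASS first" >&2
    return 2
  fi
  code=$(printf 'header = "X-APIUsername: %s"\nheader = "X-APIPassword: %s"\n' \
           "$WSS_API_USER" "$WSS_API_PASS" |
         curl -sS -K - -o "$out" -w '%{http_code}' \
           "$(sync_url "$(start_ms "$days")")") || return 1
  echo "HTTP status: $code"
  if is_zip "$out"; then
    echo "OK: $out is a ZIP archive"
  else
    echo "FAIL: $out is not a ZIP archive; inspect it for an error message" >&2
    return 1
  fi
}

# Runs only when both credential variables are set in the environment.
if [ -n "${WSS_API_USER:-}" ] && [ -n "${WSS_API_PASS:-}" ]; then
  wss_test_export "$@"
fi
```

Delete the downloaded test archive once the check passes if it is not needed, since it contains real web access logs.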