Endpoint Protection Mobile (SEP Mobile legacy) security events can be stored and then retrieved via the REST API. This document outlines how to enable storing of security events and then pull them via the API.
Legacy SEP Mobile
To use the SEP Mobile API, you must first obtain an API token: log in to the SEP Mobile portal, go to Settings -> API, and click the "Generate API Token" button. This gives you the API token, Organization ID (Org ID), and API URL needed to make the calls. In addition, the Settings -> Security Incidents Feed -> "Pull Using" drop-down must be set to "API", or you will not be able to use the API.
Security events are not available via the API by default; you must first enable storing of events. The following example curl command enables this. Replace <API token>, <Org ID>, and <API URL> with the values generated above.
curl --location --request POST 'https://<API URL>/organizations/<Org ID>/security_events/store_security_events?auth_token=<API token>&organization_id=<Org ID>&enabled=true&pulling_type=api' \
--header 'API-VERSION: 1.1'
After setting it to store events as above, new security events will be available via the API. Events that happened prior to this being enabled will not be available to pull via the API.
Once events are available, you can pull them via the API; an example curl command follows. By default, events are removed from the API once they are pulled, unless remove=false is added, as in the example.
curl --location 'https://<API URL>/organizations/<Org ID>/security_events?auth_token=<API token>&organization_id=<Org ID>&remove=false' \
--header 'API-VERSION: 1.1'
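Because the API token travels in the URL query string, a scheduled pull should keep it off the command line and out of log lines. The script below is an added example, not part of the original article or the vendor's tooling: it performs the same pull with remove=false, passing the URL to curl through `--config -`. The environment variable names (SEPM_API_HOST, SEPM_ORG_ID, SEPM_API_TOKEN) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pull SEP Mobile security events without exposing the token
# in the process list or in log lines. Env var names are assumptions.

# Build the pull URL exactly as in the curl example above.
# Args: api_host org_id token remove(true|false)
build_events_url() {
    printf 'https://%s/organizations/%s/security_events?auth_token=%s&organization_id=%s&remove=%s' \
        "$1" "$2" "$3" "$2" "$4"
}

# Mask the auth_token value so the URL can be written to logs.
redact_url() {
    printf '%s\n' "$1" | sed -E 's/(auth_token=)[^&]*/\1REDACTED/'
}

# Emit a curl config (read with `curl --config -`) so the URL never appears in argv.
curl_config() {
    printf 'url = "%s"\n' "$1"
    printf 'header = "API-VERSION: 1.1"\n'
    printf 'location\nfail\nsilent\nshow-error\n'
}

# Pull events non-destructively into a private file, replaced atomically on success.
# Args: output_file
pull_events() {
    out=$1
    url=$(build_events_url "$SEPM_API_HOST" "$SEPM_ORG_ID" "$SEPM_API_TOKEN" false)
    echo "pulling $(redact_url "$url")" >&2
    umask 077
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if curl_config "$url" | curl --config - --output "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run only when invoked as: script.sh pull <output_file>
if [ "${1:-}" = "pull" ]; then
    pull_events "${2:?output file required}"
fi
```
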
More API calls and additional options are described in the API documentation; the link to it can be found on the Settings -> API page.