Searching Investigate events beyond the UI limit of 6 months

Article ID: 366839

Products

CASB Securlet SAAS
Issue/Introduction

The Cloudsoc console's time picker enforces a predefined hard limit: the user can select any time range that falls within the last six months, but nothing earlier.

This limit is enforced in the User Interface (UI) to protect the user from mistakes that could lead to undesired results.

The question that arises is: what if the use case requires searching beyond the six-month range? That is the topic of this article.

Resolution

To overcome this limitation, there are two options for the customer:

1- Use the SIEM agent as a log collector to download the events locally and prepare them for consumption by the customer's SIEM systems. This way, the ingested data stays available to the customer for a longer period of time, following the customer's internal regulations. The Cloudsoc SIEM Agent documentation can be found on this link.

2- Use the Cloudsoc Log APIs, which allow queries spanning more than six months. Here is the link to the Techdoc of the Cloudsoc Log APIs.

Additional Information

Example of a Cloudsoc Log API call (note that every query parameter, including limit, is separated with &):

https://api-vip.elastica.net/<Tenant-ID>/api/admin/v1/logs/get/?app=investigate&subtype=all&created_timestamp=2022-01-01T00%3A00%3A00&inserted_timestamp=2024-04-30T00%3A00%3A00&limit=100

In this example, the start of the queried period (created_timestamp) lies beyond the six-month UI limit.
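The following Python helper is an added example, not code from the article or from Broadcom; it builds the same logs/get URL shown above with proper percent-encoding, checks whether a requested start date falls outside the six-month window the UI enforces, and wraps the call in a request object. The tenant ID and key values are placeholders, and the use of HTTP Basic authentication with a console-generated key ID and secret is an assumption to be confirmed against the Log API Techdoc; no network call is made, so it runs offline.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request

# Constructed placeholders, not real values: replace with your own tenant ID.
TENANT_ID = "<Tenant-ID>"
API_BASE = "https://api-vip.elastica.net"

# Approximation of the six-month window the console's time picker allows.
UI_WINDOW = timedelta(days=183)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_log_url(created_from, inserted_to, tenant_id=TENANT_ID,
                  app="investigate", subtype="all", limit=100):
    """Return the logs/get URL for the given window.

    urlencode() percent-encodes the ':' in the timestamps (%3A) and joins
    the parameters with '&', which reproduces the article's example URL.
    """
    params = {
        "app": app,
        "subtype": subtype,
        "created_timestamp": created_from,
        "inserted_timestamp": inserted_to,
        "limit": limit,
    }
    return f"{API_BASE}/{tenant_id}/api/admin/v1/logs/get/?{urlencode(params)}"


def is_beyond_ui_limit(created_from, now=None):
    """True when the requested start lies further back than the UI's
    six-month picker allows, i.e. only the SIEM agent or the Log API
    can reach those events. 'now' may be given as a timestamp string."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    else:
        now = datetime.strptime(now, TS_FORMAT)
    start = datetime.strptime(created_from, TS_FORMAT)
    return now - start > UI_WINDOW


def build_request(url, key_id, key_secret):
    """Wrap the URL in a Request carrying HTTP Basic credentials.

    Assumption: the Log API accepts the console-generated key ID and
    key secret as a Basic auth pair; verify this in the Techdoc.
    """
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return Request(url, headers={"Authorization": f"Basic {token}",
                                 "Accept": "application/json"})


if __name__ == "__main__":
    url = build_log_url("2022-01-01T00:00:00", "2024-04-30T00:00:00")
    print(url)
    print("beyond UI limit:",
          is_beyond_ui_limit("2022-01-01T00:00:00", "2024-04-30T00:00:00"))
    req = build_request(url, "<key-id>", "<key-secret>")  # placeholders
    # urllib.request.urlopen(req) would perform the call; omitted so the
    # example stays offline.
```

Keep limit small while validating the window, then page through the results; events older than six months are exactly the ones the console will never show, so a quick is_beyond_ui_limit() check explains why a UI search and an API search for the same period return different counts.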