SIEM data
Get-SIEMData
Synopsis
Retrieve SIEM events.
Syntax
Get-SIEMData [-ConfigID] <Int32> -Offset <String> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>] [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
Get-SIEMData [-ConfigID] <Int32> -From <Int32> -To <Int32> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>] [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
Description
Gets security event data from your security configurations using one of two modes: the -Offset parameter (offset mode), or the -From and -To date range (time-based mode). You can optionally decode the data to make it human-readable by enabling the -Decode switch.
Note: The user associated with your API client (or the client role in the case of a Service Account) is required to have the Manage SIEM role assigned and no others. Otherwise, the operation will return a 403 response.
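The following is an added example, not part of the module's own documentation, showing both modes described above. It assumes the module that provides Get-SIEMData is already imported and that a default EdgeGrid resource file is in place; the configuration ID and the offset token are placeholders, and the Get-SIEMWindow wrapper is a hypothetical helper that converts local dates to the Unix epoch seconds the -From and -To parameters expect and clamps -To to the "current time minus 5 seconds" limit stated for that parameter.

```powershell
# Added example (not the module's own code). Assumes Get-SIEMData is available
# and authenticates via the default EdgeGrid resource file.

function Get-SIEMWindow {
    # Hypothetical wrapper: fetch a bounded time window in time-based mode.
    param(
        [Parameter(Mandatory)] [int]      $ConfigID,
        [Parameter(Mandatory)] [datetime] $Start,
        [datetime] $End = (Get-Date),
        [int]      $Limit,       # optional; leave unset to use the cmdlet default
        [switch]   $Decode
    )

    # -To may not be later than the current time minus 5 seconds.
    # Clamp instead of failing so a caller passing "now" still gets a valid request.
    $latestAllowed = (Get-Date).ToUniversalTime().AddSeconds(-5)
    if ($End.ToUniversalTime() -gt $latestAllowed) { $End = $latestAllowed }

    if ($Start.ToUniversalTime() -ge $End.ToUniversalTime()) {
        throw "Start ($Start) must be earlier than the (clamped) end ($End)."
    }

    # Both -From and -To are Unix epoch seconds.
    $from = [int][DateTimeOffset]::new($Start.ToUniversalTime()).ToUnixTimeSeconds()
    $to   = [int][DateTimeOffset]::new($End.ToUniversalTime()).ToUnixTimeSeconds()

    $args = @{ ConfigID = $ConfigID; From = $from; To = $to }
    if ($PSBoundParameters.ContainsKey('Limit')) { $args.Limit = $Limit }
    if ($Decode) { $args.Decode = $true }

    Get-SIEMData @args
}

# Time-based mode: the last 15 minutes for a placeholder configuration ID.
$configId = 12345   # placeholder; use your own security configuration ID
$recent = Get-SIEMWindow -ConfigID $configId -Start (Get-Date).AddMinutes(-15) -Decode

# Offset mode: resume from the token that denoted the last message of a previous
# fetch. The token value is a placeholder; -Offset cannot be combined with -From/-To.
$offsetToken = '<offset-token-from-previous-fetch>'
$next = Get-SIEMData -ConfigID $configId -Offset $offsetToken -Decode
```

Offset mode is the one to use for continuous collection, since each fetch resumes exactly where the previous one stopped; time-based mode suits ad hoc investigation of a known window, and the wrapper's clamp avoids a rejected request when the requested end falls inside the 5-second exclusion.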
Parameters
-AccountSwitchKey
An account credential key that lets you move between accounts when using an API client enabled for multiple accounts. To find account switch keys, use Get-AccountSwitchKey.

-ConfigID (Required)
Your security configuration's ID. To report on more than one configuration, separate integer identifiers with semicolons.

-Decode
When enabled, SIEM data is base64- and URL-decoded to aid readability.

-EdgeRCFile
Your EdgeGrid resource file to authenticate your command. Defaults to

-From (Conditionally required)
The start of a specified time range, expressed in Unix epoch seconds. You need this to get time-based results for a set period; it is not used in offset mode.

-Limit
The approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is Expect requests to return a slightly higher number of security events than you set in the

-Offset (Conditionally required)
This token denotes the last message. If specified, this operation fetches only security events that have occurred from that offset. This parameter is required in offset mode and can't be used in time-based requests.

-Section
The section name in your EdgeGrid resource file to retrieve authentication credentials from. Defaults to

-To (Conditionally required)
The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode, and it's optional in time-based mode. The value can't be greater than the current time minus 5 seconds. If omitted, the value defaults to the current time minus 5 seconds.