SIEM data

Get-SIEMData

Synopsis

Retrieve SIEM events.

Syntax

Get-SIEMData [-ConfigID] <Int32> -Offset <String> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>] [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
Get-SIEMData [-ConfigID] <Int32> -From <Int32> -To <Int32> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>] [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

Description

Gets security event data from your security configurations in one of two modes: offset mode, using the -Offset parameter, or time-based mode, using the -From and -To date range. You can optionally decode the data to make it human-readable by enabling the -Decode switch.

Note: The user associated with your API client (or the client role, in the case of a Service Account) must have the Manage SIEM role assigned, and no other roles. Otherwise, the operation returns a 403 response.

Parameters

‑AccountSwitchKey

An account credential key that lets you move between accounts when using an API client enabled for multiple accounts. To find account switch keys, use Get-AccountSwitchKey.

‑ConfigID
Required

Your security configuration's ID. To report on more than one configuration, separate integer identifiers with semicolons.

‑Decode

When enabled, SIEM data is base64- and URL-decoded to aid readability.

‑EdgeRCFile

Your EdgeGrid resource file to authenticate your command. Defaults to ~/.edgerc.

‑From
Conditionally required

The start of a specified time range, expressed in Unix epoch seconds. This parameter is required in time-based mode, where it fixes the start of the period you report on, and can't be used in offset mode.

‑Limit

The approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000 and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible.

Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.

‑Offset
Conditionally required

This token denotes the last message fetched. When specified, this operation fetches only security events that occurred after that offset. It is required in offset mode and can't be used in time-based requests.

‑Section

The section name in your EdgeGrid resource file to retrieve authentication credentials from. Defaults to default.

‑To
Conditionally required

The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode and it's an optional parameter in time-based mode. The value can't be greater than the current time minus 5 seconds. If omitted, the value defaults to the current time minus 5 seconds.
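Examples

The following bootstrap-then-poll collection script is added here as an example and is not part of the module's own documentation. It assumes the cmdlet returns each API record as an object and that the last record of a fetch carries the continuation token in an offset property; the configuration ID, output path and poll count are placeholders.

```powershell
# Added example (not the module's own code): pull SIEM events once in time-based
# mode, then continue with offset mode so each poll returns only new events.
# Assumptions: the last object of each batch holds the continuation token in an
# 'offset' property; ConfigID 12345 and the output path are placeholders.
param(
    [int]$ConfigID = 12345,                     # placeholder security configuration ID
    [string]$OutFile = "./siem-events.jsonl",   # newline-delimited JSON, one event per line
    [int]$LookbackMinutes = 15,
    [int]$MaxPolls = 5
)

function Split-SIEMBatch {
    # Separate event records from the trailing metadata object that carries the offset.
    param($Batch)
    $items  = @($Batch)
    $meta   = $items | Where-Object { $_.PSObject.Properties.Name -contains 'offset' } | Select-Object -Last 1
    $events = $items | Where-Object { -not ($_.PSObject.Properties.Name -contains 'offset') }
    return [pscustomobject]@{ Events = $events; Offset = $meta.offset }
}

function Write-SIEMEvents {
    param($Events, [string]$Path)
    $Events | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 10 } | Add-Content -Path $Path
}

$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
# -To must not exceed the current time minus 5 seconds (see the -To parameter).
$to   = $now - 5
$from = $to - ($LookbackMinutes * 60)

# 1) Time-based mode: establish a starting point for the last $LookbackMinutes.
$split = Split-SIEMBatch (Get-SIEMData -ConfigID $ConfigID -From $from -To $to -Limit 10000 -Decode)
Write-SIEMEvents -Events $split.Events -Path $OutFile
$offset = $split.Offset

# 2) Offset mode: each poll fetches only events after the last token.
for ($i = 0; $i -lt $MaxPolls -and $offset; $i++) {
    $split = Split-SIEMBatch (Get-SIEMData -ConfigID $ConfigID -Offset $offset -Limit 10000 -Decode)
    Write-SIEMEvents -Events $split.Events -Path $OutFile
    if ($split.Offset) { $offset = $split.Offset }   # persist this token between runs
}
```

Store the final $offset durably between runs; restarting from a time window instead of the saved token re-fetches overlapping events, which the -Limit note above already warns are not exact counts.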
