Guide

SIEM data

Get-SIEMData

Suggest Edits

Synopsis

Retrieve SIEM events.

Syntax

offset (Default)

Get-SIEMData [-ConfigID] <Int32> -Offset <String> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>]
 [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

fromto

Get-SIEMData [-ConfigID] <Int32> -From <Int32> -To <Int32> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>]
 [-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

Description

Gets security events data from your security configurations using one of the two modes: using the -Offset parameter or the -From and -To date ranges. You can optionally decode the data to make it human-readable by enabling the -Decode switch.

Note: The user associated with your API client (or the client role in the case of a Service Account) is required to have the Manage SIEM role assigned and no others. Otherwise, the operation will return a 403 response.

Parameters

-AccountSwitchKey

Account switch key, for use when you have access to multiple accounts and need to specify which one to use. Account switch keys can be found using Get-AccountSwitchKey.

Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ConfigID

Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons.

Type: Int32
Parameter Sets: (All)
Aliases: None
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Decode

If present SIEM data will be base64- and url- decoded to aid in readability.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-EdgeRCFile

EdgeRC file to authenticate your command. Defaults to ~/.edgerc.

Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-From

The start of a specified time range, expressed in Unix epoch seconds. You need this to get time-based results for a set period, not for offset mode.

Type: Int32
Parameter Sets: fromto
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Limit

Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000 and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible.

Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.

Type: Int32
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Offset

This token denotes the last message. If specified, this operation fetches only security events that have occurred from offset. This is a required parameter for offset mode and you can't use it in time-based requests.

Type: String
Parameter Sets: offset
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Section

EdgeRC section to retrieve authentication credentials from. Defaults to default.

Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-To

The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode and it's an optional parameter in time-based mode. The value cannot be greater than the current time minus 5 seconds. If omitted, the value defaults to the current time minus 5 seconds.

Type: Int32
Parameter Sets: fromto
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

System.Object

Related links

Updated 5 months ago