SIEM data
Get-SIEMData
Synopsis
Retrieve SIEM events.
Syntax
offset (Default)
Get-SIEMData [-ConfigID] <Int32> -Offset <String> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>]
[-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
fromto
Get-SIEMData [-ConfigID] <Int32> -From <Int32> -To <Int32> [-Limit <Int32>] [-Decode] [-EdgeRCFile <String>]
[-Section <String>] [-AccountSwitchKey <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
Description
Gets security event data from your security configurations using one of two modes: the -Offset parameter, or the -From and -To time range. You can optionally decode the data to make it human-readable by enabling the -Decode switch.
Note: The user associated with your API client (or the client role in the case of a Service Account) is required to have the Manage SIEM role assigned and no others. Otherwise, the operation will return a 403 response.
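As an added example (not part of the module's own documentation), the following pulls the last hour of decoded events for one configuration in time-based mode, clamping -To to the "current time minus 5 seconds" rule stated below and treating a 403 as the role-assignment problem the note describes. The configuration ID and the offset token are placeholders; a single integer is passed to -ConfigID because the parameter is typed Int32.

```powershell
# Added example, not from the Akamai module's docs. Assumes the module is
# installed and ~/.edgerc has a 'default' section whose API client user
# holds only the Manage SIEM role.
$ConfigID = 12345                       # placeholder: your security configuration ID

# -From/-To are Unix epoch seconds. -To may not exceed now minus 5 seconds,
# so clamp the window end before building the request.
$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$to   = [int]($now - 5)
$from = [int]($to - 3600)               # one hour back from the clamped end

try {
    # -Limit is approximate: expect slightly more than 50000 events, never a hard cap.
    $events = Get-SIEMData -ConfigID $ConfigID -From $from -To $to -Limit 50000 -Decode
    "Retrieved $(@($events).Count) events for window $from..$to"
}
catch {
    # A 403 means the API client's user has roles other than (or in addition to)
    # Manage SIEM; fix the client's role assignment rather than retrying.
    if ($_.Exception.Message -match '403') {
        Write-Error 'SIEM fetch rejected (403): the API client must have only the Manage SIEM role.'
    }
    else {
        throw
    }
}

# Offset mode for continuous collection: pass the token that denotes the last
# message you already received. The token value here is a placeholder.
$offsetToken = '<offset-token-from-previous-fetch>'
$newer = Get-SIEMData -ConfigID $ConfigID -Offset $offsetToken -Limit 50000 -Decode
"Fetched $(@($newer).Count) events newer than the stored offset"
```

Store the offset token between runs so a scheduled collector resumes where it left off instead of re-reading a time window.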
Parameters
-AccountSwitchKey
Account switch key, for use when you have access to multiple accounts and need to specify which one to use. Account switch keys can be found using Get-AccountSwitchKey.
Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ConfigID
Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons.
Type: Int32
Parameter Sets: (All)
Aliases: None
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Decode
If present, SIEM data is base64- and URL-decoded to aid readability.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-EdgeRCFile
EdgeRC file to authenticate your command. Defaults to ~/.edgerc.
Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-From
The start of a specified time range, expressed in Unix epoch seconds. You need this to get time-based results for a set period; it is not used in offset mode.
Type: Int32
Parameter Sets: fromto
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Limit
Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000 and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible. Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.
Type: Int32
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Offset
This token denotes the last message. If specified, this operation fetches only security events that have occurred since that offset. This is a required parameter for offset mode and you can't use it in time-based requests.
Type: String
Parameter Sets: offset
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Section
EdgeRC section to retrieve authentication credentials from. Defaults to default.
Type: String
Parameter Sets: (All)
Aliases: None
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-To
The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode and it's an optional parameter in time-based mode. The value cannot be greater than the current time minus 5 seconds. If omitted, the value defaults to the current time minus 5 seconds.
Type: Int32
Parameter Sets: fromto
Aliases: None
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
None
Outputs
System.Object
Related links