Fetch security events

get

https://{hostname}/siem/v1/configs/{configId}

Get security events data from your security configurations using one of two modes: offset or time-based. Each mode orders event logs based on the logs' storage time in the database, not the time when the events actually occurred. This may result in delayed event logs in subsequent offset requests, or older event logs in time-based requests. While both methods have a 5-second latency, using offset allows subsequent calls to return logs for the 5 seconds omitted from the previous request. The time-based method omits logs from that 5 seconds of latency, so you may miss some logs from that period.

If the connection is disrupted, use time-based mode to replay security events that occurred in the last 12 hours up to 5 seconds before your requested time range. Use offset and limit parameters in offset mode. Use from, to, and limit parameters in time-based mode. The potentially large response contains a series of JSON objects, each separated with a line break and each corresponding to a security event. The last line of the response is an offset context object that provides total records fetched, an offset to use a starting point for the next batch of data, and any limit you specified. Run this operation continuously as long as it returns new logs to ensure you don't miss any. The API may return a maximum of 600,000 logs per request, while your configurations might generate many more in periods of high traffic.

Path Params

configId

string

required

Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons.

Query Params

offset

string

This token denotes the last message. If specified, this operation fetches only security events that have occurred since the last offset value. Use this parameter for offset mode, not for time-based requests.

limit

integer

Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000, and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible. Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.

from

integer

The start of a specified time range, expressed in Unix epoch seconds. You need this to get time-based results for a set period, not for offset mode.

integer

The end of a specified time range, expressed in Unix epoch seconds. You can't use this parameter in offset mode, and it's optional in time-based mode. The value can't be any greater than the default value: five seconds before the current time.

Headers

string

enum

Defaults to application/json

Generated from available response content types

Allowed:

Responses

200The response lists security events.

400Bad request. Invalid request body or URL parameter input.

403Forbidden. You don't have permission to view the resource.

404Not found. The resource wasn't found.

416Expired offset parameter in the request.

429Exceeded rate limit. Too many requests.

500Any other server error.

503Service unavailable.