SIEM API

All API URLs should be prefixed with
https://<your-server-ip>:8443/openapi/api/rest/v1/siem

• SIEM API
  • Preface
  • Authentication
    • Basic Authentication
  • Objects used with these APIs
    • SIEM
    • TestResult
  • Get all SIEMs
  • Get a SIEM
  • Add a SIEM
  • Update a SIEM
  • Delete a SIEM
  • Send test message to a SIEM

Preface

The following post detail how to interact with the SkyFormation cloud apps connector accounts using APIs.

A SkyFormation SIEM represent an instance of a SIEM configuration, which can then be assigned to a tenant. Once the assosiation to a tenant is done, all the tenant's accounts' (aka cloud connectors) data is sent to that SIEM.

Authentication

See guide

Objects used with these APIs

SIEM

{
    "is-deleted": boolean,
    "created-at": timestamp, e.g. 1505657187.215,
    "last-updated-at": timestamp, e.g. 1505657187.215,
    "id": string autogenerated,
    "tenant-id": string,
    "name": string,
    "description": string optional,
    "host": string, IP or host of the SIEM,
    "port": int,
    "message-format": string enum, RFC_5424|RFC_3162,
    "protocol": string enum, UDP|TCP|TLS
}

TestResult

{
    "success": boolean,
    "status": int, http status-like result. 200|400
    "msg": string, unique message that was sent to the SIEM, e,g, "Device Vendor: [Skyformation], Message: [Test message number # [1796971490]]"
}

Get all SIEMs

GET /
Response:
200,
List<SIEM>

Get a SIEM

GET /{siem-id}
Response:
200,
SIEM

Add a SIEM

POST /
Body:
SIEM w/o id
Response:
200,
SIEM

Update a SIEM

PUT /{siem-id}
Body:
SIEM
Response:
200

Delete a SIEM

DELETE /{siem-id}
Response:
200

Send test message to a SIEM

The SIEM being tested does not need to be a persisted one

POST /test
Body:
SIEM
Response:
200,
TestResult
400 if TCP or TLS and connection could not be established