SIEM API Reference

Example Script

The SIEM API can be queried from any HTTP client. The following example is a Python script that polls the SIEM API every five minutes and records the returned events in a log file.

#!/usr/bin/env python
import unirest
import time
import logging
#import logging.handlers

# Every event line returned by the API is written to api.log in the working directory
logging.basicConfig(filename='api.log', filemode='w', level=logging.DEBUG, format='LINE: %(message)s')

# Setting up syslog (optional): uncomment the import above and the three lines below,
# then log with siem_logger.info(line) in the loop instead of logging.info(line)
# siem_logger = logging.getLogger('SIEM Logger')
# handler = logging.handlers.SysLogHandler(address='/dev/log')
# siem_logger.addHandler(handler)

# The query window ends 60 seconds in the past, so events that are still being
# ingested are picked up by the next poll, and starts five minutes before that
currentTimeInMillis = int(round(time.time() * 1000) - 60000)
fromTimeInMillis = currentTimeInMillis - (5*60*1000)
jwt = "<insert SIEM token value here>"
url = "https://siem.zixcorp.com/siemauthapi/api/siem/all"

while True:
  # "from" is inclusive and "to" is exclusive, so consecutive windows do not overlap
  response = unirest.get(url, headers={"Authorization": jwt}, params={"from": fromTimeInMillis, "to": currentTimeInMillis})
  if response.code != 200:
    # A 400 carries a short error string (for example "Range too wide"), not events
    logging.error("HTTP %d: %s" % (response.code, response.body))
  else:
    for line in response.body.split("\n"):
      if line:
        logging.info(line)
  time.sleep(300)
  # The next window starts where this one ended
  fromTimeInMillis = currentTimeInMillis
  currentTimeInMillis = int(round(time.time() * 1000) - 60000)

Example Script Instructions

Prerequisites:

1. Install pip using ‘yum install python-pip’
2. Install unirest using ‘pip install unirest’ (http://unirest.io/python.html)

Using the Script:

To use the basic configuration:

1. Download the SIEM Token from the management console.
2. Enter the SIEM Token value after "jwt=" in the quotations.
3. Run the script using ./sampleSiemApi.
4. Access the logs by opening the api.log.

The base configuration creates a log in the location where sampleSiemApi is stored.

To set up an optional syslog:

1. Uncomment the #import logging.handlers line and the commented lines under "Setting up syslog", then log with siem_logger.info(line) in the loop in place of logging.info(line).
2. Change where the messages are delivered by editing the handler's address: '/dev/log' is the local syslog socket, and a (host, port) tuple such as ('syslog.example.com', 514) sends to a remote collector instead (the hostname here is a placeholder).
3. Enter the SIEM Token value after "jwt=" in the quotations.

API Endpoint
https://siem.zixcorp.com/siemauthapi/api
Response Content-Types: application/json
Schemes: https
Version: 1.0

Authentication

auth: jwt apiKey generated inside the management console

type: apiKey
name: Authorization
in: header

The token is sent as the bare value of the Authorization header, as the example script does with headers={"Authorization": jwt}; no "Bearer " prefix is added. Treat it like a password: it grants read access to every SIEM event for the client.

Paths

GET /siem/all

Returns all SIEM logs for a client between a start epoch (inclusive) and an end epoch (exclusive), both in milliseconds. The query window must:

  • Be 24 hours or less
  • Have a start epoch occurring within 168 hours of when the GET request begins
  • Return fewer than 10,000 records. If a window returns more than that, shorten it until it returns fewer than 10,000 records.

Note: To avoid missing SIEM events that have not yet been fully ingested when a GET call runs, end the query window slightly in the past rather than at the current time. The script above ends each window 60 seconds before the time of the call and starts the next window where the previous one ended.

from (integer, in query): the start epoch in milliseconds (inclusive).

to (integer, in query): the end epoch in milliseconds (exclusive).
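The window rules above, worked through in code. This is an added example written for this page, not the documented script or the vendor's code: validate_window reproduces the three 400 error strings listed under this path, next_window applies the 60-second lag the example script uses, and fetch_window halves any window that comes back with 10,000 or more records. The get_events callable and the events it returns are a constructed stand-in for GET /siem/all, not a live call, and the order in which the three checks run is a choice made here, not something the API specifies.

```python
import time

HOUR_MS = 60 * 60 * 1000
MAX_RANGE_MS = 24 * HOUR_MS   # a window must be 24 hours or less
MAX_AGE_MS = 168 * HOUR_MS    # the start must lie within 168 hours of the request
LAG_MS = 60 * 1000            # end each window 60 s in the past, as the example script does
RECORD_LIMIT = 10000          # a window must return fewer than this many records


def validate_window(from_ms, to_ms, now_ms):
    """Return the documented 400 error text for an invalid window, or None.

    The three strings are the 400 responses listed on this page; checking them
    in this order is a choice of this example, not something the API specifies.
    """
    if to_ms < from_ms:
        return "End time before begin time"
    if to_ms - from_ms > MAX_RANGE_MS:
        return "Range too wide"
    if now_ms - from_ms > MAX_AGE_MS:
        return "Begin time too old"
    return None


def next_window(last_to_ms, now_ms):
    """Advance the poll window: start where the previous one ended (the 'to'
    bound is exclusive, so nothing is counted twice) and end LAG_MS before now."""
    return last_to_ms, now_ms - LAG_MS


def fetch_window(get_events, from_ms, to_ms, now_ms):
    """Collect every event in [from_ms, to_ms) via get_events(from_ms, to_ms).

    get_events stands in for the GET /siem/all call and returns the response
    body split into lines. When a window yields RECORD_LIMIT or more lines the
    page says to shorten it; here the window is halved and both halves are
    fetched recursively until each stays under the limit.
    """
    error = validate_window(from_ms, to_ms, now_ms)
    if error is not None:
        raise ValueError(error)
    lines = get_events(from_ms, to_ms)
    if len(lines) < RECORD_LIMIT or to_ms - from_ms <= 1:
        return lines
    mid = from_ms + (to_ms - from_ms) // 2
    return (fetch_window(get_events, from_ms, mid, now_ms)
            + fetch_window(get_events, mid, to_ms, now_ms))


def make_fake_api(event_times):
    """Constructed stand-in for the endpoint (not a real call): one
    'event_time=<ms>' line per event whose timestamp falls in the half-open
    window. Records every window it was asked for so the splitting can be
    inspected."""
    calls = []

    def get_events(from_ms, to_ms):
        calls.append((from_ms, to_ms))
        return ["event_time=%d" % t for t in event_times if from_ms <= t < to_ms]

    return get_events, calls


def demo(now_ms=None):
    """12,000 constructed events spaced one second apart inside a four-hour
    window, so the first request hits the record limit and is split in two.
    Returns (lines collected, requests made, distinct lines)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    start = now_ms - 4 * HOUR_MS
    times = [start + i * 1000 for i in range(12000)]
    get_events, calls = make_fake_api(times)
    from_ms, to_ms = next_window(start, now_ms)
    lines = fetch_window(get_events, from_ms, to_ms, now_ms)
    return len(lines), len(calls), len(set(lines))


if __name__ == "__main__":
    print(demo())
```

Because the windows are half-open and each new window starts exactly where the last one ended, splitting never duplicates or drops an event: demo() collects all 12,000 constructed events in three requests (the full window, then its two halves).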

200 OK

There are two event IDs for GET /siem/all:

1. A user selecting a Link Protection (TOCA) link in an email.
2. An inbound or outbound message triggering a filter.

The parameters for each event are:

TOCA Parameters

event_time: the date and time (epoch milliseconds) at which the TOCA link was selected
ip: the IP address of the device that generated the query
event_id: the type of event, documented as "toca-link" (the response example below emits "toca_link" with an underscore, so parsers should accept both forms)
source: will always be "threat"
user_agent: user agent information from the browser
url_hash: the SHA-256 hash of the URL destination (the response example below shows a truncated value)
url_destination: where the URL directs the user when it is selected
toca: result of the link analysis (ok, warning, or blocked)


Filtered Message Parameters

event_time: the date and time (epoch milliseconds) at which the message was filtered
sender: the sender address of the filtered message
sender_ip: the IP address of the message sender
event_id: the type of event (will always be "filtered_message")
source: will always be "threat"
recipients: the recipient list of the message as a quoted, comma-separated list
filter_rule_id: the identifier of the filter rule that was triggered (a numeric id in the response example below)
filter_type: the type of filter that was triggered
filter_action: the action the filter takes when triggered
direction: inbound or outbound, depending on the source and destination of the message

type: string

400 Bad Request

An error message.

type: string

Response Content-Types: text/plain
Response Example (200 OK)
"event_id=filtered_message source=threat sender=obsender@sender.com sender_ip=1.1.1.1 recipients=\"anyone@recipient.com\" filter_rule_id=11 filter_type=PHRASE_FILTER filter_action=REJECT direction=outbound event_time=1558470839873\nip = 10.160.2.7 event_id = \"toca_link\" source = \"threat\" url_hash = 047e8c31 url_destination = https://www.google.com toca = ok user_agent = Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 event_time = 1558474714293"
Response Example (400 Bad Request)
"Range too wide"
"Begin time too old"
"End time before begin time"
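A parser for the text/plain body shown in the 200 response example, added here as an illustration and not vendor code. The sample body below is the page's example with the JSON string escaping removed. The parser copes with the two layouts the example mixes (key=value and key = "value"), takes each value up to the next documented key so the spaces inside user_agent do not break it, folds the toca-link/toca_link spelling difference to toca_link (a choice made by this example), splits the quoted recipients list, and reports any documented field an event lacks so a collector can flag a format change instead of silently dropping data.

```python
import re

# Field names documented on this page for each event type
TOCA_FIELDS = {"event_time", "ip", "event_id", "source", "user_agent",
               "url_hash", "url_destination", "toca"}
FILTER_FIELDS = {"event_time", "sender", "sender_ip", "event_id", "source", "recipients",
                 "filter_rule_id", "filter_type", "filter_action", "direction"}
KNOWN_KEYS = TOCA_FIELDS | FILTER_FIELDS

# A key is recognised only when it is a documented name at the start of the line or
# after whitespace, followed by '=' with or without spaces around it. Anything else,
# such as 'a=b' inside a URL query string, stays part of the preceding value.
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(sorted(KNOWN_KEYS, key=len, reverse=True)) + r")\s*=\s*")

# Constructed sample: the page's 200 response example with the JSON escaping removed
SAMPLE_BODY = (
    "event_id=filtered_message source=threat sender=obsender@sender.com sender_ip=1.1.1.1 "
    'recipients="anyone@recipient.com" filter_rule_id=11 filter_type=PHRASE_FILTER '
    "filter_action=REJECT direction=outbound event_time=1558470839873\n"
    'ip = 10.160.2.7 event_id = "toca_link" source = "threat" url_hash = 047e8c31 '
    "url_destination = https://www.google.com toca = ok "
    "user_agent = Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 event_time = 1558474714293"
)


def parse_event(line):
    """Turn one event line into a dict; values run up to the next recognised key."""
    matches = list(KEY_RE.finditer(line))
    event = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        value = line[m.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the quoting used in the 'key = "value"' layout
        event[m.group(1)] = value
    if "event_id" in event:
        # The page documents "toca-link" but its example emits "toca_link";
        # this example normalises to the underscore form (a choice made here)
        event["event_id"] = event["event_id"].replace("-", "_")
    if "event_time" in event and event["event_time"].isdigit():
        event["event_time"] = int(event["event_time"])   # epoch milliseconds
    if "recipients" in event:
        event["recipients"] = [r.strip() for r in event["recipients"].split(",") if r.strip()]
    return event


def parse_events(body):
    """Split a text/plain response body into one dict per non-empty line."""
    return [parse_event(line) for line in body.split("\n") if line.strip()]


def missing_fields(event):
    """Documented fields absent from an event of a known type (empty set if none)."""
    expected = {"toca_link": TOCA_FIELDS, "filtered_message": FILTER_FIELDS}
    return expected.get(event.get("event_id"), set()) - set(event)


if __name__ == "__main__":
    for event in parse_events(SAMPLE_BODY):
        print(event["event_id"], event["event_time"], "missing:", sorted(missing_fields(event)))
```

Restricting the key match to the documented names is what keeps the parser safe on the fields an attacker influences: a url_destination containing "?redirect=..." or a user_agent containing "=" cannot start a new field, so the event cannot be made to carry spoofed source, ip or toca values.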