
SIEM Field nicknames are not being mapped properly

Open A1337CBS opened this issue 3 years ago • 1 comment

Describe: When trying to call the GroupEventManager API with SIEM nicknames, as in the code below, an error message is thrown saying "EVENT Field not supported". Checking the code for event.py on line 566, I see that the "self.get_field_nickname(field)" method is being called; shouldn't it rather be trying to get the original internal name for McAfee instead of the nickname?

Code link: https://github.com/mfesiem/msiempy/blob/e5a4f34a060b77ce0ca9fecdccfc6266802f4455/msiempy/event.py#L566

Full error message:

Error with method (v2/qryExecuteGrouped?queryType=EVENT) and data : {'config': {'filters': [{'type': 'EsmFieldFilter', 'field': {'name': 'IPSID'}, 'operator': 'IN', 'values': [{'type': 'EsmBasicValue', 'value': '144125089401536512'}, {'type': 'EsmBasicValue', 'value': '144125084385148928'}, {'type': 'EsmBasicValue', 'value': '144125089418313728'}, {'type': 'EsmBasicValue', 'value': '144125089435090944'}]}], 'field': {'name': 'New_Value'}, 'timeRange': 'CURRENT_DAY'}}. From requests.HTTPError 400 Client Error: 400 for url: https://SIEM_IP/rs/esm/v2/qryExecuteGrouped?queryType=EVENT Field not supported: New_Value

Code:

    import pprint
    from msiempy.event import GroupedEventManager, FieldFilter

    # Grouped query over the current day; the grouping field is given by its internal name
    query = GroupedEventManager(
        time_range='CURRENT_DAY',
        field="Alert.4259885",
        filters=[
            FieldFilter("IPSID", ["144125089401536512", "144125084385148928",
                                  "144125089418313728", "144125089435090944"]),
            # 'SrcIP', 'AlertID',
            # FieldFilter("Alert.Action", ["11", "12"]),
        ])
    query.load_data()

    # Sort the groups by event count, highest first, and keep the top ten
    results = list(reversed(sorted(query, key=lambda k: int(k['SUM(Alert.EventCount)']))))
    top10 = results[:10]
    pprint.pprint(top10)

SIEM and msiempy versions:

msiempy: 0.3.5
ESM version: 11.4.7

A1337CBS avatar Feb 15 '22 09:02 A1337CBS

Hello @A1337CBS

I admit I'm unsure about this.

There is a test case for the GroupEventManager, so I doubt there is a major bug in this logic; it works with other fields, right? Did you try replacing self.field = self.get_field_nickname(field) with self.field = field?

Is there any chance the "New_Value" field simply doesn't support grouping?

tristanlatr avatar Feb 22 '22 21:02 tristanlatr
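The failure reported above and the workaround suggested in the reply both come down to which form of the field name reaches the ESM API. The following is an added example, not msiempy's code: it reconstructs the request body from the error message with a small nickname table (constructed for this example; only the Alert.4259885 / New_Value pair is implied by the issue) and shows the nickname lookup beside a resolver that always sends the internal name.

```python
# Added example (not msiempy's code). NICKNAMES is a constructed table; only the
# 'Alert.4259885' <-> 'New_Value' pair is implied by the issue's error message.
NICKNAMES = {
    "Alert.4259885": "New_Value",  # pair implied by the issue
    "Alert.SrcIP": "SrcIP",        # constructed sample entries
    "Alert.AlertID": "AlertID",
}
INTERNAL_NAMES = {nick: internal for internal, nick in NICKNAMES.items()}


def get_field_nickname(field):
    """Behaviour the issue reports: internal name -> nickname (unknown names pass through)."""
    return NICKNAMES.get(field, field)


def get_internal_name(field):
    """Accept either form and return the internal name the qryExecuteGrouped API accepts."""
    if field in NICKNAMES:
        return field                              # already an internal name
    return INTERNAL_NAMES.get(field, field)       # nickname -> internal, else unchanged


def build_grouped_query(field, ipsids, time_range="CURRENT_DAY", resolver=get_internal_name):
    """Build the request body shown in the issue, resolving the grouping field first."""
    return {"config": {
        "filters": [{"type": "EsmFieldFilter",
                     "field": {"name": "IPSID"},
                     "operator": "IN",
                     "values": [{"type": "EsmBasicValue", "value": v} for v in ipsids]}],
        "field": {"name": resolver(field)},
        "timeRange": time_range,
    }}


def grouping_field(query):
    """Return the field name that would be sent to the API."""
    return query["config"]["field"]["name"]


if __name__ == "__main__":
    ids = ["144125089401536512"]
    # Nickname lookup: this is the name the ESM rejected in the issue
    print(grouping_field(build_grouped_query("Alert.4259885", ids, resolver=get_field_nickname)))  # New_Value
    # Internal-name resolver: same output whether the caller used either form
    print(grouping_field(build_grouped_query("Alert.4259885", ids)))  # Alert.4259885
    print(grouping_field(build_grouped_query("New_Value", ids)))      # Alert.4259885
```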