vibot Absent Member.

Arcsight ESM REST API get the list of updated CASES

Hello,

I'm looking in the REST API of the Arcsight ESM for a call that will give me the list of the last updated cases.

For instance something like GET https://arcsight:8443/www/manager-service/rest/CaseService/getLastUpdatedCases?time=1m

The result of this request will be a json with the list of the cases updated for the last 1 minute.

Is this possible, and if so, can you give me some examples of how to do it?

Regards

Shaun Acclaimed Contributor.

Re: Arcsight ESM REST API get the list of updated CASES

I don't think that is possible.  It might be possible using SQL directly to the MySQL database though.

giaban Absent Member.

Re: Arcsight ESM REST API get the list of updated CASES

Use a query viewer and get the cases from there via the API.

Micro Focus Expert

Re: Arcsight ESM REST API get the list of updated CASES

I know this is an older post, but since it was almost on top of certain Google searches I would like to provide the correct answer here:

Access to cases is in the CaseServices API, found at:

https://ARCSIGHT:8443/www/manager-service/rest/CaseService

Unfortunately you cannot query for cases with a specific timeline, but you can return all the current cases that exist using this API POST call:

 

POST /www/manager-service/rest/CaseService/findAllIds
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache
BODY (JSON):
{
  "cas.findAllIds": {
    "cas.authToken": "Your TOKEN"
  }
}

 

Which will return you an array of all IDs.

Then you can loop through the IDs and get the details for each ID like so:

POST /www/manager-service/rest/CaseService/findByUUID
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache
BODY (JSON):
{
  "cas.findByUUID":{
    "cas.authToken": "YOURTOKEN",
    "cas.id": "ID from findallids"
  }
}

And you will get a response like so for each time you loop through:

{
    "cas.findByUUIDResponse": {
        "cas.return": {
            "attributeInitializationInProgress": false,
            "createdTime": {
                "day": 9,
                "hour": 21,
                "milliSecond": 445,
                "minute": 34,
                "month": 4,
                "second": 35,
                "timezoneID": "Europe/Amsterdam",
                "year": 2018
            },
            "createdTimestamp": 1525894475445,
            "creatorName": "someuser",
            "deprecated": false,
            "disabled": false,
            "inCache": false,
            "inactive": false,
            "initialized": true,
            "isAdditionalLoaded": false,
            "localID": 30064771075,
            "modificationCount": 1,
            "modifiedTime": {
                "day": 9,
                "hour": 21,
                "milliSecond": 457,
                "minute": 34,
                "month": 4,
                "second": 35,
                "timezoneID": "Europe/Amsterdam",
                "year": 2018
            },
            "modifiedTimestamp": 1525894475457,
            "modifierName": "someuser",
            "name": "casetest",
            "reference": {
                "id": "7s+5lRmMBABDgWkCRbyAMbQ==",
                "isModifiable": true,
                "managerID": "iqzGK08BABCAXcbW2VGwrg==",
                "referenceName": "Case",
                "referenceString": "<Resource URI=\"/All Cases/All Cases/Personal/someuser's Cases/casetest\" ID=\"7s+5lRmMBABDgWkCRbyAMbQ==\"/>",
                "referenceType": 7,
                "uri": "/All Cases/All Cases/Personal/someuser's Cases/casetest"
            },
            "resourceid": "7s+5lRmMBABDgWkCRbyAMbQ==",
            "state": 2,
            "type": 7,
            "typeName": "Case",
            "URI": "/All Cases/All Cases/Personal/someuser's Cases/casetest",
            "action": "BLOCK_OR_SHUTDOWN",
            "actionsTaken": "",
            "affectedElements": "",
            "affectedServices": "",
            "affectedSites": "",
            "associatedImpact": "AVAILABILITY",
            "attackAddress": "",
            "attackAgent": "INSIDER",
            "attackImpact": "",
            "attackLocationID": "",
            "attackMechanism": "PHYSICAL",
            "attackNode": "",
            "attackOS": "",
            "attackProgram": "",
            "attackProtocol": "",
            "attackService": "",
            "attackTarget": "",
            "conclusions": "",
            "consequenceSeverity": "NONE",
            "displayID": 300,
            "estimatedImpact": "",
            "finalReportAction": "",
            "followupContact": "",
            "frequency": "NEVER_OR_ONCE",
            "history": "KNOWN_OCCURENCE",
            "incidentSource1": "",
            "incidentSource2": "",
            "inspectionResults": "",
            "numberOfOccurences": 0,
            "operationalImpact": "NO_IMPACT",
            "plannedActions": "",
            "recommendedActions": "",
            "recordedData": "",
            "reportingLevel": 0,
            "resistance": "HIGH",
            "securityClassification": "UNCLASSIFIED",
            "securityClassificationCode": "P I   D U A B ",
            "sensitivity": "UNCLASSIFIED",
            "sourceAddress": "",
            "stage": "QUEUED",
            "ticketType": "INTERNAL",
            "vulnerability": "DESIGN",
            "vulnerabilityData": "",
            "vulnerabilityEvidence": "",
            "vulnerabilitySource": "",
            "vulnerabilityType1": "ACCIDENTAL",
            "vulnerabilityType2": "EMI_RFI"
        }
    }
}

So you can just ignore 99% of the output and only focus on:

modifiedTimestamp

Bam, you got a list of all IDs and when they were last modified.

State is also another parameter you can look at, though I do not remember in my head if there is a state for updated.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience, and do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius
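
The two-call procedure from the reply above (findAllIds, then findByUUID per ID, filtered on modifiedTimestamp), as an added Python example that is not part of the original post or ArcSight's own code. It assumes the findAllIds reply uses a `cas.findAllIdsResponse` / `cas.return` envelope by analogy with the findByUUID response shown; `cases_modified_since`, `https_post`, `fake_post` and the `CONSTRUCTED-*` values are names and sample data made up here so the logic runs offline.

```python
import json
import ssl
import urllib.request

BASE = "https://ARCSIGHT:8443/www/manager-service/rest/CaseService"  # host placeholder from the post

def https_post(method, body, base=BASE):
    """POST JSON to CaseService/<method>; certificate verification stays on."""
    req = urllib.request.Request(
        f"{base}/{method}", data=json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    # The auth token travels in the body, so request bodies must not be logged.
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)

def cases_modified_since(token, since_ms, post=https_post):
    """Return (resourceid, name, modifiedTimestamp) for cases modified at or after since_ms."""
    reply = post("findAllIds", {"cas.findAllIds": {"cas.authToken": token}})
    # Assumed envelope, by analogy with the findByUUIDResponse in the post.
    ids = reply.get("cas.findAllIdsResponse", {}).get("cas.return", [])
    if isinstance(ids, str):  # tolerate a lone ID that is not wrapped in a list
        ids = [ids]
    hits = []
    for case_id in ids:
        reply = post("findByUUID",
                     {"cas.findByUUID": {"cas.authToken": token, "cas.id": case_id}})
        case = reply.get("cas.findByUUIDResponse", {}).get("cas.return")
        if not case:  # case vanished between the two calls, or is not readable
            continue
        if case["modifiedTimestamp"] >= since_ms:  # epoch milliseconds
            hits.append((case["resourceid"], case["name"], case["modifiedTimestamp"]))
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed stand-in for the manager: one case from the post, one made up.
SAMPLE = {
    "7s+5lRmMBABDgWkCRbyAMbQ==": {"resourceid": "7s+5lRmMBABDgWkCRbyAMbQ==",
                                  "name": "casetest", "modifiedTimestamp": 1525894475457},
    "CONSTRUCTED-ID-2": {"resourceid": "CONSTRUCTED-ID-2",
                         "name": "oldcase", "modifiedTimestamp": 1525894400000},
}

def fake_post(method, body):
    if method == "findAllIds":
        return {"cas.findAllIdsResponse": {"cas.return": list(SAMPLE) + ["CONSTRUCTED-GONE"]}}
    case = SAMPLE.get(body["cas.findByUUID"]["cas.id"])
    return {"cas.findByUUIDResponse": {"cas.return": case} if case else {}}

if __name__ == "__main__":
    window_start = 1525894475457 - 60_000  # "last 1 minute" relative to the sample case
    print(cases_modified_since("constructed-token", window_start, post=fake_post))
```

This issues one findByUUID request per case on every poll, so the polling interval should account for the total number of cases on the manager.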