Unofficial ArcSight ESM API Examples released
As there are quite a few questions around the ESM API, both the documented and undocumented features, I have decided to compile a list of API calls that you might find interesting, while filtering out all the ones that either do not work or are not useful for 99.99% of the user base.
This is supposed to be a similar release to what I did with the Logger, but due to time constraints I have not been able to finalize it yet, so I am releasing the Postman examples for now.
To be able to view the examples, please download the Postman application located here: https://www.getpostman.com/
Download the attached file, and rename it from .txt to .json (due to file upload restrictions on the forum).
Open Postman, click File in the top left, then Import, and choose the file you downloaded.
To make everyone's life easier, I have replaced the hostname, username and password with variables. Before starting to use the API calls, please click on the EYE icon in the top right and fill in your variables like so, with the exception of token, as that is filled in automatically later:
After importing the collection, you should be able to see all API calls in the drop-down list to the left like so:
Since you filled in the variables, you can now go to the LoginService, Login API call and click POST.
I have added a specific post-response function to this API call, which adds the returned token automatically to Postman, so after using the Login API call once you can go ahead and start using the other API calls without worrying about usernames, passwords or tokens. If your user times out, just use the Login API call again to reset the token to a new one.
While common variables like username and password are set, you will still have to set other values manually, as they differ between installations: things like IDs and names of resources. Be careful to replace these values before sending your API request, or else it won't work.
As an example, here is the getEntries API call from ActiveListService:
As you can see, the HOSTNAME and token variables are set here, but the act.resourceId is pointing to the resourceId of an activelist. You will have to log in to the ESM and find the resourceId of the activelist you want to communicate with to make this work.
If any issues come up, feel free to post them here!
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
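The login-then-token flow described in the post above, as an added Python example that is not part of the original post or the attached collection. The REST paths, the `log.`/`act.` JSON field names other than `act.resourceId`, and the `ESM_*` environment variable names are assumptions to check against the imported collection; the sample reply is constructed.

```python
import json
import os
import ssl
import urllib.request

# Assumed REST paths (not shown on the page); compare with the imported collection.
LOGIN_PATH = "/www/core-service/rest/LoginService/login"
GET_ENTRIES_PATH = "/www/manager-service/rest/ActiveListService/getEntries"
# Constructed sample login reply, for illustration only.
SAMPLE_LOGIN_REPLY = {"log.loginResponse": {"log.return": "CONSTRUCTED-TOKEN"}}


def login_request(host, username, password):
    """Build (url, body) for the LoginService login call."""
    body = {"log.login": {"log.login": username, "log.password": password}}
    return f"https://{host}{LOGIN_PATH}", body


def extract_token(reply):
    """Return the session token from a login reply, or raise ValueError."""
    try:
        token = reply["log.loginResponse"]["log.return"]
    except (KeyError, TypeError) as exc:
        raise ValueError("login reply carries no token") from exc
    if not isinstance(token, str) or not token:
        raise ValueError("login reply carries an empty token")
    return token


def get_entries_request(host, token, resource_id):
    """Build (url, body) for getEntries; the token travels in the body, not the URL."""
    body = {"act.getEntries": {"act.authToken": token, "act.resourceId": resource_id}}
    return f"https://{host}{GET_ENTRIES_PATH}", body


def post_json(url, body):
    """POST JSON with certificate verification left on and decode the JSON reply."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host = os.environ["ESM_HOST"]  # hypothetical variable names, e.g. "esm.example.com:8443"
    url, body = login_request(host, os.environ["ESM_USER"], os.environ["ESM_PASS"])
    token = extract_token(post_json(url, body))
    url, body = get_entries_request(host, token, os.environ["ESM_ACTIVELIST_ID"])
    print(json.dumps(post_json(url, body), indent=2))
```

Reading the credentials from the environment keeps them out of the script and shell history, and a failed or expired login surfaces as a `ValueError` instead of an empty token being sent on.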
Hi @Marius2 ;
Excellent stuff! It really helped me a lot to understand how the ESM API works.
I want to get the ESM query viewer data into my ELK, but I don't know how.
If you can help me with the code to log in to ESM and get the query viewer output in Python, it will be a great help.
Appreciate a quick response.