Endpoint Central SIEM Integration | WOTECH

Endpoint Central SIEM Integration

Endpoint Central (EPC) has no syslog forwarding feature for the actions performed in its console.

Instead, two different methods can be used.

1) Exporting the logs via the REST API.

API details:

API endpoint: /emsapi/server/auditLogs

API description: fetches the event logs of actions performed in the Endpoint Central console for the requested time frame. The API is exposed for customers who have self-implemented third-party log collection tools to pull an application's event logs and post them to a SIEM tool.

Supported HTTP method: GET

For On-Premise: follow the procedure to generate an API token (https://www.manageengine.com/products/desktop-central/api/).

Rate limits: the API can be called a maximum of 30 times per 5 minutes per technician. With the server-side limit of 5000 records per API call, a user can fetch at most 1.5 lakh (150,000) events per 5 minutes.

API request parameters:
/emsapi/server/auditLogs?startTime=...&page=...&endTime=...
Method: GET
Filters:
startTime - start time in milliseconds since the epoch (currentmillis)
endTime - end time in milliseconds since the epoch (currentmillis)
eventModule - optional, comma-separated list of modules (default: all)

Row limit:
page - page number, in case of a multi-page response
pageLimit - optional page limit (default 5000, minimum 100)

Header:
Accept - application/auditlogsdata.v1+json



For Endpoint Central On-Premise, the list of modules (subject to change):
AD Reports, Application Control, BMP, BitLocker Management, Chat, Compliance, Configuration, Custom Group, DLP, Database Backup, Device Control, Edr, Emergency Mitigations, Forwarding Server, General, Help Desk, Integrations, Inventory Mgmt, MDM, Maintenance Window, OS Deployer, Patch Mgmt, Privacy Settings, Remote Control, Query Reports, Remote DB Access, Remote Shutdown, Report Exported, Reports, Schedule, Security Settings, SoM, Software Deployment, System Manager, System Tools, User Management, Wake On LAN

API response parameters:
{
    "messageResponse": [
    ],
    "metadata": {
        "page": Long,
        "pageLimit": Long,
        "total": Long,
        "totalPages": Long,
        "links": {
            "next": String
        }
    },
    "status": "success",
    "messageVersion": "v1",
    "messageType": "auditLogs"
}
where,
page - current page number
pageLimit - maximum records per page
total - total number of records available
totalPages - total number of pages
links - link to the next page
 
 
Sample request:
GET /emsapi/server/auditLogs?page=1&startTime=1677609000000&endTime=1680201000000 HTTP/1.1
Host: <Endpoint Central URL>

Headers:

Content-Type: application/auditlogsdata.v1+json

For On-Premise:
Authorization: [<token>]

Sample response:
{ "metadata": {
        "pageLimit": 5000,
        "total": "3",
        "totalPages": 1,
        "page": 0,
        "links": {
            "next": "/emsapi/server/auditLogs?&endTime=1695364960919&startTime=1695364960202&page=1"}
    }, "messageResponse": [  {
            "hostName": "ManageEngine Endpoint Central 11",
            "module": "User Management",
            "priority": "Information",
            "timeDuration": "0",
            "application": "ManageEngine Endpoint Central 11",
            "computerName": "--",
            "domainName": "--",
            "viewerIp": "--",
            "eventTime": "1695365222646",
            "userIp": "172.21.148.119",
            "startTime": "--",
            "endTime": "--",
            "remarks": "The host 172.21.148.119 is connected as admin with Administrator role",
            "userName": "admin",
            "startTimeISO": "--",
            "endTimeISO": "--",
            "eventTimeISO": "2023-09-22T12:17:02.646+05:30"
        },  {
            "hostName": "ManageEngine Endpoint Central 11",
            "module": "User Management",
            "priority": "Information",
            "timeDuration": "0",
            "application": "ManageEngine Endpoint Central 11",
            "computerName": "--",
            "domainName": "--",
            "viewerIp": "--",
            "eventTime": "1695365162253",
            "userIp": "127.0.0.1",
            "startTime": "--",
            "endTime": "--",
            "remarks": "The host 127.0.0.1 is connected as null with null role",
            "userName": "--",
            "startTimeISO": "--",
            "endTimeISO": "--",
            "eventTimeISO": "2023-09-22T12:16:02.253+05:30"
        }, {
            "hostName": "ManageEngine Endpoint Central 11",
            "module": "Configurations",
            "priority": "Information",
            "timeDuration": "0",
            "application": "ManageEngine Endpoint Central 11",
            "computerName": "--",
            "domainName": "--",
            "viewerIp": "--",
            "eventTime": "1695362922256",
            "userIp": "--",
            "startTime": "--",
            "endTime": "--",
            "remarks": "macOS PPPC Policy - \"PPPCConfigMacDriver\" is deployed sucessfully",
            "userName": "DC-SYSTEM-USER",
            "startTimeISO": "--",
            "endTimeISO": "--",
            "eventTimeISO": "2023-09-22T11:38:42.256+05:30"
    }],"messagetype": "auditLogs",
    "messageversion": "v1",
    "status": "success"
}
Sample request filtered to a single module (eventModule=Configuration):
GET /emsapi/server/auditLogs?page=1&startTime=1677609000000&endTime=1680201000000&eventModule=Configuration HTTP/1.1
Host: <Endpoint Central URL>

Headers:

Content-Type: application/auditlogsdata.v1+json
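The following collector is an added example written for this article; it is not WOTECH's or ManageEngine's code. It takes from the page only the endpoint, the media type, the 30-calls-per-5-minutes limit and the response shape shown above. Everything else is an assumption made here: the base URL and token placeholders, sending both Accept and Content-Type (the page lists one in the header section and the other in the sample request), following metadata.links.next and stopping on an empty page or a repeated URL (the sample response reports page 0 for a page=1 request, so page numbers are not trusted), and the ec@32473 structured-data ID, which uses the IANA documentation enterprise number as a placeholder. The sample page embedded in the block is constructed from two of the three events in the sample response.

```python
"""Pull Endpoint Central console audit logs via /emsapi/server/auditLogs and
render them as RFC 5424 syslog lines for a SIEM. Added example, not WOTECH's or
ManageEngine's code; endpoint, headers, rate limit and response shape come from
the article, everything else (placeholders, SD-ID, paging stop rule) is assumed."""
import json
import time
import urllib.request
from collections import deque
from datetime import datetime, timezone
from urllib.parse import urlencode

AUDIT_PATH = "/emsapi/server/auditLogs"
MEDIA_TYPE = "application/auditlogsdata.v1+json"

# Constructed from the article's sample response (two of its three events).
SAMPLE_PAGE = {
    "metadata": {"pageLimit": 5000, "total": "3", "totalPages": 1, "page": 0,
                 "links": {"next": "/emsapi/server/auditLogs?&endTime=1695364960919&startTime=1695364960202&page=1"}},
    "messageResponse": [
        {"hostName": "ManageEngine Endpoint Central 11", "module": "User Management", "priority": "Information",
         "eventTime": "1695365222646", "userIp": "172.21.148.119", "computerName": "--", "domainName": "--",
         "remarks": "The host 172.21.148.119 is connected as admin with Administrator role", "userName": "admin"},
        {"hostName": "ManageEngine Endpoint Central 11", "module": "Configurations", "priority": "Information",
         "eventTime": "1695362922256", "userIp": "--", "computerName": "--", "domainName": "--",
         "remarks": 'macOS PPPC Policy - "PPPCConfigMacDriver" is deployed sucessfully', "userName": "DC-SYSTEM-USER"},
    ],
    "messagetype": "auditLogs", "messageversion": "v1", "status": "success"}


class RateLimiter:
    """Sliding window of max_calls per period seconds (article: 30 calls per 5 minutes)."""

    def __init__(self, max_calls=30, period=300.0, clock=time.monotonic, sleep=time.sleep):
        self.max_calls, self.period, self.clock, self.sleep = max_calls, period, clock, sleep
        self.calls = deque()

    def wait_for_slot(self):
        """Block until a call is allowed; return the seconds spent waiting."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.period:
            self.calls.popleft()          # drop calls that fell out of the window
        waited = 0.0
        if len(self.calls) >= self.max_calls:
            waited = self.period - (now - self.calls[0])
            self.sleep(waited)
            now += waited
            self.calls.popleft()
        self.calls.append(now)
        return waited


def build_url(base_url, start_ms, end_ms, page=1, page_limit=5000, modules=None):
    """Compose the request URL; eventModule is a comma-separated module list."""
    params = {"startTime": start_ms, "endTime": end_ms, "page": page, "pageLimit": page_limit}
    if modules:
        params["eventModule"] = ",".join(modules)
    return base_url.rstrip("/") + AUDIT_PATH + "?" + urlencode(params)


def parse_page(body):
    """Return (events, next_path) from one decoded response body.
    'total' arrives as a string and 'page' as 0 in the sample, so callers follow
    metadata.links.next instead of computing page numbers from the metadata."""
    if body.get("status") != "success":
        raise RuntimeError("auditLogs API returned status %r" % body.get("status"))
    meta = body.get("metadata") or {}
    next_path = (meta.get("links") or {}).get("next") or None
    return list(body.get("messageResponse") or []), next_path


def _http_get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(base_url, token, start_ms, end_ms, modules=None, fetch=_http_get_json, limiter=None):
    """Follow links.next until there is no link, an empty page, or a repeated URL (loop guard)."""
    limiter = limiter or RateLimiter()
    # Assumption: send both Accept and Content-Type, since the article shows each once.
    headers = {"Accept": MEDIA_TYPE, "Content-Type": MEDIA_TYPE, "Authorization": token}
    url, seen, events = build_url(base_url, start_ms, end_ms, modules=modules), set(), []
    while url and url not in seen:
        seen.add(url)
        limiter.wait_for_slot()
        page_events, next_path = parse_page(fetch(url, headers))
        if not page_events:
            break
        events.extend(page_events)
        url = base_url.rstrip("/") + next_path if next_path else None
    return events


def _sd_escape(value):
    """Escape an RFC 5424 PARAM-VALUE: backslash, double quote and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def event_to_syslog(ev, app="EndpointCentral"):
    """Render one audit event as an RFC 5424 line, facility 13 (log audit);
    ec@32473 is a placeholder SD-ID built on the IANA documentation enterprise number."""
    secs, ms = divmod(int(ev["eventTime"]), 1000)
    ts = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % ms
    severity = {"Error": 3, "Warning": 4, "Information": 6}.get(ev.get("priority"), 6)
    host = ev.get("hostName", "-").replace(" ", "_") or "-"   # HOSTNAME may not contain spaces
    sd = " ".join('%s="%s"' % (k, _sd_escape(ev.get(k, "--")))
                  for k in ("module", "userName", "userIp", "computerName", "domainName"))
    return "<%d>1 %s %s %s - - [ec@32473 %s] %s" % (13 * 8 + severity, ts, host, app, sd, ev.get("remarks", ""))


def demo():
    """Offline run: the constructed sample as page 1, an empty page 2, no real HTTP or sleeping."""
    answers = [SAMPLE_PAGE, {"status": "success", "metadata": {}, "messageResponse": []}]
    fake_fetch = lambda url, headers: answers.pop(0)
    limiter = RateLimiter(clock=lambda: 0.0, sleep=lambda s: None)
    events = fetch_all("https://ec.example.internal:8383", "TOKEN-PLACEHOLDER", 0, 1,
                       fetch=fake_fetch, limiter=limiter)
    return [event_to_syslog(e) for e in events]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

For a live pull, call fetch_all with the server's base URL and the API token from the procedure linked above, for example the last five minutes: `fetch_all(base_url, token, end_ms - 300000, end_ms)`; the default fetcher uses urllib and the limiter sleeps when the 30-calls-per-5-minutes budget is spent. Keep the window small and overlap consecutive windows slightly, since the API filters on eventTime and the sample shows the next-page link rewriting startTime and endTime on its own.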


2) Reading this information from a report via a Scheduled Report.

Steps to set up a scheduled query report:
1. Create a Query Report with the query given below.
2. Create a Scheduled Report from the Query Report created in the previous step:
      - Select the appropriate file format (csv, xlsx or pdf).
      - Select the option to publish reports on the Central server and send the URL.

The published file can then be ingested into the SIEM product as required.


Query for collecting the logs of this month:

SELECT
    EventCode.EVENT_TYPE AS "TYPE",
    LONG_TO_DATE(EventLog.EVENT_TIMESTAMP, "EVENT TIME"),
    EventCode.EVENT_MODULE AS "MODULE",
    I18N_TRANSLATE(EventLog.EVENT_REMARKS, EventLog.EVENT_REMARKS_ARGS),
    EventLog.LOGON_USER_NAME AS "USERNAME",
    RDSConnectionReason.REASON_MESSAGE AS "REASON MESSAGE",
    LONG_TO_DATE(EventTimeDuration.EVENT_START_TIME, "START TIME"),
    LONG_TO_DATE(EventTimeDuration.EVENT_END_TIME, "END TIME"),
    EventTimeDuration.EVENT_TIME_DURATION AS "TIME DURATION",
    ResourceEventLogRel.RESOURCE_NAME AS "COMPUTER NAME",
    ResourceEventLogRel.DOMAIN_NETBIOS_NAME AS "DOMAIN NAME",
    EventTimeDuration.VIEWER_IP AS "VIEWER IP"
FROM
    EventLog
    LEFT JOIN CustomerEventLog
        ON EventLog.EVENT_LOG_ID = CustomerEventLog.EVENT_LOG_ID
    INNER JOIN EventCode
        ON EventLog.EVENT_ID = EventCode.EVENT_ID
    LEFT JOIN EventTimeDuration
        ON EventLog.EVENT_LOG_ID = EventTimeDuration.EVENT_LOG_ID
    LEFT JOIN RDSConnectionReason
        ON EventLog.EVENT_LOG_ID = RDSConnectionReason.EVENT_LOG_ID
    LEFT JOIN ResourceEventLogRel
        ON EventLog.EVENT_LOG_ID = ResourceEventLogRel.EVENT_LOG_ID
    LEFT JOIN Resource
        ON ResourceEventLogRel.RESOURCE_ID = Resource.RESOURCE_ID
WHERE
    EventLog.EVENT_TIMESTAMP <= <to_thismonth>
    AND EventLog.EVENT_TIMESTAMP >= <from_thismonth>
ORDER BY
    EventLog.EVENT_TIMESTAMP DESC
