Reports

Overview

Get the reports that match the filter and the data of the reports.

Configuration

Parameters

Domain (Domain)

Secrets

cisco_auth corresponds to the API Token used to authenticate the connection to Cisco Umbrella.

To add a Secret, open the Secret fields and click New secret:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Sentinel One Web API Reports fields, or simply paste the desired YAML.

Configure as YAML

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: EpochMillis
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://${parameters.domain}/auth/v2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
        - name: authorization
          value: ${secrets.cisco_auth}
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: false
collectionPhase:
  paginationType: offsetLimit
  limit: 100
  isZeroIndex: false
  request:
    responseType: json
    method: GET
    url: https://${parameters.domain}/reports/v2/activity
    queryParams:
      - name: from
        value: ${temporalWindow.from}
      - name: to
        value: ${temporalWindow.to}
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
  output:
    select: ".data"
    map: "."
    outputMode: element
retry:
  statusCodes: [429, 500, 502, 503, 504]
  type: fixed 
  fixed:
    interval: 2s

Manually Configure

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - 5m
Format - EpochMillis

Authentication Stage

Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.

Type* - token
Request Method* - POST
URL* - https://${parameters.domain}/auth/v2/token
Headers
- Name - Content-type
- Value - application/x-www-form-urlencoded
- Name - Accept
- Value - application/json
- Name - Authorization
- Value - ${secrets.cisco_auth}
BodyType* - UrlEncoded
- Body params
  - Name - grant_type
  - Value - client_credentials
Token Path* - .access_token
Auth Injection
- In* - header
- Name* - authorization
- Prefix - Bearer
- Suffix - ''

Collection Phase

Pagination Type* - offsetLimit
Limit - 100
Zero Index - false
Request
- Response Type - JSON
- Method* - GET
- URL* - https://${parameters.domain}/reports/v2/activity
- Query Params
  - Name - from
  - Value - ${temporalWindow.from}
  - Name - to
  - Value - ${temporalWindow.to}
  - Name - offset
  - Value - ${pagination.offset}
  - Name - limit
  - Value - ${pagination.limit}
Output
- Select - .data
- Map - .
- Output Mode - element
Retry
- Status codes - [429, 500, 502, 503, 504]
- Type - fixed
  - Interval-2s

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousCollect data from Cisco Umbrella products NextCollect data from CrowdStrike Falcon NG-SIEM

Last updated 14 days ago

Was this helpful?

Good morning