
I am trying to use an API that I have previously used for various jobs to query and retrieve relevant data. Lately, however, I am unable to do so because an unusual exception is returned, which I honestly know nothing about.

The code:

import SIEMAuth   # local helper module providing the ESM base URL and authenticated session headers
import requests

alert_id = '144116287822364672|12101929'

# Request body: the alert id wrapped in an object, and a "format" object as in the API docs
query_params = {"id": {"value": alert_id}, "format": {"format": 0}}

# verify=False disables TLS certificate verification for this request
print(requests.post(SIEMAuth.url + 'ipsGetAlertPacket', json=query_params,
                    headers=SIEMAuth.session_headers, verify=False).text)

The following exception/traceback is returned when I run this query:

Can not construct instance of com.mcafee.siem.api.data.alert.EsmPacketFormat: no suitable constructor found, can not deserialize from Object value (missing default constructor or creator, or perhaps need to add/enable type information?)
 at [Source: java.io.StringReader@1a15fbf; line: 1, column: 2]

Process finished with exit code 0

When I searched the internet for more about this exception, most of the results related to the Jackson JSON parser in the Java programming environment, which is not something I am working with or familiar with.

I'd be extremely grateful if anybody could help.

Devanshu Misra
  • The error occurs server side probably because what you send in the request is not what the server expects. You should check the requirements for this API. – Serge Ballesta Jun 07 '18 at 07:50
  • @SergeBallesta That's what I figured, but as stated, this exception is unusual, since I have queried this API many times and this is the first time it has appeared. Moreover, I'd just like to know what it essentially means. If you want, I can post the API call requirements. – Devanshu Misra Jun 07 '18 at 07:57
  • Unfortunately I think the API is just broken or the docs are incorrect. Their docs provide the example JSON body `{"id": "(value)", "format": {"format": 0}}`, which is what @DevanshuMisra is providing. I've been looking into this with McAfee ESM 10.2.0 and I'm getting the same issue. – Liam Sep 10 '18 at 08:18
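The error body quoted in the question is Jackson's standard deserialization failure message, so it was raised by the server while reading the request, not by the Python client. As an added example (not code from the original question or from McAfee), here is a small Python helper that recognises that message, pulls out the Java class name and the position in the request body where the server gave up, classifies an ESM response, and sends the request with TLS verification turned on rather than `verify=False`. The endpoint name and the error text are taken from the question; `EsmApiError`, `post_esm`, the CA-bundle path and the response buckets are assumptions made for the example.

```python
"""Classify McAfee ESM API responses that come back as Jackson errors."""
import json
import re
from dataclasses import dataclass
from typing import Any, Optional

try:
    import requests  # only needed by post_esm(); the parsing below is stdlib
except ImportError:
    requests = None

# Constructed sample: the response body shown in the question, verbatim.
SAMPLE_JACKSON_ERROR = (
    "Can not construct instance of com.mcafee.siem.api.data.alert.EsmPacketFormat: "
    "no suitable constructor found, can not deserialize from Object value "
    "(missing default constructor or creator, or perhaps need to add/enable "
    "type information?)\n at [Source: java.io.StringReader@1a15fbf; line: 1, column: 2]"
)

# Shape of Jackson's mapping-exception text: the Java class it failed to build,
# the reason, and the position in the *request body* where it stopped.
_JACKSON_RE = re.compile(
    r"Can not construct instance of (?P<cls>[\w.$]+):\s*(?P<reason>.*?)"
    r"\s+at \[Source: (?P<src>[^;]+); line: (?P<line>\d+), column: (?P<col>\d+)\]",
    re.DOTALL,
)


class EsmApiError(Exception):
    """Assumed exception type: raised when ESM answers with an error instead of JSON."""


@dataclass
class JacksonError:
    java_class: str   # server-side class name leaked in the message
    reason: str
    line: int         # position in the request body the server was deserializing
    column: int

    @property
    def from_object_value(self) -> bool:
        # Jackson was handed a JSON object ({...}) for a class it cannot build from
        # one, i.e. the value shape in the request is not what the server expects.
        return "from Object value" in self.reason


def parse_jackson_error(text: str) -> Optional[JacksonError]:
    """Return the parsed Jackson error, or None if the body is not one."""
    m = _JACKSON_RE.search(text)
    if m is None:
        return None
    return JacksonError(m["cls"], m["reason"].strip(), int(m["line"]), int(m["col"]))


def classify_response(status_code: int, text: str) -> str:
    """Bucket a response; Jackson errors are checked first since the status may still be 200."""
    if parse_jackson_error(text) is not None:
        return "deserialization-error"
    if status_code >= 400:
        return "http-error"
    try:
        json.loads(text)
    except ValueError:
        return "unparseable"
    return "ok"


def load_esm_body(status_code: int, text: str) -> Any:
    """Parse a successful ESM body, or raise EsmApiError naming the server-side cause."""
    kind = classify_response(status_code, text)
    if kind == "deserialization-error":
        err = parse_jackson_error(text)
        hint = "request value has the wrong JSON shape" if err.from_object_value else "see reason"
        raise EsmApiError(f"server could not deserialize request into {err.java_class} "
                          f"at line {err.line}, column {err.column}: {err.reason} ({hint})")
    if kind != "ok":
        raise EsmApiError(f"{kind}: HTTP {status_code}: {text[:200]}")
    return json.loads(text)


def post_esm(base_url: str, endpoint: str, payload: dict, headers: dict,
             ca_bundle: str = "/etc/ssl/certs/esm-ca.pem", timeout: float = 30.0) -> Any:
    """POST to an ESM endpoint with TLS verification on; the CA-bundle path is an assumption."""
    if requests is None:
        raise RuntimeError("post_esm() needs the requests package")
    resp = requests.post(base_url + endpoint, json=payload, headers=headers,
                         verify=ca_bundle, timeout=timeout)
    return load_esm_body(resp.status_code, resp.text)


if __name__ == "__main__":
    # Offline demonstration on the body the asker received.
    print(classify_response(200, SAMPLE_JACKSON_ERROR))
    try:
        load_esm_body(200, SAMPLE_JACKSON_ERROR)
    except EsmApiError as exc:
        print(exc)
```

Pointing `verify` at the CA that signed the ESM's certificate keeps certificate checking on for an appliance with an internal CA; `verify=False` in the question silently accepts any certificate, which matters for a request that carries a session header. Checking for the Jackson message before looking at the HTTP status is deliberate: the asker's script exited cleanly after printing the error text, so the status alone cannot be relied on to flag the failure.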

1 Answer

Unfortunately it's as I suggested; basically one way or another it's broken. The response from their support is as follows.

I have reached out to my development team with this question and got the response below.

That particular get is not meant to be used in the external API. It should only be used from the interface, and has been removed since the version of the ESM you are on. If you want to use that externally then you need to submit it as a per.

I hope this clears your questions.

Edit: This has actually been expanded on in a thread on their support forums. You need a login to see the original thread.

Name notwithstanding, this API does not return the actual data packet associated with an event. In fact, when aggregation is enabled, not all of the packets associated with a given event are available on the ESM. Raw packet data can be retrieved from the ELM through the UI, but unfortunately there currently is not a way to do that programmatically.

Liam