Forum Discussion
BIG-IQ RestAPI - retrieve customized Web Application Security Event Log
Hello,
As per the following example, https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/HowToSamples/bigiq_public_api_wf/asm/t_get_event_log_record_by_support_id.html we can retrieve info about the Web Application Security Events.
Is there any way to make BIG-IQ return only a specific parameter, not the whole event log? I am looking to return only the "sig_ids[]".
Thanks!
- JRahm (Admin)
I haven't used the big-iq api, but I think the same url query parameters work there. So using $select=<param> might work in theory. The challenge looking at the data though is that sig_ids is nested three levels deep:
hits -> hits -> _source -> sig_ids
Do you have the reference for what the query options are in the POST? Example from the link you provided..
{ "query":{ "query_string":{ "query":"support_id: 10961136626817826933" } }, "from":0, "size":50, "sort":{ "date_time":"desc" } }
- gbogdan (Altocumulus)
Hello JRahm,
Thanks for your response.
Unfortunately, that page is the only information I have. Is there any place where I can find more details?
Also, I see this example https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_public_api_ref/r_analytics_event_query.html?highlight=security%20events, which uses a different path, but I am not sure how to apply it to Web Application Security Events.
EDITED by Leslie_Hubertus: tagged JRahm to make sure he sees this reply for follow-up 🙂
- gbogdan (Altocumulus)
This is how it can be done:
POST /mgmt/cm/shared/es/logiq/asmindex/_search?filter_path=hits.hits._source
Request Body:
{
  "query": {
    "query_string": { "query": "support_id: 123456789" }
  },
  "_source": "staged_sig_ids",   <====
  "from": 0,
  "size": 50,
  "sort": { "date_time": "desc" }
}
- Leslie_Hubertus (Ret. Employee)
Thanks for following up with your solution!
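The request from the solution above, as an added Python example that is not part of the original thread or of F5's documentation: it builds the source-filtered search body and pulls the requested field out of the nested hits -> hits -> _source response. The helper names, the digits-only check on support_id, and the sample responses are assumptions made for illustration.

```python
import json
import re

# Path and filter_path value taken from the solution post above.
SEARCH_PATH = "/mgmt/cm/shared/es/logiq/asmindex/_search"
FILTER = "?filter_path=hits.hits._source"


def build_search(support_id, fields, size=50):
    """Return (path, json_body) for a lookup that returns only `fields`."""
    sid = str(support_id)
    # The value is interpolated into a query_string query, so accept digits
    # only; anything else could change the meaning of the query.
    if not re.fullmatch(r"\d{1,20}", sid):
        raise ValueError("support_id must be numeric")
    body = {
        "query": {"query_string": {"query": f"support_id: {sid}"}},
        "_source": list(fields),  # source filtering: a field name or a list of names
        "from": 0,
        "size": size,
        "sort": {"date_time": "desc"},
    }
    return SEARCH_PATH + FILTER, json.dumps(body)


def extract_field(response_text, field):
    """Collect `field` from every hit in a filtered search response."""
    doc = json.loads(response_text)
    values = []
    # With filter_path, a search with no matching hits can come back as {}.
    for hit in doc.get("hits", {}).get("hits", []):
        value = hit.get("_source", {}).get(field)
        if value is None:
            continue
        values.extend(value if isinstance(value, list) else [value])
    return values


# Constructed sample responses (not captured from a real BIG-IQ).
SAMPLE_MATCH = ('{"hits":{"hits":[{"_source":{"staged_sig_ids":'
                '["200000001","200000002"]}},{"_source":{}}]}}')
SAMPLE_EMPTY = "{}"

if __name__ == "__main__":
    path, body = build_search("123456789", ["staged_sig_ids"])
    print("POST", path)
    print(body)
    print(extract_field(SAMPLE_MATCH, "staged_sig_ids"))
    print(extract_field(SAMPLE_EMPTY, "staged_sig_ids"))
```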