HOWTO - Network Logs API Endpoint Guide - GuardiCore

The document provides a guide on using the Network Logs API endpoint for GuardiCore, detailing how to access network logs via a REST API. It includes instructions on authentication, making GET requests for network logs, and processing the returned JSON data. Additionally, there are code examples in Python for exporting network logs data to CSV format.


5/14/2021 HOWTO - Network Logs API Endpoint Guide – GuardiCore

HOWTO - Network Logs API Endpoint Guide
Christina Vaizel

Operating Systems N/A

Product Version V30+

Date Created 18 Nov 2019

https://guardicore.zendesk.com/hc/en-us/articles/360015818659-HOWTO-Network-Logs-API-Endpoint-Guide

Background

A how-to on getting the most out of the network logs feature by using the REST API. A
common use case is a bulk export of the network logs data, which is much quicker to do via
the API than through the UI.

Instructions

General Info

1. The Management server has a REST API service running. It can be accessed at
https://<management IP>/api/v3.0/

2. Create a new UI user for use with the REST API if one does not exist already.

3. Any programming language can be used to make requests to the API. This guide will show
examples in Python.

   1. For Python, a prerequisite is the requests package. This can be installed from the
   command line using python -m pip install requests

Authentication

This endpoint requires the user to be logged in and have a valid authentication token. An
example is given below showing how to authenticate using Python requests.

import requests
import json

mgmt_url = "https://<management IP>/api/v3.0/"

creds = {"username": "gc-api", "password": "******"}
headers = {'content-type': 'application/json'}
# POST the credentials as a JSON body; the response carries the token used by later calls
r = requests.post(mgmt_url + "authenticate", data=json.dumps(creds), headers=headers)
token = r.json()['access_token']


Network Logs Endpoint

The network logs API endpoint is at /connections

It listens for GET requests and expects a token (from the authentication step). The token is to be
sent as a URI variable.

These are the other required parameters:

"from_time" : Epoch time in milliseconds

"to_time" : Epoch time in milliseconds. The from_time and to_time form the time period window
for which the network logs are obtained

"sort" : The name of the data field used to sort the returned data. Recommended to set this to
"slot_start_time"

"limit" : The number of results returned per API call. The maximum value is 10000

"offset" : Used to move to the next block of data if the resulting dataset is larger than your
"limit" value. In other words, if your dataset is 20,000 rows, you will need to make at minimum 2
API calls to get all of the data; 1 call with 0 as the offset and 1 call with an offset of 10000.

from datetime import datetime

# mgmt_url, headers and token come from the Authentication step above
from_time_humanreadable = datetime(2019,11,8)
to_time_humanreadable = datetime(2019,11,9)

settings = {
    # the API expects epoch milliseconds, so scale the second-based timestamp by 1000
    "from_time": int(from_time_humanreadable.timestamp()*1000),
    "to_time": int(to_time_humanreadable.timestamp()*1000),
    "sort": "-slot_start_time",
    "offset": 0,
    "limit": 500
}

# the token travels as a URI variable; the other parameters go in the query string
r = requests.get(mgmt_url + "connections?token=" + token, params=settings, headers=headers)

Data Processing

The returned data will be in JSON format. If you would like this to be in a different format (such
as CSV), you will need to manually convert the data. This is an example of the raw returned data.


{
'objects':[
{
'flow_id':'48749191a2b02045a3630852de54dcb99e86f6b06d3969050e153efaed1cb2c4',
'bucket_id':'d03978f4-62fa-459a-80e1-c96c2eacdee9',
'source_node_id':'2e867187-3a21-4508-87bd-d0a6512442bc',
'destination_node_id':'UnknownAsset_Internal_192.168.0.0/16',
'source_node_type':'asset',
'destination_node_type':'subnet',
'source_process':'gc-channel',
'destination_process':'Unknown Server (443/TCP)',
'source_process_id':'e8085b5491e858806fc17a722c7e93f780e867df4800e6a9bddcc396abf
'destination_process_id':'703e10758bd5aad6d81ebe5037013fded72223e12e2d8a0d4e4823
'source_process_name':'gc-channel',
'destination_process_name':'Unknown Server (443/TCP)',
'destination_port':443,
'count':2,
'slot_start_time':1573272413000,
'incidents':False,
'connection_type':'UNKNOWN',
'source_ip':'192.168.2.76',
'destination_ip':'192.168.2.68',
'ip_protocol':'Tcp',
'source_asset_hash':317458,
'destination_asset_hash':349875,
'violates_policy':False,
'policy_rule':'default',
'policy_ruleset':None,
'policy_verdict':'allowed',
'db_insert_time':'2019-11-09T04:09:54.293504',
'id':'8272f5c4-7d27-48b0-ab66-cdedcbc444c3',
'source':{
'vm':{
'_id':'2e867187-3a21-4508-87bd-d0a6512442bc',
'name':'Gollum Lab Server'
}
},
'has_mismatch_alert':False,
'original_policy_verdict':'allowed',

'source_process_full_path':'/var/lib/guardicore/sbin/gc-channel',
'destination_process_full_path':None
},
{
'flow_id':'20d76300a7121ab46ba0230e3505c565a69e945191b58631ee53bfeace788593',
'bucket_id':'7c653747-891c-488a-a934-3607b7d5ae77',
'source_node_id':'bf9cabfb-ede1-4232-ad7f-d2f9cd216cc0',
'destination_node_id':'UnknownAsset_Internal_192.168.0.0/16',
'source_node_type':'asset',
'destination_node_type':'subnet',
'source_process':'gc-channel',
'destination_process':'Unknown Server (443/TCP)',
'source_process_id':'be18ab6b5cc01b3af8e15da041d3ffd282f6dd1cc635092daf23f72aef0ba
'destination_process_id':'703e10758bd5aad6d81ebe5037013fded72223e12e2d8a0d4e4823
'source_process_name':'gc-channel',
'destination_process_name':'Unknown Server (443/TCP)',
'destination_port':443,
'count':2,
'slot_start_time':1573272413000,
'incidents':False,
'connection_type':'UNKNOWN',
'source_ip':'192.168.2.69',
'destination_ip':'192.168.2.68',
'ip_protocol':'Tcp',
'source_asset_hash':166347,
'destination_asset_hash':97014,
'violates_policy':False,
'policy_rule':'default',
'policy_ruleset':None,
'policy_verdict':'allowed',
'db_insert_time':'2019-11-09T04:09:54.476098',
'id':'9565706b-ab36-4ec9-ae05-3129fe44805d',
'source':{
'vm':{
'_id':'bf9cabfb-ede1-4232-ad7f-d2f9cd216cc0',
'name':'Sauron Lab Server'
}
},
'has_mismatch_alert':False,

'original_policy_verdict':'allowed',
'source_process_full_path':'/var/lib/guardicore/sbin/gc-channel',
'destination_process_full_path':None
}
],
'total_count':1828,
'is_count_exact':True,
'current_page':7,
'results_in_page':3,
'from':18,
'to':21,
'sort':'-slot_start_time',
'filter':{
'from_time':'1573189200000',
'to_time':'1573275600000',
'connection_type__not':'closed'
},
'db_query_time':'0.0 seconds',
'dict_mapping_time':'0.0 seconds',
'objects_mapping_time':'0.033 seconds',
'objects_cleanup_time':'0.0 seconds'
}
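Pulling together the offset/limit paging described above and the JSON-to-CSV conversion this section calls for, here is an added example that is not part of the original article: it flattens one entry of the 'objects' array (nested 'source' VM name, millisecond 'slot_start_time') into a CSV row and decides from 'to' and 'total_count' whether another page must be fetched. It runs offline on a constructed response modelled on the sample above; SAMPLE_PAGE, COLUMNS, flatten_entry, next_offset and page_to_csv are names chosen here, not API or GuardiCore names.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample page modelled on the response shown above (not real API output).
SAMPLE_PAGE = {
    "objects": [
        {"flow_id": "constructed-flow-1", "source_ip": "192.168.2.76",
         "destination_ip": "192.168.2.68", "destination_port": 443,
         "ip_protocol": "Tcp", "slot_start_time": 1573272413000,
         "policy_verdict": "allowed", "violates_policy": False,
         "source": {"vm": {"_id": "constructed-id-1", "name": "Gollum Lab Server"}}},
        {"flow_id": "constructed-flow-2", "source_ip": "192.168.2.69",
         "destination_ip": "192.168.2.68", "destination_port": 443,
         "ip_protocol": "Tcp", "slot_start_time": 1573272413000,
         "policy_verdict": "blocked", "violates_policy": True,
         "source": {"vm": {"_id": "constructed-id-2", "name": "Sauron Lab Server"}}},
    ],
    "total_count": 1828, "from": 18, "to": 20,
}

# CSV columns; "source_name" is derived from the nested "source" dict.
COLUMNS = ["slot_start_time", "source_name", "source_ip", "destination_ip",
           "destination_port", "ip_protocol", "policy_verdict", "violates_policy", "flow_id"]

def flatten_entry(entry):
    """Turn one 'objects' item into a flat CSV row: convert the epoch-millisecond
    slot_start_time to an ISO-8601 UTC string and pull the VM name out of the
    nested 'source' dict (absent when the source is not a VM asset)."""
    row = {col: entry.get(col, "") for col in COLUMNS}
    row["slot_start_time"] = datetime.fromtimestamp(
        entry["slot_start_time"] / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    row["source_name"] = entry.get("source", {}).get("vm", {}).get("name", "")
    return row

def next_offset(page, offset):
    """Return the offset for the next /connections call, or None when the page's
    'to' marker has reached 'total_count' (the stop condition used in the guide's
    script) or the page came back empty, so the loop cannot spin forever."""
    if not page["objects"] or page["to"] >= page["total_count"]:
        return None
    return offset + len(page["objects"])

def page_to_csv(page):
    """Render one page of results as CSV text: a header line plus one line per entry."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    for entry in page["objects"]:
        writer.writerow(flatten_entry(entry))
    return buf.getvalue()
```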

Code Example

import requests
import json
import csv
from datetime import datetime

#=====User Inputs========
mgmt_url = "https://192.168.2.12/api/v3.0/"
creds = {"username": "gc-api", "password": "*****"}
from_time_human = datetime(2019,11,8)
to_time_human = datetime(2019,11,9)
pagesize = 50
#========================

headers = {'content-type': 'application/json'}

# Authenticate once and reuse the returned token for every /connections call
r = requests.post(mgmt_url + "authenticate", data=json.dumps(creds), headers=headers)
r.raise_for_status()
token = r.json()['access_token']

continue_iterating = True
page = 1

fieldnames = [
    "destination_asset_hash",
    "slot_start_time",
    "violates_policy",
    "policy_rule",
    "db_insert_time",
    "source",
    "destination_process_name",
    "destination_ip",
    "flow_id",
    "id",
    "has_mismatch_alert",
    "policy_ruleset",
    "destination_process",
    "source_node_id",
    "destination_node_type",
    "source_process_id",
    "source_asset_hash",
    "destination_domain",
    "count",
    "bucket_id",
    "source_node_type",
    "incidents",
    "source_process",
    "destination_node_id",
    "source_process_full_path",
    "policy_verdict",
    "ip_protocol",
    "original_policy_verdict",
    "destination_process_id",
    "source_process_name",
    "policy_section",
    "destination_port",
    "source_ip",
    "destination_process_full_path",
    "connection_type"]

# newline="" lets the csv module control line endings itself
with open("network_logs.csv", "w", newline="") as csvfile:
    # extrasaction="ignore" drops any returned field that is not in fieldnames
    # instead of raising; fields in fieldnames but missing from a row are left blank
    writer = csv.DictWriter(csvfile, delimiter=",", fieldnames=fieldnames, extrasaction="ignore")
    writer.writeheader()

    while continue_iterating:
        settings = {
            "from_time": int(from_time_human.timestamp()*1000),
            "to_time": int(to_time_human.timestamp()*1000),
            "sort": "-slot_start_time",
            "offset": (page-1)*pagesize,
            "limit": pagesize
        }

        r = requests.get(mgmt_url + "connections?token=" + token, params=settings, headers=headers)
        r.raise_for_status()
        data = r.json()   # parse the page once and reuse it below
        print(data)

        for entry in data["objects"]:
            # slot_start_time is epoch milliseconds; scale to seconds for fromtimestamp
            entry['slot_start_time'] = datetime.fromtimestamp(entry['slot_start_time']/1000)
            writer.writerow(entry)

        # Stop once the last row of this page reaches the total, or the page is empty
        if data['to'] >= data['total_count'] or not data["objects"]:
            continue_iterating = False
        page = page + 1


References

HOWTO - Use Postman for API scripting

KB HOWTO - Adding/Removing IPs/assets from labels via API

HOWTO - Create Blacklisted IP Rules Using API
