McAfee Enterprise MVISION Cloud

Import Incident Activities to SIEM

You can import the incident activities in a compressed CSV file format and send them to SIEM.

The MVISION Cloud Connector can:

  • Query the CSV file and send it to the SIEM.
  • Expose the endpoint to invoke SIEM and pass the Incident ID or Date Range. These parameters are passed to SHNAPI to get the activity data and send it to the SIEM.

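To import the incident/query activities to SIEM, run the following curl command. The -k option turns off TLS certificate verification, so leave it out when the server certificate chains to a CA your system trusts: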

curl -k -X POST \
'https://<MVISION Cloud URL>/shnapi/rest/external/api/v1/queryActivities' \
-H 'content-type: application/json' \
-H 'Authorization: Basic AuthToken' \
-H 'Cookie: JSESSIONID=SessionNumber' \
-d '{ "incidentId": "incidentNumber","start_time": "yyyy-mm-dd","end_time": "yyyy-mm-dd"}'

//Response shows the list of column names in the CSV file format

 NOTE: The Incident ID is a mandatory field. The Start time and End time are optional fields.

Example:

curl -k -X POST \
'https://www.myshn.net/shnapi/rest/external/api/v1/queryActivities' \
-H 'content-type: application/json' \
-H 'Authorization: Basic c2hpdmFzYWkxMzkzNEBnbWFpbC5jb206QWJjZF8xMjM0NTY3OA==' \
-H 'Cookie: JSESSIONID=C04B1336A0FEFFA0A5C3C45B6B6B7602.shnapi-08ce8b66c61bc873b' \
-d '{ "incidentId": "469","start_time": "2020-10-29","end_time": "2020-11-03"}'

//Response shows the list of column names in the CSV file format

timestamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,
clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,
directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,
fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,
locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,
operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,
region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,
subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,
uploadBytes,url,user,userCount
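
The following Python sketch is an added example, not code from the MVISION Cloud documentation. It shows one way to turn the CSV response into one JSON line per activity before forwarding to a SIEM. Assumptions: the compressed body is gzip or zip (the page only says "compressed"), JSON lines are an acceptable SIEM input, and the function names and sample rows are hypothetical.

```python
import csv
import gzip
import io
import json
import zipfile

# Subset of the column names listed in the sample response above; a body
# without them is treated as an error page or a changed export layout.
EXPECTED = {"timestamp", "actionName", "user", "sourceIP", "serviceName", "tenantId"}

def decompress(body: bytes) -> str:
    """Return CSV text from a gzip, zip or plain body (format is an assumption)."""
    if body[:2] == b"\x1f\x8b":                      # gzip magic bytes
        body = gzip.decompress(body)
    elif body[:4] == b"PK\x03\x04":                  # zip local-file header
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            body = zf.read(zf.namelist()[0])
    return body.decode("utf-8-sig")                  # tolerate a leading BOM

def to_siem_events(body: bytes, incident_id: str) -> list:
    """Convert the activity CSV into JSON lines, one per row, empty fields dropped."""
    reader = csv.DictReader(io.StringIO(decompress(body)))
    missing = EXPECTED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"unexpected CSV header, missing: {sorted(missing)}")
    events = []
    for row in reader:
        # Skip empty cells and the None key DictReader uses for surplus cells.
        event = {k: v for k, v in row.items() if k and v not in (None, "")}
        event["incidentId"] = incident_id            # keep the link to the incident
        events.append(json.dumps(event, sort_keys=True))
    return events

# Constructed sample data (not real activity records).
SAMPLE_CSV = (
    "timestamp,actionName,user,sourceIP,serviceName,tenantId,fileName\n"
    "2020-10-30 10:15:00,Download,user1@example.com,203.0.113.10,ExampleService,12345,report.docx\n"
    "2020-10-31 08:02:41,Login,user2@example.com,198.51.100.7,ExampleService,12345,\n"
)

if __name__ == "__main__":
    for line in to_siem_events(gzip.compress(SAMPLE_CSV.encode()), "469"):
        print(line)
```

Rejecting a response whose header lacks the expected columns keeps an HTML error page or an expired-session redirect from being forwarded to the SIEM as activity data.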