Difference between revisions of "Forensic Data Using the API"

From Observer GigaFlow Support | VIAVI Solutions Inc.
Revision as of 13:23, 24 April 2019

All forensics requests are made via http://127.0.0.1:7902/rest/api/

The portalUser parameter can be used to authenticate sessions, e.g.

http://172.21.40.128:7902/rest/api?portalUser=admin@myipsla.com

To this URI, the server expects a POST containing a single JSON object under the JsonRequest input form data field, e.g.

jsonRequest={"action":"get",
"type":"Graph",
"sourcetype":"forensics",
"device":["172.21.40.250"],
"endtime":1525093847000,
"starttime":1525086647000,
"reportName":"Application Flows",
"queryid":"1525093877133_2116768245_-715183526"
}
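The request above, built and posted the way the page describes, as an added example that is not GigaFlow's own client code. It assumes the loopback endpoint the page gives, that the portalUser query parameter is the only session credential sent, and that the jsonRequest field is form-encoded; the queryid in the sample caller is a placeholder, not a real query id.

```python
import json
import urllib.parse
import urllib.request

# Endpoint given on the page; the sample assumes the server is reached on
# loopback and that portalUser is the only session credential sent.
BASE_URL = "http://127.0.0.1:7902/rest/api"


def build_forensics_request(portal_user, device, report_name,
                            start_ms, end_ms, queryid, base_url=BASE_URL):
    """Return (url, body) for one forensics 'get' request.

    Times are milliseconds since the Unix epoch, as in the page's example;
    queryid is passed through unchanged (the sample caller uses a placeholder).
    """
    if end_ms <= start_ms:
        raise ValueError("endtime must be later than starttime (ms since epoch)")
    # Only the session identity travels in the query string.
    url = base_url + "?" + urllib.parse.urlencode({"portalUser": portal_user})
    payload = {
        "action": "get",
        "type": "Graph",
        "sourcetype": "forensics",
        "device": [device],        # a list even for a single device
        "endtime": end_ms,
        "starttime": start_ms,
        "reportName": report_name,
        "queryid": queryid,
    }
    # Single form-data field, jsonRequest, holding the JSON object.
    body = urllib.parse.urlencode({"jsonRequest": json.dumps(payload)})
    return url, body.encode("ascii")


def decode_body(body):
    """Recover the JSON object from an encoded form body (for inspection)."""
    fields = urllib.parse.parse_qs(body.decode("ascii"))
    return json.loads(fields["jsonRequest"][0])


def send(url, body, timeout=30):
    """POST the request and return the raw response bytes."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    url, body = build_forensics_request("admin@myipsla.com", "172.21.40.250",
                                        "Application Flows", 1525086647000,
                                        1525093847000, "QUERYID_PLACEHOLDER")
    print(send(url, body).decode(errors="replace"))
```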

Simple reports available for forensics reporting:

"Address Pairs"
"Addresses By Dest"
"Addresses By Source"
"All Fields"
"Application Flows"
"Applications"
"ASs By Dest"
"ASs By Source"
"ASs Pairs"
"Class of Service"
"FW Event"
"FW Ext Code"
"Interface Pairs"
"Interfaces By Dest"
"Interfaces By Source"
"MAC Address Pairs"
"MAC Addresses By Dest"
"MAC Addresses By Source"
"Ports By Dest"
"Ports By Source"
"Posture"
"Protocols"
"Sessions Flows"
"Sessions With Ints"
"Sessions"
"Subnet Class A By Dest"
"Subnet Class A By Source"
"Subnet Class B By Dest"
"Subnet Class B By Source"
"Subnet Class C By Dest"
"Subnet Class C By Source"
"TCP Flags"
"URLs"
"Users"

Enhanced reports available:

"Interfaces By Source Pct" 
"Interfaces By Destination Pct"
"Applications With Flow Count" 
"Application Flows With User"
"All Fields Max FPR" 
"All Fields Avg FPR"
"Duration Max"
"Duration Avg" 
"Ports As Dest By Dest Add Popularity"
"Addresses As Sources And Dest Port By Dest Count"
"Ports As Dest By Src Add Popularity"
"Ports As Src By Dest Add Popularity"
"Ports As Src By Src Add Popularity"
"Servers As Src Address"
"Servers As Dst Address"
"Servers As Src With Ports"
"Servers As Dest With Ports" 


Key fields for each report:

"Application Flows"	srcadd, dstadd, appid
"Address Pairs"	srcadd, dstadd
"MAC Address Pairs"	srcmac, dstmac
"Interfaces By Source"	device, device||'_'||inif as difin
"Interfaces By Dest"	device, device||'_'||outif as difout
"Interface Pairs"	device, device||'_'||inif as difin, device||'_'||outif as difout
"Sessions"	srcadd, srcport, dstadd, dstport, appid
"Sessions Flows"	firstseen, srcadd, srcport, dstadd, dstport, appid, proto
"Sessions With Ints"	srcadd, srcport, inif, dstadd, dstport, outif, appid
"Protocols"	proto
"Posture"	postureid
"Applications"	appid
"URLs"	url
"Ports By Source"	srcport
"Ports By Dest"	dstport
"TCP Flags"	flags
"FW Event"	fwevent
"FW Ext Code"	fwextcode
"Class of Service"	tos
"ASs Pairs"	srcas, dstas
"ASs By Source"	srcas
"ASs By Dest"	dstas
"Users"	userid
"MAC Addresses By Source"	srcmac
"MAC Addresses By Dest"	dstmac
"Addresses By Source"	srcadd
"Subnet Class A By Dest"	dstadd-modulus(dstadd,16777216) as dstsubneta
"Subnet Class B By Dest"	dstadd-modulus(dstadd,65536) as dstsubnetb
"Subnet Class C By Dest"	dstadd-modulus(dstadd,256) as dstsubnetc
"Subnet Class A By Source"	srcadd-modulus(srcadd,16777216) as srcsubneta
"Subnet Class B By Source"	srcadd-modulus(srcadd,65536) as srcsubnetb
"Subnet Class C By Source"	srcadd-modulus(srcadd,256) as srcsubnetc
"Addresses By Dest"	dstadd
"Interfaces By Source Pct" {"difin"}, "pct_avg_in", "afirstseen"
"Interfaces By Destination Pct" {"difout"}, "pct_avg_out", "afirstseen"
"Applications With Flow Count" {"appid"}, "flowcount", "afirstseen"
"Application Flows With User" {"srcadd", "dstadd", "appid", "userid"}, "bits_avgsec", "afirstseen"
"All Fields" {}, "bits_avgsec", "afirstseen"
"All ID Fields", new int[]{reportDomainForensics}, ROS.forensicsMinDuration, reportTypeForensics
"All Fields Max FPR" {}, "maxfpr", "afirstseen"
"All Fields Avg FPR" {}, "maxfpr", "afirstseen"
"Duration Max" {}, "maxduration", "afirstseen"
"Duration Avg" {}, "avgduration", "afirstseen"
"Ports As Dest By Dest Add Popularity" {"dstport"}, "dstcount", "afirstseen"
"Addresses As Sources And Dest Port By Dest Count" {"srcadd", "dstport"}, "dstcount", "afirstseen"
"Ports As Dest By Src Add Popularity" {"dstport"}, "srccount", "afirstseen"
"Ports As Src By Dest Add Popularity" {"srcport"}, "dstcount", "afirstseen"
"Ports As Src By Src Add Popularity" {"srcport"}, "srccount", "afirstseen"
"Servers As Src Address" {"srcadd"}, "bits_avgsec", "afirstseen"
"Servers As Dst Address" {"dstadd"}, "bits_avgsec", "afirstseen"
"Servers As Src With Ports" {"srcadd", "srcport"}, "dstsavgsec", "afirstseen"
"Servers As Dest With Ports" {"dstadd", "dstport"}, "srcsavgsec", "afirstseen"

Fields available:

Application ID as selected after profiling:appid
Device ID:device
Device And Input Interface ID:device||'_'||inif as difin
Device And Output Interface ID:device||'_'||outif as difout
Destination IP Address:dstadd
Destination Class A Subnet:dstadd-modulus(dstadd,16777216) as dstsubneta
Destination Class C Subnet:dstadd-modulus(dstadd,256) as dstsubnetc
Destination Class B Subnet:dstadd-modulus(dstadd,65536) as dstsubnetb
Destination AS Number:dstas
Destination MAC Address:dstmac
Destination IP Port Number:dstport
MS Timestamp Of When Flow Record Was First Seen:firstseen
TCP Flags:flags
Forwarding Event Code:fwevent
First Packet Response:fpr
Extended Event Code:fwextcode
Input Interface ID:inif
Output Interface ID:outif
Posture ID Of Flow As Marked After Processing:postureid
IP Protocol Number:proto
Source IP Address:srcadd
Source Class A Subnet:srcadd-modulus(srcadd,16777216) as srcsubneta
Source Class C Subnet:srcadd-modulus(srcadd,256) as srcsubnetc
Source Class B Subnet:srcadd-modulus(srcadd,65536) as srcsubnetb
Source AS number:srcas
Source MAC Address:srcmac
Source IP Port:srcport
TOS/QOS Marking:tos
Text Field:url
User ID:userid
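The subnet key expressions listed above (srcadd-modulus(srcadd,16777216) and the class B and C variants) evaluated in Python, as an added example rather than GigaFlow code. It assumes srcadd/dstadd hold the IPv4 address as a 32-bit integer, so that subtracting the modulus clears the low 24, 16 or 8 bits; the helper also renders the resulting key as the /8, /16 or /24 network an analyst would read off a report.

```python
import ipaddress

# The modulus constants the field list uses, keyed by classful letter.
SUBNET_MODULUS = {"a": 16777216, "b": 65536, "c": 256}
# Equivalent prefix length for each class, used only for display.
SUBNET_PREFIX = {"a": 8, "b": 16, "c": 24}


def subnet_key(addr, cls):
    """Integer key the report groups by: addr - modulus(addr, 2**(32-prefix)).

    Assumes the address column is the 32-bit integer form of the IPv4 address.
    """
    n = int(ipaddress.IPv4Address(addr))
    return n - n % SUBNET_MODULUS[cls]


def subnet_key_as_network(addr, cls):
    """The same key rendered as a CIDR network string, e.g. '172.21.40.0/24'."""
    net = ipaddress.IPv4Address(subnet_key(addr, cls))
    return "%s/%d" % (net, SUBNET_PREFIX[cls])


def group_by_subnet(addrs, cls):
    """Group addresses the way a 'Subnet Class X By Source/Dest' report does."""
    groups = {}
    for a in addrs:
        groups.setdefault(subnet_key_as_network(a, cls), []).append(a)
    return groups


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real flow export.
    sample = ["172.21.40.250", "172.21.40.12", "172.21.41.7", "10.0.0.5"]
    for cls in "abc":
        print(cls, group_by_subnet(sample, cls))
```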