
Invoking fetchRuntimeControlsDataV2

gabe_ung
New Contributor III

I'm trying to set up Splunk integration.  I've created the analytic record and created the siem-sid user with the required permissions as per the documentation.

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter20-EIC-Integrations/Saviynt-...

However, I am unable to invoke fetchRuntimeControlsDataV2 API to fetch data.

Endpoint: {{url}}/ECM/v5/fetchRuntimeControlsDataV2

Body:

{
    "analyticsname":"Splunk Audit Log Analytics",
    "attributes":{
        "timeframe":"10"
    }
}
 
Response: 
[Screenshot: api_response.jpg]
 
It isn't the response I expect to get, I've also tried analyticsid - same response.

 


smitg
Regular Contributor III

Hi @gabe_ung ,

Are you able to fetch expected data when you run the analytics from Saviynt UI? 

Can you paste the query and analytic configuration screenshot here please.

For Splunk Integration you can also try the add-on feature provided.
Splunk Integration Guide 

Thanks,
Smitha

 

gabe_ung
New Contributor III

Hi Smitha,

Yes, when I run the analytic from the Saviynt UI it returns 11 records.  

The SQL query I used in the analytic configuration is the one outlined in the documentation: https://docs.saviyntcloud.com/bundle/Splunk-Guide/page/Content/Understanding-the-Integration-between...

[Screenshot: analytic_query.jpg]

Cheers,
Gabe

smitg
Regular Contributor III

Try adding the Analytics under the SAV role which is assigned to the siem-sid user.

gabe_ung
New Contributor III

Hi,

Already tried that, it made no difference

armaanzahir
Valued Contributor

Hi @gabe_ung ,

 

Can you try the URL : {URL}/ECM/api/v5/fetchRuntimeControlsDataV2

The path parameter in your URL seems to be incorrect.

[Screenshot: armaanzahir_0-1689055689092.png]

Ref: Saviynt SIEM Integration (saviyntcloud.com)

Thanks,

Armaan

Regards,
Md Armaan Zahir

gabe_ung
New Contributor III

When I use URL: {URL}/ECM/api/v5/fetchRuntimeControlsDataV2, I receive status: 401

Regards,
Gabe

Hi @gabe_ung ,

Can you refresh the auth api token and then invoke the analytics api using the above URL ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2).

The sample body that can be passed is:

{
    "requestor": "SIEM_User",
    "analyticsname": "Splunk SIEM Audit Capture Logs",
    "analyticsid": "1495",
    "attributes": {
        "timeFrame": "10000"
    }
}
 
Thanks,
Armaan
Regards,
Md Armaan Zahir

gabe_ung
New Contributor III

Hi @armaanzahir ,

I have refreshed the auth api token then invoked the analytic api using URL: ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2)

There are two problems:

1. The analytics I created doesn't return any data when I run it in the Saviynt UI

2. When I substitute with an analytic that does return data I still receive status 412

A colleague tested this in our own SSM tenant and got it to work.  I just can't get it to work on my client's tenant.

Cheers,
Gabe

Can you share a Postman screenshot?


Regards,
Rushikesh Vartak

Hi Rushikeshvartak,

Good news - I get data when running the analytic in the Saviynt UI.

Please see Postman screenshot below, URL: ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2)

[Screenshot: fetchRuntimeControlsDataV2.jpg]

armaanzahir
Valued Contributor

Hi @gabe_ung ,

The response message mentions that the analytics id is not found. Can you confirm whether the analytic created is a V2 runtime analytic?

Can you try using the analyticsname instead of analytics id in your request body:

 
{
    "analyticsname": "Splunk SIEM Audit Capture Logs",
    "attributes": {
        "timeFrame": "10000"
    }
}
 
If this does not work, then there might be an issue with the runtime analytic query definition.
 
Thanks,
Armaan
Regards,
Md Armaan Zahir

gabe_ung
New Contributor III

Hi Armaan,

I can confirm that the analytic created is a V2; I can see it in the Analytics History V2 runtime analytic.

I have tried with both the analyticsname and the analyticsid in the body, I receive the same response.

[Screenshot: api_response_2.jpg]

Cheers,
Gabe

Hope you are running on the correct instance.

 

Can you share a screenshot from Data Analyzer for the report name & key?


Regards,
Rushikesh Vartak

I managed to find the report name in analyticsconfiges.

[Screenshot: data_analyser.jpg]

Cheers,
Gabe

smitg
Regular Contributor III

Hi @gabe_ung ,

I see analytics type=2, I believe for runtime analytics the value should be 5.

Can you try creating a new analytic:
Create new analytics > Runtime analytics

[Screenshot: smitg_4-1689228872391.png]

 

 

Thanks,
Smitha

 

gabe_ung
New Contributor III

Hi Smitha,

I recreated the analytic as Runtime Analytic, I get the same response.  I don't know what I am missing.

Regards,
Gabe

flegare
Regular Contributor III

By "same response" do you mean the garbled HTML content on 200 or the 401 return code?

If 401, make sure the SAV role assigned to your account has the right privilege over the endpoint you want to access

gabe_ung
New Contributor III

I get the same 412 return code.

[Screenshot: gabe_ung_1-1689294448515.png]

The privileges have been assigned to my SAV role as per the documentation: Saviynt SIEM Integration (saviyntcloud.com)

I added an additional Feature Access to the SAV role: Analytics Configuration

Try the below body (the JSON as originally pasted was missing the colons between keys and values):

{
    "requestor": "admin",
    "analyticsname": "Saviynt-Audit Logs",
    "analyticsid": "1858",
    "attributes": {
        "timeFrame": "10"
    },
    "max": "10",
    "offset": "15"
}

Regards,
Rushikesh Vartak

Same response, Status: 412

[Screenshot: gabe_ung_0-1689314765156.png]

 

flegare
Regular Contributor III

Are you able to see your analytic when calling api/v5/fetchControlListES ?

gabe_ung
New Contributor III

I am able to see the analytic when calling api/v5/fetchControlListES

[Screenshot: gabe_ung_0-1689549011488.png]

 

gabe_ung
New Contributor III

Thank you to everyone who replied to this thread.

I managed to create an analytic and received the expected response.  I created an ES Runtime analytic using the same SQL query outlined in the Saviynt documentation: Saviynt SIEM Integration (saviyntcloud.com)

Type of analytic created, Runtime Analytic:

[Screenshot: gabe_ung_0-1689586188478.png]

SQL Query:
select ua.TYPEOFACCESS as 'Object Type',
       ua.ActionType as 'Action Taken',
       u.username as 'Accessed By',
       ua.IPADDRESS as 'IP Address',
       ua.ACCESSTIME as 'Event Time',
       ua.DETAIL as 'Message'
from users u, userlogin_access ua, userlogins l
where l.loginkey = ua.LOGINKEY
  and l.USERKEY = u.userkey
  and ua.AccessTime >= (NOW() - INTERVAL ${timeFrame} Minute)
  and ua.Detail is not NULL

Method: POST

Path: api/v5/fetchRuntimeControlsDataV2

Body: 

{
    "analyticsname":"Test Audit Log",
    "analyticsid":"1485",
    "attributes":{
        "timeFrame":"30"
    },
     "max":"10",
    "offset":"15"
}
 
Response:
[Screenshot: gabe_ung_1-1689586741091.png]

However, I am unable to get the expected response when I create an analytic using SQL query.  I always receive the response status 412.  It isn't clear in the documentation which analytic should be created for SIEM (Splunk) integration.

I need to hand these APIs to the Splunk team, as I have finished the integration.

I would like to know:

  1. What is the difference between Runtime and SQL query analytic?
  2. Why does Runtime work and SQL query not work (both should work)?
  3. Which is the correct analytic to create for Splunk integration, Runtime or SQL query analytic?

Cheers,
Gabe
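The procedure the post above arrives at (a Runtime analytic whose SQL takes ${timeFrame}, invoked with POST against api/v5/fetchRuntimeControlsDataV2 and a body carrying analyticsname/analyticsid, attributes.timeFrame, max and offset), and the 401/412/garbled-200 failure modes met along the way, as an added example in Python. This is not code from the thread or from Saviynt. Only the path, method and body shape are taken from the thread; the tenant URL is a placeholder, the token endpoint /ECM/api/login with a username/password body returning access_token is an assumption about what "refresh the auth api token" refers to, and the Bearer header is an assumption. The HTTP transport is injectable so the logic can be exercised offline with a fake.

```python
# Added example, not code from the thread or from Saviynt. Assumptions:
#   - BASE (tenant host) is a placeholder
#   - /ECM/api/login with {"username","password"} returning "access_token"
#   - the token goes in "Authorization: Bearer <token>"
import json
import urllib.error
import urllib.request

RUNTIME_PATH = "/ECM/api/v5/fetchRuntimeControlsDataV2"  # note the /api/ segment
LOGIN_PATH = "/ECM/api/login"                              # assumed token endpoint


class SaviyntApiError(Exception):
    """Non-success answer, with a hint drawn from the failure modes in the thread."""

    def __init__(self, status, hint):
        super().__init__(f"HTTP {status}: {hint}")
        self.status = status
        self.hint = hint


def build_runtime_body(analyticsname, analyticsid=None, time_frame_minutes=30,
                       max_rows=10, offset=0):
    """Body for fetchRuntimeControlsDataV2.

    The attribute key is case-sensitive ("timeFrame", matching ${timeFrame} in the
    analytic's SQL). That value is substituted into the query server-side, so the
    client only accepts a positive integer number of minutes.
    """
    if (isinstance(time_frame_minutes, bool) or not isinstance(time_frame_minutes, int)
            or time_frame_minutes <= 0):
        raise ValueError("timeFrame must be a positive integer (minutes)")
    body = {
        "analyticsname": analyticsname,
        "attributes": {"timeFrame": str(time_frame_minutes)},
        "max": str(max_rows),
        "offset": str(offset),
    }
    if analyticsid is not None:
        body["analyticsid"] = str(analyticsid)
    return body


def urllib_transport(url, headers, data):
    """POST `data` to `url`; return (status, raw_body) even for HTTP error codes."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(base_url, username, password, transport=urllib_transport):
    """Obtain a fresh API token (assumed endpoint and response field)."""
    status, raw = transport(
        base_url.rstrip("/") + LOGIN_PATH,
        {"Content-Type": "application/json"},
        json.dumps({"username": username, "password": password}).encode(),
    )
    if status != 200:
        raise SaviyntApiError(status, "login failed; check the siem-sid credentials")
    return json.loads(raw)["access_token"]


def fetch_runtime_controls(base_url, token, body, transport=urllib_transport):
    """Call the runtime analytics endpoint; map the thread's failures to errors."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    status, raw = transport(base_url.rstrip("/") + RUNTIME_PATH, headers,
                            json.dumps(body).encode())
    if status == 401:
        raise SaviyntApiError(status, "token expired/invalid, or the SAV role lacks "
                                      "the fetchRuntimeControlsDataV2 privilege")
    if status == 412:
        raise SaviyntApiError(status, "analytic not found on this tenant, or it is not "
                                      "a Runtime analytic (plain SQL-query analytics "
                                      "cannot be invoked through this endpoint)")
    if status != 200:
        raise SaviyntApiError(status, raw.decode("utf-8", "replace")[:200])
    try:
        return json.loads(raw)
    except ValueError:
        # A 200 carrying HTML instead of JSON is what the wrong path
        # (/ECM/v5/... without /api/) produced in the thread.
        raise SaviyntApiError(status, "non-JSON body; check the request path")


if __name__ == "__main__":
    BASE = "https://tenant.example.com"  # placeholder tenant
    tok = get_token(BASE, "siem-sid", "change-me")
    print(fetch_runtime_controls(BASE, tok,
                                 build_runtime_body("Test Audit Log", 1485, 30, 10, 15)))
```

When handing this to a SIEM team, keep the siem-sid credentials out of the script (environment variable or secrets store), keep that account's SAV role limited to the analytics endpoints it needs, and treat a 412 as a configuration problem (wrong tenant, wrong id, or a non-Runtime analytic) rather than a reason to retry.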

 

Hi @gabe_ung ,

 

  1. What is the difference between Runtime and SQL query analytic? - A runtime analytic is necessary to evaluate and send out a report during real-time application processing. A SQL query analytic, however, does not require runtime parameters and can be created using conditions that need no runtime parameters supplied to it.
  2. Why does Runtime work and SQL query not work (both should work)? The API invoked is a runtime analytics API, which needs runtime parameters; in your case that is 'timeframe', the parameter that decides your result set at run time. Normal SQL-query-based analytics can't be invoked using the Runtime API.
  3. Which is the correct analytic to create for Splunk integration, Runtime or SQL query analytic? Runtime Analytics, if you require the flexibility to define the 'timeframe' in your runtime API call.

Thanks,

Armaan

Regards,
Md Armaan Zahir

gabe_ung
New Contributor III

Hi @armaanzahir ,

Thank you for answering my questions, I appreciate your efforts.

Cheers,
Gabe