07/10/2023 08:07 PM - edited 07/10/2023 08:11 PM
I'm trying to set up Splunk integration. I've created the analytic record and created the siem-sid user with the required permissions as per the documentation.
However, I am unable to invoke fetchRuntimeControlsDataV2 API to fetch data.
Endpoint: {{url}}/ECM/v5/fetchRuntimeControlsDataV2
Body:
07/10/2023 11:05 PM
Hi @gabe_ung ,
Are you able to fetch expected data when you run the analytics from Saviynt UI?
Can you paste the query and analytic configuration screenshot here please.
For Splunk integration you can also try the add-on feature provided.
Splunk Integration Guide
Thanks,
Smitha
07/10/2023 11:28 PM
Hi Smitha,
Yes, when I run the analytic from the Saviynt UI it returns 11 records.
The SQL query I used in the analytic configuration is the one outlined in the documentation: https://docs.saviyntcloud.com/bundle/Splunk-Guide/page/Content/Understanding-the-Integration-between...
Cheers,
Gabe
07/11/2023 12:33 AM
Try adding the analytics under the SAV role which is assigned to the siem-sid user.
07/11/2023 04:09 AM
Hi,
Already tried that, it made no difference
07/10/2023 11:06 PM - edited 07/10/2023 11:08 PM
Hi @gabe_ung ,
Can you try the URL : {URL}/ECM/api/v5/fetchRuntimeControlsDataV2
The path parameter in your URL seems to be incorrect.
Ref: Saviynt SIEM Integration (saviyntcloud.com)
Thanks,
Armaan
07/10/2023 11:30 PM
When I use URL: {URL}/ECM/api/v5/fetchRuntimeControlsDataV2, I receive status: 401
Regards,
Gabe
07/10/2023 11:37 PM
Hi @gabe_ung ,
Can you refresh the auth api token and then invoke the analytics api using the above URL ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2).
The sample body that can be passed is:
07/11/2023 05:46 PM
Hi @armaanzahir ,
I have refreshed the auth api token then invoked the analytic api using URL: ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2)
There are two problems:
1. The analytics I created doesn't return any data when I run it in the Saviynt UI
2. When I substitute with an analytic that does return data I still receive status 412
A colleague tested this in our own SSM tenant and got it to work. I just can't get it to work on my client's tenant.
Cheers,
Gabe
07/11/2023 11:22 PM
Can you share postman screenshot
07/12/2023 12:07 AM
Hi Rushikeshvartak,
Good news - I get data when running the analytic in the Saviynt UI.
Please see Postman screenshot below, URL: ({URL}/ECM/api/v5/fetchRuntimeControlsDataV2)
07/12/2023 01:04 AM
Hi @gabe_ung ,
The response message mentions that the analytics id is not found. Can you confirm if the analytics created is a V2 runtime analytic.
Can you try using the analyticsname instead of analytics id in your request body:
07/12/2023 03:54 PM
Hi Armaan,
I can confirm that the analytics created is a V2, I can see it in the Analytics History V2 runtime analytic
I have tried with both the analyticsname and the analyticsid in the body, I receive the same response.
Cheers,
Gabe
07/12/2023 09:43 PM
I hope you are running on the correct instance.
Can you share a screenshot from Data Analyzer for the report name & key?
07/12/2023 10:18 PM
I managed to find the report name in analyticsconfiges.
Cheers,
Gabe
07/12/2023 11:14 PM - edited 07/12/2023 11:15 PM
Hi @gabe_ung ,
I see analytics type=2, I believe for runtime analytics the value should be 5.
Can you try creating a new analytics
Create new analytics > Runtime analytics
Thanks,
07/13/2023 03:26 PM
Hi Smitha,
I recreated the analytic as Runtime Analytic, I get the same response. I don't know what I am missing.
Regards,
Gabe
07/13/2023 04:19 PM
By "same response" you mean the garbled html content on 200 or the 401 return code?
If 401, make sure the SAV role assigned to your account has the right privilege over the endpoint you want to access
07/13/2023 05:27 PM
I get the same 412 return code.
The privileges have been assigned to my SAV role as per the documentation: Saviynt SIEM Integration (saviyntcloud.com)
I added an additional Feature Access to the SAV role: Analytics Configuration
07/13/2023 07:36 PM
Try below body
07/13/2023 11:06 PM
Same response, Status: 412
07/14/2023 05:40 AM
Are you able to see your analytic when calling api/v5/fetchControlListES?
07/16/2023 04:10 PM
I am able to see the analytic when calling api/v5/fetchControlListES
07/17/2023 02:44 AM
Thank you to everyone who replied to this thread.
I managed to create an analytic and received the expected response. I created an ES Runtime analytic using the same SQL query outlined in the Saviynt documentation: Saviynt SIEM Integration (saviyntcloud.com)
Type of analytic created, Runtime Analytic:
SQL Query:
select ua.TYPEOFACCESS as 'Object Type', ua.ActionType as 'Action Taken', u.username as 'Accessed By',
       ua.IPADDRESS as 'IP Address', ua.ACCESSTIME as 'Event Time', ua.DETAIL as 'Message'
from users u, userlogin_access ua, userlogins l
where l.loginkey = ua.LOGINKEY
  and l.USERKEY = u.userkey
  and ua.AccessTime >= (NOW() - INTERVAL ${timeFrame} Minute)
  and ua.Detail is not NULL
Method: POST
Path: api/v5/fetchRuntimeControlsDataV2
Body:
However, I am unable to get the expected response when I create an analytic using a SQL query. I always receive response status 412. It isn't clear in the documentation which analytic should be created for the SIEM (Splunk) integration.
I need to hand these APIs to the Splunk team once I have finished the integration.
I would like to know:
Cheers,
Gabe
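As an added example (not code from this thread, from Saviynt, or from the Splunk add-on), here is a small Python client that encodes the troubleshooting steps the thread arrived at: the endpoint path must be /ECM/api/v5/fetchRuntimeControlsDataV2 (the first post used /ECM/v5/ without the api segment), a 401 means the token or the SAV role privilege is the problem, a 412 means the named analytic was not found on that tenant (wrong name or id, wrong instance, or not an ES runtime analytic), and a 200 can still carry an HTML page instead of JSON. The login endpoint (/ECM/api/login returning access_token), the request body shape (analyticsname plus an attributes map that feeds the ${timeFrame} placeholder in the analytic's SQL), and the analytic name SIEM_Logins are assumptions, not things the thread confirms. The HTTP transport is injected so the helper can be exercised offline; in production pass a thin wrapper around requests.post.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

ANALYTICS_PATH = "/ECM/api/v5/fetchRuntimeControlsDataV2"  # path confirmed in the thread
LOGIN_PATH = "/ECM/api/login"                                # assumption: Saviynt token endpoint


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus raw body text."""
    status: int
    text: str


# A transport is any callable (url, headers, json_body) -> Response.
# Wrap requests.post for real use; the offline test injects a fake one.
Transport = Callable[[str, Dict[str, str], dict], Response]


def analytics_url(base_url: str) -> str:
    """Build the endpoint URL from the tenant base URL."""
    return base_url.rstrip("/") + ANALYTICS_PATH


def diagnose_path(url: str) -> Optional[str]:
    """Return a message if the URL path is not the one the API actually serves, else None."""
    path = urlsplit(url).path
    if path == ANALYTICS_PATH:
        return None
    if path.startswith("/ECM/v5/"):
        return "path is missing the 'api' segment: expected /ECM/api/v5/..."
    return f"unexpected path {path!r}; expected {ANALYTICS_PATH}"


def classify(resp: Response) -> str:
    """Map the status codes seen in the thread onto the next troubleshooting step."""
    if resp.status == 200:
        return "ok"
    if resp.status == 401:
        return "reauth"          # token expired/invalid, or SAV role lacks the endpoint privilege
    if resp.status == 412:
        return "check_analytic"  # analytic not found: name/id, tenant, or not an ES runtime analytic
    return "unexpected"


def login(base_url: str, username: str, password: str, post: Transport) -> str:
    """Obtain a bearer token. Assumption: POST /ECM/api/login with {"username","password"}
    returns JSON containing "access_token"."""
    resp = post(base_url.rstrip("/") + LOGIN_PATH,
                {"Content-Type": "application/json"},
                {"username": username, "password": password})
    if resp.status != 200:
        raise RuntimeError(f"login failed with HTTP {resp.status}")
    return json.loads(resp.text)["access_token"]


def fetch_runtime_controls(base_url: str, token: str, analyticsname: str,
                           time_frame_minutes: int, post: Transport,
                           refresh: Optional[Callable[[], str]] = None) -> Tuple[str, Optional[dict]]:
    """Call fetchRuntimeControlsDataV2 once; on 401, refresh the token (if a refresh
    callable is given) and retry exactly once. Returns (step, parsed_json_or_None).
    Body shape is an assumption: analyticsname plus an attributes map supplying ${timeFrame}."""
    url = analytics_url(base_url)
    body = {"analyticsname": analyticsname,
            "attributes": {"timeFrame": str(time_frame_minutes)}}

    def call(tok: str) -> Response:
        return post(url, {"Authorization": f"Bearer {tok}",
                          "Content-Type": "application/json"}, body)

    resp = call(token)
    step = classify(resp)
    if step == "reauth" and refresh is not None:
        resp = call(refresh())
        step = classify(resp)
    if step != "ok":
        return step, None
    try:
        return step, json.loads(resp.text)
    except json.JSONDecodeError:
        # A 200 carrying an HTML page instead of JSON is the "garbled html content" case
        return "html_on_200", None
```

Run diagnose_path on the URL you have configured before anything else; it catches the /ECM/v5/ mistake from the first post without sending a request. When the step comes back as check_analytic, confirm the analytic appears in api/v5/fetchControlListES on the same tenant before touching roles or tokens.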
07/17/2023 02:58 AM
Hi @gabe_ung ,
Thanks,
Armaan
07/17/2023 09:24 PM