05/01/2023 02:04 PM - edited 05/01/2023 02:04 PM
The use case is to generate Analytics for integration with a SIEM (MS Sentinel).
The documentation is requesting to create a "runtime analytics control (V2) using an SQL query".
In v23.3, when creating a new Analytics, I can either select SQL, Data Query or Runtime.
When creating a Runtime Analytics, I can successfully post to the api/v5/fetchRuntimeControlsData endpoint. When posting to api/v5/fetchRuntimeControlsDataV2, I constantly get a "412 Precondition Failed" error.
The user has access to both endpoints. Removing access to fetchRuntimeControlsDataV2 does trigger the expected 403 error. The 412 error is also returned for administrator access.
Is there any reason the SIEM would absolutely need v2 and if yes, what am I missing?
05/02/2023 03:14 AM
Could you please share the body of the API call used in fetchRuntimeControlsDataV2?
05/02/2023 05:06 AM
Hi @RakeshMG,
Here it is:
05/02/2023 05:35 AM
Could you please try passing analyticsid and let us know the results?
05/02/2023 05:55 AM
Hi @RakeshMG,
This is where it gets weirder: I didn't know the analyticsid. When querying for all analytics through the APIs using any criteria, I cannot retrieve this item.
I am able to get the analyticsid from the data analyzer though. I managed to find it under analyticsconfig (and not analyticsconfiges).
That being said, I am getting the same result with analyticsid:
Thanks a lot!
05/03/2023 08:36 AM - edited 05/03/2023 12:21 PM
This is solved; the issue was at my end. The Analytics was not created as ES to begin with.
Lesson learned...
Thanks for your help, it was greatly appreciated!