Saviynt Forums

flegare · ‎05/01/2023

Use case is to generate Analytics for integration with SIEM (MS Sentinel)

Documentation is requesting to create a "runtime analytics control (V2) using an SQL query".

In v23.3, when creating a new Analytics, I can either select SQL, Data Query or Runtime.

When creating a Runtime Analytics, I can successfully post to the api/v5/fetchRuntimeControlsData endpoint. When posting to api/v5/fetchRuntimeControlsDataV2, I constantly get a "412 Precondition Failed" error.

User has access to both endpoints. Removing access to fetchRuntimeControlsDataV2 does trigger the expected 403 error. 412 error is also returned for administrator access.

Is there any reason the SIEM would absolutely need v2 and if yes, what am I missing?

RakeshMG · ‎05/02/2023

Could you please share the body of API call used in fetchRuntimeControlsDataV2

Regards

Rakesh M Goudar

flegare · ‎05/02/2023

Hi @RakeshMG ,

Here it is:

{

"analyticsname": "SIEM Integration",

"max": "100",

"offset": "0",

"attributes": {

"timeFrame": "1"

}

RakeshMG · ‎05/02/2023

Could you please try passing analyticsid and let us know the results.

Regards

Rakesh M Goudar

flegare · ‎05/02/2023

Hi @RakeshMG

This is where it gets weirder, I didn't know the analyticsid. When querying for all analytics through APIs using any criteria, I cannot retrieve this item.

I am able to get the analyticsid from data analyzer though. I managed to find it under analyticsconfig (and not analyticsconfiges).

That being said, I am getting the same result with analyticsid:

Thanks a lot!

flegare · ‎05/03/2023

This is solved, issue was at my end. Analytics was not created as ES to begin with.

Lesson learned...

Thanks for your help, it was greatly appreciated!

Saviynt Forums

SIEM Integration - fetchRuntimeControlsDataV2