Open A1337CBS opened 2 years ago
Hello @A1337CBS

I admit I'm unsure about this. There is a test case for the GroupEventManager, so I doubt there is a major bug in this logic; it works with other fields, right?

Did you try replacing `self.field = self.get_field_nickname(field)` with `self.field = field`?

Is there any chance the "New_Value" field simply doesn't support grouping?
Describe

When trying to call the GroupEventManager API with SIEM nicknames, such as with the code below, an error is thrown saying "EVENT Field not supported". Checking the code for event.py on line 566, I see that the `self.get_field_nickname(field)` method is being called. Shouldn't it rather be the other way around, trying to get the original internal McAfee name instead of the nickname?

Code link: https://github.com/mfesiem/msiempy/blob/e5a4f34a060b77ce0ca9fecdccfc6266802f4455/msiempy/event.py#L566
Full error message

```
Error with method (v2/qryExecuteGrouped?queryType=EVENT) and data : {'config': {'filters': [{'type': 'EsmFieldFilter', 'field': {'name': 'IPSID'}, 'operator': 'IN', 'values': [{'type': 'EsmBasicValue', 'value': '144125089401536512'}, {'type': 'EsmBasicValue', 'value': '144125084385148928'}, {'type': 'EsmBasicValue', 'value': '144125089418313728'}, {'type': 'EsmBasicValue', 'value': '144125089435090944'}]}], 'field': {'name': 'New_Value'}, 'timeRange': 'CURRENT_DAY'}}. From requests.HTTPError 400 Client Error: 400 for url: https://SIEM_IP/rs/esm/v2/qryExecuteGrouped?queryType=EVENT Field not supported: New_Value"
```
Code

```python
import pprint
from msiempy.event import GroupedEventManager, FieldFilter  # both classes live in the linked event.py

# Grouped query over the current day, grouped on the internal field name Alert.4259885
query = GroupedEventManager(
    time_range='CURRENT_DAY',
    field="Alert.4259885",
    filters=[
        FieldFilter("IPSID", ["144125089401536512", "144125084385148928",
                              "144125089418313728", "144125089435090944"]),  # 'SrcIP', 'AlertID',
        FieldFilter("Alert.Action", ["11", "12"]),
    ],
)
query.load_data()
# Sort groups by event count, highest first, and keep the top 10
results = list(reversed(sorted(query, key=lambda k: int(k['SUM(Alert.EventCount)']))))
top10 = results[:10]
pprint.pprint(top10)
```
SIEM and msiempy versions:
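The report shows the client placing the SIEM nickname (`New_Value`) in the grouped query's `field` although the caller passed the internal name `Alert.4259885`, and the ESM rejecting it. The following standalone helper, added here as an illustration and not code from msiempy or from this issue, resolves either spelling to the internal name before building the `qryExecuteGrouped` body shown in the error, and refuses names it cannot resolve rather than letting the server reject them. The nickname table and the function names are constructed for this example; only the `Alert.4259885` / `New_Value` pair and the payload layout come from the report.

```python
from typing import Dict, List

# Constructed mapping internal name -> nickname (an assumption, not msiempy's own table).
FIELD_NICKNAMES: Dict[str, str] = {
    "Alert.4259885": "New_Value",
    "Alert.SrcIP": "SrcIP",
    "Alert.AlertID": "AlertID",
}
# Reverse lookup so a nickname can be turned back into the internal name the ESM expects.
INTERNAL_BY_NICKNAME: Dict[str, str] = {nick: internal for internal, nick in FIELD_NICKNAMES.items()}


def resolve_internal_name(field: str) -> str:
    """Return the internal ESM field name for either an internal name or a nickname."""
    if field in FIELD_NICKNAMES:
        return field
    if field in INTERNAL_BY_NICKNAME:
        return INTERNAL_BY_NICKNAME[field]
    # Fail locally instead of sending a name the ESM will answer with "Field not supported".
    raise ValueError(f"unknown field {field!r}; refusing to send it to the ESM")


def build_grouped_query(field: str, ipsids: List[str], time_range: str = "CURRENT_DAY") -> dict:
    """Build the 'config' body for v2/qryExecuteGrouped?queryType=EVENT, as seen in the error."""
    return {
        "config": {
            "filters": [{
                "type": "EsmFieldFilter",
                "field": {"name": "IPSID"},
                "operator": "IN",
                "values": [{"type": "EsmBasicValue", "value": v} for v in ipsids],
            }],
            # The grouping field is always sent by its internal name, never by its nickname.
            "field": {"name": resolve_internal_name(field)},
            "timeRange": time_range,
        }
    }


if __name__ == "__main__":
    # Constructed sample input: the IPSIDs quoted in the report, grouped on the nickname.
    body = build_grouped_query("New_Value", ["144125089401536512", "144125084385148928"])
    print(body["config"]["field"])  # {'name': 'Alert.4259885'}
```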