Open alevere opened 3 years ago
I agree with the query. Is it IDS specific or should we make a 'logging profile'? Would the command be very common to packet filters and EDR and ...? Then the other APs could extend it if they have specific AP-specific details (particularly in the responses). I'm also ok with putting it in each AP but I prefer smaller profiles if there is commonality.
I would like to propose a command to retrieve the system logs over the last hour:
```json
{
  "action": "query",
  "target": { "properties": ["events"] },
  "args": {
    "ids": { "type": "system", "start": "1615304941", "end": "1615391341", "limit": 50 }
  }
}
```
```json
{
  "status": 200,
  "results": {
    "events": [ "first system log here", "second event set here", "third event set here" ]
  }
}
```
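As an added illustration (not code from the thread or from any OpenC2 profile), the following Python builds the proposed `query events` command for a trailing time window, checks an incoming command against that shape, and parses the proposed response while rejecting replies that exceed the requested `limit`. It assumes, as the values in the post suggest, that `start` and `end` are epoch seconds carried as strings, and that the function names are hypothetical.

```python
import json

# Constructed example for the command/response shape proposed above.

def build_system_log_query(now_epoch: int, window_seconds: int = 3600, limit: int = 50) -> dict:
    """Build the proposed command for 'system' logs in the trailing window."""
    if window_seconds <= 0 or limit <= 0:
        raise ValueError("window and limit must be positive")
    return {
        "action": "query",
        "target": {"properties": ["events"]},
        "args": {"ids": {"type": "system", "start": str(now_epoch - window_seconds),
                         "end": str(now_epoch), "limit": limit}},
    }

def validate_query(cmd: dict) -> list:
    """Return a list of problems found in a received command (empty if well formed)."""
    problems = []
    if cmd.get("action") != "query":
        problems.append("action must be 'query'")
    if cmd.get("target", {}).get("properties") != ["events"]:
        problems.append("target.properties must be ['events']")
    ids = cmd.get("args", {}).get("ids", {})
    for key in ("type", "start", "end", "limit"):
        if key not in ids:
            problems.append(f"args.ids.{key} missing")
    if problems:
        return problems
    try:
        start, end = int(ids["start"]), int(ids["end"])
    except (TypeError, ValueError):
        problems.append("start/end must be epoch integers")
    else:
        if start >= end:  # a reversed or empty window is a consumer-side error
            problems.append("start must be before end")
    if not isinstance(ids["limit"], int) or ids["limit"] <= 0:
        problems.append("limit must be a positive integer")
    return problems

def parse_response(raw: str, limit: int) -> list:
    """Parse the proposed response; only accept a string list no longer than limit."""
    msg = json.loads(raw)
    if msg.get("status") != 200:
        raise ValueError(f"consumer returned status {msg.get('status')}")
    events = msg.get("results", {}).get("events")
    if not isinstance(events, list) or not all(isinstance(e, str) for e in events):
        raise ValueError("results.events must be a list of strings")
    if len(events) > limit:
        raise ValueError("consumer returned more events than requested")
    return events
```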