Using the Notification API
Applies To
General API Parameters
Request API Parameters
Polling API Parameters
Results API Parameters
Sample XML Output
XML Schema
Sample Code
Sample XML Input File
Querying Incidents for the Last 2 Hours
Sample Python Script
Applies To
Enterprise and multitenant deployments.
General API Parameters
| Item | Description |
|---|---|
| Methodology | REST API based: make an HTTP(S) request with an input XML; an output XML is returned. Because the number of returned results can be large, the requester first gets the total number of results and then fetches the results one chunk at a time. |
Request API Parameters
| Item | Description |
|---|---|
| Input URL | https:// |
| Input Parameters | XML file containing the query parameters |
| Input Credentials | Enterprise deployments: username and password of any AccelOps account. Multitenant deployments: username and password of the Super account to get incidents for all organizations; to get incidents for a specific organization, an organization-specific account and the organization name are needed. |
| Output | queryId, or an error code if there is a problem handling the query or the query format |
Polling API Parameters
The request will poll until the server completes the query.

| Item | Description |
|---|---|
| Input URL | https:// |
| Output | progress (pct). Keep polling until progress reaches 100, at which point the server has completed the query; the server may need to aggregate the results or insert meta-information before sending them. |
Results API Parameters
| Item | Description |
|---|---|
| Input URL | https:// |
| Output | totalCount (first call) and an XML containing the incident attributes. For the first call, begin = 0 and end can be 1000. Keep querying the same URL, increasing begin and end, until totalCount is reached. |
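The three-step flow above (submit the query, poll until progress is 100, then page through the results by raising begin/end until totalCount is reached) as an added Python example; it is not AccelOps code nor the sample script the page refers to. Because the page elides the URLs and never shows the poll or result bodies, the HTTP transport is left to the caller as callables and every response parser is a labelled assumption to adapt to the real server.

```python
"""AccelOps Notification API flow: submit query, poll to 100 %, page results.
Added example, not AccelOps code. The document elides the URLs ("https://") and
never shows the poll or result bodies, so each parser encodes a marked assumption."""
import re
import time
import xml.etree.ElementTree as ET
CHUNK = 1000  # document: first call uses begin=0, end=1000

def parse_submit_response(body: str) -> str:
    # Assumption: success returns a bare queryId token; anything else is an error code.
    token = body.strip()
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise RuntimeError(f"query rejected, server returned: {token!r}")
    return token

def parse_progress(body: str) -> int:
    # Assumption: the polling endpoint answers with the percentage as plain text.
    pct = int(body.strip())
    if not 0 <= pct <= 100:
        raise ValueError(f"progress out of range: {pct}")
    return pct

def wait_until_complete(poll, interval: float = 2.0, max_polls: int = 300) -> int:
    """Poll until progress reaches 100; cap the loop so a stuck query fails loudly."""
    for attempt in range(1, max_polls + 1):
        if parse_progress(poll()) >= 100:
            return attempt
        time.sleep(interval)
    raise TimeoutError(f"query still incomplete after {max_polls} polls")

def fetch_all_incidents(fetch, chunk: int = CHUNK) -> list:
    """Raise begin/end by one chunk per call until totalCount is reached.
    Assumption: totalCount is a root attribute and results are <incident> elements."""
    incidents, total, begin = [], None, 0
    while total is None or begin < total:
        end = begin + chunk
        root = ET.fromstring(fetch(begin, end))
        if total is None:  # totalCount is only reported on the first call
            total = int(root.get("totalCount", "0"))
        incidents.extend(dict(el.attrib) for el in root.iter("incident"))
        begin = end
    return incidents

def fake_results_endpoint(total: int):
    """Constructed in-memory stand-in for the results URL, for offline testing."""
    def fetch(begin: int, end: int) -> str:
        rows = "".join(f'<incident incidentId="{i}" severity="{i % 10}"/>'
                       for i in range(begin, min(end, total)))
        return f'<incidents totalCount="{total}">{rows}</incidents>'
    return fetch
```

With a real deployment, `poll` and `fetch` would wrap the polling and results URLs with the same credentials used for the submit request.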
Sample XML Output
XML Schema
The AccelOps AONotification.xsd file shows the XML schema for incident notifications.
Sample Code
Sample XML Input File
Sample Python Script
| Script | Usage |
|---|---|
| Sample Query (GetIncidentsByOrg.py) | `python GetIncidentsByOrg.py 172.16.20.210 "super/admin" "admin*1" SoftwareAB` |

The Super user must be stated explicitly in organization/user format, for example "super/admin" instead of just "admin".
External Help desk / CMDB Integration
Currently AccelOps has built-in support for ServiceNow and ConnectWise for CMDB and two-way incident integration. Other systems can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI document, which is available on the AccelOps support portal under the AccelOps ServiceAPI section.
External Threat Intelligence Integration
New external threat intelligence websites can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI document, which is available on the AccelOps support portal under the AccelOps ServiceAPI section.
License Registration
Worker registration
Collector registration
AccelOps License registration
Worker registration
| Item | Description |
|---|---|
| Methodology | Run this command to add or delete a Worker from Super. |
| Usage | Command located at /opt/phoenix/deployment/jumpbox; run it from Super. Add a Worker to Super: `phProvisionWorker --add <user> <password> <super> <worker>`. Remove a Worker from Super: `phProvisionWorker --delete <user> <password> <super> <worker>` |
| Input Parameters | user: username of the admin account used to log on to the GUI; password: password of that admin account; superIp: Supervisor IP address or FQDN; workerIp: Worker IP address or FQDN |
| Output | None |
Collector registration
| Item | Description |
|---|---|
| Methodology | Run this command to add or delete a Collector. |
| Usage | Add a Collector to Super (run from the Collector): `/opt/phoenix/bin/phProvisionCollector --add <user> <password> <super> <organization> <collector>`. Remove a Collector from Super (run from Super): `/opt/phoenix/bin/phProvisionCollector --delete <user> <password> <super> <organization> <collector>` |
| Input Parameters | user: username of the admin account used to log on to the GUI; password: password of that admin account; super: Supervisor IP address or FQDN; organization: organization name (SP) or Super (Enterprise); collector: Collector IP address or FQDN |
| Output | None |

Sample interaction:

```
[root@Super171]# cd /opt/phoenix/deployment/jumpbox
[root@Super171]# phProvisionCollector --delete admin admin*1 10.10.110.171 test-org 10.10.110.172
Continue the provision process…
Deleting Collector: 10.10.110.172 from Super: 10.10.110.171 with Organization: test-org …
Sucessfully done.
```
AccelOps License registration
| Item | Description |
|---|---|
| Methodology | Download the license from AccelOps |
| Usage | Run this command from Super as root: `/pbin/phdownloadlicense <user> <password> <ao-license-server>` |
| Input Parameters | user: username for obtaining the license; password: password for obtaining the license; ao-license-server: AccelOps license server host name |
| Output | None |

Sample interaction:

```
[root@sp161 pbin]# phdownloadlicense rstest rstest va-reg.accelops.net
Retrieving Information …
New license file has been retrieved. You may use phinstalllicense to install the new license.
```

| Item | Description |
|---|---|
| Methodology | Install the downloaded license as root |
| Usage | Run this command from Super as root: `/pbin/phinstalllicense` |
| Input Parameters | None |
| Output | None |

Sample interaction:

```
[root@sp161 pbin]# phinstalllicense
The process of installing a license will disrupt AccelOps services. Do you want to start the installation at this time ? [yes/no] : yes
Installing license …
Number of Licensed VA(s) = 10 …
Number of Running Worker(s) = 0 …
Exiting from worker provision …
[root@sp161 pbin]# phLicenseTool --verify
license matched
[root@sp161 pbin]# phLicenseTool --show
Report License: workers=9; citems=5000; eps=10000;storage=10737418240000; starttime=1399878000; endtime=1447398000; mode=1; rsOrg=111; rsExp=1432796400; SP=1; organizationNum=10; country=; customerId=1086; customerName=rstest; collectors=5; devicesupport=1; basicAgents=1; advancedAgents=1; profile=0
```
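The `Report License:` line printed by `phLicenseTool --show` is a `key=value;` list whose `starttime`/`endtime` fields are Unix epochs. As an added example (not an AccelOps tool), the parser below turns that line into a dict and classifies the license by its `endtime`, so an operator can alert before the platform stops; the sample line is the one shown above, and the 30-day warning threshold is an assumption.

```python
"""Parse the `phLicenseTool --show` report and classify the license by endtime.
Added example, not an AccelOps tool; SAMPLE is the line printed in the document
and the 30-day warning threshold is an assumption."""
from datetime import datetime, timezone

SAMPLE = ("Report License: workers=9; citems=5000; eps=10000;storage=10737418240000; "
          "starttime=1399878000; endtime=1447398000; mode=1; rsOrg=111; rsExp=1432796400; "
          "SP=1; organizationNum=10; country=; customerId=1086; customerName=rstest; "
          "collectors=5; devicesupport=1; basicAgents=1; advancedAgents=1; profile=0")


def parse_license(report: str) -> dict:
    """Split the 'key=value; key=value' body into a dict; empty values stay ''."""
    _, _, body = report.partition("Report License:")
    fields = {}
    for item in body.split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:  # skip blanks such as a trailing ';'
            fields[key] = value
    return fields


def end_date(fields: dict) -> str:
    """Human-readable UTC date for the endtime epoch."""
    return datetime.fromtimestamp(int(fields["endtime"]), tz=timezone.utc).strftime("%Y-%m-%d")


def license_status(fields: dict, now_epoch: int, warn_days: int = 30) -> str:
    """Return 'expired', 'expiring' (within warn_days) or 'valid' from endtime."""
    end = int(fields["endtime"])
    if now_epoch >= end:
        return "expired"
    if now_epoch + warn_days * 86400 >= end:
        return "expiring"
    return "valid"


def capacity(fields: dict) -> dict:
    """The sizing limits an operator checks after install (workers, collectors, EPS, orgs)."""
    return {k: int(fields[k]) for k in ("workers", "collectors", "eps", "organizationNum")}


if __name__ == "__main__":
    lic = parse_license(SAMPLE)
    now = int(datetime.now(timezone.utc).timestamp())
    print(end_date(lic), license_status(lic, now), capacity(lic))
```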
I stumbled onto your site and thought I'd post a reply (even though I usually don't post things on forums). Thanks for setting this up and spending your time to educate others. I have a new FortiSIEM environment and completed the 3-day FortiSIEM training (if you want to call it that). Any help, tips, videos etc. on how to tame this SIEM beast would be helpful.