
Unable to send deserialized data to a Web API


I am trying to use an API which I have used previously for various jobs, to query and get me relevant data. But lately, I am unable to do that because of an unusual exception returned, which I honestly have no idea about.

The CODE:

    import SIEMAuth  # provides url and session_headers
    import requests

    alert_id = '144116287822364672|12101929'
    query_params = {"id": {"value": alert_id}, "format": {"format": 0}}

    # verify=False turns off TLS certificate validation for this request.
    response = requests.post(SIEMAuth.url + 'ipsGetAlertPacket', json=query_params,
                             headers=SIEMAuth.session_headers, verify=False)
    print(response.text)

The following exception/traceback response is returned on querying this:

    Can not construct instance of com.mcafee.siem.api.data.alert.EsmPacketFormat: no suitable constructor found, can not deserialize from Object value (missing default constructor or creator, or perhaps need to add/enable type information?)
     at [Source: java.io.StringReader@1a15fbf; line: 1, column: 2]

    Process finished with exit code 0

When I searched the internet to learn more about the exception, most of the results were related to the Jackson parser for JSON in the Java programming environment, which is not something I am working on or am aware of.

If anybody could help, I'd be extremely grateful.


Solution

  • Unfortunately it's as I suggested; basically one way or another it's broken. The response from their support is as follows.

    I have reached out to my development team for this question. I got the response below.

    That particular get is not meant to be used in the external API. It should only be used from the interface, and has been removed since the version of the ESM you are on. If you want to use that externally then you need to submit it as a per.

    I hope this clears your questions.

    Edit: This has actually been expanded on in a thread on their support forums. You need a login to see the original thread.

    Name notwithstanding, this API does not return the actual data packet associated with an event. In fact, when aggregation is enabled, not all of the packets associated with a given event are available on the ESM. Raw packet data can be retrieved from the ELM through the UI, but unfortunately there currently is not a way to do that programmatically.