EPM ECS Event Reference

Why Change to ECS?

EPM is developing a more scalable data infrastructure to better support your reporting, analytics, and insights needs.

We're using the Elastic Stack to provide the scale and speed needed to ingest and search the millions of events we process every day.

To enable better correlation of our data with other sources and to make our events easier to work with, we have adopted the well-known open source schema built for Elastic: the Elastic Common Schema (ECS).

For more information, please see Elastic's ECS documentation.

What Does it Mean For Me?

There is no change in your existing analytics or SIEM integrations in EPM.

A new API is exposed to extract the events in bulk.

GET /v{version}/Events/FromStartDate

The following is an example PowerShell usage script.

PowerShell 7 is required.

param (
  [Parameter(mandatory = $true)] $nextDate,
  [Parameter(mandatory = $true)] $tenantName,
  [Parameter(mandatory = $true)] $apiClientId,
  [Parameter(mandatory = $true)] $apiClientSecret,
  $resource = 'domains',
  $lookupCache = 'false',
  $pageSize = 100,
  $pageNumber = 1
)

$_baseUrl = "https://$tenantName-services.epm.btrusteng.com"

function Get-AccessToken(
  [Parameter(mandatory = $true)][string] $apiClientId,
  [Parameter(mandatory = $true)][string] $apiClientSecret) {

  $authBody = @{
    client_id     = "$apiClientId"
    client_secret = "$apiClientSecret"
    scope         = "urn:management:api"
    grant_type    = "client_credentials"
    }
  $tokenUrl = "$_baseUrl/oauth/token"
  Write-Host "Requesting $tokenUrl"
  $response = Invoke-WebRequest -Uri $tokenUrl `
    -ContentType "application/x-www-form-urlencoded" `
    -Body $authBody `
    -Method Post `
    -ErrorAction Stop
  $accessToken = $response.content | ConvertFrom-Json
  return $accessToken
}

function Get-AllPages( [Parameter(mandatory = $true)][System.Object] $accessToken,
  [Parameter(mandatory = $true)][string] $nextDate) {
  $page = 1
  $recordSize = 1000
  # Measures the age of the current token; restarted whenever a new token is issued
  $tokenStopwatch = [System.Diagnostics.Stopwatch]::StartNew()
  while ($true) {
    # expires_in is a number of seconds, so compare it with TotalSeconds
    # (Elapsed.Seconds is only the 0-59 seconds component)
    if (($accessToken.expires_in - $tokenStopwatch.Elapsed.TotalSeconds) -lt 10) {
      Write-Host "******* AccessToken Expiring in 10 Sec So Re-Requesting New Accesstoken ********"
      $accessToken = Get-AccessToken $apiClientId $apiClientSecret
      $tokenStopwatch.Restart()
    }
    $headers = @{
      'Authorization'     = "Bearer " + $accessToken.access_token
      'Content-Type'      = 'application/json'
      'ExpiresOn'         = "$($accessToken.expires_in)"
      'client-request-id' = (New-Guid).ToString()
    }
    $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    $encodedDate = [uri]::EscapeDataString($nextDate)
    $resourceUrl = "$_baseUrl/management-api/v1/Events/FromStartDate?StartDate=$encodedDate&RecordSize=$recordSize"
    $Response = Invoke-WebRequest -Uri $resourceUrl -Headers $headers -Method Get -ErrorAction Stop
    $Stopwatch.Stop()

    $jsonObj = $Response.Content | ConvertFrom-Json
    # @() keeps a single event from collapsing to a scalar
    $events = @($jsonObj.events)
    $timetake = $Stopwatch.ElapsedMilliseconds
    $line = "$page*$recordSize -- $nextDate  TimeTake: $timetake"
    $line | Out-File -FilePath .\fetchResult.txt -Append
    # $Response.Content | Out-File -FilePath .\fetchResult.txt -Append

    Write-Host $line
    # An empty page means there is nothing newer than $nextDate
    if ($events.Count -lt 1) { break }
    # PowerShell 7's ConvertFrom-Json turns ISO 8601 strings into DateTime objects,
    # so the last event's ingestion time can be normalised to a round-trip UTC string
    $lastTimeStamp = $events[-1].event.ingested.ToUniversalTime().ToString('o')
    $page++
    $nextDate = $lastTimeStamp
    # A short page means we have caught up
    if ($events.Count -lt $recordSize) { break }
  }
}

$TotalStopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$accessToken = Get-AccessToken $apiClientId $apiClientSecret
Get-AllPages $accessToken $nextDate
$TotalStopwatch.Stop()
$sec = $TotalStopwatch.Elapsed.TotalSeconds
$finishLine = "Total Time Taken To Fetch All Pages $sec Seconds"
$finishLine | Out-File -FilePath .\fetchResult.txt -Append
Write-Host
Write-Host $finishLine
exit 0
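The script above walks the endpoint with a timestamp cursor: request a page from StartDate, take the last event's event.ingested as the next StartDate, and stop on a short page. The following is an added example, not EPM's code, written in Python because the walk itself is language-independent. It runs the same walk against an offline stand-in for the endpoint and adds two things the script does not show: a checkpoint so an interrupted or scheduled run resumes where it left off, and de-duplication across page boundaries. Two assumptions that the page does not state are built in and labelled in the code: StartDate is treated as inclusive, and every event is assumed to carry an ECS event.id. The token cache mirrors the script's "refresh when fewer than 10 seconds remain" rule with an injected clock; the FakeEventsApi class, its from_start_date method and the sample events are all constructed for this example.

```python
"""Cursor pagination over an EPM-style Events/FromStartDate endpoint (added example)."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


def make_sample_events(n: int, start_iso: str, step_seconds: int = 1) -> List[dict]:
    """Constructed ECS-shaped events; only event.id and event.ingested are set.
    event.id is an ECS field but is not shown on the page: an assumption."""
    start = datetime.fromisoformat(start_iso)
    return [
        {"event": {"id": f"evt-{i:05d}",
                   "ingested": (start + timedelta(seconds=i * step_seconds)).isoformat()}}
        for i in range(n)
    ]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["event"]["ingested"])


class FakeEventsApi:
    """Offline stand-in for GET .../Events/FromStartDate?StartDate=..&RecordSize=..
    Returns events with event.ingested >= StartDate (inclusive, by assumption),
    oldest first, at most record_size of them."""

    def __init__(self, events: List[dict]):
        self._events = sorted(events, key=_ts)

    def from_start_date(self, start_date: str, record_size: int) -> dict:
        start = datetime.fromisoformat(start_date)
        return {"events": [e for e in self._events if _ts(e) >= start][:record_size]}


class BearerTokenCache:
    """Re-requests the token when fewer than 10 s of expires_in remain, measured
    from the moment the current token was issued (the script's refresh rule)."""

    def __init__(self, request_token: Callable[[], dict], clock: Callable[[], float]):
        self._request, self._clock = request_token, clock
        self._token: Optional[dict] = None
        self._issued_at = 0.0
        self.refreshes = 0

    def get(self) -> str:
        if self._token is None or \
                self._token["expires_in"] - (self._clock() - self._issued_at) < 10:
            self._token, self._issued_at = self._request(), self._clock()
            self.refreshes += 1
        return self._token["access_token"]


def fetch_all(api: FakeEventsApi, start_date: str, record_size: int = 1000,
              checkpoint: Optional[Dict] = None,
              token: Optional[BearerTokenCache] = None) -> Tuple[List[dict], Dict, int]:
    """Walk every page from start_date, or from the checkpoint's cursor when given.
    Returns (new events, updated checkpoint, pages requested). The checkpoint
    records the cursor and the ids already delivered at that timestamp, so a
    re-run neither skips events nor returns duplicates."""
    checkpoint = checkpoint if checkpoint is not None else {}
    cursor = checkpoint.get("next_date", start_date)
    seen = set(checkpoint.get("seen_at_cursor", []))
    collected: List[dict] = []
    pages = 0
    while True:
        if token is not None:
            token.get()  # would populate the Authorization: Bearer header of a real request
        events = api.from_start_date(cursor, record_size).get("events") or []
        pages += 1
        if not events:
            break  # nothing newer than the cursor
        new = [e for e in events if e["event"]["id"] not in seen]
        if not new and len(events) >= record_size:
            # a full page whose events all share the cursor timestamp and were all
            # delivered before: the cursor can never advance with this page size
            raise RuntimeError("record_size too small for the burst at " + cursor)
        collected.extend(new)
        last_ts = events[-1]["event"]["ingested"]
        # the next page starts at last_ts again (inclusive), so remember which
        # ids at that timestamp have already been delivered
        seen = {e["event"]["id"] for e in events if e["event"]["ingested"] == last_ts}
        cursor = last_ts
        checkpoint.update(next_date=cursor, seen_at_cursor=sorted(seen))
        if len(events) < record_size:
            break  # short page: caught up
    return collected, checkpoint, pages


if __name__ == "__main__":
    api = FakeEventsApi(make_sample_events(2500, "2024-01-01T00:00:00+00:00"))
    got, ckpt, n_pages = fetch_all(api, "2024-01-01T00:00:00+00:00", record_size=1000)
    print(len(got), "events in", n_pages, "pages; resume from", ckpt["next_date"])
```

Persist the returned checkpoint (for instance as JSON next to fetchResult.txt) and pass it back on the next run; the RuntimeError is the signal to raise RecordSize when more events share one ingestion timestamp than fit on a page.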