Inputs

Specify an endpoint of Get Logs API to retrieve event logs.

Default value: “/o/api/v3.1/logs”. This Add-on is tested with Get Logs API only.

Select any of 3 possible event categories

• Device: device event logs
• Admin: administrator event logs
• Webhook: webhook event logs
• Device Report: device report trail logs. MetaDefender IT Access records an event logs for each device reports even the device doesn't change status or no new issues found. This trail log is only available through API and requires special license.

Enter the number of days prior to configuration day to collect log events.

• The value can be 1 to 30.
• Default value: 7.

Specify an endpoint of the Get Logs API to retrieve device event logs.

Default value: “/o/api/v3.1/logs” The Add-on is tested with MetaAccess Get Logs v3.1 only.

Enter the number of days prior to configuration day to collect device event logs. However, these event logs won’t trigger extra API calls for device details or vulnerabilities

• The value can be 1 to 30.
• Default value: 7.

Select events that should trigger additional API calls to collect device details and/or Device Vulnerabilities.

Default value: events that a device became non-compliant or reported issues.

Enable this setting if you would like to retrieve device details when an event is in Event Triggers.

The device details information will be inserted into Splunk along with event and event_timestamp to identify what event triggered this call.

Specify an endpoint of Device Details API to retrieve device details information when selected event triggers are met.

Default value: “/o/api/v3.3/devices/detail”

Specify any additional filters to device details API through Body parameter.

The recommended value is {"verbose": {"system_info": 1, "categories": 1, "unclassified": 0, "mobile_apps": 0, "detected_processes": 0, "detected_packages": 0, "detected_patches": 0}}. to retrieve a device system information and issues on compliance categories based on a policy.

Refer to the API documentation page here to learn how to apply filters.

Enable this setting if you would like to retrieve vulnerabilities of a device when an event is in Event Triggers.

The device CVEs will be separated and inserted into Splunk along with device_username, event and event_timestamp to identify what event triggered this call.

Specify an endpoint of Get Vulnerabilities of a device API to retrieve vulnerabilities of a device.

Default value: “/o/api/v3/get_cves”.

Specify any additional filters to Get Vulnerabilities of a device endpoint through Body parameter.

The recommended value is {"verbose": 0} to retrieve only CVE-ID, score, and severity_._ Refer to the API documentation page here to learn how to apply filters.

Frequency at which Splunk makes an API call to fetch the latest logs. Please be mindful of the interval you set for the Input as smaller value of interval for some less frequently updated APIs can ingest duplicate data at each run and counts against the Splunk License quota also.

For ex: Vulnerability details doesn’t get updated that frequently so running Get Vulnerability API every 60 second will end up ingesting duplicate data every 60 seconds. Intervals less than 60 seconds are NOT permitted and will generate an error when saving the input.

Specify an endpoint of a MetaDefender IT Access API you would like to retrieve information from an account.

Refer to the API Documentation here get the valid endpoint values.

Select a HTTP request method (GET or POST) depending on the API endpoint you have chosen.

For example: If you use auto$ API, HTTP Method should be POST.

Enter the number of days prior to configuration day to collect log events.

• The value can be 1 to 30.
• Default value: 7.

Enable this setting if you would like to retrieve report details when a report is received.

The addon will make additional calling to get details information and it will be inserted into Splunk along with report.

Default value: No