I'm trying to obtain all the events of a specific rule. Since I didn't find an API that does the job, I inspected the Chrome Network Dev tool. During the inspection, I saw a request done to /internal/bsearch which replies with the events. The problem is that the reply is encrypted, and it comes with the following format:
eJzsvelyG9f16 ... es=
How can I decrypt/decode or manage that encryption? Because clearly it is being decrypted on the user side. Is there any better way to approach this?
So we actually have a dedicated API for fetching alerts, but you may've missed it since there was a renaming event and it goes by the signals moniker instead of alerts. You can see all the details for that API here: Signals endpoint | Elastic Security Solution [8.2] | Elastic. Should be as simple as hitting that API with an ES Query DSL matching a specific rule name/id.
As for that bsearch request you've inspected, IIRC the response is just compressed (not encrypted). I believe there's a kibana.yml configuration for disabling this:
@Felipe_Fuller if you want to make the same request and have the response come back uncompressed, you can right click the response in chrome dev tools -> copy as curl and manually remove the ?compress=true query param from the end of the url. Also, if you want to programmatically decompress it, here's a snippet that would do so:
import { unzlibSync, strFromU8 } from 'fflate';   // zlib inflate
import { toByteArray } from 'base64-js';          // base64 decode
const input = process.argv[2];                    // compressed body passed as the first CLI argument
const result = strFromU8(unzlibSync(toByteArray(input)));  // base64 -> inflate -> UTF-8 string
console.log(result);
If that's index.js, you can run it with node index.js compressedData.