Get events of a specific rule

Hi Community!

I'm trying to obtain all the events of a specific rule. Since I didn't find an API that does the job, I inspected the Chrome Network Dev tool. During the inspection, I saw a request done to /internal/bsearch which replies with the events. The problem is that the reply is encrypted, and it comes with the following format:

eJzsvelyG9f16 ... es=

How can I decrypt/decode or manage that encryption? Because clearly it is being decrypted on the user side. Is there any better way to approach this?

Thank you in advance!

Best,

Felipe

Oh hey there @Felipe_Fuller :wave:, thanks for the question! :slightly_smiling_face:

So we actually have a dedicated API for fetching alerts, but you may've missed it since there was a renaming event and it goes by the signals moniker instead of alerts. You can see all the details for that API here: Signals endpoint | Elastic Security Solution [8.2] | Elastic. Should be as simple as hitting that API with an ES Query DSL matching a specific rule name/id.

As for that bsearch request you've inspected, IIRC the response is just compressed (not encrypted). I believe there's a kibana.yml configuration for disabling this:

uiSettings:
  overrides:
    'bfetch:disableCompression': true

Of course you'll probably only want to enable for debugging purposes to ensure network traffic doesn't balloon.

Hope this helps -- cheers!
Garrett

1 Like

@Felipe_Fuller if you want to make the same request and have the response come back uncompressed, you can right-click the response in Chrome dev tools -> copy as curl and manually remove the ?compress=true query param from the end of the URL. Also, if you want to programmatically decompress it, here's a snippet that would do so:

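// ES module syntax: Node needs "type": "module" in package.json (or an .mjs file name) to load this.
import { unzlibSync, strFromU8 } from 'fflate';
import { toByteArray } from 'base64-js';

// The base64 text copied from the response, passed as the first CLI argument.
const input = process.argv[2];
// base64 -> bytes -> zlib inflate -> UTF-8 string
const result = strFromU8(unzlibSync(toByteArray(input)));

console.log(result);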

If that's index.js, you can run it with node index.js compressedData

2 Likes
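The same base64-then-zlib decoding using only Node's built-in zlib module, as an added example that is not part of the original replies and is not Kibana's own code. The function names, the output cap, the newline-separated chunk handling and the plain-JSON fallback are assumptions of this example, and the sample body is constructed rather than captured.

```javascript
const zlib = require('node:zlib');

// Cap inflated size so a corrupt or hostile capture cannot exhaust memory.
const MAX_INFLATED_BYTES = 16 * 1024 * 1024;

// A zlib stream opens with a 2-byte header: the low nibble of byte 0 is 8 (deflate)
// and the 16-bit header is a multiple of 31. The common 0x78 0x9c encodes to "eJ..."
// in base64, which is why the captured text starts with "eJz".
function looksLikeZlib(buf) {
  return buf.length >= 2 && (buf[0] & 0x0f) === 8 && ((buf[0] << 8) | buf[1]) % 31 === 0;
}

// Decode one chunk: base64 -> zlib inflate -> UTF-8 -> JSON.
// Assumption: an uncompressed chunk is plain JSON, so it is parsed directly.
function decodeChunk(chunk, maxBytes = MAX_INFLATED_BYTES) {
  const text = chunk.trim();
  if (text.startsWith('{') || text.startsWith('[')) return JSON.parse(text);
  const raw = Buffer.from(text, 'base64');
  if (!looksLikeZlib(raw)) throw new Error('chunk is neither JSON nor base64 zlib data');
  const inflated = zlib.inflateSync(raw, { maxOutputLength: maxBytes });
  return JSON.parse(inflated.toString('utf8'));
}

// Assumption: a response body may hold several newline-separated chunks.
function decodeBody(body) {
  return body
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => decodeChunk(line));
}

// Helper for the constructed sample: compress an object the same way.
function encodeChunk(obj) {
  return zlib.deflateSync(Buffer.from(JSON.stringify(obj), 'utf8')).toString('base64');
}

// Constructed sample body (not real Kibana output): one compressed chunk, one plain.
const sampleBody = [
  encodeChunk({ id: 0, result: { hits: [{ 'rule.name': 'constructed-rule' }] } }),
  JSON.stringify({ id: 1, result: { hits: [] } }),
].join('\n') + '\n';

console.log(JSON.stringify(decodeBody(sampleBody), null, 2));
```

To decode a real capture, pass the copied response text to decodeBody in place of sampleBody.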

Thank you both very much, I will try the respective solutions! It's great having this kind of support!

1 Like