How to configure API Bucket

Log in to Logsign USO and go to Settings.

Settings > Alerts & Incidents > Buckets

Click +Bucket at the top right.

After that:

Type the name you want for the bucket in the Description field.

Under Group, select the group the bucket should belong to.

If the API does not require authentication, you can skip this area and go straight to Method. If the API does require authentication, complete the Auth settings first.

Enter the header in this field exactly as it would appear in the HTTP request during the Auth phase, as a key and a value.

For example:

Key: Authorization

Value: Bearer {Token}

The Auth field itself only supports Basic Auth, so fill it in according to the credentials you have.

Basic Auth is usually username:password, encoded with base64.

In other words, the value you get from that encoding is what goes into the header field above. Which form you use depends entirely on what your API supports. Keep in mind that base64 only encodes the credentials, it does not protect them, so the API URL should use HTTPS.

 

Method: 

Choose GET or POST, depending on what your endpoint supports.

 

Content Type:

Select the content type that matches the structure of your log. The options are application/json and text/plain.

 

Url:

Enter the URL of the server that hosts the API, that is, the endpoint you will pull the data from. In this example the API is running on the local machine.

 

Params:

In this example the Params field is empty, but if your API endpoint takes query parameters you can specify them here, again as key and value pairs.

 

Response Format:

Select the type of response the API returns when the request is sent, then complete the sub-step for that type.

The options are Text and JSON.

 

Text Delimiter (if Text is selected):

Specifies how the response is split into individual log entries.

In our example the API output looks like the line below, so the delimiter must be a comma (,).

192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8,192.168.1.9,192.168.1.10

 

JSON Response Key (if JSON is selected):

Specify which field of the returned JSON should be referenced and listed.

In our example the web_name field is the one we care about and the one we want to print into the bucket, so the key must point at web_name.

[
  {
    "blacklist_websites": [
      { "web_name": "1.1.1.1", "reason": "Malicious" },
      { "web_name": "1.1.1.2", "reason": "Malicious" },
      { "web_name": "1.1.1.3", "reason": "Malicious" }
    ]
  }
]

 

The Response Key for this structure is blacklist_websites.web_name; the outer array and the blacklist_websites array are both traversed, so each element's web_name becomes one entry in the bucket.

 

Purge Period:

Sets the interval (in seconds) after which the generated list is reset.

 

After making these settings, save and wait for logsign-bucket-worker to collect the logs.
