SorbSecurity Cloud Logging API Reference

The SorbSecurity Cloud Logging API provides an Application Programming Interface (API) framework that lets external applications pull logs over a RESTful interface.

The API is implemented as a RESTful web services API. Each request requires the user's API key. REST stands for Representational State Transfer. It is an architectural style for designing networked applications and relies on a stateless, client-server, cacheable communication protocol, HTTP. RESTful applications use HTTP requests to post data (create and/or update), get data (query information) and delete data. Thus, REST uses HTTP for all CRUD (Create/Read/Update/Delete) operations. It is a lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and Web Services such as SOAP and WSDL.

Prerequisites

Before you begin, ensure you have:

  • SIEM integration capability enabled (ask WeCare to enable it)
  • A working network environment
  • Access to the Logging API (API Key as needed)
  • Basic knowledge of API usage and authentication

Configure SIEM Integration

  • Go to Administration -> SIEM Integration -> Config, where the format is chosen
  • Run the query in the example:
    https://admin.sorbsecurity.com/api/byyy7e73caxxxxd60885f3e5xxx1615/threats/86400/

Pulling Logs

Logs are typically downloaded as JSON objects containing various fields such as timestamp and message.

Example JSON Payload:

{
    "threats": [
        {
            "sender": "sender1@soomeone.com",
            "recipients": [
                "wecare@sorbsecurity.com"
            ],
            "quarantine_reason": "",
            "source_ip": "1.2.3.4",
            "time": "2025-03-18 18:10:34",
            "is_quarantined": false,
            "message_id": "<1842601205.846749.1742292561261@someone.com>",
            "subject": "test sample 1"
        },
        {
            "sender": "sender2@someone.com",
            "recipients": [
                "wecare@sorbsecurity.com"
            ],
            "quarantine_reason": "",
            "source_ip": "5.6.7.8",
            "time": "2025-03-18 18:25:32",
            "is_quarantined": false,
            "message_id": "<8198012106965679777@someone.com>",
            "subject": "Report: sorbsecurity.com Submitter: google.com"
        }
    ]
}
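
An added example, not SorbSecurity's own code: a Python poller for the endpoint and payload shown above that keeps the API key out of error messages and de-duplicates records across overlapping pulls. It assumes the path segment after /api/ is the API key, the trailing 86400 is a look-back window in seconds, and "time" is UTC; all function names are hypothetical.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

BASE = "https://admin.sorbsecurity.com/api"  # host and path layout from the example URL
FIELDS = ("message_id", "sender", "recipients", "source_ip", "subject",
          "is_quarantined", "quarantine_reason")

def build_url(api_key, window=86400):
    # Assumptions: the segment after /api/ is the API key, and the trailing
    # number is a look-back window in seconds.
    if not re.fullmatch(r"[A-Za-z0-9]+", api_key):
        raise ValueError("unexpected characters in API key")
    return f"{BASE}/{api_key}/threats/{int(window)}/"

def redact(url):
    # The key travels in the URL path, so mask it before the URL is logged.
    return re.sub(r"(/api/)[^/]+", r"\1<redacted>", url)

def fetch(api_key, window=86400, timeout=30):
    url = build_url(api_key, window)
    try:  # urllib verifies the TLS certificate by default; leave that on
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except Exception as exc:  # re-raise without the key-bearing URL or traceback chain
        raise RuntimeError(f"pull failed: {redact(url)} ({type(exc).__name__})") from None

def to_events(payload, seen):
    """Convert one response to SIEM events, skipping records already in `seen`."""
    events = []
    for t in payload.get("threats", []):
        # Message-ID is chosen by the sender, so it is not a safe de-dup key alone.
        key = (t.get("message_id"), t.get("time"), t.get("source_ip"), t.get("sender"))
        if key in seen:  # overlapping pull windows return the same record again
            continue
        event = {f: t.get(f) for f in FIELDS}
        # Assumption: "time" is UTC; the page does not state the time zone.
        ts = datetime.strptime(t["time"], "%Y-%m-%d %H:%M:%S")
        event["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
        seen.add(key)
        events.append(event)
    return events

# Constructed sample in the shape of the payload above (not real log data).
SAMPLE = {"threats": [{
    "sender": "a@example.com", "recipients": ["wecare@sorbsecurity.com"],
    "quarantine_reason": "", "source_ip": "192.0.2.10", "time": "2025-03-18 18:10:34",
    "is_quarantined": False, "message_id": "<m1@example.com>", "subject": "test sample 1"}]}
```

Persist `seen` between runs (for example, keys from the last pull window) so a restart does not re-send the previous window to the SIEM.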

Contact the WeCare team if you have any further questions.