Symantec™ Data Center Security: Server Advanced

REST API documentation

1. Working with REST APIs

1.1. Getting started with REST APIs

You can work with the Data Center Security: Server, Server Advanced, and Operations Director REST APIs by using the Unified Management Console authorization token. With this token, the REST APIs are called through the Unified Management Console using token-based authentication.

To work with the Data Center Security: Server, Server Advanced, and Operations Director REST APIs, you must:

  • Install a REST API client application. For example, you can use the Postman client application if you are using the Chrome browser.

  • Generate a Unified Management Console authorization token. You must generate the token before you can view or execute the APIs.

  • Execute the respective REST APIs.

1.2. Generating the Unified Management Console authorization token

You must generate a Unified Management Console authorization token to view or execute the APIs. With this token, the REST APIs are called through the Unified Management Console using token-based authentication.

Note

After the Unified Management Console authorization token is generated, it is valid for only 30 minutes for executing APIs. If the token becomes invalid, you must generate a new token to execute the REST APIs.

Perform the following steps to generate a UMC authorization token:

  1. In the Chrome web browser, enter the following URL, replacing UMC_IP with the appropriate Unified Management Console IP address or hostname.

  2. Accept the security certificate and proceed to the Unified Management Console (unsafe mode). If you have already accepted the certificate in your browser, you may get an HTTP Status 405 error message. Ignore the error message and proceed.

  3. In the REST client app, enter the following URL.

  4. Select POST as the HTTP method.

  5. Change the format to Raw and select JSON for the request.

  6. In the text box, enter the following JSON. The password for dcsadmin is the one specified while deploying the Unified Management Console. For an AD user, the username is domain alias name\\username and the password is the configured AD password for that user.

{"username":"Enter the user name","password":"Enter the password"}

  7. Click Send to execute the API.

The UMC authorization token is generated.

1.3. Viewing the Data Center Security: Server and Data Center Security: Server Advanced REST APIs

After you install the Data Center Security Management Server, you can view the REST APIs exposed by the Data Center Security Management Server by using the Unified Management Console authorization token. The Unified Management Console authorization token is valid for only 30 minutes from the time the token is generated. If the token becomes invalid, you must generate a new token to view the Data Center Security: Server and Data Center Security: Server Advanced REST APIs.

Perform the following steps to view the Data Center Security: Server and Data Center Security: Server Advanced REST APIs:

  1. Open the REST API client application.

  2. Enter the following URL in the address bar, replacing localhost with the appropriate Data Center Security Management Server IP address or hostname.

https://localhost:4443/sis-ui/api

  3. Select GET as the HTTP method.

  4. Click Headers and add the following values:

    • An Authorization header whose value is "bearer" followed by the token, for example "bearer 87179347-e27d-4ec7-831f-1f150a5ab904"

    • A Content-Type header with the value application/json

  5. Click Body and do the following:

    • Select raw as the payload format

    • Select JSON for the request body

  6. Click Send to execute the API.

The Data Center Security: Server API documentation appears.

1.4. Executing the Data Center Security: Server and Data Center Security: Server Advanced REST APIs

You can execute the Data Center Security: Server and Data Center Security: Server Advanced REST APIs by using the Unified Management Console authorization token. The Unified Management Console authorization token is valid for only 30 minutes from the time the token is generated. If the token becomes invalid, you must generate a new token to execute the REST APIs.

To execute the Data Center Security: Server and Data Center Security: Server Advanced REST APIs:

  1. Open the REST API client application.

  2. Enter the following URL in the address bar, replacing localhost with the appropriate Data Center Security Management Server IP address or hostname.

https://localhost:4443/sis-ui/api/v1/API_Function

  3. Select GET as the HTTP method.

  4. Click Headers and add the following values:

    • An Authorization header whose value is "bearer" followed by the pasted token, for example "bearer 87179347-e27d-4ec7-831f-1f150a5ab904"

    • A Content-Type header with the value application/json

  5. Click Body and do the following:

    • Select raw as the payload format

    • Select JSON for the request body

  6. Add the JSON request in the body.

  7. Click Send to execute the API.

An appropriate JSON response is returned.

1.5. Executing the Operations Director REST APIs

You can execute the Operations Director REST APIs by using the Unified Management Console authorization token. The Operations Director REST APIs are called through the Unified Management Console using token-based authentication. The Unified Management Console authorization token is valid for only 30 minutes from the time the token is generated. If the token becomes invalid, you must generate a new token to execute the Operations Director REST APIs.

To use the Operations Director REST APIs, you must do the following:

  • Generate Unified Management Console authorization token

  • Execute Operations Director REST APIs

Note

The plug-in REST APIs are served over HTTPS only. To ensure data privacy, unencrypted HTTP is not supported.

To execute the Operations Director REST APIs:

  1. Open the REST API client application.

  2. Enter the following URL, replacing Operations_Director-IP with the appropriate Operations Director IP address or hostname.

https://Operations_Director-IP:8443/sosservices/rest/API_Function

  3. Select the HTTP method as required.

  4. Click Headers and add the following values:

    • An Authorization header whose value is "bearer" followed by the token, for example "bearer 87179347-e27d-4ec7-831f-1f150a5ab904"

    • A Content-Type header with the value application/json

  5. Click Body and do the following:

    • Select raw as the payload format

    • Select JSON for the request body, if required

  6. Add the JSON request in the body.

  7. Click Send to execute the API.

An appropriate JSON response is returned.
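The token and request flow of sections 1.2 to 1.5 as a small client, added here as an example; it is not code from the product or from this documentation. It assumes a UMC token URL (a placeholder, because this page does not print it) and that the token response is a JSON object with a "token" member; fake_transport and its responses are constructed so the example runs offline, and https_transport is the real transport with certificate verification left on.

```python
import json
import ssl
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # a UMC authorization token is valid for 30 minutes
DCS_API_BASE = "https://localhost:4443/sis-ui/api/v1/"  # Server and Server Advanced
OD_API_BASE = "https://Operations_Director-IP:8443/sosservices/rest/"  # Operations Director
# PLACEHOLDER: the page does not print the UMC token URL; substitute your deployment's URL.
UMC_TOKEN_URL = "https://UMC_IP/PLACEHOLDER-umc-token-path"
EXAMPLE_TOKEN = "87179347-e27d-4ec7-831f-1f150a5ab904"  # the sample token value shown on the page
# A transport takes (method, url, headers, body) and returns (status, response body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def https_transport(ca_file: Optional[str] = None) -> Transport:
    """Real HTTPS transport; verification stays on, so pass the CA that issued the server cert."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.getcode(), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class TokenExpired(RuntimeError):
    """No valid UMC token: generate a new one before calling the API."""


class DcsClient:
    """Token lifecycle (section 1.2) plus API execution (sections 1.3 to 1.5)."""

    def __init__(self, umc_token_url: str, transport: Transport, api_base: str = DCS_API_BASE,
                 clock: Callable[[], float] = time.monotonic, ttl: float = TOKEN_TTL_SECONDS):
        self.umc_token_url = umc_token_url
        self.api_base = api_base.rstrip("/") + "/"
        self._send, self._clock, self._ttl = transport, clock, ttl
        self._token: Optional[str] = None
        self._issued_at = 0.0

    def login(self, username: str, password: str) -> None:
        """POST the JSON credentials from section 1.2 and cache the returned token."""
        body = json.dumps({"username": username, "password": password}).encode()
        status, resp = self._send("POST", self.umc_token_url,
                                  {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        try:  # ASSUMPTION: the response shape is not on the page; a JSON "token" member is assumed
            self._token = str(json.loads(resp)["token"])
        except (ValueError, KeyError, TypeError):
            self._token = resp.decode().strip()  # fallback: the body is the bare token
        self._issued_at = self._clock()

    def token_valid(self) -> bool:
        """False once 30 minutes have passed or the server has rejected the token."""
        return self._token is not None and self._clock() - self._issued_at < self._ttl

    def headers(self) -> Dict[str, str]:
        """The two request headers from sections 1.3 to 1.5 (lowercase 'bearer', as on the page)."""
        if not self.token_valid():
            raise TokenExpired("UMC token missing or older than 30 minutes")
        return {"Authorization": f"bearer {self._token}", "Content-Type": "application/json"}

    def call(self, method: str, api_function: str, payload=None) -> Tuple[int, object]:
        """Execute API_Function relative to the base URL, with an optional JSON body."""
        url = self.api_base + api_function.lstrip("/")
        body = json.dumps(payload).encode() if payload is not None else None
        status, resp = self._send(method.upper(), url, self.headers(), body)
        if status == 401:
            self._token = None  # the server no longer accepts it: force regeneration
            raise TokenExpired("server rejected the token; generate a new one")
        return status, (json.loads(resp) if resp else None)


def fake_transport(log: List[tuple]) -> Transport:
    """Constructed offline stand-in for UMC and the management server (sample data only)."""
    def send(method, url, headers, body):
        log.append((method, url, dict(headers), body))
        if url == UMC_TOKEN_URL:
            return 200, json.dumps({"token": EXAMPLE_TOKEN}).encode()
        if headers.get("Authorization") != f"bearer {EXAMPLE_TOKEN}":
            return 401, b'{"error": "invalid token"}'
        return 200, b'{"items": [{"rid": 7, "name": "Default"}]}'
    return send


def demo() -> dict:
    """Log in, list security groups, then let the 30-minute window lapse."""
    log: List[tuple] = []
    now = [1000.0]
    client = DcsClient(UMC_TOKEN_URL, fake_transport(log), clock=lambda: now[0])
    client.login("dcsadmin", "constructed-example-password")
    status, body = client.call("GET", "sa/securitygroups/")
    now[0] += TOKEN_TTL_SECONDS  # 30 minutes later the cached token must not be reused
    return {"status": status, "groups": body["items"], "url": log[1][1],
            "expired": not client.token_valid()}
```

Against a real deployment, replace fake_transport with https_transport("path/to/your-ca.pem") and UMC_TOKEN_URL with the token URL of your Unified Management Console.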

2. REST APIs of Data Center Security Server Advanced

2.1. REST APIs of Data Center Security: Server Advanced

This section lists the REST APIs of Data Center Security: Server Advanced and explains how to execute them.

To execute the Data Center Security: Server Advanced REST APIs, use the following URL, replacing localhost with the appropriate Data Center Security management server IP address or hostname.

https://localhost:4443/sis-ui/api/v1/API_function

To execute the REST APIs used by Operations Director to orchestrate Data Center Security: Server Advanced v6.6, use the following URL, replacing localhost with the appropriate Data Center Security management server IP address or hostname.

https://localhost:4443/sis-ui/api/v1/API_Function

| API function | HTTP method | Description |
|---|---|---|
| sa/assets/ | GET | Gets all assets, optionally filtered by one of the securitygroupid or categoryid parameters |
| sa/assets/add/virtual | POST | Adds a virtual agent |
| sa/assets/delete | DELETE | Deletes one or more agents |
| sa/assets/securitygroups/tree | GET | Gets the security group categories tree; each category contains a list of security groups |
| sa/assets/statistics | GET | Gets the statistics for the assets that match the filter. If no filter is given, gets the statistics for all assets |
| sa/assets/{assetId}/events | GET | Gets the recent events for the asset |
| sa/assets/{assetId}/history | GET | Gets the audit events history for an asset |
| sa/assets/{assetid} | GET | Gets the asset associated with the specified asset ID |
| sa/assets/{assetid}/policiesandconfigs, sa/assets/{assetid}/policies, sa/assets/{assetid}/configs | GET | Gets the policies, configurations, or both associated with the given asset ID |
| sa/assets/{assetid}/securitygroup/ | GET | Gets the security groups associated with the given asset ID |
| sa/assets/{assetrid} | PUT | Updates the asset identified by "assetrid" with the data PUT in JSON format |
| sa/assets/{assetrid}/adr | PUT | Triggers an Application Data Retrieval (ADR) request for the specified asset |
| sa/assets/assign/securitygroup/{securityGroupId} | PUT | Assigns one or more agents to a Security Group |
| assets/policy/ids, assets/policy/ips | GET | Gets the policy domain group |
| assets/policy/ids/{group_id}, assets/policy/ips/{group_id} | DELETE | Deletes the specified group |
| assets/policy/ids/{group_id}, assets/policy/ips/{group_id} | GET | Gets the specified group |
| assets/policy/ids/{group_id}/children, assets/policy/ids/{group_id}/ips/{group_id}/children | GET | Gets the children of the specified group |
| assets/policy/ids/{group_id}/children, assets/policy/ips/{group_id}/children | POST | Creates a new group |
| assets/policy/ids/{group_id}/policies, assets/policy/ips/{group_id}/policies | GET | Gets the list of policies for the given group |
| assets/policy/ips/policies | DELETE | Removes the applied policies from the group |
| assets/policy/ips/{assetid}/move/{groupid} | PUT | Moves an asset |
| assets/policy/ips/{assetid}/policy | DELETE | Clears the IPS policy from an asset |
| assets/policy/ips/{groupid}/policies/{policyid} | DELETE | Removes the applied policy from the group |
| assets/policy/ips/{groupid}/policies/{policyid} | PUT | Applies the policy to the given group |
| assets/policy/{id}/history | GET | Gets the audit events history for a policy |
| workspace/folder/ids, workspace/folder/ips | GET | Gets the root workspace folder |
| workspace/folder/ids/{folderid}, workspace/folder/ips/{folderid} | DELETE | Deletes the specified workspace folder |
| workspace/folder/ids/{folderid}, workspace/folder/ips/{folderid} | GET | Gets the specified workspace folder |
| workspace/folder/ids/{folderid}, workspace/folder/ips/{folderid} | PUT | Updates or moves a workspace folder |
| workspace/folder/ids/{folderid}/children, workspace/folder/ips/{folderid}/children | GET | Gets the children of the specified workspace folder |
| workspace/folder/ids/{folderid}/children, workspace/folder/ips/{folderid}/children | POST | Creates a new workspace folder |
| workspace/folder/ids/{folderid}/history, workspace/folder/ips/{folderid}/history | GET | Gets the history of a workspace folder |
| workspace/folder/ids/{folderid}/policies, workspace/folder/ips/{folderid}/policies | GET | Gets the list of policies for the specified workspace folder |
| workspace/policy/getnullpolicy | GET | Gets the NULL policy |
| workspace/policy/ips/{policyid}/parameter | GET | Gets the value of a given parameter from the specified workspace policy. The "ControlName" parameter is optional when reading from the base policy and required for custom controls. The "ParamName" parameter is the name of a parameter or option in the workspace policy whose value or option state is returned |
| workspace/policy/ips/{policyid}/reapply | PUT | Reapplies the given workspace policy |
| workspace/policy/ips/{policyid}/settings, workspace/policy/ids/{policyid}/settings | PUT | Updates the policy settings for the given workspace policy |
| workspace/policy/packs | GET | Gets the list of policy packs |
| workspace/policy/processfilehash | POST | Processes a CSV file into JSON format |
| workspace/policy/{policyid}/baseoptions | GET | Gets the list of predefined network properties (choices data) |
| workspace/policy/{policyid}/sandboxcategories | GET | Gets the list of sandbox categories by policy ID |
| workspace/policy/{policyid}/sandboxes | GET | Gets the list of sandboxes by policy ID |
| workspace/policy/{policyid}/signatureflags | GET | Gets the list of signature flags by policy ID |
| workspace/policy/{type}/{policyid}/exists | GET | Checks whether a policy exists by type and policy ID |
| workspace/policy/configs/prevention, workspace/policyconfigs/detection, workspace/policy/configs/common, workspace/policyconfigs/all | GET | Gets the list of configs based on the URI, paging, and filters provided |
| workspace/policy/prevention, workspace/policy/detection | GET | Gets the list of policies based on the URI, paging, and filters provided |
| ippool/ | GET | Finds all IP Pools |
| ippool/ | POST | Creates an IP Pool |
| ippool/{rid} | DELETE | Deletes the IP Pool |
| ippool/{rid} | GET | Finds the IP Pool |
| ippool/{rid} | PUT | Updates the IP Pool |
| rest/v1.0/chartdata/{uuid} | GET | Gets the chart data designated by "uuid" |
| rest/v1.0/licenses | GET | Gets the licenses |
| rest/v1.0/package/download | GET | Downloads the product package in Zip format |
| rest/v1.0/package/downloadack | POST, PUT | Acknowledges the product download |
| rest/v1.0/settings, rest/v1.0/settings/sync | DELETE | Synchronizes a delete on system settings |
| rest/v1.0/settings, rest/v1.0/settings/sync | GET | Returns system-wide settings as named by a comma-separated 'select' list of one or more distinct system settings categories: SMTP, SNMP, LIVEUPDATE, PROXY, NSX, VCENTER, TELEMETRY |
| rest/v1.0/settings, rest/v1.0/settings/sync | POST, PUT | Synchronizes an update on system settings |
| sa/securitygroups/ | GET | Gets the list of security groups based on the URI, paging, and filters provided |
| sa/securitygroups/ | POST | Creates a new Security Group; either the category rid or the category name is required, not both |
| sa/securitygroups/categories | GET | Gets the list of security group categories |
| sa/securitygroups/statistics | GET | Gets the total, published, modified and empty statistics for security groups |
| sa/securitygroups/statistics/{categoryId} | GET | Gets the total, applied, modified, and empty statistics for security groups, filtered by category |
| sa/securitygroups/{securityGroupId} | DELETE | Deletes the specified Security Group |
| sa/securitygroups/{securityGroupId} | GET | Gets the details for the specified Security Group |
| sa/securitygroups/{securityGroupId} | PUT | Updates the specified Security Group; either the category rid or the category name is required, not both |
| sa/securitygroups/{securityGroupId}/assign/{assetId} | PUT | Assigns the asset to the Security Group |
| sa/securitygroups/{securityGroupId}/events | GET | Gets the recent events for the security group |
| sa/securitygroups/{securityGroupId}/history | GET | Gets the audit events history for the security group |
| sa/securitygroups/{securityGroupId}/policies, sa/securitygroups/{securityGroupId}/configs, sa/securitygroups/{securityGroupId}/policiesandconfigs | GET | Gets the policies, configurations, or both associated with the security group |
| sa/securitygroups/{securityGroupId}/publish | PUT | Publishes a Security Group |
| sa/securitygroups/{securityGroupId}/reapply | PUT | Reapplies a Security Group |
| events/actions/ | GET | Gets the list of all event wizard strategies and actions |
| events/actions/eventstrategies | GET | Gets the list of all event strategies, rules and actions |
| events/actions/eventwizard/{eventId} | GET | Gets the wizard data by event ID |
| events/actions/multievents | GET | Gets the list of all event wizard strategies and actions for a list of event IDs |
| events/actions/rules, events/actions/rules/apply | PUT | Handles event wizard actions |
| events/actions/suppress, events/actions/suppress/apply | PUT | Updates the configuration to suppress the event |
| events/actions/{eventid} | GET | Gets the list of all event wizard strategies and actions for the given event ID |
| events/actions/{eventid}/rules, events/actions/{eventid}/rules/ | PUT | Applies event wizard actions |
| alerts/ | DELETE | Deletes the alerts |
| alerts/ | GET | Gets the list of alerts |
| alerts/ | POST | Creates a new alert |
| alerts/ | PUT | Enables or disables the list of alerts |
| alerts/export | GET | Exports multiple alerts |
| alerts/import | POST | Imports an alert |
| alerts/notifications | GET | Gets the list of notifications |
| alerts/notifications | PUT | Acknowledges or unacknowledges a list of notifications |
| alerts/notifications/statistics | GET | Gets the total, acknowledged and not acknowledged notification statistics |
| alerts/notifications/{notificationid} | PUT | Updates the notification |
| alerts/statistics | GET | Gets the total, enabled and disabled alert statistics |
| alerts/{alert_id} | DELETE | Deletes the specified alert |
| alerts/{alert_id} | GET | Gets the specified alert |
| alerts/{alert_id} | PUT | Updates the specified alert |
| alerts/{alert_id}/copy | POST | Creates a copy of the specified alert |
| alerts/{alert_id}/details | GET | Gets the details of the specified alert |
| alerts/{alert_id}/export | GET | Exports a single alert |
| admin/metadata | GET | Gets the metadata for the given element type |
| admin/product_info | GET | Gets the product name, version and build date |
| admin/settings | GET | Gets the system and alert settings |
| admin/settings | PUT | Updates the system and alert settings |
| highcharts/currentdate | GET | Gets the current server date |
| highcharts/eventcounts, highcharts/prevention/eventcounts, highcharts/detection/eventcounts, highcharts/malwareprotection/eventcounts, highcharts/management/eventcounts, highcharts/profile/eventcounts, highcharts/filecatalog/eventcounts, highcharts/analysis/eventcounts, highcharts/audit/eventcounts, highcharts/ipsnetwork/eventcounts | GET | Gets the aggregated event counts for the given parameters |
| highcharts/oldesteventdate | GET | Gets the date of the oldest event |

| API function | HTTP method | Description |
|---|---|---|
| od/applications | GET | Gets the list of applications |
| od/assets | GET | Gets the list of assets for Operations Director |
| od/assets/{assetid} | DELETE | Deletes the specified asset |
| od/policies | GET | Gets the list of workspace policies for Operations Director |

3. REST APIs of Data Center Security Server

3.1. REST APIs of Data Center Security: Server

This section lists the REST APIs of Data Center Security: Server and explains how to execute them.

To execute the Data Center Security: Server REST APIs, use the following URL, replacing localhost with the appropriate Data Center Security management server IP address or hostname.

https://localhost:4443/sis-ui/api/v1/API_Function

| API function | HTTP method | Description |
|---|---|---|
| assets/sva/secgrps/refresh/CONNECTION RID | GET | New API that refreshes the selected NSX inventory with Data Center Security: Server |
| /nsx/list | GET | Gives details of the NSX and vCenter pairs registered with the server; supports a simple search on all displayed columns |

| API function | HTTP method | Description |
|---|---|---|
| home/sva/networkthreatsdetected | GET | Gets the network threats detected statistics |
| home/sva/threatcon | GET | Gets the ThreatCon statistics |
| home/sva/top10networkthreats | GET | Gets the top 10 network threat statistics |
| home/sva/top10virusthreats | GET | Gets the top 10 virus threat statistics |
| home/sva/virusesdetected | GET | Gets the viruses detected statistics |
| assets/sva/datacenter/ | GET | Gets the list of Security Virtual Appliance assets |
| assets/sva/datacenter/stampbox/criticalservices, assets/sva/datacenter/stampbox/antivirusdefsoutofdate | GET | Gets the list of Security Virtual Appliance assets |
| assets/sva/datacenter/statistics | GET | Gets the Data Protection SVAs status |
| assets/sva/datacenter/{svaid} | GET | Gets the specified SVA |
| assets/sva/datacenter/{svaid}/definitions | GET | Gets the LiveUpdate definitions for the specified SVA |
| assets/sva/datacenter/{svaid}/errors | GET | Gets the errors for the specified SVA |
| assets/sva/datacenter/{svaid}/events | GET | Gets the recent events for the SVA |
| assets/sva/datacenter/{svaid}/integritycheck | GET | Gets details of the integrity check failure of the specified SVA asset |
| assets/sva/secgrps/ | GET | Gets the Security Groups |
| assets/sva/secgrps/gvms | GET | Gets the list of GVMs |
| assets/sva/secgrps/gvms/statistics | GET | Gets the GVM IP address statistics |
| assets/sva/secgrps/lastvmwareinventoryrefreshtime | GET | Gets the last time the VMware inventory was synchronized |
| assets/sva/secgrps/refresh | GET | Refreshes the GVM inventory from NSX |
| assets/sva/secgrps/tree | GET | Gets the Security Groups tree |
| assets/sva/secgrps/{gvmid}/scans | GET | Gets the list of all scan commands for the GVM, including the running status |
| assets/sva/secgrps/{gvmid}/scans | POST | Scans a GVM |
| assets/sva/secgrps/{gvmid}/scans/{scanid}/cancel | GET | Cancels the scan command for a specific GVM |
| assets/sva/secgrps/{secgrpid} | GET | Gets the specified Security Group |
| assets/sva/secgrps/{secgrpid}/gvms | GET | Gets the GVMs by Security Group ID |
| assets/sva/secgrps/{secgrpid}/scan | POST | Scans a Security Group |
| manage/sva/ | DELETE | Deletes all of the specified SVA policies. This also unpublishes any policy that is published |
| manage/sva/ | GET | Gets the list of GNTP, AV and Config policies. Example query strings: for GNTP policies, use "?filter=elementtype::wrk.sva.nsec.pol"; for AV policies, use element type "wrk.sva.av.pol"; for Config policies, use "?filter=elementtype::wrk.sva.conf.pol" |
| manage/sva/ | POST | Creates an SVA policy |
| manage/sva/config/export | POST | Exports a WhiteList or BlackList CSV file |
| manage/sva/config/import | POST | Imports a WhiteList or BlackList CSV file in Zip format |
| manage/sva/export | GET | Exports multiple policies |
| manage/sva/import | POST | Imports a set of policies |
| manage/sva/published | GET | Gets the list of published GNTP, AV and Config policies. For example: for Config policies, use "?filter=elementtype::pub.sva.conf.pol"; for AV policies, use element type "pub.sva.av.pol"; for GNTP policies, use element type "pub.sva.nsec.pol"; for a single policy, filter on rid, as in "?filter=rid::532" |
| manage/sva/published/{policyid} | GET | Gets the specified published policy |
| manage/sva/published/{policyid}/policyref | GET | Gets the referenced policy for the specified published policy |
| manage/sva/statistics | GET | Gets the policy statistics |
| manage/sva/templates | GET | Gets the list of template policies. For example: for Config policies, use "?filter=elementtype::cmp.sva.conf.pol"; for AV policies, use element type "cmp.sva.av.pol"; for GNTP policies, use element type "cmp.sva.nsec.pol"; for a single policy, filter on rid, as in "?filter=rid::532" |
| manage/sva/{policyid} | DELETE | Deletes the specified SVA policy. This also unpublishes the policy if it is published |
| manage/sva/{policyid} | GET | Gets the specified policy |
| manage/sva/{policyid} | PUT | Updates an SVA policy |
| manage/sva/{policyid}/copy | POST | Copies an SVA policy |
| manage/sva/{policyid}/events | GET | Gets the recent events for an SVA policy |
| manage/sva/{policyid}/export | GET | Exports a policy |
| manage/sva/{policyid}/publish | PUT | Publishes an SVA policy |
| manage/sva/{policyid}/published | GET | Finds the list of published policies for the specified workspace policy |
| manage/sva/{policyid}/settings | GET | Gets the policy settings |
| manage/sva/{policyid}/unpublish | PUT | Unpublishes an SVA policy |
| commands/cancel scans | GET | Cancels all scans |
| commands/cancelscans/{scancmdid} | GET | Cancels the scan command |
| commands/diagnosticpackage/{svarid} | POST | Creates a new SVA diagnostic package command |
| commands/diagnosticpackages | GET | Gets the list of diagnostic package commands |
| commands/diagnosticpackages/statistics | GET | Gets the diagnostic package statistics |
| commands/downloaddiagnosticpackage/{commandrid} | GET | Gets the SVA diagnostic package content for the specified command rid |
| commands/gvms/{scancmdid} | GET | Gets the scan command details, including the status for each GVM on which the command is being executed |
| commands/liveupdate | POST | Runs LiveUpdate |
| commands/scanconfigurations/{scancmdid} | GET | Gets the scan configuration details |
| commands/scans | GET | Gets the list of scan commands |
| commands/scans/statistics | GET | Gets the scan statistics |
| commands/traceability | GET | Gets the list of script commands |
| commands/traceability/statistics | GET | Gets the scan statistics |
| commands/traceability/{svarid} | POST | Runs a script |
| events/ | GET | Gets all events based on the paging and filters provided |
| events/acknowledged/ | POST | Acknowledges an event |
| events/notacknowledged | POST | Marks an event as not acknowledged |
| events/deduplicatedevents | GET | Gets the tunable events |
| events/benignevents | GET | Gets the benign events |
| events/export, events/prevention/export, events/detection/export, events/malwareprotection/export, events/management/export, events/profile/export, events/filecatalog/export, events/analysis/export, events/audit/export, events/ipsnetwork/export | GET | Exports a list of events based on the URI, paging and filters provided, as a Zip file |
| events/history/securitygroups/{id} | GET | Gets the history of an object |
| events/history/{id} | GET | Gets the history of an object |
| events/prevention, events/detection, events/malwareprotection, events/management, events/profile, events/filecatalog, events/analysis, events/audit, events/ipsnetwork, events/realtime | GET | Gets a list of events based on the URI, paging, and filters provided |
| events/rescanquarantinefolder | POST | Re-scans the Quarantine folder |
| events/statistics, events/prevention/statistics, events/detection/statistics, events/malwareprotection/statistics, events/management/statistics, events/profile/statistics, events/filecatalog/statistics, events/analysis/statistics, events/audit/statistics, events/ipsnetwork/statistics, events/realtime/statistics | GET | Gets the event statistics |
| assets/ovas/delete_current | DELETE | Deletes the current SVA OVA file on the server |
| assets/ovas/details | GET | Gets the details of the available SVA OVA file |
| assets/ovas/upload | POST | Uploads the SVA OVA file to the server |
| nsx/certficate | GET | Gets the certificate details for NSX |
| nsx/details | GET | Gets the NSX registration details |
| nsx/register | POST | Registers with NSX |
| nsx/tag | PUT | Tags the VM |
| nsx/unregister | PUT | Unregisters from NSX |
| nsx/untagall | PUT | Removes all tags from a specified VM |
| nsx/updateregister | PUT | Updates the registration details for NSX |
| ippool/ | GET | Finds all IP Pools |
| ippool/ | POST | Creates an IP Pool |
| ippool/{rid} | DELETE | Deletes the IP Pool |
| ippool/{rid} | GET | Finds the IP Pool |
| ippool/{rid} | PUT | Updates the IP Pool |

API function

HTTP Method

Description

home/sva/networkthreatsdetected

GET

Gets the network threats detected statistics

home/sva/threatcon

GET

Gets the ThreatCon statistics

home/sva/top10networkthreats

GET

Gets the top 10 network threat statistics

home/sva/top10virusthreats

GET

Gets the top 10 virus threat statistics

home/sva/virusesdetected

GET

Get the viruses detected statistics

assets/sva/datacenter/

GET

Gets the list of Security Virtual Appliance Assets

assets/sva/datacenter/stampbox/​criticalservices

assets/sva/datacenter/stampbox/​ antivirusdefsoutofdate

GET

Gets the list of Security Virtual Appliance Assets

assets/sva/datacenter/statistics

GET

Gets the Data Protection SVAs Status

assets/sva/datacenter/{svaid}

GET

Gets the specified SVA

assets/sva/datacenter/{svaid}/definitions

GET

Gets the liveupdate definitions for the specified SVA

assets/sva/datacenter/{svaid}/errors

GET

Gets the errors for the specified SVA

assets/sva/datacenter/{svaid}/events

GET

Gets the recent events for the SVA

assets/sva/datacenter/{svaid}/​integritycheck

GET

Gets details of integrity check failure of the specified SVA Asset

assets/sva/secgrps/

GET

Gets the Security Groups

assets/sva/secgrps/gvms

GET

Gets the list of GVMs

assets/sva/secgrps/gvms/statistics

GET

Gets the GVM IP address Statistics

assets/sva/secgrps/​ lastvmwareinventoryrefreshtime

GET

Gets the last time VMware inventory was synchronized

assets/sva/secgrps/refresh

GET

Refreshes the GVM inventory from NSX

assets/sva/secgrps/tree

GET

Gets the Security Groups Tree

assets/sva/secgrps/{gvmid}/scans

GET

Gets the list of all scan commands for the GVM including the running status

assets/sva/secgrps/{gvmid}/scans

POST

Scans a GVM

assets/sva/secgrps/{gvmid}/scans/​{scanid}/cancel

GET

Cancels the scan command for a specific GVM

assets/sva/secgrps/{secgrpid}

GET

Gets the specified Security Group

assets/sva/secgrps/{secgrpid}/gvms

GET

Gets the GVM by Security Group Id

assets/sva/secgrps/{secgrpid}/scan

POST

Scans a Security Group

manage/sva/

DELETE

Deletes all of the specified SVA policies. This will also unpublish any policy if it is published

manage/sva/

GET

Gets the list of GNTP, AV and Config policies.

Example of query strings are as follows:

  • GNTP policies, use "?filter=elementtype::wrk.sva.nsec.pol"

  • AV policies, use element type "wrk.sva.av.pol".

      *
    Config policies, use "?filter=elementtype::wrk.sva.conf.pol"

manage/sva/

POST

Creates an SVA policy

manage/sva/config/export

POST

Exports WhiteList or BlackList CSV File

manage/sva/config/import

POST

Imports a WhiteList or BlackList CSV File in Zip format

manage/sva/export

GET

Exports multiple policies

manage/sva/import

POST

Imports a set of policies

manage/sva/published

GET

Gets the list of Published GNTP, AV and Config policies. For example:

  • Config policies, use "?filter=elementtype::pub.sva.conf.pol"

  • AV policies, use element type "pub.sva.av.pol".

      *
    GNTP policies, use element type "pub.sva.nsec.pol".
  • Single policy, filter on rid, as in "?filter=rid::532"

manage/sva/published/{policyid}

GET

Gets the specified published policy

manage/sva/published/{policyid}/​policyref

GET

Gets the refercenced policy for the specified published policy

manage/sva/statistics

GET

Gets the policy statistics

manage/sva/templates

GET

Gets the list of template policies. For example:

  • Config policies, use "?filter=elementtype::cmp.sva.conf.pol"

  • AV policies, use element type "cmp.sva.av.pol".

  • GNTP policies, use element type "cmp.sva.nsec.pol".

    *

Single policy, filter on rid, as in "?filter=rid::532"

manage/sva/{policyid}

DELETE

Deletes the specified SVA policy. This will also unpublish the policy if it is published.

manage/sva/{policyid}

GET

Gets the specified policy

manage/sva/{policyid}

PUT

Updates an SVA policy

manage/sva/{policyid}/copy

POST

Copies an SVA policy

manage/sva/{policyid}/events

GET

Gets the recent events for an SVA policy

manage/sva/{policyid}/export

GET

Exports a policy

manage/sva/{policyid}/publish

PUT

Publishes an SVA policy

manage/sva/{policyid}/published

GET

Finds the list of published policy for the specified workspace policy

manage/sva/{policyid}/settings

GET

Gets the policy settings

manage/sva/{policyid}/unpublish

PUT

Unpublishes an SVA policy

commands/cancel scans

GET

Cancels all scans

commands/cancelscans/{scancmdid}

GET

Cancels the scan command

commands/diagnosticpackage/{svarid}

POST

Creates a new SVA Diagnostic Package command

commands/diagnosticpackages

GET

Gets the list of diagnostic package commands

commands/diagnosticpackages/​​statistics

GET

Gets the diagnostic package statistics

commands/downloaddiagnosticpackage/​{commandrid}

GET

Gets SVA Diagnostic Package Content for specified command Rid

commands/gvms/{scancmdid}

GET

Gets the scan command details, including the status for each GVM on which the command is being executed

commands/liveupdate

POST

Runs the LiveUpdate

commands/scanconfigurations/​{scancmdid}

GET

Gets the scan configuration details

commands/scans

GET

Gets the list of scan commands

commands/scans/statistics

GET

Gets the scan statistics

commands/traceability

GET

Gets the list of script commands

commands/traceability/statistics

GET

Gets the scan statistics

commands/traceability/{svarid}

POST

Runs a script

events/

GET

Gets all events based on the paging and filters provided

events/acknowledged/

POST

Acknowledges an event

events/notacknowledged

POST

Marks an event as not acknowledged

events/deduplicatedevents

GET

Gets the tunable events

events/benignevents

GET

Gets the benign events

events/export

events/prevention/export

events/detection/export

events/malwareprotection/export

events/management/export

events/profile/export

events/filecatalog/export

events/analysis/export

events/audit/export

events/ipsnetwork/export

GET

Exports a list of events, based on the URI, paging, and filters provided, as a zip file

events/history/securitygroups/{id}

GET

Gets the history on an object

events/history/{id}

GET

Gets the history on an object

events/prevention

events/detection

events/malwareprotection

events/management

events/profile

events/filecatalog

events/analysis

events/audit

events/ipsnetwork

events/realtime

GET

Gets a list of events based on the URI, paging, and filters provided

events/rescanquarantinefolder

POST

Rescans the quarantine folder

events/statistics

events/prevention/statistics

events/detection/statistics

events/malwareprotection/statistics

events/management/statistics

events/profile/statistics

events/filecatalog/statistics

events/analysis/statistics

events/audit/statistics

events/ipsnetwork/statistics

events/realtime/statistics

GET

Gets the event statistics

assets/ovas/delete_current

DELETE

Deletes the current SVA OVA file on the server

assets/ovas/details

GET

Gets the details of the available SVA OVA file

assets/ovas/upload

POST

Uploads the SVA OVA file to the server

nsx/certficate

GET

Gets the certificate details for NSX

nsx/details

GET

Gets the NSX registration details

nsx/register

POST

Registers with NSX

nsx/tag

PUT

Tags the VM

nsx/unregister

PUT

Unregisters the NSX

nsx/untagall

PUT

Removes all tags from a specified VM

nsx/updateregister

PUT

Updates the registration details for NSX

ippool/

GET

Finds all IP pools

ippool/

POST

Creates an IP Pool

ippool/{rid}

DELETE

Deletes the IP Pool

ippool/{rid}

GET

Finds the IP pool

ippool/{rid}

PUT

Updates the IP Pool

vsm/assets/overview

GET

Gets the assets overview details

vsm/assets/tree

GET

Gets the vCenter tree data list

vsm/certificates

GET

Gets the certificate details for vCenter/VSM

vsm/history/{id}/{moid}

GET

Gets the history of datacenter or cluster

vsm/registrations

GET

Gets the vShield Manager registration list

vsm/unregister/{regRid}

DELETE

Unregisters the VSM

assets/sva/vsm/cluster/map/{clusterid}

GET

Gets the Cluster HeatMap details

assets/sva/vsm/cluster/{clusterid}

GET

Gets the host list for the selected cluster

assets/sva/vsm/cluster/{clusterid}/apply

PUT

Applies or unapplies the policy for the selected cluster

assets/sva/vsm/cluster/{clusterid}/statistics

GET

Gets the Cluster StampBox details

assets/sva/vsm/datacenter/map/{datacenterid}

GET

Gets the Datacenter HeatMap details

assets/sva/vsm/datacenter/{datacenterid}

GET

Gets the cluster and host list for the selected datacenter

assets/sva/vsm/datacenter/{datacenterid}/statistics

GET

Gets the Cluster and Hosts StampBox details

assets/sva/vsm/esx/{hostid}

GET

Gets the VM list for the selected host

assets/sva/vsm/esx/{hostid}/statistics

GET

Gets the GVM StampBox details

assets/sva/vsm/host/{hostid}/apply

PUT

Applies or unapplies the policy for the selected ESXi host

assets/sva/vsm/vcenter/map/{vcenterid}

GET

Gets the vCenter HeatMap details

assets/sva/vsm/vcenter/{vcenterid}

GET

Gets the datacenter list for the selected vCenter

assets/sva/vsm/vcenter/{vcenterid}/refresh

GET

Refreshes the vShield inventory

assets/sva/vsm/vcenter/{vcenterid}/statistics

GET

Gets Datacenter StampBox details

vsm/deploy/

DELETE

Undeploys SVA from ESXi Hosts

vsm/deploy/

POST

Deploys the latest imported SVA to ESXi Hosts

vsm/deploy/clusters

DELETE

Undeploys SVA from the selected clusters

vsm/deploy/clusters

POST

Deploys SVA to selected Clusters

vsm/deploy/clusters/disableautodeploy

DELETE

Disables Auto Deployment for clusters

vsm/deploy/clusters/enableautodeploy

POST

Enables SVA auto deploy on Clusters

vsm/deploy/inventory

GET

Gets the inventory of the selected Clusters and ESX hosts

vsm/deploy/status

GET

Gets the deployment status of all SVAs

4. REST APIs of Operations Director

4.1. REST APIs of Operations Director

This section provides the list of REST APIs of Operations Director and explains how to execute them.

To execute the Operations Director REST APIs, enter the following URL and change IP_Address to the appropriate Operations Director IP address or hostname.

https://IP_Address:8443/soservices/rest/API_Function

API function

HTTP Method

Description

assets/external-system-assets

POST

Imports the asset details into Operations Director from the registered vCenter.

assets/asset-details

GET

Retrieves the assets information from Operations Director.

tags/published

GET

Retrieves the published tags that are available in Operations Director.

tags/published?search=namecontainstest

GET

Retrieves the published tags that are available in Operations Director based on the search criteria.

appdefinitions

GET

Retrieves the application definitions available in Operations Director.

securityprofile

POST

Creates a security profile for an asset using the tags and application template. The security profile uses the policies that are mapped to the tags.

The security profile is created in the pending-approval state.

For more information on the REST APIs available in Operations Director v6.6 MP1, see the Rest APIs of Operations Director guide.

API function

HTTP Method

Description

eventmanagement/2.0/events

POST

Sends an external event to Operations Director

1.0/register/<plug-in identifier>

POST

Registers the plug-in for the security product with Operations Director.

2.0/pluginintegration/plugin

POST

Adds the new plug-in and its configuration

provisioning/1.0/register/<plug-in identifier>

POST

Registers the plug-in for the security product with Operations Director

2.0/pluginintegration/plugin

PUT

Updates the security plug-in

Note

You can use this API when the plug-in is configured with Operations Director. However, after you register the plug-in with Operations Director, this API is no longer supported.

2.0/pluginintegration/plugin/<plug-in identifier>

DELETE

Deletes the security plug-in

Note

You can use this API when the plug-in is configured with Operations Director. However, after you register the plug-in with Operations Director, this API is no longer supported.

5. Incident response use cases

5.1. Using curl for the REST APIs

This section provides information about using curl to drive the Symantec Data Center Security REST APIs. Some curl calls are made from sh scripts and some are made from PHP.

5.1.1. Auth

The following fragment uses curl to get an authentication token. The first two lines make the request and the rest of the script processes the output. UMCPORT is typically 8443. MANAGER, USER, and PASS are the other required parameters.

The single line of JSON that is returned is broken into multiple lines by translating '{' into a new line. If the text "accessToken" is in the output, authentication is assumed to have succeeded and the token is extracted for use by other commands.

# build the JSON login body and request a token from the UMC auth endpoint
echo '{ "username":"'$USER'" ,"password":"'$PASS'" }' > "$TEMP/authtemp_$$"
curl --connect-timeout 20 -o "$TEMP/authout_$$" -s -k --data @"$TEMP/authtemp_$$" \
   -H "Content-type: application/json" \
   "https://$MANAGER:$UMCPORT/umcservices/rest/v1.0/auth/token"
# quick hack to get data from json...
tr '{' "\012" < "$TEMP/authout_$$" > "$TEMP/authout_$$.txt"
if grep accessToken < "$TEMP/authout_$$.txt" >/dev/null ; then
  # keep everything between the quotes that follow accessToken":
  grep accessToken < "$TEMP/authout_$$.txt" | \
  sed -e "s/.*accessToken\":\"\([^\"][^\"]*\)\"..*/\1/" > "$TEMP/auth.token"
  if [ "$AUTHFILE" = "" ]; then
    cat "$TEMP/auth.token"
  else
    cat "$TEMP/auth.token" >"$AUTHFILE"
  fi
else
  echo Failed to authenticate
  cat "$TEMP/authout_$$"
  rm -rf "$TEMP"
  exit 1
fi
rm -rf "$TEMP"
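
The two fragile steps in the fragment above are building the login body and pulling the token back out. The following helpers, which are an added example and not part of the auth.sh script shown here, do both: auth_body escapes quotes and backslashes in USER and PASS so the body is always valid JSON, and extract_token reads the accessToken straight from the single-line response and returns non-zero when the field is absent, so a caller can stop instead of continuing with an empty token. The function names and the response bodies quoted in the comments are constructed for this example; only the "accessToken" field name and the auth/token URL come from the script above.

```sh
#!/bin/sh
# Added example: helpers for the UMC auth step (not from the original auth.sh).

# Escape backslashes and double quotes so a value is safe inside a JSON
# string; a plain echo of $PASS would emit broken JSON for such values.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# auth_body USER PASS -> the login body sent to .../auth/token
auth_body() {
    printf '{"username":"%s","password":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# extract_token RESPONSE_BODY
# Prints the accessToken on stdout and returns 0. Prints nothing and
# returns 1 when the body carries no accessToken, for example a constructed
# error body such as {"error":"invalid credentials"}.
extract_token() {
    _tok=$(printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$_tok" ] || return 1
    printf '%s\n' "$_tok"
}

# Typical use against a manager (needs network access, so not run here):
#   body=$(auth_body "$USER" "$PASS")
#   resp=$(curl --connect-timeout 20 -s -k --data "$body" \
#            -H "Content-type: application/json" \
#            "https://$MANAGER:$UMCPORT/umcservices/rest/v1.0/auth/token")
#   TOKEN=$(extract_token "$resp") || { echo "Failed to authenticate" >&2; exit 1; }
```

The sed pattern accepts any character except a double quote inside the token, so it does not depend on the token being lowercase hex; the `|| exit 1` after extract_token is what keeps a failed login from turning into a string of unauthenticated requests later in a script.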

5.1.2. GET requests

This code fragment makes a GET request. The console port is typically 4443.

if [ "$TOKEN" = "" ]; then
  # assume auth not required.
  curl --connect-timeout 20 -o "$TEMP/consoleout_$$" -s -k \
    -H "Content-type: application/json" \
    "https://$MANAGER:$CONSOLEPORT/sis-ui/api$REQ"
else
  # assume auth is required
  curl --connect-timeout 20 -o "$TEMP/consoleout_$$" -s -k \
    -H "Content-type: application/json" \
    -H "Authorization: bearer $TOKEN" \
    "https://$MANAGER:$CONSOLEPORT/sis-ui/api$REQ"
fi
RET="$?"
if [ "$RET" = "0" ]; then
  cat "$TEMP/consoleout_$$"
else
  exit $RET
fi

Using the above code, setting REQ to / will retrieve the REST API documentation.

TOKEN should be set to the string returned by the auth.sh script when you need to make authenticated requests.

To get a list of policies in the workspace folder you can use a command sequence such as:

./sh/getreq.sh -a auth.token #MANAGERIP# /v1/workspace/folder/ips
./sh/getreq.sh -a auth.token #MANAGERIP# /v1/workspace/folder/ips/2/children   # where 2 is the rid of the base folder specified in the previous output

Once you have a policyid (rid), you can retrieve the values of options and parameters. In the following example, the policyid for the policy being modified is 3114.

sh/getreq.sh -t #authtoken# #MANAGERIP# /v1/workspace/policy/ips/3114/parameter?paramname=global_logonly
            {"name":"global_logonly","state":"on"}

5.1.3. PUT requests

The following code fragment makes PUT requests using curl.

curl -o "$TEMP/consoleout" -s -k \
 -X $METHOD \
 --data @"$TEMP/data" \
 -H "Content-type: application/json" \
 -H "Authorization: bearer $TOKEN" \
 "https://$MANAGER:$CONSOLEPORT/sis-ui/api$REQ"

RET="$?"
if [ "$RET" = "0" ]; then
  cat "$TEMP/consoleout"
fi

rm -rf "$TEMP"
exit $RET

In the following example, the value of global_logonly is set to "on" ("1" or "on"). Note that the value of the option is specified by the "action" field. For updating parameter lists, action can be ADD or DELETE.

sh/putreq.sh -t #authtoken#  #MANAGERIP# '/v1/workspace/policy/ips/#polid#/settings' '[{"name":"global_logonly","action":"1"}]'

To set it off:

sh/putreq.sh -t #authtoken#  #MANAGERIP# '/v1/workspace/policy/ips/#polid#/settings' '[{"name":"global_logonly","action":"0"}]'

Once you have modified a policy, you can then reapply the policy:

sh/putreq.sh -t #authtoken# #MANAGERIP# '/v1/workspace/policy/ips/#polid#/reapply'
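
The GET and PUT fragments above differ only in the method, the optional body and whether the bearer header is present. The following script, an added example rather than one of the page's getreq.sh/putreq.sh scripts, folds them into one function and adds a builder for the settings body that rejects anything other than the action values the examples use, so a mistyped action never reaches the policy. Setting DRY_RUN=1 prints the curl argument list instead of calling curl, which is how the functions can be checked without a manager. The function names, the DRY_RUN switch and the default MANAGER hostname are assumptions of this example; MANAGER, CONSOLEPORT, TOKEN and the /sis-ui/api paths are the page's own.

```sh
#!/bin/sh
# Added example: one request wrapper for the console API plus a validated
# settings-body builder (not the page's own scripts).

: "${MANAGER:=manager.example.invalid}"   # placeholder, set to the real manager
: "${CONSOLEPORT:=4443}"                  # console port, typically 4443
: "${TOKEN:=}"                            # token from the auth step, if any

# dcs_request METHOD REQ [JSON_BODY]
#   e.g. dcs_request GET /v1/workspace/folder/ips
#        dcs_request PUT /v1/workspace/policy/ips/3114/reapply
# The Authorization header is added only when TOKEN is set, as in getreq.sh.
dcs_request() {
    _method=$1; _req=$2; _body=${3:-}
    set -- --connect-timeout 20 -s -k -X "$_method" \
           -H "Content-type: application/json"
    if [ -n "$TOKEN" ]; then
        set -- "$@" -H "Authorization: bearer $TOKEN"
    fi
    if [ -n "$_body" ]; then
        set -- "$@" --data "$_body"
    fi
    set -- "$@" "https://$MANAGER:$CONSOLEPORT/sis-ui/api$_req"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"      # one curl argument per line, for inspection
    else
        curl "$@"
    fi
}

# settings_body NAME ACTION -> '[{"name":"NAME","action":"ACTION"}]'
# ACTION is "1"/"0" to turn an option on/off, or ADD/DELETE for parameter
# lists (the values used in the PUT examples); anything else is rejected.
settings_body() {
    case $2 in
        0|1|ADD|DELETE) ;;
        *) printf 'settings_body: unsupported action "%s"\n' "$2" >&2; return 1 ;;
    esac
    printf '[{"name":"%s","action":"%s"}]' "$1" "$2"
}

# set_option_and_reapply POLID NAME ACTION
# The update-then-reapply sequence from the text: change the setting, then
# reapply the policy so the change takes effect.
set_option_and_reapply() {
    _b=$(settings_body "$2" "$3") || return 1
    dcs_request PUT "/v1/workspace/policy/ips/$1/settings" "$_b" &&
    dcs_request PUT "/v1/workspace/policy/ips/$1/reapply"
}
```

Run with `DRY_RUN=1 TOKEN=... sh thisfile.sh` and a call such as `set_option_and_reapply 3114 global_logonly 0` appended to see exactly which arguments curl would receive, including the bearer header, before pointing it at a real manager.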

5.1.4. Helper scripts

The following is a simple helper script that breaks up the single line of JSON so you can more easily find the policyid (rid) you need.

# the ^M below is entered as ctrl V ctrl M and puts a CR after each '}'
# then tr converts the CR to LF.
sh/getreq.sh -t "$TOKEN"  "$MANAGER" /v1/workspace/policy/prevention  | \
sed -e "s/}/}^M/g" | tr "\015" "\012"

To find the policy id of a policy called "foo" you can use:

sh/listpolicy.sh -t #authtoken# #MANAGERIP# | grep foo
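
Splitting the list one object per line and then running grep on a name works until two policies share a prefix: grep foo also matches "foobar". The following functions, an added example and not the page's listpolicy.sh, do the same split with awk instead of the ^M/tr trick and match the "name" field exactly before extracting the rid. The sample policy list is constructed for this example and its field layout ("rid", "name", "published") is an assumption; only "rid" and "name" are terms the text above uses.

```sh
#!/bin/sh
# Added example: split a single-line JSON policy list and look up a policy's
# rid by exact name (not from the page's helper scripts).

# Constructed sample of what GET /v1/workspace/policy/prevention might return,
# as one line. The field layout is an assumption made for this example.
SAMPLE_POLICIES='[{"rid":3114,"name":"foo","published":true},{"rid":3115,"name":"foobar","published":false},{"rid":3116,"name":"bar","published":true}]'

# stdin: single-line JSON list; stdout: one object per line. A newline is
# inserted after every '}', then lines holding only brackets/commas are dropped.
split_json_objects() {
    awk '{ gsub(/}/, "}\n"); print }' | sed '/^[][,[:space:]]*$/d'
}

# find_policy_rid NAME   (stdin: the JSON list)
# Prints the rid of the policy whose "name" is exactly NAME; prints nothing
# and returns 1 when no such policy exists. grep -F keeps regex characters
# in NAME from being interpreted, and the surrounding quotes make the match
# exact, so "foo" does not pick up "foobar".
find_policy_rid() {
    _rid=$(split_json_objects |
           grep -F "\"name\":\"$1\"" |
           sed -n 's/.*"rid":"\{0,1\}\([0-9][0-9]*\).*/\1/p')
    [ -n "$_rid" ] || return 1
    printf '%s\n' "$_rid"
}

# Use with a live manager (not run here):
#   sh/getreq.sh -t "$TOKEN" "$MANAGER" /v1/workspace/policy/prevention | find_policy_rid foo
```

The split is still a text hack: a policy name containing '}' would break it, which is the point at which a real JSON parser (jq, or a Python or PHP script) is the better tool.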