Replace the parameter values in the following script as instructed and then run the
script in Powershell Core 7.1.0 or later.
For more information about the parameters, see Get Security Logs.
# PowerShell 7.1.0
# Authentication token you created for the Log Retrieval API type on the management console.
$apiToken = "<authentication token>"
# serviceURL based on your Cloud App Security serving site, for example, api.tmcas.trendmicro.com
$baseUrl = 'https://<serviceURL>/v1/siem/security_events'
# Name of the service whose logs you want to retrieve, for example, exchange
$services = @('<service name>')
$requestOptions = @{
# Number of log items to display at a time, for example, 10. Maximum: 500
limit = <number of log items to display>
# Response log format which is cef (in CEF format) or null (in JSON format)
format = 'cef'
}
# Path to the export log file, for example, D:\securityrisk_logs.txt
$Path = "<file path>"
# Query interval in seconds, for example, 300. Default: 300
$queryIntervals = <query interval>
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Bearer " + $apiToken)
$optionalQuery = ""
foreach ($key in $requestOptions.keys) {
if ($null -ne $key) {
$optionalQuery = $optionalQuery + '&' + $key + "=" + $requestOptions[$key]
}
}
function getSecurityLogs($start, $end) {
$startTime = Get-Date $start -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
$endTime = Get-Date $end -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
Write-Output "start time: $startTime"
Write-Output "end time: $endTime"
foreach ( $service in $services ) {
"service: [$service]"
$response = ""
do {
$queryUrl = $response.next_link
if ($null -eq $queryUrl) {
$queryUrl = $baseUrl + '?service=' + $service + '&event=securityrisk' + $optionalQuery + '&start=' + $startTime + '&end=' + $endTime
}
else {
Write-Output "Get from next link $queryUrl"
}
$response = Invoke-RestMethod $queryUrl -Method 'GET' -Headers $headers -Body $body
$jsonBody = $response | ConvertTo-Json
Write-Output "$jsonBody"
if ($response.code) {
Write-Error "Found errors for url=$queryUrl, error=$response['msg']"
}
elseif ($response.security_events.count -gt 0) {
Write-Output "start to write logs to file..."
foreach ( $event in $response.security_events ) {
$event | Add-Content -Path $Path
}
}
} while (($response -ne "") -and ($response.next_link -ne ""))
}
}
# Entry for the whole script
$start = Get-Date ((Get-Date).ToUniversalTime().AddSeconds(-$queryIntervals))
while ($true) {
Write-Output "Start to query logs..."
$end = (Get-Date).ToUniversalTime()
try {
getSecurityLogs -start $start -end $end
$start = $end
}
catch {
Write-Error "An error occurred that could not be resolved."
Write-Host $_
Write-Output "retry query logs in next cycle..."
}
## Wait a few seconds
Start-Sleep -Seconds $queryIntervals
}