Hi everyone,
I want to grab the dynamic neighbor cache of the Sophos XG via the API for a script, but it's not quite clear to me how it is done. There is an entry in the Sophos API Help for "Get Dynamic Neighbour Entries", but it does not seem to be complete. It is lacking a sample configuration, so I am not sure about the syntax. The only attribute seems to be "IPFamily"... So I tried the following query:
"https://FIREWALL:4444/webconsole/APIController?reqxml=<Request><Login><UserName>USER</UserName><Password>PASS</Password></Login><Get><GetDynamicNeighbourEntries><IPFamily>IPv4</IPFamily></GetDynamicNeighbourEntries></Get></Request>"
My logfile says...
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1800.2" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<GetDynamicNeighbourEntries>
<Status code="529">Input request module is Invalid</Status>
</GetDynamicNeighbourEntries>
</Response>
Any ideas? If this does not work, I guess I will have to ssh into the advanced shell via inputs and send an "arp" command, which is rather slow...
Cheers
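As an added example (not code from the original post or from Sophos), here is a small Python helper that builds the same reqxml document as the query above, sends it in a POST body rather than the URL so the admin password stays out of access logs, and parses the response so a script can tell "Authentication Successful" apart from a per-module error such as the code 529 seen above. It assumes the APIController endpoint accepts reqxml as a form field as well as a query parameter; the host name and sample response are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request

API_PATH = "/webconsole/APIController"  # same endpoint as the query in the post


def build_request(user, password, module, ipfamily="IPv4"):
    """Build the <Request> document for a Get call on one API module."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "UserName").text = user
    ET.SubElement(login, "Password").text = password
    mod = ET.SubElement(ET.SubElement(req, "Get"), module)
    ET.SubElement(mod, "IPFamily").text = ipfamily
    return ET.tostring(req, encoding="unicode")


def build_post(base_url, request_xml):
    """Put reqxml in the POST body instead of the URL, so the admin password
    does not end up in proxy or web-server access logs (assumption: the API
    accepts the form field as well as the query parameter)."""
    body = urlencode({"reqxml": request_xml}).encode()
    return Request(base_url + API_PATH, data=body, method="POST")


def parse_response(xml_data):
    """Return (login status text, {module: (status code, message)}).
    A <Status> element under a Get module means no entries came back."""
    root = ET.fromstring(xml_data)
    login_status = root.findtext("Login/status")
    statuses = {}
    for module in root:
        if module.tag == "Login":
            continue
        status = module.find("Status")
        if status is not None:
            code = int(status.get("code", "0"))
            statuses[module.tag] = (code, (status.text or "").strip())
    return login_status, statuses


# Constructed sample: the response quoted in the post above.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1800.2" IPS_CAT_VER="1">
<Login><status>Authentication Successful</status></Login>
<GetDynamicNeighbourEntries>
<Status code="529">Input request module is Invalid</Status>
</GetDynamicNeighbourEntries>
</Response>"""
```

Running `parse_response` on a real reply lets the script stop early on a non-empty status dict instead of treating an error document as an empty neighbour table.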
As far as I know, this is currently not possible via XML API.
The cache is not filled with the proper information to curl this from the XML API.
But you can do this via Central, if you are a Central customer.
The data lake stores this kind of information and you can cross relate this to information coming from the endpoint to discover unwanted clients in the network etc.
See: https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/
__________________________________________________________________________________________________________________
Hi Lucar,
thanks, I see. I connected an XG Cluster with Sophos Central, turned on reporting and signed up for the data lake EAPs.
I can request log data in the data lake, but it seems that queries "Network: ARP cache" do not return any data. The xdr_data table seems to be empty and I assume that it is the table for endpoint data. I do not have any endpoints installed. Is there a document for the database schema of the xgfw_data table available or is it only the logs as of now? It seems the data lake for XG is still work in progress.
Cheers
Your assumption is correct, xdr_data is related to endpoint data. All firewall data is stored in the xgfw_data table, see: https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/b/announcements/posts/xg-firewall-data .
You can most likely use the data logged by the firewall rule logging to generate something that comes pretty close to the ARP table. The query below should be a good starting point:
SELECT DISTINCT src_ip, src_mac, in_interface FROM xgfw_data WHERE log_component = 'Firewall Rule' AND timestamp > timestamp '2021-03-23 14:00:00.000'