IBM QRadar SOAR


Authenticate to SessionREST with API key_id and secret

  • 1.  Authenticate to SessionREST with API key_id and secret

    Posted Thu February 27, 2020 12:05 PM
    Hello,

    Is there a way to authenticate against the /rest/session API endpoint with the key_id and secret?
    We use the latest Resilient version 35.2.32.

    ------------------------------
    Kind Regards,
    Gert Huisman
    ------------------------------


  • 2.  RE: Authenticate to SessionREST with API key_id and secret

    Posted Thu March 12, 2020 10:41 AM
    I do it using the fn-utilities CALL REST API workflow:

    For example: get the ID of an artifact type.
    The REST body is hard-coded to:
    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "type",
              "value": 1
            }
          ]
        }
      ],
      "sorts": [],
      "start": 0,
      "length": 10,
      "recordsTotal": 0
    }


    The preprocess script is:
    # REST function we are looking at:
    # get /orgs/{org_id}/artifact_types/{type_id}

    # Method:
    inputs.rest_method = "GET"

    # URL:
    # This should be adapted to your >>Resilient Domain Name<< from your integration server, and your >>ORG<<
    # inputs.rest_url = u"https://{myresilientdomainname}/rest/orgs/{org_id}/artifact_types/{type_id}"
    inputs.rest_url = u"https://resilient.localdomain/rest/orgs/201/artifact_types/{}".format(artifact.type)

    # Create Credential to access Resilient Server from Integration Server
    # use a Specific API credential that is visible and create the encode version using this command in SSH: echo -n "api_key_id:api_key_secret" | base64
    api_encoded_credentials = "ZjJlNGUyYTMtMTlhMS00ZTkwLWI2M2ItZmJjODA3OWY3NjllOk1ON2gxSjZUUFNyTGlra29IV2FoWVI5NTlUYV8weVhkc01ILVZZZFNraG8="

    # BODY, See input

    # HTTP headers can be specified as a multi-line string
    inputs.rest_headers = """
    Content-Type: application/json
    Authorization: Basic {}
    """.format(api_encoded_credentials)

    # The 'rest_verify' parameter (Boolean) indicates whether to verify SSL certificates.
    # This should be True unless you need to connect to a self-signed or other invalid cert.
    inputs.rest_verify = False


    You can see inside how I create the API code credentials:
    # Create Credential to access Resilient Server from Integration Server
    # use a Specific API credential that is visible and create the encode version using this command in SSH: echo -n "api_key_id:api_key_secret" | base64
    api_encoded_credentials = "ZjJlNGUyYTMtMTlhMS00ZTkwLWI2M2ItZmJjODA3OWY3NjllOk1ON2gxSjZUUFNyTGlra29IV2FoWVI5NTlUYV8weVhkc01ILVZZZFNraG8="

    And pass them during the call in the header:
    # HTTP headers can be specified as a multi-line string
    inputs.rest_headers = """
    Content-Type: application/json
    Authorization: Basic {}
    """.format(api_encoded_credentials)

    In this case, for testing, the result in the postprocess is just:
    # uncomment below for debug
    # incident.addNote("Workflow Call: Resilient Rest API to get Artifact type ID \n Status Code: {} \n {}".format(results.status_code, results.json.id))
    # incident.addNote("Workflow Call: Resilient Rest API to get Artifact type ID \n Status Code: {} \n {}\n {}".format(results.status_code, results.json.id, results.json.properties))

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
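
The reply above sends the API key as an HTTP Basic `Authorization` header built from a base64 string pasted into the script. As an added example (not part of the original post or of fn-utilities), this Python sketch builds the same header from a key id and secret supplied at run time, shows that the base64 form decodes straight back to the secret, and refuses to attach the credential to a non-HTTPS URL. The environment variable names and the sample credential values are assumptions constructed for illustration.

```python
import base64
import os
import urllib.request


def basic_auth_value(key_id, key_secret):
    """Return the Authorization header value for HTTP Basic (RFC 7617)."""
    if ":" in key_id:
        raise ValueError("key id must not contain ':'")
    raw = "{}:{}".format(key_id, key_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(value):
    """Reverse the encoding: base64 is not encryption, so the header is the secret."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    key_id, _, key_secret = base64.b64decode(token).decode("utf-8").partition(":")
    return key_id, key_secret


def redact(value):
    """Form that is safe for incident notes and logs: keep the scheme, drop the token."""
    return value.split(" ", 1)[0] + " <redacted>"


def build_request(base_url, org_id, type_id, key_id, key_secret):
    """Prepare (not send) GET /rest/orgs/{org_id}/artifact_types/{type_id}."""
    url = "{}/rest/orgs/{}/artifact_types/{}".format(base_url.rstrip("/"), org_id, type_id)
    if not url.startswith("https://"):
        raise ValueError("refusing to send Basic credentials over plain HTTP")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_value(key_id, key_secret))
    return req


if __name__ == "__main__":
    # Hypothetical variable names; the fallback values are constructed samples, not real keys.
    key_id = os.environ.get("RESILIENT_API_KEY_ID", "00000000-0000-0000-0000-000000000000")
    key_secret = os.environ.get("RESILIENT_API_KEY_SECRET", "constructed-sample-secret")
    req = build_request("https://resilient.localdomain", 201, 1, key_id, key_secret)
    print(req.get_method(), req.full_url)
    print("Authorization:", redact(req.get_header("Authorization")))
    # urllib.request.urlopen(req) would verify the server certificate by default.
```

Because the encoded string is reversible, any script, note or export that contains it should be handled like the API key secret itself.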