IBM QRadar SOAR

  • 1.  Call REST API

    Posted Fri April 12, 2019 12:43 PM
    I designed a workflow which sends the creation of a request through the REST API to a third-party system.
    Within the action I generate 4 fields, and one of them has an "accent" which is giving me problems at the time of sending.

    The problem is with the "Categoria" field in the action; in the script it is "Clasificacion".

    Inside my pre-script:

    Categoria1 = str('"Seguridad"')
    Titulo = str('"'+rule.properties.titulo+'"')
    
    description1 = rule.properties.descripcion['content']
    description2 = description1.replace('"', '\'')
    desc = repr(description2)
    description6 = desc.replace('u', '', 1)
    description7 = str('"'+description6+'"')
    
    GrupoAsignado = str('"'+rule.properties.gruposm+'"')
    Clasificacion = rule.properties.categoria
    
    # Script for dates
    text = workflow.properties.fecha_salida.stdout
    text2 = text.replace("\n", "")
    FechaRequerida = str('"'+text2+'"')
    
    # Task data
    RESIncidentID = str(incident.id)
    RESTaskID = str(task.id)
    algo = repr(task.name)
    RESTaskName = algo.replace('u', '', 1)
    RESTaskName1 = RESTaskName.replace('\'', '')
    RESTaskName2 = str('"'+RESTaskName1+'"')
    
    
    inputs.rest_body = """
    {
      "ResilientQ": {
        "Categoria": "Seguridad",
        "Subcategoria": """+Clasificacion+""",
        "GrupoAsignado": """+GrupoAsignado+""",
        "SolicitadoPara": "falcon",
        "FechaRequerida": """+FechaRequerida+""",
        "SolicitadoPor": "falcon",
        "Descripcion": ["""+description7+"""],
        "Titulo": """+Titulo+""",
        "GrupoRegistradoPor": "ACCESO-PERIMETRAL-LAM",
        "Fase": "Registro",
        "RESTaskID": """+RESTaskID+""",
        "RESIncidentID": """+RESIncidentID+""",
        "RESTaskName": """+RESTaskName2+"""
        
      }
    }
    """


    When executing the action I am asked to complete the fields and one of them, the one that frames, has that "accent" that I understand is the cause of the failure, because if I choose another option without an "accent" it works perfectly.

    The error that can be seen in the logs:
    "UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3' in position 122: ordinal not in range(128)"

    Any suggestions?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------


  • 2.  RE: Call REST API

    Posted Mon April 15, 2019 01:25 PM
    Hi Juan,

    Is it possible to make this call using IDs instead of the string value?

    ------------------------------
    Brian Walsh
    ------------------------------



  • 3.  RE: Call REST API

    Posted Mon April 15, 2019 03:10 PM
    Brian, the destination waits for a string value.

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 4.  RE: Call REST API

    Posted Mon April 22, 2019 09:30 AM
    Any suggestions?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 5.  RE: Call REST API

    Posted Mon April 22, 2019 11:23 AM
    Hi Juan,

    You can try putting a lower case u character right before the double quote of what you are setting inputs.rest_body to.
    i.e.:
    inputs.rest_body = u"""..."""

    This should tell it to handle the string as Unicode instead of ASCII.

    ------------------------------
    Brian Walsh
    ------------------------------



  • 6.  RE: Call REST API

    Posted Mon April 22, 2019 01:07 PM
    Same error:

    2019-04-22 13:43:49,328 ERROR [actions_component] <task[functionworker] (<function _call_the_task at 0x7fcfc7f18c08>, <utilities_call_rest_api[functions.utilities_call_rest_api] (id=7, workflow=abrirpricion, user=resapi@xelere.com) 2019-04-22 16:43:48.884000> rest_body={u'content': u'\r\n{\r\n "ResilientQ": {\r\n "Categoria": "Seguridad",\r\n "Subcategoria": "S.O/Plataformas -- Cloud -- Consulta/Capacitaci\xf3n",\r\n "GrupoAsignado": "SEGURIDAD-ANTIVIRUS",\r\n "SolicitadoPara": "falcon",\r\n "FechaRequerida": "2019-04-25T03:00:00",\r\n "SolicitadoPor": "falcon",\r\n "Descripcion": ["\'zxczx\'"],\r\n "Titulo": "zxcc",\r\n "GrupoRegistradoPor": "ACCESO-PERIMETRAL-LAM",\r\n "Fase": "Registro",\r\n "RESTaskID": 2679556,\r\n "RESIncidentID": 6732,\r\n "RESTaskName": "Interview key individuals"\r\n \r\n }\r\n}\r\n', u'format': u'text'}, rest_verify=False, rest_url=u'http://10.4.0.14:25001/SM/9/rest/ResilientQ/', rest_method={u'name': u'POST', u'id': 508}, rest_headers={u'content': u'\r\nContent-Type: application/json\r\nX-Frooble: Baz\r\nAuthorization: Basic ZmFsY29uOlBhc3N3MHJk\r\n', u'format': u'text'})> (<class 'resilient_circuits.action_message.FunctionException_'>): FunctionException_: <Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/fn_utilities/components/utilities_call_rest_api.py", line 43, in _call_rest_api_function
    verify=rest_verify)
    File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
    File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
    File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
    File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
    File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 357, in _make_request
    conn.request(method, url, **httplib_request_kw)
    File "/usr/local/lib/python2.7/httplib.py", line 1042, in request
    self._send_request(method, url, body, headers)
    File "/usr/local/lib/python2.7/httplib.py", line 1082, in _send_request
    self.endheaders(body)
    File "/usr/local/lib/python2.7/httplib.py", line 1038, in endheaders
    self._send_output(message_body)
    File "/usr/local/lib/python2.7/httplib.py", line 886, in _send_output
    self.send(message_body)
    File "/usr/local/lib/python2.7/httplib.py", line 858, in send
    self.sock.sendall(data)
    File "/usr/local/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
    UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3' in position 123: ordinal not in range(128)
    >
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 856, in processTask
    raise value.extract()
    Traceback (most recent call last):
    File "/usr/local/lib/python2.7/site-packages/circuits/core/manager.py", line 617, in _dispatcher
    event_handlers = self._cache[(event.name, channels)]
    KeyError: ('exception', ('*',))

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 7.  RE: Call REST API

    Posted Mon April 22, 2019 04:31 PM
    Hi Juan,

    After some more testing, with your example 'Capacitación', I have found some workarounds.

    If you were to switch to Python 3.6, this looks like it should work for you.
    Also, you can update the Python source code and that should address the problem. In the file utilities_call_rest_api.py you can update line 59 to be: data=rest_body.encode("utf-8"),.

    I will raise an issue internally to investigate this further.

    ------------------------------
    Brian Walsh
    ------------------------------



  • 8.  RE: Call REST API

    Posted Tue April 23, 2019 09:34 AM
    Brian, the solution was perfect!!!!, you saved me some lines in my "pre-script".

    Something similar happens with the field "description" a field of type "text area".
    In my pre-script I solve it in the following way:

    description1 = rule.properties.descripcion['content']
    description2 = description1.replace('"', '\'')
    desc = repr(description2)
    description6 = desc.replace('u', '', 1)
    description7 = str(description6)

    To then enter the "inputs.rest_body"
    inputs.rest_body = """
    {
      "ResilientQ": {
        "Categoria": "Seguridad",
        "Subcategoria": """+Clasificacion+""",
        "GrupoAsignado": """+GrupoAsignado+""",
        "SolicitadoPara": "falcon",
        "FechaRequerida": """+FechaRequerida+""",
        "SolicitadoPor": "falcon",
        "Descripcion": ["""+description7+"""],
        "Titulo": """+Titulo+""",
        "GrupoRegistradoPor": "ACCESO-PERIMETRAL-LAM",
        "Fase": "Registro",
        "RESTaskID": """+RESTaskID+""",
        "RESIncidentID": """+RESIncidentID+""",
        "RESTaskName": """+RESTaskName2+"""
        
      }
    }
    """

    So if in the "description" I enter a text with characters, for example quotes ("), line breaks or accents or some special character, it would be saving.

    Do you have an alternative solution?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 9.  RE: Call REST API

    Posted Tue April 23, 2019 10:30 AM
    Your solution seems good. If you were only worried about a double quote being added you could try wrapping the rest_body string in triple single quotes instead of double quotes.

    ------------------------------
    Brian Walsh
    ------------------------------
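
An added example, not part of the thread and not IBM's code: it contrasts the hand-concatenated body from the pre-script with a body produced by a JSON serializer and encoded as UTF-8 bytes, covering both the accent error from post 6 and the quotes and line breaks raised in post 8. The function names and sample values are constructed for illustration, and it assumes the standard `json` module is available wherever the body is built.

```python
# -*- coding: utf-8 -*-
import json


def build_body_concat(subcategoria, descripcion):
    """Hand-built JSON as in the thread: values pasted between quotes, unescaped."""
    return (u'{"ResilientQ": {"Subcategoria": "' + subcategoria +
            u'", "Descripcion": ["' + descripcion + u'"]}}')


def build_body_json(subcategoria, descripcion):
    """Let the serializer escape quotes, newlines and non-ASCII characters,
    then encode to UTF-8 bytes so no later layer falls back to ASCII."""
    payload = {"ResilientQ": {"Subcategoria": subcategoria,
                              "Descripcion": [descripcion]}}
    return json.dumps(payload, ensure_ascii=False).encode("utf-8")


def fails_as_ascii(text):
    """True if an implicit ASCII encode (the failure in the traceback) would raise."""
    try:
        text.encode("ascii")
        return False
    except UnicodeEncodeError:
        return True


def is_valid_json(body):
    """True if the receiving system could parse the body as JSON."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


# Constructed sample values (the category string mirrors the one in the log).
SUBCAT = u"S.O/Plataformas -- Cloud -- Consulta/Capacitaci\u00f3n"
DESC = u'User said "reset it"\nthen logged off'

if __name__ == "__main__":
    naive = build_body_concat(SUBCAT, DESC)
    print("concatenated body parses:", is_valid_json(naive))
    print("concatenated body is ASCII-safe:", not fails_as_ascii(naive))
    safe = build_body_json(SUBCAT, DESC)
    print("serialized body parses:", is_valid_json(safe))
    print(safe)
```

Because the serializer escapes every value, a description typed by an analyst cannot close the string early and alter the structure of the request sent to the third-party system.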