IBM QRadar SOAR

  • 1.  Creating incident - API - on schedule

    Posted Mon March 07, 2022 02:08 AM
    Hello everyone,

    I am using the example script here resilient-python-examples/create_with_values.py at master · ibmresilient/resilient-python-examples · GitHub
    from @Hugh Pyle, to create incidents, and it works fine for me.

    The issue I face is automating the incident creation on a timestamp, e.g. once a week.
    I tried to use a cron job for that, but I believe the switches like -n, -d, etc. are not working well inside cron.

    I'd appreciate your support to automate this incident creation on a timestamp.

    ------------------------------
    ahmed abushanab
    ------------------------------


  • 2.  RE: Creating incident - API - on schedule

    Posted Tue March 08, 2022 07:19 AM
    This is how I create SOAR incidents using python + SOAR REST API

    Sorry, I can't include the full source code here, this is just to provide some guidance.

    I am pretty sure there are better ways using SOAR python SDK.

    I hope it helps

    Leo

    >>>>>>>>>>>>>>

    Crontab (in this example, it's triggered 11:30)

    #RESILIENT WORKFLOW INPUT
    30 11 * * * export PYTHONPATH="/opt/myscriptdir/" && cd /opt/myscriptdir/&& . ./activate && python /opt/myscriptdir/myscript.py; deactivate

    My Script

    # (...)
    resilient = Resilient()
    # (...)
    resp = resilient.create_incident()

    My Resilient class

    import json
    import os
    import time
    from hub.core.connector.http_handler import get_json_headers
    from hub.core.connector.http_handler import post_request

    class Resilient:
        # (...)
        def create_incident(self):

            # SOAR date fields are epoch milliseconds
            epoch_now = int(time.time()) * 1000
            pii = {"data_compromised": False}

            incident_data = {
                "name": self.resilient_name,
                "discovered_date": epoch_now,
                "incident_type_ids": [self.resilient_type],
                "pii": pii
            }

            # API key id and secret come from the environment, not from the script
            basic_auth_data = os.getenv('RES_APIKEY_USER') + ':' + os.getenv('RES_APIKEY_PASSWORD')

            response = post_request(
                self.logger,
                self.url,
                headers=get_json_headers(self.logger, basic_auth=basic_auth_data),
                data=json.dumps(incident_data),
                return_json=True)

            if response['status_code'] != 200:
                # not inside an except block, so error() rather than exception()
                self.logger.error('Unauthorized (status %s)', response['status_code'])

            return response

    where hub.core.connector.http_handler contains

    import requests
    import json
    from base64 import b64encode
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    def post_request(logger, url, headers=None, data=None, auth=None, return_json=False, verify=False):
        # status_code stays -1 if the request never completes
        result = {}
        result['status_code'] = -1
        try:

            r = requests.post(url, headers=headers, data=data, auth=auth, verify=verify)
            result['status_code'] = r.status_code

            # 200-202 are the success codes the SOAR REST API returns for a create
            if r.status_code >= 200 and r.status_code <= 202:
                if return_json:
                    result['content'] = r.json()
                else:
                    result['content'] = r.content
            else:
                result['content'] = r.content

        except Exception:
            logger.exception(f'Failed to run post request to {url}')

        return result

    and

    def get_json_headers(logger, custom_fields=None, bearer_token=None, basic_auth=None, simple_token=None):
        headers = {
            'Content-Type': 'application/json',
            'Accept': 'application/json'
        }

        if custom_fields:
            headers.update(custom_fields)

        if bearer_token:
            headers['Authorization'] = 'Bearer ' + bearer_token

        if basic_auth:
            # basic_auth is "user:password"; the header carries it base64-encoded
            user_and_pass = b64encode(bytes(basic_auth, 'utf-8')).decode("ascii")
            headers['Authorization'] = 'Basic ' + user_and_pass

        if simple_token:
            headers['Authorization'] = simple_token

        return headers


    ------------------------------

    Leonardo Kenji Shikida
    ------------------------------
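A worked version of the approach Leo describes, added here as an example and not code from the thread, from IBM or from the resilient SDK: a single-shot Python script that builds the JSON headers with HTTP Basic auth from the API key pair, builds the incident body with an epoch-millisecond discovered_date, and POSTs it, so cron only has to run the interpreter with no command-line switches. The REST path /rest/orgs/<org_id>/incidents, the environment variable names RES_BASE_URL and RES_ORG_ID, the incident type id 1 and the host soar.example.invalid are assumptions for illustration; RES_APIKEY_USER and RES_APIKEY_PASSWORD follow Leo's names. Unlike the posted handler it keeps TLS verification on (pass the appliance's CA bundle for a private CA), and the HTTP call sits behind a post callable so the request logic can be checked without a live server.

```python
# Added example (not from the thread): create one IBM SOAR incident from a
# scheduled, single-shot script using API-key basic auth.
# Assumptions (not on the page): the REST path /rest/orgs/<org_id>/incidents,
# the RES_BASE_URL / RES_ORG_ID variable names and the type id are illustrative.
import base64
import json
import os
import ssl
import time
import urllib.error
import urllib.request


def build_headers(api_key_id, api_key_secret):
    """JSON headers with an HTTP Basic Authorization built from the API key pair."""
    token = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode("utf-8")).decode("ascii")
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": "Basic " + token,
    }


def build_incident_payload(name, type_ids, discovered_ms=None, data_compromised=False):
    """Minimal incident body; SOAR expects epoch milliseconds for date fields."""
    if not name or not name.strip():
        raise ValueError("incident name must not be empty")
    if discovered_ms is None:
        discovered_ms = int(time.time()) * 1000
    return {
        "name": name,
        "discovered_date": discovered_ms,
        "incident_type_ids": list(type_ids),
        "pii": {"data_compromised": bool(data_compromised)},
    }


def default_post(url, headers, body, ca_bundle=None):
    """Send the request with TLS verification on; returns (status, raw_bytes)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # 4xx/5xx still carry a body worth keeping for the log
        return exc.code, exc.read()


def create_incident(base_url, org_id, payload, headers, post=default_post):
    """POST the incident; returns (status_code, parsed JSON or None on failure)."""
    url = f"{base_url.rstrip('/')}/rest/orgs/{org_id}/incidents"
    body = json.dumps(payload).encode("utf-8")
    status, raw = post(url, headers, body)
    parsed = None
    if 200 <= status <= 202:
        try:
            parsed = json.loads(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            parsed = None
    return status, parsed


def main():
    # Secrets and connection details come from the environment (e.g. an env
    # file readable only by the cron service account), never from the script.
    key_id = os.environ["RES_APIKEY_USER"]
    key_secret = os.environ["RES_APIKEY_PASSWORD"]
    base_url = os.environ["RES_BASE_URL"]        # e.g. https://soar.example.invalid (assumed)
    org_id = int(os.environ["RES_ORG_ID"])
    payload = build_incident_payload("Weekly scheduled review", [1])  # type id 1 is illustrative
    status, body = create_incident(base_url, org_id, payload, build_headers(key_id, key_secret))
    if status == 401:
        raise SystemExit("unauthorized: check the API key pair and its org permissions")
    if body is None:
        raise SystemExit(f"unexpected HTTP status {status}")
    print("created incident id", body.get("id"))


if __name__ == "__main__":
    main()
```

Because the script takes no switches, the crontab entry reduces to sourcing the environment and running the interpreter once (Leo's 30 11 * * * line, or 30 11 * * 1 for Mondays only); a non-2xx status exits non-zero, so cron's mail or a wrapper can pick up a failed run.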



  • 3.  RE: Creating incident - API - on schedule

    Posted Thu March 10, 2022 03:03 AM
    Thanks Leo for posting this one,

    It looks good,

    Before seeing your reply, I did manipulate the originally posted one a little, and it worked as well.
    Thank you :)

    ------------------------------
    ahmed abushanab
    ------------------------------