IBM QRadar SOAR

  • 1.  Issue accessing POST /system/usage endpoint via REST API for external dashboard

    Posted Thu September 04, 2025 09:57 AM
    Edited by Juan Cruz Del Col Thu September 04, 2025 09:58 AM

    We need to access the REST API endpoint POST /system/usage in order to retrieve usage data.

    With the data obtained, we intend to design a management dashboard outside of SOAR.

    We are performing the tests using Postman, but we consistently receive a 401 Unauthorized error. However, when we query other API endpoints such as GET /orgs/{org_id}/incidents/{inc_id}, it works correctly.

    {
        "success": false,
        "title": null,
        "message": "Internal Server Error",
        "hints": [],
        "error_code": "generic"
    }

    We tested using API users with full permissions, and also tried with a nominal user assigned as Master Admin. Additionally, we granted this nominal user Sysadmin permissions.

    Any guidance or documentation on how to properly authenticate or configure access to this specific endpoint would be greatly appreciated.



    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 2.  RE: Issue accessing POST /system/usage endpoint via REST API for external dashboard

    Posted Fri September 05, 2025 03:22 PM

    Any suggestions?



    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 3.  RE: Issue accessing POST /system/usage endpoint via REST API for external dashboard

    Posted Mon September 08, 2025 01:04 AM

    I actually had the same exact issue and couldn't solve it. I think it's a permission issue where there is no option to set this permission on any account.



    ------------------------------
    Mohamad islam Hamadieh
    I post SOAR content and tips on LinkedIn, follow me :)
    https://linkedin.com/in/mohamadislam
    ------------------------------



  • 4.  RE: Issue accessing POST /system/usage endpoint via REST API for external dashboard

    Posted Mon September 08, 2025 12:26 PM

    I found a way to do this, but not using the API key: by reproducing the login as it is done on the web interface, using the admin login details. I'm not sure if that is going to be of any help.

    Call it with `the_script.sh <hostname> admin_email_address`
    At the prompt, type the admin password.

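    #!/bin/sh
    # Reproduce the web-interface login, then call POST /rest/system/usage
    # with the resulting session cookie and CSRF token.
    # Usage: the_script.sh <hostname> <admin_email_address>

    hostname=$1
    email_address=$2

    # Read the password without echoing it to the terminal.
    printf 'Password: '
    stty -echo
    IFS= read -r password
    stty echo
    printf '\n'

    # Build the login body with jq so special characters in the password are
    # escaped, and pass it to curl on stdin instead of on the command line.
    # -k disables certificate verification; drop it if the server certificate is trusted.
    session=$(SOAR_PASSWORD=$password jq -n -c --arg email "$email_address" \
            '{email: $email, password: env.SOAR_PASSWORD}' |
        curl -k -i -s -X POST "https://${hostname}/rest/session?include_permissions=false" \
            -H 'Content-Type: application/json' --data-binary @-)

    # Split the response in memory (no copy of the session under /tmp):
    # the JSON body, and JSESSIONID from the Set-Cookie header.
    body=$(printf '%s\n' "$session" | sed -n '/^{/,$p')
    jsessionid=$(printf '%s\n' "$session" | grep JSESSIONID | cut -d "=" -f2 | cut -d ";" -f1)

    csrf_token=$(printf '%s' "$body" | jq -r .csrf_token)
    # CSRF_TOKEN cookie: hex encoding of the token plus a trailing newline.
    CSRF=$(printf '%s\n' "$csrf_token" | xxd -p -c 180)

    curl -k -s -X POST "https://${hostname}/rest/system/usage" \
            -H 'Content-Type: application/json' \
            -H "X-sess-id: ${csrf_token}" \
            -H "Cookie: JSESSIONID=${jsessionid}; CSRF_TOKEN=${CSRF}" \
            --data-raw '{"start_date":1725148800000,"end_date":1759276799999,"metric_type":"authorized_user","period_type":"month"}' | jq .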
    


    ------------------------------
    YANNICK LAVANANT
    ------------------------------



  • 5.  RE: Issue accessing POST /system/usage endpoint via REST API for external dashboard
    Best Answer

    Posted Tue September 09, 2025 09:53 AM

    This is maybe not what you were looking for as this is reproducing the login the way it happens on the web interface.
    Example of call:

    ./getStatusUsage.sh <hostname> admin_email@address.com

    At the prompt, type the admin password.



    ------------------------------
    YANNICK LAVANANT
    ------------------------------

    Attachment(s): getStatusUsage.sh (955 B, 1 version)