IBM QRadar SOAR

  • 1.  REST API - POST Body

    Posted Tue July 30, 2024 07:00 AM

    I would like to call a query using the REST API where I have to pass the body section. I do it as described in the documentation for the REST API Call function:

    inputs.rest_api_body = """
    {
        "data": {
            "type": "realTimeSearches",
            "attributes": {
                "query": "HostInfo platform where HostInfo hostname contains PB"
            }
        }
    }
    """

    or for example:

    import json

    inputs.rest_api_body = {
        "data": {
            "type": "realTimeSearches",
            "attributes": {
                "query": "HostInfo hostname and Processes name, parentname where Processes cmdline contains font"
            }
        }
    }

    Every time I call the function I get the information below:

    '400 Client Error: Bad Request for url: https://api.manage.trellix.com/edr/v2/searches/realtime' 



    ------------------------------
    Przemyslaw Klys
    ------------------------------


  • 2.  RE: REST API - POST Body

    Posted Wed July 31, 2024 01:58 AM

    Hello Przemyslaw.

    I'm afraid that you may be encountering the problem due to confusing a 'dict' object with a 'str' object.

    When passing input JSON to the request, it should be a string. (JSON is a string-type object.)

    So how about coding it the following way?

    import json
    
    body = {
        "data": {
            "type": "realTimeSearches",
            "attributes": {
                "query": "HostInfo hostname and Processes name, parentname where Processes cmdline contains font"
            }
        }
    }
    inputs.rest_api_body = json.dumps(body)

    json.dumps(<dict>) returns the <str> for the <dict> object.

    Further, you can check the type by encapsulating it with type(<object>).



    ------------------------------
    Yohji Amano
    ------------------------------
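
A pre-flight check for the body discussed in this answer, as an added example that is not part of the original post or of the SOAR function's own code: it accepts either a dict or JSON text, rejects anything that does not parse as JSON, and returns the exact string to send. The helper name `normalize_body` and the required `data.attributes.query` path are assumptions taken from the body posted in the thread, not from vendor documentation.

```python
import json

# Body shape taken from the request posted in this thread (assumption, not vendor docs).
REQUIRED_PATH = ("data", "attributes", "query")


def normalize_body(body):
    """Return a compact JSON string for a dict or JSON-text body, or raise ValueError."""
    if isinstance(body, dict):
        parsed = body
    elif isinstance(body, (str, bytes)):
        text = body.decode("utf-8") if isinstance(body, bytes) else body
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(
                f"body is not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"
            ) from exc
    else:
        raise ValueError(f"unsupported body type: {type(body).__name__}")

    # Walk down to the query so a misplaced key is caught before the request is sent.
    node = parsed
    for key in REQUIRED_PATH:
        if not isinstance(node, dict) or key not in node:
            raise ValueError(f"missing key {key!r} on path {'.'.join(REQUIRED_PATH)}")
        node = node[key]
    if not isinstance(node, str) or not node.strip():
        raise ValueError("query must be a non-empty string")
    return json.dumps(parsed, separators=(",", ":"), sort_keys=True)


# Constructed samples mirroring the forms posted in the thread.
AS_TEXT = """
{
    "data": {
        "type": "realTimeSearches",
        "attributes": {"query": "HostInfo platform where HostInfo hostname contains PB"}
    }
}
"""
AS_DICT = json.loads(AS_TEXT)
AS_REPR = str(AS_DICT)  # dict rendered with str(): single quotes, not JSON

if __name__ == "__main__":
    print(normalize_body(AS_TEXT) == normalize_body(AS_DICT))  # same string either way
    try:
        normalize_body(AS_REPR)
    except ValueError as err:
        print("rejected:", err)
```

The triple-quoted text and the `json.dumps` form normalize to the same string, so a body that passes this check is well-formed JSON in either style.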



  • 3.  RE: REST API - POST Body

    Posted Wed July 31, 2024 02:53 AM

    Hello Yohji,

    I tried to do it your way:

    import json

    .....

    body = {
        "data": {
            "type": "realTimeSearches",
            "attributes": {
                "query": "HostInfo hostname and Processes name, parentname where Processes cmdline contains font"
            }
        }
    }

    inputs.rest_api_body = json.dumps(body)

    but it's not working:

    ERROR: "'400 Client Error: Bad Request for url: https://api.manage.trellix.com/edr/v2/searches/realtime'" 



    ------------------------------
    Przemyslaw Klys
    ------------------------------



  • 4.  RE: REST API - POST Body

    Posted Wed July 31, 2024 04:57 AM

    Hi Przemyslaw

    Apologies for not resolving your situation.

    For the REST API call from the SOAR side, I have no further ideas.

    I guess that the 400 Bad Request may come from the client request, including the POST data.

    If I were in your situation, I might try curl with the same POST data. (<user>:<password> might be <api-key>:<api-secret>).

    curl -X POST -sik -u '<user>:<password>' -d@<post_data_as_file_name> -H 'Content-Type: application/json' https://api.manage.trellix.com/edr/v2/searches/realtime

    I th400 Bad requests originally com



    ------------------------------
    Yohji Amano
    ------------------------------