IBM QRadar SOAR

 REST API: How to get data from SOAR by calling the API on SOAR itself?

On Chi Thanh posted Thu October 31, 2024 06:47 AM

Hi everyone,

I need to get the data of the incident on SOAR through the API. I have found the following curl command can run from

curl -k \
  -u "api_key_id:api_key_secret" \
  -X GET \
  "https://resilient.mylab.com/rest/orgs/201/incidents/{incident.id}/tasks?want_layouts=false&want_notes=false"

Then I tried to convert this curl command to Python 3 so that it can be used by the REST API app on SOAR.

import json
import re

inputs.incident_id = "3948"
inputs.rest_api_verify = False
inputs.rest_api_method = "GET"
inputs.rest_api_url = "https://resilient.mylab.com/rest/orgs/201/incidents/{incident.id}/tasks?want_layouts=false&want_notes=false"
inputs.rest_api_headers = json.dumps({
    "Authorization": "Basic api_key_id:api_key_secret"
})

But I'm stuck here because I don't know how to define the SOAR system's authentication mechanism configuration in the inputs.rest_api_headers field.

So, has anyone done a configuration like I did, or used another method to get data from the SOAR API?

Thanks & Best Regards.

Benny On

On Chi Thanh  Best Answer

Hi everyone,

As Pierre Dufresne said, after changing the REST API script to the one below, the REST API function is working properly.

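import json
import re
import base64

# Placeholders: substitute the SOAR API key ID and secret.
api_key_id = "your_soar_api_key_id"
api_key_secret = "your_soar_api_key_secret"
auth_value = f"{api_key_id}:{api_key_secret}"

# `inputs` and `incident` are provided by the SOAR script context.
inputs.incident_id = incident.id
# False skips TLS certificate verification, like `curl -k` in the question.
inputs.rest_api_verify = False
inputs.rest_api_method = "GET"
inputs.rest_api_url = f"https://resilient.mylab.com/rest/orgs/201/incidents/{incident.id}/tasks?want_layouts=false&want_notes=false"
inputs.rest_api_headers = json.dumps({
    # Basic auth: "id:secret" is base64-encoded before it goes in the header.
    "Authorization": "Basic " + base64.b64encode(auth_value.encode()).decode(),
    "Accept": "application/json"
})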


I highly appreciate Pierre Dufresne's help.

Thanks & Best regards.


Benny On

Pierre Dufresne

I think the string api_key_id:api_key_secret has to be base64 encoded.

I asked Microsoft Copilot the question: "write the python code to generate an authorization header using basic authentication"

This is the answer:

import base64

def generate_auth_header(username, password):
    # Combine username and password
    credentials = f"{username}:{password}"
    # Encode the credentials in base64
    encoded_credentials = base64.b64encode(credentials.encode("utf-8")).decode("utf-8")
    # Create the authorization header
    auth_header = f"Basic {encoded_credentials}"
    return auth_header

# Example usage
username = "your_username"
password = "your_password"
header = generate_auth_header(username, password)
print(header)

I am not sure if this could work. I haven't tried it.
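
Added example, not part of any post in this thread: it builds the Basic header the way the best answer does and decodes a header the way a receiving server would, which shows why the unencoded form from the question is rejected. The function names and the credential values are constructed placeholders.

```python
import base64
import binascii


def basic_auth_header(key_id: str, key_secret: str) -> str:
    """Build the Authorization value: 'Basic ' + base64('id:secret')."""
    if ":" in key_id:
        # The first colon separates id from secret, so the id cannot hold one.
        raise ValueError("key id must not contain ':'")
    token = base64.b64encode(f"{key_id}:{key_secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header: str):
    """Decode a Basic header as a server does; return (id, secret) or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet,
        # which is what happens to a raw "id:secret" string.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    key_id, sep, key_secret = decoded.partition(":")
    if not sep:
        return None
    return key_id, key_secret


# Constructed placeholder credentials, not real keys.
KEY_ID = "example-key-id"
KEY_SECRET = "example:secret/with+symbols"

RAW_HEADER = f"Basic {KEY_ID}:{KEY_SECRET}"             # form used in the question
ENCODED_HEADER = basic_auth_header(KEY_ID, KEY_SECRET)  # form used in the answer

if __name__ == "__main__":
    print("raw     ->", parse_basic_auth(RAW_HEADER))
    print("encoded ->", parse_basic_auth(ENCODED_HEADER))
```

The second function recovers the secret from the header because base64 is an encoding, not encryption; the header is only as private as the TLS connection that carries it.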