IBM Security QRadar SOAR


Authenticate to SessionREST with API key_id and secret

  • 1.  Authenticate to SessionREST with API key_id and secret

    Posted Thu February 27, 2020 12:05 PM
    Hello,

    Is there a way to authenticate against the /rest/session API endpoint with the key_id and secret?
    We use the latest Resilient version, 35.2.32.

    ------------------------------
    Kind Regards,
    Gert Huisman
    ------------------------------


  • 2.  RE: Authenticate to SessionREST with API key_id and secret

    Posted Thu March 12, 2020 10:41 AM
    I do it using the fn-utilities CALL REST API workflow:

    For example: get the ID of an artifact type.
    The REST body is hard-set to:
    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "type",
              "value": 1
            }
          ]
        }
      ],
      "sorts": [],
      "start": 0,
      "length": 10,
      "recordsTotal": 0
    }


    The preprocess script is:
    # REST function we are looking at:
    # GET /orgs/{org_id}/artifact_types/{type_id}

    # Method:
    inputs.rest_method = "GET"

    # URL:
    # This should be adapted to your >>Resilient Domain Name<< from your integration server, and your >>ORG<<
    # inputs.rest_url = u"https://{myresilientdomainname}/rest/orgs/{org_id}/artifact_types/{type_id}"
    inputs.rest_url = u"https://resilient.localdomain/rest/orgs/201/artifact_types/{}".format(artifact.type)

    # Create the credential to access the Resilient server from the integration server
    # Use a specific API credential that is visible and create the encoded version using this command in SSH: echo -n "api_key_id:api_key_secret" | base64
    api_encoded_credentials = "ZjJlNGUyYTMtMTlhMS00ZTkwLWI2M2ItZmJjODA3OWY3NjllOk1ON2gxSjZUUFNyTGlra29IV2FoWVI5NTlUYV8weVhkc01ILVZZZFNraG8="

    # BODY, See input

    # HTTP headers can be specified as a multi-line string
    inputs.rest_headers = """
    Content-Type: application/json
    Authorization: Basic {}
    """.format(api_encoded_credentials)

    # The 'rest_verify' parameter (Boolean) indicates whether to verify SSL certificates.
    # This should be True unless you need to connect to a self-signed or other invalid cert.
    inputs.rest_verify = False


    You can see inside how I create the API code credentials:
    # Create the credential to access the Resilient server from the integration server
    # Use a specific API credential that is visible and create the encoded version using this command in SSH: echo -n "api_key_id:api_key_secret" | base64
    api_encoded_credentials = "ZjJlNGUyYTMtMTlhMS00ZTkwLWI2M2ItZmJjODA3OWY3NjllOk1ON2gxSjZUUFNyTGlra29IV2FoWVI5NTlUYV8weVhkc01ILVZZZFNraG8="

    And pass them during the call in the header:
    # HTTP headers can be specified as a multi-line string
    inputs.rest_headers = """
    Content-Type: application/json
    Authorization: Basic {}
    """.format(api_encoded_credentials)

    In this case, for testing, the result in postprocess is just:
    # uncomment below for debug
    # incident.addNote("Workflow Call: Resilient Rest API to get Artifact type ID \n Status Code: {} \n {}".format(results.status_code, results.json.id))
    # incident.addNote("Workflow Call: Resilient Rest API to get Artifact type ID \n Status Code: {} \n {}\n {}".format(results.status_code, results.json.id, results.json.properties))

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
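
The same call built outside a workflow, as an added example that is not part of the posts above and is not IBM's code: it forms the Basic header from the key id and secret as in post 2, shows that the base64 string is reversible, and keeps certificate verification on by trusting a CA file. The environment variable names `SOAR_API_KEY_ID`, `SOAR_API_KEY_SECRET` and `SOAR_CA_BUNDLE` and the sample key values are assumptions made for this example.

```python
import base64
import os
import ssl
import urllib.request


def basic_auth_value(key_id, key_secret):
    """Return the Authorization header value for an API key id/secret pair."""
    if ":" in key_id:
        raise ValueError("key id must not contain ':' (it separates id and secret)")
    token = base64.b64encode("{}:{}".format(key_id, key_secret).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(value):
    """Reverse basic_auth_value(): base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    key_id, _, key_secret = base64.b64decode(token).decode("utf-8").partition(":")
    return key_id, key_secret


def build_request(base_url, org_id, type_id, key_id, key_secret):
    """Build (but do not send) GET /rest/orgs/{org_id}/artifact_types/{type_id}."""
    url = "{}/rest/orgs/{}/artifact_types/{}".format(base_url.rstrip("/"), org_id, type_id)
    headers = {"Content-Type": "application/json",
               "Authorization": basic_auth_value(key_id, key_secret)}
    return urllib.request.Request(url, headers=headers, method="GET")


def tls_context(ca_bundle=None):
    """Verify the server certificate; trust a private CA file instead of disabling checks."""
    return ssl.create_default_context(cafile=ca_bundle)


if __name__ == "__main__":
    # Constructed sample values; real ones come from the environment, not the script.
    key_id = os.environ.get("SOAR_API_KEY_ID", "00000000-aaaa-bbbb-cccc-000000000000")
    key_secret = os.environ.get("SOAR_API_KEY_SECRET", "constructed-secret")
    req = build_request("https://resilient.localdomain", 201, 1, key_id, key_secret)
    ctx = tls_context(os.environ.get("SOAR_CA_BUNDLE"))  # None -> system trust store
    print(req.get_method(), req.full_url, ctx.verify_mode == ssl.CERT_REQUIRED)
    # urllib.request.urlopen(req, context=ctx) would send it; not done here.
```

Because anyone who can read the encoded string can recover the secret, a key pasted into a script or a forum post should be treated as disclosed and rotated.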