IBM Security QRadar SOAR


Using API KEY

  • 1.  Using API KEY

    Posted Mon July 29, 2019 04:51 AM
    Hi,

    Do you have proper documentation about using the API KEY and API SECRET for integrating Resilient with external apps?

    https://www.ibm.com/support/knowledgecenter/en/SSBRUQ_33.0.0/com.ibm.resilient.doc/admin/API_accounts.htm

    Thanks

    ------------------------------
    Jasmine
    ------------------------------


  • 2.  RE: Using API KEY

    Posted Thu August 01, 2019 04:45 AM
    Is there any answer to this question? I really need to integrate Resilient with third-party apps and you don't have any documentation or even any answer for this issue.

    ------------------------------
    Jasmine
    ------------------------------



  • 3.  RE: Using API KEY

    Posted Fri November 12, 2021 08:43 AM
    Hi Jasmine,

    We will be publishing a new version of resilient-circuits which will support API keys very shortly. Check pypi for a version 33.0.xxx. When this is published, additional documentation will be updated on github on how to use API keys. 

    I'll post an update here when all that takes place.

    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 4.  RE: Using API KEY

    Posted Fri August 02, 2019 02:20 PM
    Resilient-circuits v33 is now published on pypi: https://pypi.org/project/resilient-circuits/. This version supports API Tokens introduced in Resilient v33.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Using API KEY

    Posted Mon August 05, 2019 04:36 AM
    Hi, Mark - Thanks for the notification.  I see that resilient-33 and resilient_lib-33 are also available.  Do you recommend updating these to keep in sync with circuits V33?  This would be my suggestion.  Also note that circuits v33 depends on setuptools-41 (previous versions of circuits had a dependency on setuptools-37 IIRC), which is a factor for those of us whose Resilient servers are air-gapped.

    Regards - Edwin Bolton

    ------------------------------
    Edwin Bolton
    ------------------------------



  • 6.  RE: Using API KEY

    Posted Mon August 05, 2019 07:52 AM
    Hi Edwin,

    resilient-circuits and resilient-lib are independent of each other. resilient-lib is used by a number of integrations and does not need to be upgraded for API Tokens. 

    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 7.  RE: Using API KEY

    Posted Tue August 06, 2019 01:20 PM

    Hello again, Mark - Just for the benefit of the Group, existing Circuits programming that refers to the user (event.message["user"]) will fail with a KeyError as this entry is not in place for automatically triggered rules, once you switch to API Key authentication in place of a privileged user.


    This is fairly obvious once you encounter it but a word of warning would not go amiss...


    Best regards - Edwin






  • 8.  RE: Using API KEY

    Posted Wed August 07, 2019 12:01 PM

    Hi Edwin,

    I believe what you're referring to is the ability to interrogate an event produced by Resilient for the user who initiated the event. For instance, for an event associated with the creation of an artifact, the Resilient user creating that artifact is found at event.message["user"]['email'].
    If you're creating an artifact from an API call which uses API Tokens, a similarly produced event will continue to have a user and email property. But that name will now indicate the token used which produced the artifact.


    I hope this helps.
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------
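The failure mode Edwin describes and the behaviour Mark describes both come down to one thing: handler code must not assume event.message["user"] exists. The following is an added example, not code from this thread or from the resilient-circuits package; the message dicts in it are constructed from the thread's description (a "user" block with an "email" field, absent for automatically fired rules), and the display name used for the API-key case is a placeholder, since the thread does not say what format the server uses for a token principal.

```python
"""Added example (not from the thread or from resilient-circuits): read the
acting principal out of a Resilient action message without assuming the
"user" block is present.

Per the thread: rules fired automatically deliver messages with no "user"
entry, so message["user"]["email"] raises KeyError; and for API-key
authenticated actions the "user" block names the key rather than a person.
The sample messages below are constructed to show those shapes only.
"""


def actor_email_legacy(message):
    """The pattern the thread warns about: works for user-triggered actions,
    raises KeyError as soon as a rule fires with no "user" block."""
    return message["user"]["email"]


def actor_from_message(message):
    """Safe variant: returns who (if anyone) triggered the action.

    triggered_by is "principal" when a user block is present (a person or an
    API key) and "automatic" when it is absent. Never raises on a missing or
    partial user block.
    """
    user = message.get("user")
    if not isinstance(user, dict):
        return {"triggered_by": "automatic", "email": None, "display_name": None}
    return {
        "triggered_by": "principal",
        "email": user.get("email"),
        "display_name": user.get("display_name") or user.get("email"),
    }


def audit_line(message):
    """One log line per action, suitable for feeding a SIEM: who acted, on
    which artifact, and whether a human was in the loop. Uses only the
    action/artifact fields present in the constructed samples."""
    actor = actor_from_message(message)
    artifact = message.get("artifact") or {}
    who = actor["display_name"] or "<automatic rule>"
    return "action=%s artifact_id=%s triggered_by=%s actor=%s" % (
        message.get("action_id"),
        artifact.get("id"),
        actor["triggered_by"],
        who,
    )


# Constructed sample messages (not captured from a real server).
USER_TRIGGERED = {
    "action_id": 101,
    "user": {"id": 7, "email": "analyst@example.com", "display_name": "Analyst One"},
    "artifact": {"id": 42, "type": "IP Address", "value": "198.51.100.5"},
}
# Automatic rule: no "user" block at all, as described in the thread.
AUTO_TRIGGERED = {
    "action_id": 101,
    "artifact": {"id": 43, "type": "IP Address", "value": "203.0.113.9"},
}
# Partial user block (placeholder for an API-key principal): no email field.
PARTIAL_USER = {
    "action_id": 101,
    "user": {"id": 9, "display_name": "integration-key"},
    "artifact": {"id": 44, "type": "DNS Name", "value": "example.net"},
}

if __name__ == "__main__":
    for msg in (USER_TRIGGERED, AUTO_TRIGGERED, PARTIAL_USER):
        print(audit_line(msg))
    try:
        actor_email_legacy(AUTO_TRIGGERED)
    except KeyError as exc:
        print("legacy access failed with KeyError:", exc)
```

If you rely on the actor for authorization decisions inside a function (for example, only letting certain people trigger a destructive action), treat triggered_by == "automatic" as its own case rather than as an anonymous user, and log the display name for API-key actions so the token that fired the rule can be traced back in the server's API key configuration.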



  • 9.  RE: Using API KEY

    Posted Mon August 05, 2019 08:46 AM
    Hi Mark,

    Many thanks for your help.

    Best
    Jasmine

    ------------------------------
    Jasmine
    ------------------------------



  • 10.  RE: Using API KEY

    Posted Mon August 12, 2019 10:10 AM
    Hi Mark,

    I just tried circuits v33 with an API key configured. The manual states you should configure either an API key/secret or the older email/password. When only configuring the API keys, circuits fails to start because email is supposedly a required parameter.

    The manual further states that when both are configured, the API settings are used by default. However, looking at my logs, when both are configured, the regular user is chosen over the API settings.

    Could you (or someone else) clarify/confirm?

    Jerome

    ------------------------------
    Jerome Kleinen
    ------------------------------



  • 11.  RE: Using API KEY

    Posted Wed August 14, 2019 03:31 PM
    Hello Jerome,

    Could you please give us more information regarding how you used resilient-circuits? Did you create/run a function?

    Thanks,

    Yongjian

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 12.  RE: Using API KEY

    Posted Tue August 20, 2019 10:28 AM
    Hello Yongjian,

    We are running resilient circuits using a systemd service file. The error we get is the following:

    Aug 20 16:13:28 abcdef resilient-circuits: usage: resilient-circuits [-h] --email EMAIL [--password PASSWORD]
    Aug 20 16:13:28 abcdef resilient-circuits: [--host HOST] [--port PORT]
    Aug 20 16:13:28 abcdef resilient-circuits: [--proxy [PROXY [PROXY ...]]] [--org ORG]
    Aug 20 16:13:28 abcdef resilient-circuits: [--cafile CAFILE] [--cache-ttl CACHE_TTL]
    Aug 20 16:13:28 abcdef resilient-circuits: [--proxy_host PROXY_HOST] [--proxy_port PROXY_PORT]
    Aug 20 16:13:28 abcdef resilient-circuits: [--proxy_user PROXY_USER]
    Aug 20 16:13:28 abcdef resilient-circuits: [--proxy_password PROXY_PASSWORD]
    Aug 20 16:13:28 abcdef resilient-circuits: [--stomp-prefetch-limit STOMP_PREFETCH_LIMIT]
    Aug 20 16:13:28 abcdef resilient-circuits: [--stomp-port STOMP_PORT]
    Aug 20 16:13:28 abcdef resilient-circuits: [--stomp-cafile STOMP_CAFILE]
    Aug 20 16:13:28 abcdef resilient-circuits: [--componentsdir COMPONENTSDIR] [--noload NOLOAD]
    Aug 20 16:13:28 abcdef resilient-circuits: [--logdir LOGDIR] [--loglevel LOGLEVEL]
    Aug 20 16:13:28 abcdef resilient-circuits: [--logfile LOGFILE]
    Aug 20 16:13:28 abcdef resilient-circuits: [--no-prompt-password NO_PROMPT_PASSWORD]
    Aug 20 16:13:28 abcdef resilient-circuits: [--test-actions] [--resilient-mock RESILIENT_MOCK]
    Aug 20 16:13:28 abcdef resilient-circuits: [--test-host TEST_HOST] [--test-port TEST_PORT]
    Aug 20 16:13:28 abcdef resilient-circuits: [--log-http-responses LOG_HTTP_RESPONSES]
    Aug 20 16:13:28 abcdef resilient-circuits: resilient-circuits: error: argument --email is required
    Aug 20 16:13:29 abcdef systemd: resilient_circuits.service: main process exited, code=exited, status=2/INVALIDARGUMENT

    We have configured an API user in the Resilient UI, we have given it all permissions and we have added it to several message destinations. In the app.config we commented out the email and password in favor of the api_key_id and api_key_secret, as per the manual (Integration Server Guide, Chapter 6, Page 15).

    Kr,

    Jerome

    ------------------------------
    Jerome Kleinen
    ------------------------------
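Before starting the service it is worth validating the [resilient] section of app.config against the rule Jerome quotes from the manual (API key settings take precedence when both pairs are configured, and either pair must be complete). The script below is an added example, not code from this thread, the Integration Server Guide or the resilient package: it reimplements that precedence rule as a stand-alone pre-flight check and does not call the library, so it reports what the file supplies, not which pair the installed library will actually pick. The option names (api_key_id, api_key_secret, email, password, host, org) are the ones named in the thread; the sample configs and their values are constructed placeholders.

```python
"""Added example (not from the thread or from the resilient package):
pre-flight validation of the [resilient] section of an app.config.

Precedence rule, as the thread quotes it from the Integration Server Guide:
if the API key settings are present they win; otherwise email/password is
used. This check also refuses a half-configured pair and produces a
redacted view of the section that is safe to put in a log.
"""
import configparser

SECRET_OPTIONS = ("api_key_secret", "password")


def select_auth(config_text):
    """Return {"mode": "api_key"|"password", "principal": ...}, or raise
    ValueError if the section is missing or a credential pair is incomplete."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section("resilient"):
        raise ValueError("app.config has no [resilient] section")
    sec = cp["resilient"]
    key_id = sec.get("api_key_id", "").strip()
    secret = sec.get("api_key_secret", "").strip()
    email = sec.get("email", "").strip()
    password = sec.get("password", "").strip()

    # Any API key setting selects API key mode; then both halves are mandatory.
    if key_id or secret:
        if not (key_id and secret):
            raise ValueError("api_key_id and api_key_secret must both be set")
        return {"mode": "api_key", "principal": key_id}
    if email:
        # The usage text in the thread shows --no-prompt-password and a
        # res-keyring script, so a password absent from the file is not an
        # error here; it is only reported.
        return {"mode": "password", "principal": email, "password_in_file": bool(password)}
    raise ValueError("no credentials: set api_key_id/api_key_secret or email/password")


def redacted(config_text):
    """The [resilient] section with secret values masked, for logging."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return {
        opt: ("***" if opt in SECRET_OPTIONS and val else val)
        for opt, val in cp.items("resilient")
    }


# Constructed samples. Email/password commented out in favour of an API key,
# as the thread describes; all values are placeholders.
API_KEY_CONFIG = """
[resilient]
host = soar.example.internal
org = Example Org
# email = integration@example.com
# password = hunter2
api_key_id = 4f2b1c0e-0000-4000-8000-000000000001
api_key_secret = CHANGE_ME_secret_value
"""

BOTH_CONFIG = """
[resilient]
host = soar.example.internal
email = integration@example.com
password = hunter2
api_key_id = 4f2b1c0e-0000-4000-8000-000000000001
api_key_secret = CHANGE_ME_secret_value
"""

PASSWORD_CONFIG = """
[resilient]
host = soar.example.internal
email = integration@example.com
"""

HALF_KEY_CONFIG = """
[resilient]
host = soar.example.internal
api_key_id = 4f2b1c0e-0000-4000-8000-000000000001
"""

EMPTY_CONFIG = """
[resilient]
host = soar.example.internal
"""

if __name__ == "__main__":
    for name, text in (("api_key", API_KEY_CONFIG), ("both", BOTH_CONFIG),
                       ("password", PASSWORD_CONFIG), ("half", HALF_KEY_CONFIG),
                       ("empty", EMPTY_CONFIG)):
        try:
            print(name, "->", select_auth(text), redacted(text))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Run it against the real file with `select_auth(open("/path/to/app.config").read())` in a systemd ExecStartPre or a deployment check; it fails fast with a clear message instead of the argparse "argument --email is required" error shown above, which on its own does not say whether the file or the installed library is at fault.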



  • 13.  RE: Using API KEY

    Posted Tue August 20, 2019 11:48 AM
    Jerome,

    Try using --config-file with resilient-circuits run command to reference your app.config file.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 14.  RE: Using API KEY

    Posted Wed August 21, 2019 03:31 AM
    Hi Mark,

    My resilient-circuits claims that that command line parameter does not exist.

    I have noticed that our resilient package is stuck at version 32. When trying to update it to v33 I get the following error:

    pip install resilient -U
    DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
    Collecting resilient
      Using cached https://files.pythonhosted.org/packages/02/63/bdec37826ae09b1c6b41ce2ccb55dd677f54098b28bed1a42d76fdd4552a/resilient-33.0.189.tar.gz
    Requirement already satisfied, skipping upgrade: argparse in /usr/lib/python2.7/site-packages (from resilient) (1.4.0)
    Requirement already satisfied, skipping upgrade: requests>=2.6.0 in /usr/lib/python2.7/site-packages (from resilient) (2.21.0)
    Requirement already satisfied, skipping upgrade: requests-toolbelt>=0.6.0 in /usr/lib/python2.7/site-packages (from resilient) (0.9.1)
    Requirement already satisfied, skipping upgrade: requests-mock>=1.2.0 in /usr/lib/python2.7/site-packages (from resilient) (1.5.2)
    Requirement already satisfied, skipping upgrade: six in /usr/lib/python2.7/site-packages (from resilient) (1.9.0)
    Requirement already satisfied, skipping upgrade: cachetools<3.0.0 in /usr/lib/python2.7/site-packages (from resilient) (2.1.0)
    Requirement already satisfied, skipping upgrade: keyring<19.0.0,>=5.4 in /usr/lib/python2.7/site-packages (from resilient) (17.1.1)
    Requirement already satisfied, skipping upgrade: configparser in /usr/lib/python2.7/site-packages (from resilient) (3.7.1)
    Requirement already satisfied, skipping upgrade: urllib3<1.25,>=1.21.1 in /usr/lib/python2.7/site-packages (from requests>=2.6.0->resilient) (1.24.1)
    Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/lib/python2.7/site-packages (from requests>=2.6.0->resilient) (3.0.4)
    Requirement already satisfied, skipping upgrade: idna<2.9,>=2.5 in /usr/lib/python2.7/site-packages (from requests>=2.6.0->resilient) (2.8)
    Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/lib/python2.7/site-packages (from requests>=2.6.0->resilient) (2018.11.29)
    Requirement already satisfied, skipping upgrade: entrypoints in /usr/lib/python2.7/site-packages (from keyring<19.0.0,>=5.4->resilient) (0.3)
    Requirement already satisfied, skipping upgrade: secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5" in /usr/lib/python2.7/site-packages (from keyring<19.0.0,>=5.4->resilient) (2.3.1)
    Requirement already satisfied, skipping upgrade: cryptography in /usr/lib64/python2.7/site-packages (from secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (2.5)
    Requirement already satisfied, skipping upgrade: enum34; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography->secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (1.1.6)
    Requirement already satisfied, skipping upgrade: asn1crypto>=0.21.0 in /usr/lib/python2.7/site-packages (from cryptography->secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (0.24.0)
    Requirement already satisfied, skipping upgrade: cffi!=1.11.3,>=1.8 in /usr/lib64/python2.7/site-packages (from cryptography->secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (1.11.5)
    Requirement already satisfied, skipping upgrade: ipaddress; python_version < "3" in /usr/lib/python2.7/site-packages (from cryptography->secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (1.0.16)
    Requirement already satisfied, skipping upgrade: pycparser in /usr/lib/python2.7/site-packages (from cffi!=1.11.3,>=1.8->cryptography->secretstorage<3; (sys_platform == "linux2" or sys_platform == "linux") and python_version < "3.5"->keyring<19.0.0,>=5.4->resilient) (2.19)
    Installing collected packages: resilient
      Found existing installation: resilient 32.0.140
        Uninstalling resilient-32.0.140:
          Successfully uninstalled resilient-32.0.140
      Running setup.py install for resilient ... error
        ERROR: Complete output from command /usr/bin/python2 -u -c 'import setuptools, tokenize;__file__='"'"'/tmp/pip-install-8RX0Qj/resilient/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-PtD2F8/install-record.txt --single-version-externally-managed --compile:
        ERROR: Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-8RX0Qj/resilient/setup.py", line 35, in <module>
            check_deps()
          File "/tmp/pip-install-8RX0Qj/resilient/setup.py", line 26, in check_deps
            distro = get_distribution(pkg.project_name)
          File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 479, in get_distribution
            dist = Requirement.parse(dist)
          File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3138, in parse
            req, = parse_requirements(s)
          File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3085, in parse_requirements
            yield Requirement(line)
          File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3094, in __init__
            raise RequirementParseError(str(e))
        pkg_resources.RequirementParseError: Invalid requirement, parse error at "'-esilien'"
        ----------------------------------------
      Rolling back uninstall of resilient
      Moving to /usr/bin/finfo
       from /tmp/pip-uninstall-pL6Lzq/finfo
      Moving to /usr/bin/gadget
       from /tmp/pip-uninstall-pL6Lzq/gadget
      Moving to /usr/bin/res-keyring
       from /tmp/pip-uninstall-pL6Lzq/res-keyring
      Moving to /usr/lib/python2.7/site-packages/co3
       from /usr/lib/python2.7/site-packages/~o3
      Moving to /usr/lib/python2.7/site-packages/resilient
       from /usr/lib/python2.7/site-packages/~esilient
      Moving to /usr/lib/python2.7/site-packages/resilient-32.0.140-py2.7.egg-info
       from /usr/lib/python2.7/site-packages/~esilient-32.0.140-py2.7.egg-info
    ERROR: Command "/usr/bin/python2 -u -c 'import setuptools, tokenize;__file__='"'"'/tmp/pip-install-8RX0Qj/resilient/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-PtD2F8/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-install-8RX0Qj/resilient/


    Could this be the problem? Any idea on how to resolve the setup error?

    Jerome

    ------------------------------
    Jerome Kleinen
    ------------------------------



  • 15.  RE: Using API KEY

    Posted Wed August 21, 2019 04:23 AM
    I have upgraded the resilient package to v33 but still getting the same issue. Resilient circuits won't run without an email address and the --config-file command line parameter simply does not exist.

    ------------------------------
    Jerome Kleinen
    ------------------------------



  • 16.  RE: Using API KEY

    Posted Wed August 21, 2019 10:03 AM
    I tested this syntax and it worked for me:

    resilient-circuits run --config-file /tmp/app.config


    Do you get any other log entries when you try this?

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 17.  RE: Using API KEY

    Posted Wed August 21, 2019 08:41 AM
    Can you check the version of resilient package ? 

    Check command:
    pip list | grep resilient

    Sample Output:
    • resilient 33.0.189                  <== This should be above 33
    • resilient-circuits 33.0.189
    • resilient-lib 33.0.189 


    ------------------------------
    Yohji Amano
    ------------------------------



  • 18.  RE: Using API KEY

    Posted Wed August 21, 2019 09:52 AM
    Hi Yohji,

    Yes.  resilient-33.0.189 is the correct version in order to use API Keys.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 19.  RE: Using API KEY

    Posted Fri August 23, 2019 10:54 AM
    As mentioned, I have updated the resilient package...

     pip list | grep resilient
    DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
    resilient                        33.0.189
    resilient-circuits               33.0.189
    resilient-lib                    33.0.189


    Furthermore, regarding the syntax:

    resilient-circuits run --config-file /tmp/app.config
    usage: resilient-circuits [-h] --email EMAIL [--password PASSWORD]
                              [--host HOST] [--port PORT]
                              [--proxy [PROXY [PROXY ...]]] [--org ORG]
                              [--cafile CAFILE] [--cache-ttl CACHE_TTL]
                              [--proxy_host PROXY_HOST] [--proxy_port PROXY_PORT]
                              [--proxy_user PROXY_USER]
                              [--proxy_password PROXY_PASSWORD]
                              [--stomp-prefetch-limit STOMP_PREFETCH_LIMIT]
                              [--stomp-port STOMP_PORT]
                              [--stomp-cafile STOMP_CAFILE]
                              [--componentsdir COMPONENTSDIR] [--noload NOLOAD]
                              [--logdir LOGDIR] [--loglevel LOGLEVEL]
                              [--logfile LOGFILE]
                              [--no-prompt-password NO_PROMPT_PASSWORD]
                              [--test-actions] [--resilient-mock RESILIENT_MOCK]
                              [--test-host TEST_HOST] [--test-port TEST_PORT]
                              [--log-http-responses LOG_HTTP_RESPONSES]
    resilient-circuits: error: argument --email is required
    


    I am starting to feel a bit like I am repeating myself here ...

    Jerome

    ------------------------------
    Jerome Kleinen
    ------------------------------



  • 20.  RE: Using API KEY

    Posted Fri August 23, 2019 08:39 PM
    Guessing from the output of your resilient-circuits, the resilient-circuits you are running may be V32.

    The help message of V33 resilient-circuits should contain options related to api-key such as "--api_key_id":
    $ resilient-circuits run meaningless-text
    usage: resilient-circuits [-h] [--email EMAIL] [--password PASSWORD]
                              [--api_key_id API_KEY_ID]
                              [--api_key_secret API_KEY_SECRET] [--host HOST]
                              [--port PORT] [--proxy [PROXY [PROXY ...]]]
                              [--org ORG] [--cafile CAFILE]
                              [--cache-ttl CACHE_TTL] [--proxy_host PROXY_HOST]
                              [--proxy_port PROXY_PORT] [--proxy_user PROXY_USER]
                              [--proxy_password PROXY_PASSWORD]
                              [--stomp-prefetch-limit STOMP_PREFETCH_LIMIT]
                              [--stomp-port STOMP_PORT]
                              [--stomp-cafile STOMP_CAFILE]
                              [--componentsdir COMPONENTSDIR] [--noload NOLOAD]
                              [--logdir LOGDIR] [--loglevel LOGLEVEL]
                              [--logfile LOGFILE]
                              [--no-prompt-password NO_PROMPT_PASSWORD]
                              [--test-actions] [--resilient-mock RESILIENT_MOCK]
                              [--test-host TEST_HOST] [--test-port TEST_PORT]
                              [--log-http-responses LOG_HTTP_RESPONSES]
    resilient-circuits: error: unrecognized arguments: meaningless-text
    $
    Can you check resilient-circuits in your environments with the date option?

    Search command:
         find / -name resilient-circuits -type f -ls 2>/dev/null

    Then check which file is the possible V33 resilient-circuits.


    ------------------------------
    Yohji Amano
    ------------------------------
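Yohji's check (does the usage text advertise --api_key_id, and does pip's version agree with the binary actually on the path?) can be scripted. The following is an added example, not code from this thread or from any IBM package: it classifies the three states seen in the thread from `pip list` output and the CLI usage text, so the case Jerome hit (pip reports 33.0.189 but the CLI still demands --email) is reported as a stale install rather than a configuration error. The two usage texts are abbreviated copies of the ones posted above; the pip listings are constructed. The live_diagnose helper assumes `pip list` and `resilient-circuits -h` are on the path and print to stdout.

```python
"""Added example (not from the thread or from any IBM package): decide
whether the resilient-circuits on this host can use API keys.

States returned by diagnose():
  missing-package  - pip does not list the 'resilient' package at all
  upgrade-package  - 'resilient' is installed but older than 33
  stale-install    - pip says >= 33 but the CLI usage still shows V32 options
                     (no --api_key_id, --email mandatory); reinstall cleanly
  ok               - package and CLI agree, API key options present
"""
import re
import shutil
import subprocess

MIN_MAJOR = 33  # first release with API key support, per the thread


def parse_pip_list(text):
    """Map package name -> version tuple for the resilient* packages only."""
    versions = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(resilient(?:-[a-z]+)?)\s+(\d+(?:\.\d+)+)\s*$", line)
        if m:
            versions[m.group(1)] = tuple(int(p) for p in m.group(2).split("."))
    return versions


def usage_supports_api_key(usage_text):
    return "--api_key_id" in usage_text and "--api_key_secret" in usage_text


def usage_requires_email(usage_text):
    # argparse prints a mandatory option without brackets:
    # V32: "[-h] --email EMAIL"   V33: "[-h] [--email EMAIL]"
    return re.search(r"(?<!\[)--email EMAIL", usage_text) is not None


def diagnose(pip_text, usage_text):
    versions = parse_pip_list(pip_text)
    pkg = versions.get("resilient")
    if pkg is None:
        return "missing-package"
    if pkg[0] < MIN_MAJOR:
        return "upgrade-package"
    if usage_supports_api_key(usage_text) and not usage_requires_email(usage_text):
        return "ok"
    return "stale-install"


def live_diagnose():
    """Run the real commands on this host (assumption: pip and
    resilient-circuits are on PATH and -h prints usage to stdout)."""
    if shutil.which("pip") is None or shutil.which("resilient-circuits") is None:
        return "commands-not-found"
    pip_text = subprocess.run(["pip", "list"], capture_output=True, text=True).stdout
    usage = subprocess.run(["resilient-circuits", "-h"], capture_output=True, text=True)
    return diagnose(pip_text, usage.stdout + usage.stderr)


# Abbreviated copies of the usage texts posted in the thread.
USAGE_V32 = """usage: resilient-circuits [-h] --email EMAIL [--password PASSWORD]
                          [--host HOST] [--port PORT]
resilient-circuits: error: argument --email is required
"""
USAGE_V33 = """usage: resilient-circuits [-h] [--email EMAIL] [--password PASSWORD]
                          [--api_key_id API_KEY_ID]
                          [--api_key_secret API_KEY_SECRET] [--host HOST]
"""
# Constructed pip listings (the DEPRECATION banner is ignored by the parser).
PIP_V33 = """DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020.
resilient                        33.0.189
resilient-circuits               33.0.189
resilient-lib                    33.0.189
"""
PIP_V32 = """resilient                        32.0.140
resilient-circuits               32.0.140
"""

if __name__ == "__main__":
    print("pip 33 + V32 usage:", diagnose(PIP_V33, USAGE_V32))
    print("pip 33 + V33 usage:", diagnose(PIP_V33, USAGE_V33))
    print("pip 32 + V32 usage:", diagnose(PIP_V32, USAGE_V32))
    print("this host:", live_diagnose())
```

A "stale-install" result is the cue to do what the thread ends with: locate every resilient-circuits file with the find command above, remove the leftover site-packages directories, and reinstall from PyPI so that the binary on the path and the package pip reports are the same thing.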



  • 21.  RE: Using API KEY

    Posted Mon August 26, 2019 01:07 PM
    We did miss the cmd line arguments for --api_key and --api_secret. We will add that to the next release of the 'resilient' library.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 22.  RE: Using API KEY

    Posted Mon September 09, 2019 10:20 AM
    Hi Mark,

    For whatever reason pip was showing the resilient library as v33 but I guess it had not updated properly. I completely removed it, including all files under site-packages related to the resilient library and installed it freshly from pypi. Finally the api options appeared.

    Thanks,

    Jerome

    ------------------------------
    Jerome Kleinen
    ------------------------------