IBM Security QRadar SOAR

  • 1.  Add Attachment in Resilient thru API call

    Posted Thu December 09, 2021 09:09 AM
    Hi All,

    I would like to request your help on how I can add an attachment to the Resilient system thru the API. I saw that there's an API endpoint "IncidentAttachmentREST" but I'm not sure about the parameters. If you have a code snippet, it will help me. I'm using a Python script.

    Thanks
    Sev

    ------------------------------
    Severino Culabat
    ------------------------------


  • 2.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 09, 2021 10:24 AM
    Have you looked at the Interactive Rest API from SOAR? That's a good starting point.

    https://YOUR_INSTANCE.resilientsystems.com/docs/rest-api/ui/index.html#/IncidentAttachmentREST

    If using the Python SDK:
    rest_client().post_attachment('/incidents/{0}/attachments'.format(incident_id), path_to_file, filename)


    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------



  • 3.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 09, 2021 08:50 PM
    Thanks Jared for your reply. Yes, I saw the Interactive Rest API from SOAR; however, I'm not sure what the correct data is that needs to be put in the parameters "bodyPart, csrfToken, fileDetails and uploadedInputs". If you have sample data, I'd appreciate it if you could send it to me as my reference. I am encountering an error when trying it in the SOAR UI.

    For csrfToken, I just want to know where I get this. Is there any API that I will use?

    Currently we're creating Resilient tickets and adding an attachment from a different automation platform using the Python SDK (rest_client().post_attachment), but it requires a username and password. Now we're aiming to develop a new connector so that we can use the API key and secrets; however, we are unable to add an attachment thru an API call.


    ------------------------------
    Severino Culabat
    ------------------------------



  • 4.  RE: Add Attachment in Resilient thru API call

    Posted Tue December 14, 2021 03:09 AM
    Hi All,

    Is there someone who has tried the Resilient endpoint

    POST /orgs/{org_id}/incidents/{inc_id}/attachments


    I would like to request sample data for the parameters below, for my reference. Thanks.


    ------------------------------
    Severino Culabat
    ------------------------------



  • 5.  RE: Add Attachment in Resilient thru API call

    Posted Wed December 15, 2021 03:55 AM
    You can view your instances from the browser's (F12) function.
    By pressing F12, the separate screen for debugging opens in the browser.
    On the "Network" tab, you'll see your requests in detail for the interactions in your browser.

    In the incident attachment tab, just upload a file. Then you'll see the POST request whose file column is "attachments".
    The concrete network traffic may be referred to for how SOAR handles attachment files.

    ------------------------------
    Yohji Amano
    ------------------------------



  • 6.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 16, 2021 12:38 AM
    Hello Yohji

    Thanks for your reply. I was able to upload a file from the attachment tab of an incident.

    However, when I tried to upload from the Interactive Rest API, I encountered an error, "500 Internal Server Error". Please see below.



    I also tried to upload the file in bodyPart, fileDetail and uploadInputsStrime.
    I also tried to get the csrf_token in the result of the get session API and put it in csrfToken, but still encountered the same error.



    ------------------------------
    Severino Culabat
    ------------------------------



  • 7.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 16, 2021 03:40 AM
    I'm afraid that the interactive REST API may not be a good sample.
    I just attached two files:
      - add_attachment_to_incident-mock.py (Python case)
      - addAttachmentToIncident.ps1.txt (originally addAttachmentToIncident.ps1, PowerShell case)

    Both cases need parameters set for the SOAR connection.

    ------------------------------
    Yohji Amano
    ------------------------------




  • 8.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 16, 2021 03:47 AM
    Thank you so much Yohji, will check on it.

    ------------------------------
    Severino Culabat
    ------------------------------



  • 9.  RE: Add Attachment in Resilient thru API call

    Posted Thu December 16, 2021 12:41 PM
    We have a python helper library routine for uploading attachments. See resilient-lib write_file_attachment. The docs are here: https://pages.github.ibm.com/Resilient/resilient-python-api/pages/resilient-lib/resilient-lib.html#module-resilient_lib.components.resilient_common. And you can view the code here: https://github.com/ibmresilient/resilient-python-api/blob/85e0ff684a88f744645c0ace414f51d769bcc3c2/resilient-lib/resilient_lib/components/resilient_common.py#L319

    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------
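
The request the thread is asking about, as an added example that is not part of any post above and is not IBM's or the SDK's code: it builds the multipart POST for `/orgs/{org_id}/incidents/{inc_id}/attachments` with the standard library only, so the wire format can be inspected before anything is sent. Assumptions: the `/rest` URL prefix, the form field name `file`, and the API key ID and secret being sent as HTTP Basic credentials; the org ID, incident ID, file name and key values are constructed.

```python
import base64
import mimetypes
import os
import urllib.request
import uuid


def build_attachment_request(base_url, org_id, inc_id, key_id, key_secret,
                             filename, content):
    """Build (without sending) the upload request for one attachment."""
    # Path as quoted in the thread; the "/rest" prefix is an assumption.
    url = "{}/rest/orgs/{}/incidents/{}/attachments".format(
        base_url.rstrip("/"), org_id, inc_id)

    # Refuse characters that would break out of the quoted header value.
    if any(c in filename for c in '"\r\n'):
        raise ValueError("unsafe character in filename")
    mime = mimetypes.guess_type(filename)[0] or "application/octet-stream"

    # One multipart/form-data part; the field name "file" is an assumption.
    boundary = uuid.uuid4().hex
    body = b"".join([
        "--{}\r\n".format(boundary).encode(),
        'Content-Disposition: form-data; name="file"; filename="{}"\r\n'
        .format(filename).encode(),
        "Content-Type: {}\r\n\r\n".format(mime).encode(),
        content,
        "\r\n--{}--\r\n".format(boundary).encode(),
    ])

    # Assumption: API key ID and secret go in as HTTP Basic credentials.
    token = base64.b64encode("{}:{}".format(key_id, key_secret).encode())
    headers = {
        "Authorization": "Basic " + token.decode(),
        "Content-Type": "multipart/form-data; boundary=" + boundary,
    }
    return urllib.request.Request(url, data=body, headers=headers,
                                  method="POST")


if __name__ == "__main__":
    # Constructed values; a connector should load the secret from the
    # environment or a vault rather than from source code.
    req = build_attachment_request(
        "https://YOUR_INSTANCE.resilientsystems.com", 201, 2095,
        os.environ.get("SOAR_API_KEY_ID", "constructed-key-id"),
        os.environ.get("SOAR_API_KEY_SECRET", "constructed-secret"),
        "triage-notes.txt", b"constructed sample attachment\n")
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Passing the returned object to `urllib.request.urlopen` sends it with certificate verification enabled, which is the default and should stay on for a connector that carries API credentials.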