IBM Security QRadar SOAR

Using Fn_utilities : Call Rest API for Microsoft DATP incidents

    Posted Wed January 13, 2021 05:34 AM
    Hello All,

    Has anyone used fn_utilities: Call REST API to call Defender ATP? In my workflow, I am using an authentication token (Bearer) taken from Postman and am able to fetch the details. Is it possible to use the Client_ID, Client_secret and Tenant_ID in the request body and get the details? The token expires after a limited time period, and this cannot be the case.

    Below is my configuration; this works fine. But I need to use the Client_ID and secret in order to get rid of the token every time. Please let me know if any other way is possible to have this fixed.

    rest_method : GET
    rest_url  : https://api.security.microsoft.com/api/incidents/
    rest_headers  : Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVPZjlQNUY5Z0NDd0NtRjJCT0hIeEREUS1EayIsImtpZCI6IjVPZjlQNUY5Z0NDd0NtRjJCT0hIeEREUS1EayJ9.eyJhdWQiOiJodHRwczovL2FwaS5zZWN1cml0eS5taWNyb3NvZnQuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZjY2ZmFlMDItNWQzNi00OTViLWJmZTAtNzhhNmZmOWY4ZTZlLyIsImlhdCI6MTYxMDQ1MDQxNCwibmJmIjoxNjEwNDUwNDE0LCJleHAiOjE2MTA0NTQzMTQsImFpbyI6IkUySmdZUEJuZjFReXFhRmlGK1BXUS9iZlVpVWNBQT09IiwiYXBwaWQiOiJhY2I0ZjlmYy0wMGRkLTQyMWYtYjc3NC04YWM4ZGUwNzAyYjEiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9mNjZmYWUwMi01ZDM2LTQ5NWItYmZlMC03OGE2ZmY5ZjhlNmUvIiwib2lkIjoiN2ZlZjAwOTktY2MxNy00NzhhLTgyM2ItYTYxOTIzYTM5MDI3IiwicmgiOiIwLkFRd0FBcTV2OWpaZFcwbV80SGltXzUtT2J2ejV0S3pkQUI5Q3QzU0t5TjRIQXJFTUFBQS4iLCJyb2xlcyI6WyJJbmNpZGVudC5SZWFkV3JpdGUuQWxsIiwiSW5jaWRlbnQuUmVhZC5BbGwiLCJBZHZhbmNlZEh1bnRpbmcuUmVhZC5BbGwiXSwic3ViIjoiN2ZlZjAwOTktY2MxNy00NzhhLTgyM2ItYTYxOTIzYTM5MDI3IiwidGVuYW50X3JlZ2lvbl9zY29wZSI6IkVVIiwidGlkIjoiZjY2ZmFlMDItNWQzNi00OTViLWJmZTAtNzhhNmZmOWY4ZTZlIiwidXRpIjoidDVkVi1RSGp3RTZDNV9XWGFiOFJBQSIsInZlciI6IjEuMCJ9.p6SyYM8ovjSP6vhCG2NaaMHhNYuwl1uQ0yNfziuPnq9bPesm4L5BtSQ2e2SaRwnQnJLr9LaNzi-kSDsP9cDyMfXioFHwGuJk8g1etcRtvXM2im7CidzWE1pz6mk549vz6n7lGRdxEAUASmf1THCnw8kYhTOEzts3KcJUx4g3TftC5znOK16GEkZ_Ov_5P6L0gstjp4CfR2QXheF3i6mZkgLHmnxbAQhDZw9Mv_HLpi0UziYTzzQ29uGpkpg9kw1EtPVxDn9LVdQfpuF_c_OR3DHqWYKPSf2UT6pSpnc4Jt-vkcuuG_jNthkExO7l2QaQHNGZ_BRJJdgLtm5LHTsk6A
    Content-Type: application/json
    rest_verify  : No

    ------------------------------
    Srinivas Joshi
    ------------------------------
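The approach the post is asking about, as an added example that is not part of the original post or of the fn_utilities function: the script requests a token with the app's client ID and secret via the OAuth2 client-credentials grant on the Azure AD v1 token endpoint (resource https://api.security.microsoft.com), caches it until shortly before its expiry, and then calls the incidents URL from the post. The tenant/client values, the `TokenCache` class, the `post`/`clock` hooks and the placeholder names are assumptions for illustration; the token endpoint and form fields follow Microsoft's documented client-credentials flow.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure AD v1 token endpoint and the resource the Defender API token must be issued for.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://api.security.microsoft.com"
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents/"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def _http_post_form(url, body):
    """Default transport: POST the form body and decode the JSON token response."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: fetches a bearer token on demand and reuses it until it nears expiry."""

    def __init__(self, tenant_id, client_id, client_secret, post=_http_post_form, clock=time.time):
        self._creds = (tenant_id, client_id, client_secret)
        self._post, self._clock = post, clock   # injectable so the logic can be tested offline
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        # Refresh 60 s before expiry so a token never runs out mid-request.
        if self._token is None or self._clock() >= self._expires_at - 60:
            url, body = build_token_request(*self._creds)
            reply = self._post(url, body)                 # {"access_token": ..., "expires_in": "3599", ...}
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token


def get_incidents(cache):
    """GET the incidents endpoint from the post, using a freshly cached token instead of a pasted one."""
    req = urllib.request.Request(INCIDENTS_URL, headers={"Authorization": "Bearer " + cache.get_token()})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Run with real values as `get_incidents(TokenCache("<tenant-id>", "<client-id>", "<client-secret>"))`; the `rest_verify: No` setting in the post has no equivalent here, since certificate verification is left on.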