IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
  • 1.  AppHost - REST API Function

    Posted Mon October 28, 2024 05:21 AM

    Hi Everyone,

    We are using the App "REST API Functions for SOAR" and trying to reference secrets that we have defined as shown below in the app.config:

    • cert_soar =  $CERT_TEST

    from a function within a playbook. We have tried several methods for referencing it from the playbook but none of them work:

    • "${cert_soar}"
    • "$CERT_TEST"
    • "{{cert_soar}}"
    • $CERT_TEST
    • ^CERT_TEST
    • "^CERT_TEST"

    Anyone has solved this please?

    Thanks,



    ------------------------------
    A P
    ------------------------------


  • 2.  RE: AppHost - REST API Function

    Posted Tue October 29, 2024 08:22 AM

    Hi A P,

    If I understand you correctly, you'd like to access the cert_soar app.config settings from within a playbook. This is not directly possible. If you were writing your own app, you could echo the settings in the FunctionResult reply back to the playbook. But from the fn_rest_api app, you don't have a way to introduce that logic.

    Regards,

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: AppHost - REST API Function

    Posted Tue October 29, 2024 11:11 AM
    Edited by A P Tue October 29, 2024 11:48 AM

    Just to clarify, I would like to access the certificate and key that are inputs of the function "Call REST API", it is not the certificate used for installing the app. It is the certificate and key to call the rest api using mTLS.

    Do you have a workaround now that the playbook is already created as it is an IBM supported app. Has it been designed for certificates and keys to be used as plain text? That is the only option showed on the README of the app.

    What is the difference with secrets that I am able to use? I have tried adding "/n" but it seems like it is still not correct.



    ------------------------------
    A P
    ------------------------------



  • 4.  RE: AppHost - REST API Function

    Posted Tue October 29, 2024 12:09 PM

    If there are settings you want to make common for functions(s) and scripts within a playbook, you can run a script at the beginning of the playbook to add the json settings to a playbook.property:

    settings = {
      "cert_auth_cert" = """
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    """
    }

    playbook.addProperty("common", settings)

    Then, in subsequent functions or scripts, you can refer back to that property and access those settings:

    common_settings = playbook.properties.common

    inputs.cert_auth_cert = common_settings.cert_auth_cert

    Currently, there is no way to save an app secret and refer back to it in a playbook script. 

    Regards,
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------