IBM Security QRadar SOAR

  • 1.  Call Rest API function script - authentication parameter help

    Posted Tue April 02, 2024 10:47 PM

    I am trying to configure the BigFix API to work with the Call Rest API function, but I am stuck on the authentication parameter.
    Below is the format required by BigFix. Since the authentication is not using the header method, how do we define the authentication in the function script?

    This is what BigFix is expecting. I tested it using the Python interpreter and it works, but I don't know how to translate this to the Rest API function script.
    'https://bigfix.server.com:50000/api/computer/', auth=('username', 'password'), verify=False

    Function script:
    inputs.rest_api_method = 'GET'
    inputs.rest_api_url = 'https://bigfix.server.com:50000/api/computer/'
    inputs.rest_api_verify = False



    ------------------------------
    Ray Tam
    ------------------------------


  • 2.  RE: Call Rest API function script - authentication parameter help

    Posted Wed April 03, 2024 01:39 AM

    Hi Ray.

    Not sure though, it may be the case.

    According to the site, the login from the REST API client to the BigFix REST API server uses basic access authentication.

    Though I did not try it with BigFix, I guess you can try the following Basic authentication snippet.

    api_key and api_secret can be substituted with user and password.

    # Basic Authentication
    # 
    # curl -u ${api_key}:${api_secret} <url>
    # 
    api_key="...."
    api_secret="..."
    
    # construct auth header
    import base64
    base64_api=base64.b64encode((api_key + ":" + api_secret).encode()).decode()
    auth_header = "Basic " + base64_api
    
    # construct request header
    header = """
    Authorization: {0}
    Content-Type: application/json
    """
    header = header.format(auth_header)
    
    inputs.rest_api_headers = header if header else None
    


    ------------------------------
    Yohji Amano
    ------------------------------



  • 3.  RE: Call Rest API function script - authentication parameter help

    Posted Wed April 03, 2024 02:06 PM
    Hi, if you are using basic authentication, or you have the token after authenticating, you can send it in a header. Here is an example of a call that I made to QRadar that requires the token; in the call I put it in the headers.

    I don't know if you use basic authentication; if so, you need to use this header instead of the SEC one that I'm using:

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    The base64 value is composed of <user>:<passwd> in base64 encoding.


    import json

    api_access1 = workflow.properties.api_creds
    qtoken = api_access1.token
    qurl = api_access1.qradar_url+"api/ariel/searches?query_expression="+api_access1.parsed_query

    rheaders = """
    Accept: application/json
    Accept-encoding: gzip,deflate
    Content-Type: application/x-www-form-urlencoded
    SEC: """+qtoken+"""
    """

    inputs.rest_method = "POST"
    inputs.rest_url = qurl
    inputs.rest_headers = rheaders
    inputs.rest_verify = False
    inputs.rest_timeout = 300




    Luis Alejandro Moy Ruiz CISSP,CISA

    Mobile: +52 55 7865 9481

    Customer Success Manager






  • 4.  RE: Call Rest API function script - authentication parameter help

    Posted Wed April 03, 2024 07:17 PM

    Thanks for the suggestions, but I haven't had much luck getting it to work.
    The BigFix API authentication is very strange. It is different from the one I worked with before.

    Below is the vendor URL with an authentication example in Python. It didn't mention anything about base64.

    https://developer.bigfix.com/rest-api/examples/get-computer.html

    import requests 
    r = requests.get('https://{server}:{port}/api/computer/{id}', auth=('{username}', '{password}'))
    print(r.text)



    ------------------------------
    Ray Tam
    ------------------------------



  • 5.  RE: Call Rest API function script - authentication parameter help
    Best Answer

    Posted Wed April 03, 2024 08:58 PM

    Hi Ray

    According to https://developer.bigfix.com/rest-api/examples/get-computer.html, it describes:

    cURL

    curl -X GET --user {username}:{password} https://{server}:{port}/api/computer/{id}

    The above implies Basic Authentication is used, because curl's default authentication is basic authentication.

    So I think you can try the basic authentication code in your playbook.



    ------------------------------
    Yohji Amano
    ------------------------------



  • 6.  RE: Call Rest API function script - authentication parameter help

    Posted Thu April 04, 2024 12:19 PM

    Thanks for all the help! I was finally able to get this to work using the basic auth method. Below is what I have:

    import json
    headers = {
        'Content-Type': 'application/json',
        "Authorization": f"Basic my_base64_secret"
    }
    inputs.rest_api_method = 'GET'
    inputs.rest_api_headers = json.dumps(headers)
    inputs.rest_api_url = 'https://mybigfixserver.domain.com:12345/api/computer'
    inputs.rest_api_verify = False



    ------------------------------
    Ray Tam
    ------------------------------