IBM Security QRadar SOAR

Dears,

I am trying to use the "Utilities: Call REST API" function in order to get JSON info provided by the following IBM url https://exchange.xforce.ibmcloud.com/ip/185.99.32.36

I have tried a function's script as below but I am not able to get info as listed when I browse this URL:

import base64
import json

inputs.rest_verify = "True"
inputs.rest_method = "GET"

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

# Create a dictionary for the headers
headers = {
    'Authorization': 'Basic ' + base64.b64encode(f'{api_key}:{api_password}'.encode('utf-8')).decode('utf-8')
}

# Convert the headers dictionary to a JSON object
headers_json = json.dumps(headers)

# Set the headers in the inputs
inputs.rest_headers = headers_json

base_url = 'https://exchange.xforce.ibmcloud.com/ip/' + artifact.value
inputs.rest_url = base_url

Any hints how to get these info into SOAR results?

Best Regards

Nabil

------------------------------
Nabil Nehme
------------------------------

Hi Nabil,

I see that you are still using Utilities: Call REST API to make REST requests. This application is outdated and is limited in features. Instead, I would like to recommend REST API Functions for SOAR which is an updated, standalone app with more features. I would also suggest you to take a look at the Call REST API example playbook (as shown below) to see all the various features and functionalities of this application.

As for your question, you could do one of the following:

1.  Write out the results to incident note or artifact description as shown below (script can be found in the Call REST API playbook):
   
2. Add information as hits to a given artifact (provided the object type you are working on is an artifact):
   You can modify the sample playbook to add hits by providing it in this format. Things to keep in mind while adding hits:
   1.     Supported data-types: number, uri, string
   2.     Hits must be a list of dictionaries.
   3.     Each dictionary must have a name, type and value.
   4.     Name would be your json key, and value would be json value.
   5.     List doesnot support advance dataypes, all values must be string or number, no nested dict or list.

I hope this information helps you.

------------------------------
Calvin Wynne

Original Message:
Sent: Wed November 01, 2023 09:42 AM
From: Nabil Nehme
Subject: Getting info from exchange.xforce.ibmcloud.com

Dears,

I am trying to use the "Utilities: Call REST API" function in order to get JSON info provided by the following IBM url https://exchange.xforce.ibmcloud.com/ip/185.99.32.36

I have tried a function's script as below but I am not able to get info as listed when I browse this URL:

import base64
import json

inputs.rest_verify = "True"
inputs.rest_method = "GET"

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

# Create a dictionary for the headers
headers = {
    'Authorization': 'Basic ' + base64.b64encode(f'{api_key}:{api_password}'.encode('utf-8')).decode('utf-8')
}

# Convert the headers dictionary to a JSON object
headers_json = json.dumps(headers)

# Set the headers in the inputs
inputs.rest_headers = headers_json

base_url = 'https://exchange.xforce.ibmcloud.com/ip/' + artifact.value
inputs.rest_url = base_url

Any hints how to get these info into SOAR results?

Best Regards

Nabil

------------------------------
Nabil Nehme
------------------------------

Hello Calvin

Thank you for your help

I have downloaded and installed the updated version.

I am using a URL that requires basic authentication 

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

Please can you help me include the authentication credentials in the function?

Best

Nabil

Hi Nabil,

I see that you are still using Utilities: Call REST API to make REST requests. This application is outdated and is limited in features. Instead, I would like to recommend REST API Functions for SOAR which is an updated, standalone app with more features. I would also suggest you to take a look at the Call REST API example playbook (as shown below) to see all the various features and functionalities of this application.

As for your question, you could do one of the following:

1.  Write out the results to incident note or artifact description as shown below (script can be found in the Call REST API playbook):
   
2. Add information as hits to a given artifact (provided the object type you are working on is an artifact):
   You can modify the sample playbook to add hits by providing it in this format. Things to keep in mind while adding hits:
   1.     Supported data-types: number, uri, string
   2.     Hits must be a list of dictionaries.
   3.     Each dictionary must have a name, type and value.
   4.     Name would be your json key, and value would be json value.
   5.     List doesnot support advance dataypes, all values must be string or number, no nested dict or list.

I hope this information helps you.

------------------------------
Calvin Wynne

Original Message:
Sent: Wed November 01, 2023 09:42 AM
From: Nabil Nehme
Subject: Getting info from exchange.xforce.ibmcloud.com

Dears,

I am trying to use the "Utilities: Call REST API" function in order to get JSON info provided by the following IBM url https://exchange.xforce.ibmcloud.com/ip/185.99.32.36

I have tried a function's script as below but I am not able to get info as listed when I browse this URL:

import base64
import json

inputs.rest_verify = "True"
inputs.rest_method = "GET"

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

# Create a dictionary for the headers
headers = {
    'Authorization': 'Basic ' + base64.b64encode(f'{api_key}:{api_password}'.encode('utf-8')).decode('utf-8')
}

# Convert the headers dictionary to a JSON object
headers_json = json.dumps(headers)

# Set the headers in the inputs
inputs.rest_headers = headers_json

base_url = 'https://exchange.xforce.ibmcloud.com/ip/' + artifact.value
inputs.rest_url = base_url

Any hints how to get these info into SOAR results?

Best Regards

Nabil

------------------------------
Nabil Nehme
------------------------------

Hello Calvin

Thank you for your help

I have downloaded and installed the updated version.

I am using a URL that requires basic authentication 

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

Please can you help me include the authentication credentials in the function?

Best

Nabil

------------------------------
Nabil Nehme

Original Message:
Sent: Thu November 02, 2023 06:43 AM
From: Calvin Wynne
Subject: Getting info from exchange.xforce.ibmcloud.com

Hi Nabil,

I see that you are still using Utilities: Call REST API to make REST requests. This application is outdated and is limited in features. Instead, I would like to recommend REST API Functions for SOAR which is an updated, standalone app with more features. I would also suggest you to take a look at the Call REST API example playbook (as shown below) to see all the various features and functionalities of this application.

As for your question, you could do one of the following:

1.  Write out the results to incident note or artifact description as shown below (script can be found in the Call REST API playbook):
   
2. Add information as hits to a given artifact (provided the object type you are working on is an artifact):
   You can modify the sample playbook to add hits by providing it in this format. Things to keep in mind while adding hits:
   1.     Supported data-types: number, uri, string
   2.     Hits must be a list of dictionaries.
   3.     Each dictionary must have a name, type and value.
   4.     Name would be your json key, and value would be json value.
   5.     List doesnot support advance dataypes, all values must be string or number, no nested dict or list.

I hope this information helps you.

------------------------------
Calvin Wynne

Original Message:
Sent: Wed November 01, 2023 09:42 AM
From: Nabil Nehme
Subject: Getting info from exchange.xforce.ibmcloud.com

Dears,

I am trying to use the "Utilities: Call REST API" function in order to get JSON info provided by the following IBM url https://exchange.xforce.ibmcloud.com/ip/185.99.32.36

I have tried a function's script as below but I am not able to get info as listed when I browse this URL:

import base64
import json

inputs.rest_verify = "True"
inputs.rest_method = "GET"

api_key = 'aaaaaaaaa'
api_password = 'bbbbbbbbb'

# Create a dictionary for the headers
headers = {
    'Authorization': 'Basic ' + base64.b64encode(f'{api_key}:{api_password}'.encode('utf-8')).decode('utf-8')
}

# Convert the headers dictionary to a JSON object
headers_json = json.dumps(headers)

# Set the headers in the inputs
inputs.rest_headers = headers_json

base_url = 'https://exchange.xforce.ibmcloud.com/ip/' + artifact.value
inputs.rest_url = base_url

Any hints how to get these info into SOAR results?

Best Regards

Nabil

------------------------------
Nabil Nehme
------------------------------