IBM Security QRadar SOAR

 View Only
  • 1.  Getting info from

    Posted Wed November 01, 2023 09:42 AM


    I am trying to use the "Utilities: Call REST API" function in order to get JSON info provided by the following IBM url

    I have tried a function's script as below but I am not able to get info as listed when I browse this URL:

    import base64
    import json

    inputs.rest_verify = "True"
    inputs.rest_method = "GET"

    api_key = 'aaaaaaaaa'
    api_password = 'bbbbbbbbb'

    # Create a dictionary for the headers
    headers = {
        'Authorization': 'Basic ' + base64.b64encode(f'{api_key}:{api_password}'.encode('utf-8')).decode('utf-8')

    # Convert the headers dictionary to a JSON object
    headers_json = json.dumps(headers)

    # Set the headers in the inputs
    inputs.rest_headers = headers_json

    base_url = '' + artifact.value
    inputs.rest_url = base_url

    Any hints how to get these info into SOAR results?

    Best Regards


    Nabil Nehme

  • 2.  RE: Getting info from

    Posted Thu November 02, 2023 06:44 AM
    Edited by Calvin Wynne Thu November 02, 2023 06:45 AM

    Hi Nabil,

    I see that you are still using Utilities: Call REST API to make REST requests. This application is outdated and is limited in features. Instead, I would like to recommend REST API Functions for SOAR which is an updated, standalone app with more features. I would also suggest you to take a look at the Call REST API example playbook (as shown below) to see all the various features and functionalities of this application.

    As for your question, you could do one of the following:

    1.  Write out the results to incident note or artifact description as shown below (script can be found in the Call REST API playbook):
    2. Add information as hits to a given artifact (provided the object type you are working on is an artifact):
      You can modify the sample playbook to add hits by providing it in this format. Things to keep in mind while adding hits:
      1.     Supported data-types: number, uri, string
      2.     Hits must be a list of dictionaries.
      3.     Each dictionary must have a name, type and value.
      4.     Name would be your json key, and value would be json value.
      5.     List doesnot support advance dataypes, all values must be string or number, no nested dict or list.

    I hope this information helps you.

    Calvin Wynne

  • 3.  RE: Getting info from

    Posted Thu November 02, 2023 08:45 AM

    Hello Calvin

    Thank you for your help

    I have downloaded and installed the updated version.

    I am using a URL that requires basic authentication 

    api_key = 'aaaaaaaaa'
    api_password = 'bbbbbbbbb'

    Please can you help me include the authentication credentials in the function?



    Nabil Nehme

  • 4.  RE: Getting info from

    Posted Thu November 02, 2023 11:35 AM

    Hey Nabil,

    Glad to know that helped. So, the way i would go about doing this is as shown below:

    You can use the base64 package to encode your username and password and set it as your Authorization header in request header.


    Calvin Wynne

  • 5.  RE: Getting info from

    Posted Thu November 02, 2023 12:19 PM
    Edited by WALTER HIGGINS Thu November 02, 2023 12:20 PM

    Hi Nabil,

    Try the following (it uses a different x-force call but illustrates how to encode the auth header)

    from base64 import b64encode
    # get x-force vulnerabilities
    url = ""
    api_key = "API-KEY-GOES-HERE"
    api_pwd = "API-PASSWORD-GOES-HERE" # better to use playbook input or other source
    auth = b64encode(f"{api_key}:{api_pwd}".encode('utf-8')).decode('utf-8')
    headers = f"""
    accept: application/json
    Authorization: Basic {auth}
    inputs.rest_method = "GET"
    inputs.rest_url = url
    inputs.rest_headers = headers
    inputs.rest_verify = True