IBM QRadar SOAR

I am trying to write a script exporting playbooks created within IBM QRadar SOAR. So far I failed ot achieve my gloal.

I am using the following Python packages:

resilient                    49.1.51
resilient-app-config-plugins 1.0.0

I am able to retrieve a list of all playbooks

Hey Michael,

I have never done this before, but I think what you would be looking for is the post command for export extracting. This would allow you to grab the export that you just completed by supplying the export_id from the previously run command.

/orgs/{org_id}/playbooks/exports/{export_id}

I can do some further testing if you need it!

I am trying to write a script exporting playbooks created within IBM QRadar SOAR. So far I failed ot achieve my gloal.

I am using the following Python packages:

resilient                    49.1.51
resilient-app-config-plugins 1.0.0

I am able to retrieve a list of all playbooks

Thank you very much for your response. That is what I was expecting as well.

When I run the commands

Hey Michael,

I have never done this before, but I think what you would be looking for is the post command for export extracting. This would allow you to grab the export that you just completed by supplying the export_id from the previously run command.

/orgs/{org_id}/playbooks/exports/{export_id}

I can do some further testing if you need it!

I am trying to write a script exporting playbooks created within IBM QRadar SOAR. So far I failed ot achieve my gloal.

I am using the following Python packages:

resilient                    49.1.51
resilient-app-config-plugins 1.0.0

I am able to retrieve a list of all playbooks

Ok so I did some more testing and found that basically you can't just do this with the rest_client from the Resilient Python Module just yet. Hopefully with my findings this will be added in the future. I had to use requests as well. Here is my code to get this to work.

import resilient, requests# Create the client.parser = resilient.ArgumentParser(config_file=resilient.get_config_file())opts = parser.parse_args()rest_client = resilient.get_client(opts)# Establish Auth for Request.soar_fqdn = 'soar.company.com'api_key_id = 'API_KEY_ID'api_key_secret = 'API_KEY_SECRET'org_id = {org_num}# Collect All Playbook Data.filters = {    'filters': [    ]}playbooks = rest_client.post('/playbooks/query_paged?return_level=full', payload=filters)['data']# Iterated through each Playbook and Export them individually.for playbook in playbooks:    # Collect Playbook Info.    playbook_id = playbook['id']    playbook_name = playbook['name']    playbook_filename = playbook['display_name']        #Initiate Playbook Export.    export_data = {'id': playbook_id, 'name': playbook_name}    export_id = rest_client.post('/playbooks/exports', payload=export_data)['export_id']        # Pull resulting Playbook Export down.    files = {'file_name': (None, playbook_filename)}        response = requests.post(        'https://{}/rest/orgs/{}/playbooks/exports/{}'.format(soar_fqdn,org_id,export_id),        auth=(api_key_id, api_key_secret),        files=files,        verify=False    )        # Write data to file.    open(playbook_filename+'.resz', 'wb').write(response.content)

Using this code I am able to automate exporting every single playbook within my environment. 

I might also point out that resilient-sdk has this capability too by using the Extract function, however it is limited on what all can be pulled like it doesn't also pull the integration and add the integration to your server when importing back in. This will actually pull the playbooks specified itself and allow you to import all playbooks at 1 time using the Admin -> Settings Import option. See the command below to understand how that command will work.

resilient-sdk extract -n "PREPENDED_NAME" -o "OUTPUT/PATH" -pb PLAYBOOK1 PLAYBOOK2 PLAYBOOK3

More on Extract can be found here as you can extract a lot more as well. https://ibmresilient.github.io/resilient-python-api/pages/resilient-sdk/resilient-sdk.html#extract

------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security

Original Message:
Sent: Fri September 08, 2023 02:10 AM
From: Michael Herren
Subject: Export Playbook via API

Thank you very much for your response. That is what I was expecting as well.

When I run the commands

------------------------------
Michael Herren
Security Analyst
PostFinance AG
Bern

Original Message:
Sent: Wed September 06, 2023 06:03 PM
From: Nick Mumaw
Subject: Export Playbook via API

Hey Michael,

I have never done this before, but I think what you would be looking for is the post command for export extracting. This would allow you to grab the export that you just completed by supplying the export_id from the previously run command.

/orgs/{org_id}/playbooks/exports/{export_id}

I can do some further testing if you need it!

------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security

Original Message:
Sent: Fri September 01, 2023 07:38 AM
From: Michael Herren
Subject: Export Playbook via API

I am trying to write a script exporting playbooks created within IBM QRadar SOAR. So far I failed ot achieve my gloal.

I am using the following Python packages:

resilient                    49.1.51
resilient-app-config-plugins 1.0.0

I am able to retrieve a list of all playbooks

------------------------------
Michael Herren
Security Analyst
PostFinance AG
Bern
------------------------------

Thank you very much for your response.

I will soon test your code but don't see a reason it will not work for me as well.

Once more thank you

------------------------------
Michael Herren
Security Analyst
PostFinance AG
Bern

Original Message:
Sent: Fri September 08, 2023 02:57 PM
From: Nick Mumaw
Subject: Export Playbook via API

Ok so I did some more testing and found that basically you can't just do this with the rest_client from the Resilient Python Module just yet. Hopefully with my findings this will be added in the future. I had to use requests as well. Here is my code to get this to work.

import resilient, requests# Create the client.parser = resilient.ArgumentParser(config_file=resilient.get_config_file())opts = parser.parse_args()rest_client = resilient.get_client(opts)# Establish Auth for Request.soar_fqdn = 'soar.company.com'api_key_id = 'API_KEY_ID'api_key_secret = 'API_KEY_SECRET'org_id = {org_num}# Collect All Playbook Data.filters = {    'filters': [    ]}playbooks = rest_client.post('/playbooks/query_paged?return_level=full', payload=filters)['data']# Iterated through each Playbook and Export them individually.for playbook in playbooks:    # Collect Playbook Info.    playbook_id = playbook['id']    playbook_name = playbook['name']    playbook_filename = playbook['display_name']        #Initiate Playbook Export.    export_data = {'id': playbook_id, 'name': playbook_name}    export_id = rest_client.post('/playbooks/exports', payload=export_data)['export_id']        # Pull resulting Playbook Export down.    files = {'file_name': (None, playbook_filename)}        response = requests.post(        'https://{}/rest/orgs/{}/playbooks/exports/{}'.format(soar_fqdn,org_id,export_id),        auth=(api_key_id, api_key_secret),        files=files,        verify=False    )        # Write data to file.    open(playbook_filename+'.resz', 'wb').write(response.content)

Using this code I am able to automate exporting every single playbook within my environment. 

I might also point out that resilient-sdk has this capability too by using the Extract function, however it is limited on what all can be pulled like it doesn't also pull the integration and add the integration to your server when importing back in. This will actually pull the playbooks specified itself and allow you to import all playbooks at 1 time using the Admin -> Settings Import option. See the command below to understand how that command will work.

resilient-sdk extract -n "PREPENDED_NAME" -o "OUTPUT/PATH" -pb PLAYBOOK1 PLAYBOOK2 PLAYBOOK3

More on Extract can be found here as you can extract a lot more as well. https://ibmresilient.github.io/resilient-python-api/pages/resilient-sdk/resilient-sdk.html#extract

------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security

Original Message:
Sent: Fri September 08, 2023 02:10 AM
From: Michael Herren
Subject: Export Playbook via API

Thank you very much for your response. That is what I was expecting as well.

When I run the commands

------------------------------
Michael Herren
Security Analyst
PostFinance AG
Bern

Original Message:
Sent: Wed September 06, 2023 06:03 PM
From: Nick Mumaw
Subject: Export Playbook via API

Hey Michael,

I have never done this before, but I think what you would be looking for is the post command for export extracting. This would allow you to grab the export that you just completed by supplying the export_id from the previously run command.

/orgs/{org_id}/playbooks/exports/{export_id}

I can do some further testing if you need it!

------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security

Original Message:
Sent: Fri September 01, 2023 07:38 AM
From: Michael Herren
Subject: Export Playbook via API

I am trying to write a script exporting playbooks created within IBM QRadar SOAR. So far I failed ot achieve my gloal.

I am using the following Python packages:

resilient                    49.1.51
resilient-app-config-plugins 1.0.0

I am able to retrieve a list of all playbooks

------------------------------
Michael Herren
Security Analyst
PostFinance AG
Bern
------------------------------