IBM Security QRadar SOAR

  • 1.  Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Mon November 14, 2022 06:51 AM
    Hello,

    I am using the Utilities REST API function to integrate with Cofense Triage, and I have built a couple of workflows that authenticate and take actions on reported emails.
    I am trying to get an image of a reported email using one more Utilities REST function in the workflow, but I am not sure what the best practice is for handling the response.

    Below is example of the curl request I am drafting in the utilities REST function.

    curl --location --request GET 'https://triage.example.com/api/public/v2/reports/1234/download.jpg' \
    --header 'Accept: image/jpeg' \
    --header 'Authorization: Bearer 00000000000000000006j7trYbcRCUv6khshG66xLMQ'

    I posted str(results) to the notes to see the actual response structure and select the correct key for that image, but it seems there is no such key.

    Please let me know if this can be used to post an image directly to the notes, or at least as an attachment to an incident.

    Thanks in advance for the support.

    ------------------------------
    ahmed abushanab
    ------------------------------


  • 2.  RE: Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Mon November 14, 2022 01:07 PM
    Hi Ahmed -- it depends on your specific response format. There are a few functions available in the fn_utilities app that allow you to convert base64 content to attachments. If the response value here is in base64 format, then you could make use of that function. Otherwise, we'd need a little more info on what exactly the content is to determine how to get it to an attachment.

    Let me know if this helps!

    ------------------------------
    Bo Bleckel
    ------------------------------



  • 3.  RE: Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Tue November 15, 2022 06:14 AM
    Hello Bo Bleckel,
    Thanks for your reply,

    I have taken the response from the resilient circuit and only replaced the actual data with the word "pic" below, as the actual string is huge and I don't understand its actual format.

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    {
    'cookies': {},
    'links': {},
    'text': u' pic',
    'elapsed': 61,
    'apparent_encoding': None,
    'reason': 'OK',
    'ok': True,
    'url': u'https://10.16.52.214/api/public/v2/reports/29577/download.jpg',
    'headers': {
    'Status': '200 OK',
    'X-Request-Id': '71d4b41d-adf5-410d-827d-5c5c70cb41dd',
    'X-XSS-Protection': '1; mode=block',
    'X-Download-Options': 'noopen',
    'Content-Disposition': 'attachment; filename="report_29577.jpg"; filename*=UTF-8\'\'report_29577.jpg',
    'Transfer-Encoding': 'chunked',
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Vary': 'Origin',
    'X-Runtime': '0.043125',
    'X-Content-Type-Options': 'nosniff',
    'Content-Transfer-Encoding': 'binary',
    'Connection': 'keep-alive',
    'ETag': 'W/"5cd110087453c3e6f73eabb22321d766"',
    'X-Permitted-Cross-Domain-Policies': 'none',
    'Cache-Control': 'private',
    'Date': 'Tue, 15 Nov 2022 07:03:08 GMT',
    'X-Frame-Options': 'SAMEORIGIN',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Type': 'image/jpeg',
    },
    'json': None,
    'status_code': 200,
    }
    ------------------------------
    ahmed abushanab
    ------------------------------



  • 4.  RE: Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Tue November 15, 2022 12:54 PM
    Hi Ahmed - yeah so it looks like the content of the response is in raw JPEG format. So we'll have to do some extra work to get you there.

    There is a function "Utilities: Base64 to Attachment" in fn_utilities. If we can get your JPEG data into base64, we can use that function to post the attachment.

    That would probably look something like this (in the preprocessing script of the call to the Utilities: Base64 to Attachment function):
    import base64
    
    text_as_str = <results_from_previous_REST_call>.get("text")
    text_as_base64 = base64.b64encode(text_as_str.encode("ascii"))
    
    inputs.base64content = text_as_base64
    inputs.incident_id = incident.id
    inputs.file_name = "thumbnail.jpeg" # make this your own, maybe get from response
    inputs.content_type = "image/jpeg"


    I will just note that I have not tested this, but this is generally the idea... Play around with it, give it a shot. Hopefully this gives you a start in the right direction to be able to figure out something that works.



    ------------------------------
    Bo Bleckel
    ------------------------------



  • 5.  RE: Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Thu November 17, 2022 06:02 AM
    Dear Bo Bleckel,
    Thanks for your reply,

    I have followed same way to handle the output, encode it and add it as attachment.
    I have faced an issue with encode('ascii'): it fails with the out-of-range error mentioned below. I tried the utf-8 encode, which worked, but the attachment is not opening.


    import base64
    from base64 import b64encode

    text_as_str = str(workflow.properties.triage_report['text'])
    text_as_base64 = base64.b64encode(text_as_str.encode('utf-8'))#('ascii'))

    inputs.base64content = text_as_base64
    inputs.incident_id = incident.id
    inputs.file_name = "Report.png"
    inputs.content_type = "image/png"

    Error with ascii:
    Was unable to complete because: UnicodeEncodeError: 'ascii' codec can't encode character '\ufffd' in position 0: ordinal not in range(128)

    The attachment added to the incident with the utf-8 encoded result is not opening.

    Am I missing something here?
    ------------------------------
    ahmed abushanab
    ------------------------------



  • 6.  RE: Adding an "image" to Incident (Note/Rich text field), or attachments via REST API

    Posted Thu November 17, 2022 11:41 AM
    Hi Ahmed -- it is hard for me to know for sure, you might have to just play around with it a bit more.

    I would try removing all of the encoding, maybe the response is already encoded? And then see where you get to... I'm sorry I can't help more.

    ------------------------------
    Bo Bleckel
    ------------------------------
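The two symptoms in posts 5 and 6 (the 'ascii' codec failing on '\ufffd' at position 0, and the utf-8 version producing an attachment that will not open) can be reproduced offline. The following is an added example, not code from the thread or from fn_utilities; it assumes the response 'text' value was produced by decoding the JPEG body as UTF-8 with replacement characters (how a text attribute on an HTTP response object is typically built), and it uses a constructed, non-image byte string in place of a real report image.

```python
import base64

# Constructed sample: a JPEG SOI marker plus an APP0/JFIF header, followed by
# 128 arbitrary high bytes. It is not a real image, only byte-level realistic.
JPEG_SAMPLE = (
    bytes.fromhex("ffd8ffe000104a46494600010100000100010000")
    + bytes(range(0x80, 0x100))
)


def response_text_like(body: bytes) -> str:
    """Assumed model of a response object's 'text' attribute: the raw body
    decoded as UTF-8 with errors='replace'. Any byte sequence that is not
    valid UTF-8 (most of a JPEG) becomes U+FFFD, the character named in the
    UnicodeEncodeError quoted in the thread."""
    return body.decode("utf-8", errors="replace")


def encode_from_text(text: str, codec: str) -> bytes:
    """The approach tried in the thread: re-encode the decoded text, then base64."""
    return base64.b64encode(text.encode(codec))


def encode_from_bytes(body: bytes) -> bytes:
    """Base64 applied to the raw body before any text decoding happens."""
    return base64.b64encode(body)


def round_trips(b64: bytes, original: bytes) -> bool:
    """True only if decoding the base64 gives back the original bytes exactly."""
    return base64.b64decode(b64) == original


def demo() -> dict:
    text = response_text_like(JPEG_SAMPLE)
    results = {"text_has_replacement_char": "\ufffd" in text}
    try:
        encode_from_text(text, "ascii")
        results["ascii_fails"] = False
    except UnicodeEncodeError:          # U+FFFD is outside range(128)
        results["ascii_fails"] = True
    # utf-8 "works" but every lost byte is now EF BF BD: the image is corrupt.
    results["utf8_round_trips"] = round_trips(encode_from_text(text, "utf-8"), JPEG_SAMPLE)
    results["bytes_round_trips"] = round_trips(encode_from_bytes(JPEG_SAMPLE), JPEG_SAMPLE)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for the workflow is that the base64 step has to run on the raw response bytes; once the body has been turned into a str, the original JPEG is no longer recoverable from it.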