IBM Security QRadar SOAR

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}

it looks like your result is a string instead of json and the json.loads function doesn't like that all the keys are in single quote marks.

Try this:

parsed = json.dumps(api_results, indent=4)
incident.addNote(json.loads(parsed))

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}

The output is in json format but specifically in a python dictionary. The signature of all output is:

{
version: xx,
success: True/False,
reason: "failure message",
content: <api json result>
}

If you prettify the result above, you'll see the API result under "content" and "json". Abbreviated, your post-processing script would look like this, if using playbooks:

results = playbook.function.results.<your restapi output>

if not results.success:
incident.addNote(f"RestAPI failure: {results.reason}")
else:
content = results.content.json
  geo_loc = content.loc

Hope this helps.

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}

Hi Ray

I suppose you're working with output returned by "Call REST API" function.

When I access to SOAR rest API via "Call REST API" function, I did the following ways:

---
import json
outputs = playbook.functions.results.output
text_data = outputs["content"]["text"]
json_data = json.loads(text_data)

# to view on web
incident.addNote(str(json_data))

# to view on terminal 
log.info(str(json_data))    # output goes to /var/log/resilient-scripting/resilient-scripting.log
                # To view the loggs, sudo grep LoggerContext /var/log/resilient-scripting/resilient-scripting.log

---

I am testing the Rest API app to make a query to lookup the geo location of an IP address using ipinfo.io. 
I was able to get the result but I never able to pull any data from the json dictionary to add to the Notes.   

I tried to load the json result to an python interpreter on another system but got an error when perform the json.loads due to invalid json format.
I wonder if anyone experienced with similar issue and if there is a way we can make the output in valid json format? 

In the SOAR output script, I tried to return any value but it always returned an error:

Function:

import json
headers = {
    'Content-Type': 'application/json'
}
inputs.rest_api_method = 'GET'
inputs.rest_api_headers = json.dumps(headers)
inputs.rest_api_url = 'https://ipinfo.io/{}/geo'.format(artifact.value)
inputs.rest_api_verify = True

API Result:

{'version': 2.0, 'success': True, 'reason': None, 'content': {'ok': True, 'url': 'https://ipinfo.io/8.8.8.8/geo', 'status_code': 200, 'reason': 'OK', 'cookies': {}, 'headers': {'server': 'nginx/1.24.0', 'date': 'Fri, 29 Mar 2024 02:35:08 GMT', 'content-type': 'application/json; charset=utf-8', 'Content-Length': '304', 'access-control-allow-origin': '*', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'x-envoy-upstream-service-time': '2', 'via': '1.1 google', 'strict-transport-security': 'max-age=2592000; includeSubDomains', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}, 'elapsed': 249, 'apparent_encoding': 'ascii', 'text': '{\n "ip": "8.8.8.8",\n "hostname": "dns.google",\n "anycast": true,\n "city": "Mountain View",\n "region": "California",\n "country": "US",\n "loc": "37.4056,-122.0775",\n "org": "AS15169 Google LLC",\n "postal": "94043",\n "timezone": "America/Los_Angeles",\n "readme": "https://ipinfo.io/missingauth"\n}', 'json': {'ip': '8.8.8.8', 'hostname': 'dns.google', 'anycast': True, 'city': 'Mountain View', 'region': 'California', 'country': 'US', 'loc': '37.4056,-122.0775', 'org': 'AS15169 Google LLC', 'postal': '94043', 'timezone': 'America/Los_Angeles', 'readme': 'https://ipinfo.io/missingauth'}, 'links': {}}, 'raw': None, 'inputs': {'rest_api_cookies': {'format': 'text', 'content': None}, 'rest_api_headers': '{"Content-Type": "application/json"}', 'rest_api_method': 'GET', 'rest_api_verify': True, 'rest_api_allowed_status_codes': '', 'rest_api_url': 'https://ipinfo.io/8.8.8.8/geo', 'rest_api_body': {'format': 'text', 'content': None}, 'rest_api_timeout': None}, 'metrics': {'version': '1.0', 'package': 'fn-rest-api', 'package_version': '1.2.0', 'host': '2113c932-3251-4142-8c58-7d7f73b440aa-6cd9bb5d5c-999vd', 'execution_time_ms': 785, 'timestamp': '2024-03-29 02:35:08'}}