IBM Security QRadar SOAR

  • 1.  Sending an attachment to a sandbox

    Posted 25 days ago

    I'm wondering if anyone has had experience with this. I want to be able to send an attachment from SOAR to a sandbox; there isn't an app made for the sandbox, so I'm using the REST API app. I can't figure out how to send the attachment, though. I tried using the attachment id and the filename, and I changed it to base64 encoding; I'm always getting a 502 Bad Gateway error.

    I also tried sending the file path from the server using:

    """https://ouripadr/rest/orgs/201/incidents/{0}/attachments/{1}/contents""".format(incident.id, attachment.id)

    which gets me 401 Unauthorized, meaning I can't access the file. How would I get authorized? I can send a POST request with my login details, but I don't get any token to then pass on in the GET request trying to grab the file.

    Any advice on how to send an attachment would be appreciated.



    ------------------------------
    Maria Czapkowska
    ------------------------------


  • 2.  RE: Sending an attachment to a sandbox

    Posted 24 days ago

    Hey Maria,

    REST API app has built-in functionality that allows for directly sending attachments from an incident (I'll get to that in a bit). 

    Firstly, could you tell me how exactly the sandbox expects the attachment to be sent? What I mean by this is that different endpoints can expect attachments to be sent in different ways.

    • Sometimes the endpoint can expect the file to be sent as a multipart/form-data
    • Sometimes, binary encoded into the body of the message

    To accommodate such varied requests, REST API app's built-in attachment handler must be configured properly.

    Now, moving on to the REST API app. If you open up the sample playbook `CALL REST API (PB)` that's shipped with the application by default, you can find a detailed guide, instructing you on how to use the application. If you scroll down to the attachment section, you should find information on how to specify your attachments with a rest request.

    Things to remember:
    • Any file you intend to send must be uploaded to the incident as an `attachment` or `file based artifact`. Only certain artifact types (e.g. email-attachment) qualify as a file based artifact.
    • Should you wish to send as request body, set:
      • incident.id
      • attachment_id (or) artifact_id
      • send_file_as_body = True
      • attachment_form_field_name = ''
    • If you wish to send as multipart/form-data
      • incident.id
      • attachment_id (or) artifact_id
      • send_file_as_body = False
      • attachment_form_field_name = 'file' // or the correct form field name specified by your endpoint

    • Finally, construct a proper regular rest request with appropriate attributes such as rest_url, rest_method, rest_header, rest_body

    Note: The attachment handler will automatically add all the attachment-related request headers. However, other request headers must be specified by the user.

    File based artifact example:

    If for some reason you don't find the sample playbook, I have attached it here:

    #                                                    ================
    #                                                       Attachment   
    #                                                    ================
    
    # Incident attachments and artifacts (that contain attachments) can be bundled and sent with a REST request.
    # The following fields can be used to find and locate the file to be sent.
    
    # Note: Only one file can be sent per request. If both attachment_id and artifact_id are provided,
    #       the application will prioritize the attachment over the artifact
    
    # [Required] ID of the incident in which the artifact or attachment is present. dtype : int
    inputs.incident_id   = incident.id
    
    # [Optional] ID of the task in which the artifact or attachment is present. dtype : int
    inputs.task_id = task.id if task else None
    
    # Used to identify the attachment that is to be sent with the REST request. dtype : int
    inputs.attachment_id = None
    
    # Used to identify file-based artifact that is to be sent with the REST request. dtype : int
    inputs.artifact_id   = None
    
    # REQUEST FORMAT
    # --------------
    
    # The endpoint has the capability to receive a REST request containing a file attachment in various formats.
    # The selection of the methodology for sending a file depends on the specific requirements of the endpoint.
    
    # 1. file bundled as a multipart/form-data:
    #
    #  This methodology sends the attachment as ``Content-Type: multipart/form-data``, meaning that the body of the
    #  request is a series of parts, each of which contains files that are base64 encoded. The body of the request is
    #  divided into multiple parts, and each part is separated by a boundary defined that is auto-defined by the app.
    #  Each part typically contains a `Content-Disposition` header that describes the `name` and `type` of the data,
    #  along with the actual data itself. While the `type` is automatically assigned by the application, the `name`
    #  is supposed to be provided by the user in the below field.
    
    #  Each part in multipart/form-data is expected to contain a content-disposition header where the disposition type
    #  is automatically set by the application, and a disposition name. This disposition name changes with regard to
    #  the endpoint that is being used and is to be set by the user. Default value : "file"
    
    inputs.attachment_form_field_name = "file"
    
    # sends file as multipart/form-data
    inputs.send_file_as_body = False
    
    
    # 2. file bundled as request body:
    #
    #   This methodology sends the binary data of the file as REST request body. Certain endpoints require
    #   files to be sent in this format. Although most endpoints tend to use multipart/form-data. Default: False
    
    # Uncomment the following line to send file as REST request body
    # inputs.send_file_as_body = True
    
    # Note: The body of the request has to be empty, i.e. inputs.rest_api_body = None, otherwise the application
    #       will raise an error
    


    ------------------------------
    Calvin Wynne
    ------------------------------
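    An added example, not from the thread and not the REST API app's own code, showing what the two modes Calvin describes put on the wire, built with the standard library so it runs offline. `build_file_request` and `parse_multipart` are names chosen here; the octet-stream part type and the boundary format are this example's assumptions, since the app does not document its own.

```python
import uuid
from email import policy
from email.parser import BytesParser


def build_file_request(filename, data, send_file_as_body=False,
                       attachment_form_field_name="file", rest_body=None):
    """Return (headers, body) for one file in either of the two modes.

    send_file_as_body=True  -> the raw file bytes are the whole request body
    send_file_as_body=False -> multipart/form-data with one part whose
                               disposition name is attachment_form_field_name
    Assumption of this example: the part is typed application/octet-stream
    and the boundary format is ours; the app does not document its own.
    """
    if send_file_as_body:
        if rest_body is not None:
            # Same rule as the sample playbook: rest_api_body must be empty.
            raise ValueError("rest_body must be None when send_file_as_body=True")
        return {"Content-Type": "application/octet-stream"}, data

    boundary = "----SOARBoundary" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{attachment_form_field_name}"; '
        f'filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return {"Content-Type": f'multipart/form-data; boundary="{boundary}"'}, body


def parse_multipart(headers, body):
    """Decode a multipart body the way a receiving endpoint would and return
    {disposition_name: (filename, bytes)}; use it to confirm the form field
    name matches what the sandbox documents before running the playbook."""
    raw = f"Content-Type: {headers['Content-Type']}\r\n\r\n".encode() + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        part.get_param("name", header="content-disposition"):
            (part.get_filename(), part.get_payload(decode=True))
        for part in msg.iter_parts()
    }


# Constructed sample standing in for an incident attachment (not a real file).
SAMPLE_NAME = "suspicious-sample.bin"
SAMPLE_DATA = b"PK-constructed-sample-bytes-not-a-real-document"
```

    A 415 from the endpoint usually means the Content-Type it received is not the one it expects, so comparing the header this produces with the sandbox's API documentation is a quick first check.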



  • 3.  RE: Sending an attachment to a sandbox

    Posted 24 days ago

    Hi Calvin,

    Thank you for your detailed response. It turns out we're using an outdated version of the REST API app. Will have to upgrade it and check if this works.



    ------------------------------
    Maria Czapkowska
    ------------------------------



  • 4.  RE: Sending an attachment to a sandbox

    Posted 24 days ago

    Hey Maria,

    No worries.  Let me know how it goes!

    Regards,



    ------------------------------
    Calvin Wynne
    ------------------------------



  • 5.  RE: Sending an attachment to a sandbox

    Posted 24 days ago

    I've updated the app and unfortunately I'm still getting the 502 Bad Gateway error. I'm starting to think that the issue is with the sandbox itself so I tried a new playbook that would send URLs to be scanned. That neither confirmed nor denied my suspicions because the new playbook fails with a 415 media type unsupported error and I'm still confused.



    ------------------------------
    Maria Czapkowska
    ------------------------------