IBM Security QRadar SOAR

  • 1.  Using 3rd party tools API endpoint

    Posted Thu December 01, 2022 12:01 PM
    Hi Team, 

    Currently we are using an OOTB app from the IBM App Exchange which is used to integrate a 3rd party tool with Resilient SOAR.
    We can see only a few functions available in the app. If we want to use any other API endpoint of the 3rd party tool, how can we use it with the help of the existing app? Do we have any other OOTB functionality or app which we can use to call API endpoints?

    ------------------------------
    Shubham Agarwal
    ------------------------------


  • 2.  RE: Using 3rd party tools API endpoint

    Posted Fri December 02, 2022 07:45 AM
    Hi Shubham,

    Can you clarify what you mean by OOTB, and what app you're referring to? What functions are you interested in seeing included?

    Thanks,
    Mark


    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Using 3rd party tools API endpoint

    Posted Sun December 04, 2022 09:39 PM
    Hi Mark, 

    We are referring to apps present on the IBM App Exchange as OOTB apps.
    For example, we have integrated the Crowdstrike app with Resilient, but we do not see other important functions which are required in our use case.
    Functions like taking a MAC address as input and giving the host ID from Crowdstrike as output (API endpoint = /devices/queries/devices-scroll/v1).
    How can we achieve the above function in Resilient?

    ------------------------------
    Shubham Agarwal
    ------------------------------



  • 4.  RE: Using 3rd party tools API endpoint

    Posted Mon December 05, 2022 07:55 AM
    Hi. I suppose you're talking about this, right?

    https://exchange.xforce.ibmcloud.com/hub/extension/8f2e16035b6adffe6da4a8c18d045fc7

    If this is correct, since it's a 3rd party component, you can just ask Crowdstrike support to implement the missing functionality and cross your fingers.

    Or, you can install 

    https://exchange.xforce.ibmcloud.com/hub/extension/2b6699ac8a3976b67dfbddee26dbe3a5

    which will allow you to call any REST APIs directly from inside SOAR.

    I hope it helps

    Leo

    ------------------------------
    Leonardo Kenji Shikida
    ------------------------------



  • 5.  RE: Using 3rd party tools API endpoint

    Posted Mon December 05, 2022 12:31 PM
    Hi Leonardo, 

    Thanks for your input. Yes, we are using Utility Functions to call any REST API for any 3rd party tool. But for authentication with any 3rd party tool we need to pass some token, like an access token or Basic authentication, in the headers. Is it possible to hide that token? If we don't hide that token, or the credentials (like client ID and client secret) which are generating that token, inside the playbook, then it will be a compliance-related or security-breach-related issue.

    ------------------------------
    Shubham Agarwal
    ------------------------------



  • 6.  RE: Using 3rd party tools API endpoint

    Posted Mon December 05, 2022 01:38 PM
    Hi,
    We are facing the same problem with the Utility Functions to call any REST API: the access token or password or whatever credentials have to be coded within the call. This is a major security issue.

    With version v47, it is now possible to encrypt a secret for the app.config file. What would be needed is the possibility to maybe define some of the parameters in the app.config file. A bit like the OS command you must authorize when you use the function to run arbitrary shell scripts.

    Another example would be the LDAP function. You have to put the password in the app.config file. But you can hide this password by using a secret. And now in version 47 you can even encrypt it. This kind of mechanism could surely be implemented in the call REST API function.


    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 7.  RE: Using 3rd party tools API endpoint

    Posted Thu December 08, 2022 12:53 AM
    Hi Pierre, 

    Thanks for your input. This information is very helpful. 

    Can you please share a link if this is documented somewhere?

    ------------------------------
    Shubham Agarwal
    ------------------------------



  • 8.  RE: Using 3rd party tools API endpoint

    Posted Fri December 09, 2022 09:14 AM
    Here is a pointer to the new V47 encrypted secrets functionality.


    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 9.  RE: Using 3rd party tools API endpoint

    Posted Thu December 15, 2022 02:47 AM
    Hi AnnMarie and Pierre, 

    Thanks for your input, and the documentation shared was very helpful. If we have to use some passwords or credentials while calling the "REST API function" inside the "Utility function" app, then is it possible to keep those credentials in the Secrets section of the app configuration and use them while calling the "REST API" function?

    Thanks..

    ------------------------------
    Shubham Agarwal
    ------------------------------
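
An added sketch of the pattern discussed in this thread (not code from any poster, IBM or CrowdStrike): the credentials sit in app.config as `$NAME` references to secrets, and the playbook supplies only the MAC address. The section keys, secret names, placeholder base URL, `/oauth2/token` path and `mac_address` filter format are assumptions; only the devices-scroll endpoint comes from the thread.

```python
import os
import re
from urllib.parse import urlencode
from urllib.request import Request

# Constructed app.config-style section; key and secret names are hypothetical.
APP_CONFIG = {
    "base_url": "https://api.example.invalid",   # placeholder, not a real host
    "client_id": "$CS_CLIENT_ID",                # reference to a secret
    "client_secret": "$CS_CLIENT_SECRET",        # reference to a secret
}
MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}")

def resolve_secrets(section, env=os.environ):
    """Replace "$NAME" values with the secret of that name; fail closed if unset."""
    resolved = {}
    for key, value in section.items():
        if value.startswith("$"):
            name = value[1:]
            if name not in env:
                raise KeyError(f"secret {name} is not defined")
            value = env[name]
        resolved[key] = value
    return resolved

def build_token_request(cfg):
    """OAuth2 client-credentials request; the secret is only in the POST body."""
    body = urlencode({"client_id": cfg["client_id"],
                      "client_secret": cfg["client_secret"]}).encode()
    return Request(cfg["base_url"] + "/oauth2/token", data=body, method="POST")

def build_host_lookup(cfg, access_token, mac_address):
    """MAC address in, host-ID query out. The MAC is validated before it is
    placed in the filter so an artifact value cannot alter the query."""
    mac = mac_address.strip().lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC address")
    query = urlencode({"filter": "mac_address:'%s'" % mac.replace(":", "-")})
    return Request(cfg["base_url"] + "/devices/queries/devices-scroll/v1?" + query,
                   headers={"Authorization": "Bearer " + access_token})

def redact(req):
    """Header view that is safe to write to an incident note or a log."""
    return {k: "***" if k.lower() == "authorization" else v
            for k, v in req.header_items()}
```

The requests are built but never sent, so the block runs offline; in a custom function the same builders would be passed to an HTTP client and only the `redact()` view would be written back to the incident.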