XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration

QShah — Mon, 15 Aug 2022 13:59:11 GMT

If I configure the integration in SOAR using an API key from Cisco Secure Cloud Analytics, I get an authorization error:

Executed: test-module
Instance Stealthwatch Cloud_instance_1d4e2580e-a33d-4ace-8877-59165345b343
Arguments {}
Start time 2022-07-27T15:48:54.437265548Z

2022-07-27T15:48:54.562896279Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) debug-mode started.
#### http client print found: False.
#### Env {'LANG': 'C.UTF-8', 'PYTHONIOENCODING': 'UTF-8', 'HOSTNAME': '49bd2400eca7', 'PYTHON_GET_PIP_SHA256': '40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416', 'PYTHON_VERSION': '2.7.18', 'https_proxy': '', 'PYTHON_PIP_VERSION': '20.3.4', 'HOME': '/root', 'http_proxy': '', 'HTTPS_PROXY': '', 'GPG_KEY': 'C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF', 'HTTP_PROXY': '', 'PATH': '/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'PYTHON_GET_PIP_URL': 'https://github.com/pypa/get-pip/raw/831b5dd0bec03caf24aa6d736a28dc2ba80f91cc/public/2.7/get-pip.py', 'DOCKER_IMAGE': 'demisto/python:2.7.18.27799'}.
#### Params: {
"APIKey": "<XX_REPLACED>",
"proxy": false,
"incidentType": null,
"isFetch": false,
"incidentFetchInterval": "1",
"insecure": false,
"serverURL": "https://mycompany.obsrvbl.com"
}.
#### Docker image: [demisto/python:2.7.18.27799]
#### Integration: brand: [Stealthwatch Cloud] instance: [Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343]
2022-07-27T15:48:54.56354458Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) running GET request with url=https://mycompany.obsrvbl.com/api/v3/alerts/alert/ params={}
2022-07-27T15:48:54.565385782Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) python logging: DEBUG [urllib3.connectionpool] - Starting new HTTPS connection (1): mycompany.obsrvbl.com:443
2022-07-27T15:48:54.999865337Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) python logging: DEBUG [urllib3.connectionpool] - https://mycompany.obsrvbl.com:443 "GET /api/v3/alerts/alert/ HTTP/1.1" 403 58
2022-07-27T15:48:55.00235194Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
2022-07-27T15:48:55.00267294Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
Exception message is [Traceback (most recent call last):
File "/tmp/pyrunner/_script_docker_python_loop.py", line 735, in <module>
exec(code, sub_globals, sub_globals)
File "<string>", line 12089, in <module>
File "<string>", line 11762, in list_alerts_command
File "<string>", line 11737, in list_alerts
File "<string>", line 11610, in http_request
HTTPError: 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
]

End time 2022-07-27T15:48:55.003248541Z

The format for the API key in the SOAR config is: ApiKey:jon.smith@mycompanyname.com:b8f59f6ec2d940868d09b841c28772ab also tried ApiKeyjon.smith@mycompany.com:b8f59f6ec2d940868d09b841c28772ab

If I use the cli on the XSOAR server and a python script, the credentials work fine.

The credentials are read from a conf file:

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# cat env.conf

# Enter environment information for Stealthwatch Cloud

[StealthwatchCloud]

PORTAL_URL = mycompany.obsrvbl.com

API_USER = jon.smith@mycompany.com

API_KEY = b8f59f6ec2d940868d09b841c28772ab

The script to pull alerts is below:

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# cat get_alerts.py

#!/usr/bin/env python

"""

This script will get alerts from Stealthwatch Cloud using the REST API.

For more information on this API, please visit:

https://developer.cisco.com/docs/stealthwatch-cloud/

Script Dependencies:

requests

Depencency Installation:

$ pip install requests

import requests

import json

import configparser

try:

requests.packages.urllib3.disable_warnings()

except:

pass

# Read the config file

config = configparser.ConfigParser()

config.read("env.conf")

# Set the URL

url = https:// + config["StealthwatchCloud"]["PORTAL_URL"] + "/api/v3/alerts/alert/"

# Set the authorization string

authorization = "ApiKey " + config["StealthwatchCloud"]["API_USER"] + ":" + config["StealthwatchCloud"]["API_KEY"]

# Create the request headers with authorization

request_headers = {

"Content-Type" : "application/json",

"Accept" : "application/json",

"Authorization" : authorization

}

# Initialize the requests session

api_session = requests.Session()

# Get the list of alerts from Stealthwatch Cloud

response = api_session.request("GET", url, headers=request_headers, verify=False)

# If successfully able to get list of alerts

if (response.status_code == 200):

# Loop through the list and print each alert

alerts = json.loads(response.content)["objects"]

for alert in alerts:

#print(json.dumps(alert, indent=4)) # formatted print

print(alert)

# If unable to fetch list of alerts

else:

print("An error has ocurred, while fetching alerts, with the following code {}".format(response.status_code))

Truncated output example:

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# /usr/bin/python get_alerts.py

{u'next_steps': u'Reference the supporting observations to identify the external entity that port scanned your internal entity. Determine if it is the result of planned penetration testing or other intended behavior, or if it is malicious. Update your IP scanner and allow list rules to allow the traffic if it is intended. Block the traffic if it is not intended. Update your firewall rules as necessary, including port access.', u'hostname': None, u'source_name': u'Network', u'text': u'Inbound Port Scanner on Network\nhttps://mycompany.obsrvbl.com/#/alerts/2645', u'assigned_to_username': None, u'merit': 0, u'obj_created': u'2022-03-29T17:56:23.485636Z', u'new_comment': None, u'id': 2645, u'source_info': {u'name': u'Network', u'created': u'2021-08-28T12:16:18.684534+00:00'}, u'source': 5, u'resolved_user': None, u'natural_time': u'7\xa0hours ago', u'comments': {u'count': 32, u'text': u'32 comments', u'comments': [{u'comment': u'Updated by 4 observations', u'user': None, u'time': u'2022-07-27T09:32:56.833642+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T07:48:20.479984+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-27T07:30:06.460700+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T06:58:38.625201+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T05:39:33.428356+00:00'}, {u'comment': u'Updated by 3 observations', u'user': None, u'time': u'2022-07-27T05:30:59.543393+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-27T05:18:20.616043+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T01:40:47.427726+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T01:32:01.344308+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T21:10:47.743214+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T18:19:29.809016+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T17:

Anyone have any ideas why XSOAR does not accept the API key format, and comes back with HTTP 403 ‘Forbidden’ error? CLI command works fine...

Re: XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration

asawyer — Tue, 27 Sep 2022 23:17:13 GMT

Hi @QShah – The required format for the Stealthwatch Cloud API key is:

ApiKey <username>:<apikey>

Please note the space after "ApiKey", which is consistent with your custom script. Per your post, you tried with a colon after "ApiKey" and with nothing after "ApiKey", but not with a space.

If that still doesn't work, please open a support case with all of your findings, logs, and working code from this post.

topic XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration in Cortex XSOAR Discussions

XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration

Re: XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration