XSOAR 8 API - Attachment upload with entryID

Moh.Yasser — Sun, 29 Oct 2023 05:33:56 GMT

The code below, creates an incident with attachment uploaded but in the incident itself, when I see the context, I dont see any file.

Since there is no entryID for the file, I cannot read the attachment and also cannot run the playbooks.

Any change I need to make to make the attachment appear as File with entryID?

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-8-API/Incidents

---------------------------------------------------------------------------------------------------------------------
from datetime import datetime, timezone
import secrets
import string
import hashlib
import requests
import os

def test_advanced_authentication(api_key_id, api_key, attachments, file):
# Generate a 64 bytes random string
nonce = "".join([secrets.choice(string.ascii_letters + string.digits) for _ in range(64)])
# Get the current timestamp as milliseconds.
timestamp = int(datetime.now(timezone.utc).timestamp()) * 1000
# Generate the auth key:
auth_key = "%s%s%s" % (api_key, nonce, timestamp)
# Convert to bytes object
auth_key = auth_key.encode("utf-8")
# Calculate sha256:
api_key_hash = hashlib.sha256(auth_key).hexdigest()
# Generate HTTP call headers
headers = {
"x-xdr-timestamp": str(timestamp),
"x-xdr-nonce": nonce,
"x-xdr-auth-id": str(api_key_id),
"Authorization": api_key_hash
}

parameters = {
"name": " Incident - " + file,
"severity": 3,
"type": "Spam Emails",
"attachment": attachments
}
res = requests.post(url="https://api-URL/xsoar/public/v1/incident",
headers=headers,
json=parameters, verify=False)
print(res.json())
return res

# Specify the folder path
folder_path = ""

# List all files in the folder
files = os.listdir(folder_path)
first_5_files = files[:5]
# Loop through the list of files

api_key = ""
apiid =

for file in first_5_files:
# Print the file name
print(file)
path = folder_path + "\\" + file
attachments = [{"name": file, "path": str(path)}]
print(test_advanced_authentication(apiid, api_key, attachments, file))

Re: XSOAR 8 API - Attachment upload with entryID

gyldz — Wed, 15 Nov 2023 10:02:07 GMT

hi @Moh.Yasser ,

After the creating the incident, you can get the incident id. (res.json().get(id)) and run the below something like below.

file = "/abc/xyz/test.txt"

files = {

'file' : ('test.txt', open(file, 'rb'), 'text/plain')

}

data = {

'fileName' : 'test.txt',

'fileComment' : "",

'showMediaFile' : "false"

}

url = f"https://xsoarurl/xsoar/entry/upload/incident_id"

r = requests.post(url, data=data, files=files, headers=headers, verify=False)

Re: XSOAR 8 API - Attachment upload with entryID

Moh.Yasser — Wed, 15 Nov 2023 15:29:43 GMT

@gyldz Thanks for the reply!

It gives the below as response. I gave in the incident ID not sure why we are getting this.

{'id': 'noInv', 'status': 400, 'title': 'Could not find investigations', 'detail': 'Could not find investigation', 'error': 'Could not find investigations:Could not find investigation', 'encrypted': False, 'multires': None}

topic Re: XSOAR 8 API - Attachment upload with entryID in Cortex XSOAR Discussions

XSOAR 8 API - Attachment upload with entryID

Re: XSOAR 8 API - Attachment upload with entryID

Re: XSOAR 8 API - Attachment upload with entryID