10-26-2021 11:18 AM - edited 10-26-2021 11:21 AM
Hello,
I am trying to upload IOCs with this API reference:
Insert Simple Indicators, CSV (paloaltonetworks.com)
I'm posting the data with the requests module in Python and always get a 401 response for "Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters."
headers = {
    'x-xdr-auth-id': '300',
    'authorization': 'APIKEY',
    'content-type': 'application/json',
}
data = '{"request_data": "' + request_data + '"}'
response = requests.post('https://api-xxx.paloaltonetworks.com/public_api/v1/indicators/insert_csv/', headers=headers, data=data)
We have a Pro per Endpoint licence and I am generating an API key with full permissions for testing. I get the {API_KEY_ID} from the ID column after the key is generated.
Any ideas why this is failing?
Thanks,
John.
10-27-2021 02:02 PM
Not sure what I did differently, but I managed to get past this. Now I'm on a 400 error; here are a few examples:
b'{"reply": {"err_code": 400, "err_msg": "Bad Request. Got an invalid JSON.", "err_extra": "Invalid control character at: line 1 column 94 (char 93)"}}'
b'{"reply": {"err_code": 400, "err_msg": "Bad Request. Got an invalid JSON.", "err_extra": "Expecting value: line 1 column 1 (char 0)"}}'
This is an example of the JSON I'm posting; the IOCs are from XDR's sample file in the upload interface:
{
"request_data": "192.168.2.1,IP,INFO,Never,Comment string,BAD,C,Malware,Vendor string,GOOD,C\nC:\tmp\risky_script.py,PATH,INFO,Never,Comment string,BAD,C,Malware,Vendorstring,GOOD,C\ncrypto_v.exe,FILENAME,INFO,Never,Comment string,BAD,C,Malware,Vendor string,GOOD,C\nwww.lottery4free.biz,DOMAIN_NAME,INFO,Never,Commentstring,BAD,C,Malware,Vendor string,GOOD,C\n900150983cd24fb0d6963f7d28e17f72,HASH,INFO,Never,Commentstring,BAD,C,Malware,Vendor string,GOOD,C\nba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad,HASH,INFO,Never,Comment string,BAD,C,Malware,Vendor string,GOOD,C\n"
}
I put this into a JSON validator which said it's good. I've played around with a few variations but haven't had any luck. Does anyone have advice on the JSON formatting expected by the API?
10-29-2021 06:13 AM - edited 10-29-2021 06:16 AM
Eventually worked this out with more trial and error.
I had to change the 'data' variable from a string to a dictionary and serialize the JSON in the request.
data = {"request_data": request_data}
response = requests.post('https://api-xxx.paloaltonetworks.com/public_api/v1/indicators/insert_csv/', headers=headers, json=data)
I was also missing the CSV headers; I believe that is what creates these errors:
"err_extra": "Invalid control character
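Added example, not part of the original posts and not Palo Alto Networks code: it compares the concatenated body from the first post with an encoder-built body (what the `json=` argument does), using Python's own `json` parser as a stand-in for a strict server-side parser. The rows are constructed from the sample payload in the thread, the helper names are hypothetical, and the CSV header row is left out because the thread does not show it.

```python
import json

# Constructed sample: two rows from the thread's example payload, held in Python
# as real text (actual newline characters, literal backslashes in the path).
CSV_ROWS = (
    "192.168.2.1,IP,INFO,Never,Comment string,BAD,C,Malware,Vendor string,GOOD,C\n"
    "C:\\tmp\\risky_script.py,PATH,INFO,Never,Comment string,BAD,C,Malware,Vendor string,GOOD,C\n"
)


def concat_body(request_data: str) -> str:
    """Body built by string concatenation, as in the first post."""
    return '{"request_data": "' + request_data + '"}'


def encoded_body(request_data: str) -> str:
    """Body built by a JSON encoder (json.dumps stands in for requests' json=)."""
    return json.dumps({"request_data": request_data})


def parse_error(body: str):
    """Return the strict parser's error text for this body, or None if it parses."""
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def decoded_field(body: str) -> str:
    """What a receiver holds in request_data after parsing the body."""
    return json.loads(body)["request_data"]


if __name__ == "__main__":
    # Raw newline inside a JSON string: rejected by a strict parser.
    print("concatenated :", parse_error(concat_body(CSV_ROWS)))
    # Encoder escapes the newline and the backslashes: parses, round-trips.
    print("encoded      :", parse_error(encoded_body(CSV_ROWS)))
    # Single row, no newline: parses, but \t and \r are read as TAB and CR.
    path_row = CSV_ROWS.splitlines()[1]
    print("silent change:", repr(decoded_field(concat_body(path_row))[:24]))
```

For this sample the parser reports the raw newline at the same offset quoted in the 400 response above. The single-row case shows why concatenation is also unsafe when no error is returned: the Windows path decodes to a different string than the indicator that was intended.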