Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

XSOAR 8 API - Attachment upload with entryID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XSOAR 8 API - Attachment upload with entryID

L1 Bithead

The code below, creates an incident with attachment uploaded but in the incident itself, when I see the context, I dont see any file. 

Since there is no entryID for the file, I cannot read the attachment and also cannot run the playbooks. 

 

 

Any change I need to make to make the attachment appear as File with entryID?

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-8-API/Incidents

---------------------------------------------------------------------------------------------------------------------
from datetime import datetime, timezone
import secrets
import string
import hashlib
import requests
import os

def test_advanced_authentication(api_key_id, api_key, attachments, file):
# Generate a 64 bytes random string
nonce = "".join([secrets.choice(string.ascii_letters + string.digits) for _ in range(64)])
# Get the current timestamp as milliseconds.
timestamp = int(datetime.now(timezone.utc).timestamp()) * 1000
# Generate the auth key:
auth_key = "%s%s%s" % (api_key, nonce, timestamp)
# Convert to bytes object
auth_key = auth_key.encode("utf-8")
# Calculate sha256:
api_key_hash = hashlib.sha256(auth_key).hexdigest()
# Generate HTTP call headers
headers = {
"x-xdr-timestamp": str(timestamp),
"x-xdr-nonce": nonce,
"x-xdr-auth-id": str(api_key_id),
"Authorization": api_key_hash
}

parameters = {
"name": " Incident - " + file,
"severity": 3,
"type": "Spam Emails",
"attachment": attachments
}
res = requests.post(url="https://api-URL/xsoar/public/v1/incident",
headers=headers,
json=parameters, verify=False)
print(res.json())
return res

# Specify the folder path
folder_path = ""

# List all files in the folder
files = os.listdir(folder_path)
first_5_files = files[:5]
# Loop through the list of files

api_key = ""
apiid =

for file in first_5_files:
# Print the file name
print(file)
path = folder_path + "\\" + file
attachments = [{"name": file, "path": str(path)}]
print(test_advanced_authentication(apiid, api_key, attachments, file))

2 accepted solutions

Accepted Solutions

L4 Transporter

hi @Moh.Yasser ,

 

After the creating the incident, you can get the incident id. (res.json().get(id)) and run the below something like below.

file = "/abc/xyz/test.txt"
files = {
'file' : ('test.txt', open(file, 'rb'), 'text/plain')
}
data = {
'fileName' : 'test.txt',
'fileComment' : "",
'showMediaFile' : "false"
}
r = requests.post(url, data=data, files=files, headers=headers, verify=False)

View solution in original post

@gyldz  Thanks for the reply!

 

It gives the below as response. I gave in the incident ID not sure why we are getting this.

{'id': 'noInv', 'status': 400, 'title': 'Could not find investigations', 'detail': 'Could not find investigation', 'error': 'Could not find investigations:Could not find investigation', 'encrypted': False, 'multires': None} 

View solution in original post

2 REPLIES 2

L4 Transporter

hi @Moh.Yasser ,

 

After the creating the incident, you can get the incident id. (res.json().get(id)) and run the below something like below.

file = "/abc/xyz/test.txt"
files = {
'file' : ('test.txt', open(file, 'rb'), 'text/plain')
}
data = {
'fileName' : 'test.txt',
'fileComment' : "",
'showMediaFile' : "false"
}
r = requests.post(url, data=data, files=files, headers=headers, verify=False)

@gyldz  Thanks for the reply!

 

It gives the below as response. I gave in the incident ID not sure why we are getting this.

{'id': 'noInv', 'status': 400, 'title': 'Could not find investigations', 'detail': 'Could not find investigation', 'error': 'Could not find investigations:Could not find investigation', 'encrypted': False, 'multires': None} 

  • 2 accepted solutions
  • 1595 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!