XSOAR Cisco Secure Cloud Analytics (stealthwatch) integration

L0 Member

If I configure the integration in SOAR using an API key from Cisco Secure Cloud Analytics, I get an authorization error:

Executed: test-module
Instance Stealthwatch Cloud_instance_1d4e2580e-a33d-4ace-8877-59165345b343
Arguments {}
Start time 2022-07-27T15:48:54.437265548Z


2022-07-27T15:48:54.562896279Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) debug-mode started.
#### http client print found: False.
#### Env {'LANG': 'C.UTF-8', 'PYTHONIOENCODING': 'UTF-8', 'HOSTNAME': '49bd2400eca7', 'PYTHON_GET_PIP_SHA256': '40ee07eac6674b8d60fce2bbabc148cf0e2f1408c167683f110fd608b8d6f416', 'PYTHON_VERSION': '2.7.18', 'https_proxy': '', 'PYTHON_PIP_VERSION': '20.3.4', 'HOME': '/root', 'http_proxy': '', 'HTTPS_PROXY': '', 'GPG_KEY': 'C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF', 'HTTP_PROXY': '', 'PATH': '/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'PYTHON_GET_PIP_URL': 'https://github.com/pypa/get-pip/raw/831b5dd0bec03caf24aa6d736a28dc2ba80f91cc/public/2.7/get-pip.py', 'DOCKER_IMAGE': 'demisto/python:2.7.18.27799'}.
#### Params: {
"APIKey": "<XX_REPLACED>",
"proxy": false,
"incidentType": null,
"isFetch": false,
"incidentFetchInterval": "1",
"insecure": false,
"serverURL": "https://mycompany.obsrvbl.com"
}.
#### Docker image: [demisto/python:2.7.18.27799]
#### Integration: brand: [Stealthwatch Cloud] instance: [Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343]
2022-07-27T15:48:54.56354458Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) running GET request with url=https://mycompany.obsrvbl.com/api/v3/alerts/alert/ params={}
2022-07-27T15:48:54.565385782Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) python logging: DEBUG [urllib3.connectionpool] - Starting new HTTPS connection (1): mycompany.obsrvbl.com:443
2022-07-27T15:48:54.999865337Z info: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) python logging: DEBUG [urllib3.connectionpool] - https://mycompany.obsrvbl.com:443 "GET /api/v3/alerts/alert/ HTTP/1.1" 403 58
2022-07-27T15:48:55.00235194Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
2022-07-27T15:48:55.00267294Z debug: (Stealthwatch Cloud_instance_1d4e2580e-a55d-4ace-8877-591658b7b343_Stealthwatch Cloud_test-module) 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
Exception message is [Traceback (most recent call last):
File "/tmp/pyrunner/_script_docker_python_loop.py", line 735, in <module>
exec(code, sub_globals, sub_globals)
File "<string>", line 12089, in <module>
File "<string>", line 11762, in list_alerts_command
File "<string>", line 11737, in list_alerts
File "<string>", line 11610, in http_request
HTTPError: 403 Client Error: Forbidden for url: https://mycompany.obsrvbl.com/api/v3/alerts/alert/
]

End time 2022-07-27T15:48:55.003248541Z

The format for the API key in the SOAR config is: ApiKey:jon.smith@mycompanyname.com:b8f59f6ec2d940868d09b841c28772ab. I also tried ApiKeyjon.smith@mycompany.com:b8f59f6ec2d940868d09b841c28772ab.

If I use the CLI on the XSOAR server and a Python script, the credentials work fine.

The credentials are read from a conf file:

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# cat env.conf
# Enter environment information for Stealthwatch Cloud
[StealthwatchCloud]
PORTAL_URL = mycompany.obsrvbl.com
API_USER = jon.smith@mycompany.com
API_KEY = b8f59f6ec2d940868d09b841c28772ab

The script to pull alerts is below:

 

 

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# cat get_alerts.py
#!/usr/bin/env python
"""
This script will get alerts from Stealthwatch Cloud using the REST API.

For more information on this API, please visit:
https://developer.cisco.com/docs/stealthwatch-cloud/

Script Dependencies:
    requests

Dependency Installation:
    $ pip install requests
"""

import requests
import json
import configparser

# Suppress the InsecureRequestWarning raised because verify=False is used below
try:
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass

# Read the config file
config = configparser.ConfigParser()
config.read("env.conf")

# Set the URL
url = "https://" + config["StealthwatchCloud"]["PORTAL_URL"] + "/api/v3/alerts/alert/"

# Set the authorization string ("ApiKey <username>:<apikey>", note the space)
authorization = "ApiKey " + config["StealthwatchCloud"]["API_USER"] + ":" + config["StealthwatchCloud"]["API_KEY"]

# Create the request headers with authorization
request_headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "Authorization": authorization
}

# Initialize the requests session
api_session = requests.Session()

# Get the list of alerts from Stealthwatch Cloud
response = api_session.request("GET", url, headers=request_headers, verify=False)

# If successfully able to get list of alerts
if response.status_code == 200:
    # Loop through the list and print each alert
    alerts = json.loads(response.content)["objects"]
    for alert in alerts:
        # print(json.dumps(alert, indent=4))  # formatted print
        print(alert)

# If unable to fetch list of alerts
else:
    print("An error has occurred while fetching alerts, with the following code {}".format(response.status_code))


 

 

Truncated output example:

root@devsiemsoar1:~/stealthwatch-cloud-sample-scripts/python# /usr/bin/python get_alerts.py
{u'next_steps': u'Reference the supporting observations to identify the external entity that port scanned your internal entity. Determine if it is the result of planned penetration testing or other intended behavior, or if it is malicious. Update your IP scanner and allow list rules to allow the traffic if it is intended. Block the traffic if it is not intended. Update your firewall rules as necessary, including port access.', u'hostname': None, u'source_name': u'Network', u'text': u'Inbound Port Scanner on Network\nhttps://mycompany.obsrvbl.com/#/alerts/2645', u'assigned_to_username': None, u'merit': 0, u'obj_created': u'2022-03-29T17:56:23.485636Z', u'new_comment': None, u'id': 2645, u'source_info': {u'name': u'Network', u'created': u'2021-08-28T12:16:18.684534+00:00'}, u'source': 5, u'resolved_user': None, u'natural_time': u'7\xa0hours ago', u'comments': {u'count': 32, u'text': u'32 comments', u'comments': [{u'comment': u'Updated by 4 observations', u'user': None, u'time': u'2022-07-27T09:32:56.833642+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T07:48:20.479984+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-27T07:30:06.460700+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T06:58:38.625201+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T05:39:33.428356+00:00'}, {u'comment': u'Updated by 3 observations', u'user': None, u'time': u'2022-07-27T05:30:59.543393+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-27T05:18:20.616043+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T01:40:47.427726+00:00'}, {u'comment': u'Updated by 1 observations', u'user': None, u'time': u'2022-07-27T01:32:01.344308+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T21:10:47.743214+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T18:19:29.809016+00:00'}, {u'comment': u'Updated by 2 observations', u'user': None, u'time': u'2022-07-26T17:

Does anyone have any ideas why XSOAR does not accept the API key format and comes back with an HTTP 403 'Forbidden' error? The CLI command works fine...


L4 Transporter

Hi @QShah – The required format for the Stealthwatch Cloud API key is:

ApiKey <username>:<apikey>

Please note the space after "ApiKey", which is consistent with your custom script. Per your post, you tried with a colon after "ApiKey" and with nothing after "ApiKey", but not with a space.

If that still doesn't work, please open a support case with all of your findings, logs, and working code from this post.
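As an added illustration of the reply above (this is not code from the thread or from the XSOAR integration), a small checker that builds the same Authorization header the sample get_alerts.py script sends and diagnoses the value pasted into the instance's APIKey field before it is ever sent, so a 403 caused by a malformed prefix is caught locally. The sample username and key below are constructed, and the assumption that neither contains a colon or whitespace is mine.

```python
import re

# Required header value per the reply: "ApiKey <username>:<apikey>"
# with exactly one space after "ApiKey". Assumption: username and key
# contain no colon or whitespace (true of the values in the thread).
AUTH_RE = re.compile(r"^ApiKey (?P<user>[^:\s]+):(?P<key>[^:\s]+)$")


def build_auth_header(user: str, key: str) -> dict:
    """Headers the sample script sends; the server sees the same string
    the XSOAR instance must carry in its APIKey parameter."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": "ApiKey {}:{}".format(user, key),
    }


def check_api_key_param(value: str) -> str:
    """Return "ok" if value matches the required format, otherwise a short
    reason explaining why the portal will answer 403 Forbidden."""
    value = value.strip()
    if AUTH_RE.match(value):
        return "ok"
    if not value.startswith("ApiKey"):
        return "missing 'ApiKey ' prefix"
    rest = value[len("ApiKey"):]
    if rest.startswith(":"):
        return "colon after 'ApiKey' instead of a space"
    if not rest.startswith(" "):
        return "no space after 'ApiKey'"
    if ":" not in rest:
        return "missing ':' between username and key"
    return "unexpected whitespace or extra ':' in username or key"


if __name__ == "__main__":
    # Constructed sample values; the two wrong forms mirror the OP's attempts.
    user, key = "jon.smith@mycompany.com", "b8f59f6ec2d940868d09b841c28772ab"
    for candidate in (build_auth_header(user, key)["Authorization"],
                      "ApiKey:" + user + ":" + key,
                      "ApiKey" + user + ":" + key):
        print("{!r:<70} -> {}".format(candidate, check_api_key_param(candidate)))
```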
