Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SOAR HTTP app to Cisco Secure Endpoint API

m22oswald
Engager
‎01-18-2024 06:58 AM

I'm trying to set up the HTTP app to access the CIsco Secure Endpoint API (v3).  I've generated the access token following the instructions found here.    I can send a curl request in POSTMAN, using the access token, to get organisation details.  So I know the access token is ok:

 

 

 

curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
                --header "Authorization: Bearer eyJhbGciOiJ....."

 

 

 

When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code:

error 401 Data from server: {"errors":["Missing token"]}

I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up.  I think it should be Bearer, because that's the only thing in POSTMAN header other than the token itself.

Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret).  And also - I get the same error if I don't enter anything in the access token field.  Basically, it's just ignored.

Labels (2)
0 Karma
Reply

Carloszavala121
Explorer
‎01-18-2024 03:44 PM

Another solution that I would do to solve the problem would be with an executed actions in this case a code within a flow make the request through python code where the same url enter the token like this example

import requests url = 'https://api.amp.cisco.com/v3/organizations?size=10' headers = { 'Authorization': 'Bearer eyJhbGciOiJ.....' # Asegúrate de reemplazar esto con tu token real } # Realizar la petición GET response = requests.get(url, headers=headers) # Verificar si la petición fue exitosa (código de estado 200) if response.status_code == 200: # Imprimir la respuesta JSON print(response.json()) else: # Imprimir el código de estado y el mensaje de error en caso de falla print(f'Error: {response.status_code} - {response.text}')

0 Karma
Reply

Carloszavala121
Explorer
‎01-18-2024 03:40 PM

Carloszavala121_0-1705621107014.png

Hello, apparently in SOAR the token section is optional, an idea would be that you do not enter anything in the token but you do enter the necessary credentials to carry out your request, in this case your username and password

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...