topic Re: Stealthwatch Cloud API not resolving alert in Other Security

Stealthwatch Cloud API not resolving alert

m2oswald — Thu, 19 Sep 2024 10:26:51 GMT

I'm trying to resolve alerts using our SOAR automation. I'm using the api/v3/alerts/alert/<alert_id> endpoint and this PUT command body:

{ "resolved": true, "merit": 8, }

I'm receiving a status code 200 from Stealthwatch, so it seems like it accepted the command. But the alerts remain open. Can anyone suggest what might be wrong or how I can troubleshoot this?

Re: Stealthwatch Cloud API not resolving alert

lrypl — Thu, 19 Sep 2024 11:52:51 GMT

Hi,

Do you have a link to documentation for this API? I do not see it at https://developer.cisco.com/docs/stealthwatch/enterprise/reporting-api-version-1/

Re: Stealthwatch Cloud API not resolving alert

m2oswald — Thu, 19 Sep 2024 11:56:00 GMT

Sorry - Stealthwatch Cloud. It's on this page:
https://developer.cisco.com/docs/stealthwatch/cloud/stealthwatch-cloud-api-version-3/

Re: Stealthwatch Cloud API not resolving alert

m2oswald — Thu, 19 Sep 2024 12:33:38 GMT

I should add that I've tried both PUT and PATCH - neither throw an error, but neither resolve the alert

Re: Stealthwatch Cloud API not resolving alert

chrivand — Thu, 19 Sep 2024 17:00:56 GMT

hello!

I just did it via the UI, and then checked the Chrome Inspect Network tab, when I marked it as closed, helpful and not snoozed, this is what happened in the PATCH:

{ "pk": 12345, "resolved": true, "scope": "gcp-west-42-vm", "priority": { "type": "Persistent Remote Control Connections", "override_priority": "No" }, "merit": 8 }

did you try to do it with the full JSON body like here in this example or with the partial data? not sure if that makes a difference, I guess it shouldn't as it is PATCH but might be worth to try.

API docs are here btw: https://<your-org-prefix>.obsrvbl.com/api/docs/#operation/partialUpdateAlert

Re: Stealthwatch Cloud API not resolving alert

m2oswald — Fri, 20 Sep 2024 09:48:40 GMT

Thanks for the help, and for the API doc link. Unfortunately I'm still stuck.

I tried sending the PATCH body using all of the fields shown in the API doc example, but still no change to the alert (and no error). I manually resolved the alert and checked the Inspect Network tab as you suggested - basically got the same body as you saw. But again, using those fields on a different alert resulted in no change and no error.

I tried just changing the assigned_to field - nothing.

I generated the API key with my account, and I'm able to GET alerts through the API and update alerts manually (e.g. resolve them, change the assigned_to fields) so I don't think it's an issue with permissions.

Any other suggestions would be greatly appreciated, as I just don't know what else to try.

Re: Stealthwatch Cloud API not resolving alert

m2oswald — Fri, 27 Sep 2024 11:53:44 GMT

Update for anyone having the same problem and looking for a solution...

My issue was the REST API endpoint I was using. It's not this:

api/v3/alerts/alert/<alert_id>

but this:

api/v3/alerts/alert/<alert_id>/

Adding the "/" to the end fixed my problem. Almost - I was actually missing the "Content-Type" and "Accept" header keys as well, but that was minor. The big thing was the slash. Thanks so much to Bryan @ Cisco Support for figuring this out!