IBM / api-samples

Samples code that uses QRadar API's
Apache License 2.0

Add Sample for updating an asset #1

Closed makefu closed 9 years ago

makefu commented 9 years ago

I am trying to update an asset via the /asset_model/assets/ interface, but the documentation is pretty vague about how the 'asset' data in the POST request should look and which fields can be updated, and this should be reflected in the request. I tried replaying data from /asset_model/assets but without success (returned body is empty -> no valid JSON). Thanks!

ChrisMeenan commented 9 years ago

Hi,

checkout this script here

https://github.com/ibm-security-intelligence/data-import/blob/master/assets/update_assets.py

It updates assets from a .csv file using the same rest end point

essentially you can update any asset field returned by the "asset_model/properties endpoint". That includes all the 'out of the box' asset fields, as well as any custom ones you add.

The key thing to note is that you need to use the id of the property in the update, not the name.

e.g. this body updates the business owner of an asset

{ "properties": [ { "type_id": 1006, "value": "Chris Meenan" } ] }

Chris

makefu commented 9 years ago

Thanks, what the API expects as input structure was what I was looking for. I looked at the data importer and IMHO building JSON with string concatenation is a very bad habit. It would be much cleaner to understand and use json.dumps({'properties':[ {'type_id': 1006, 'value': 'Chris Meenan' }]})

Is it possible to update other fields which are not properties, like interfaces or the mac address? Too bad the REST API is not very verbose when it comes to invalid input ... :)
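The two points made above, that the update body keys properties by type_id rather than name and that the body should be produced with json.dumps rather than string concatenation, as an added example that is not code from this repository or the data-import one. It assumes (none of this is stated in the thread) that the properties endpoint returns a JSON list whose entries carry an integer "id" and a string "name", that the update is a POST to /api/asset_model/assets/<asset_id>, and that authentication is the SEC token header; the sample property list is constructed, and every id in it except 1006 is made up.

```python
"""Build and send a QRadar asset update body (added example, not from the repo).

Assumed, not taken from the thread: the properties endpoint returns a list of
objects with integer "id" and string "name"; the update is a POST to
/api/asset_model/assets/<asset_id>; auth is the SEC token header.
"""
import json
import ssl
import urllib.request

# Constructed sample of a /asset_model/properties response. Only the two
# fields this code uses are modelled; ids other than 1006 are made up.
SAMPLE_PROPERTIES = [
    {"id": 1001, "name": "Unified Name", "custom": False},
    {"id": 1006, "name": "Business Owner", "custom": False},
    {"id": 1007, "name": "Business Contact", "custom": False},
    {"id": 5001, "name": "Patch Window", "custom": True},
]


def ids_by_name(properties):
    """Map property display names to the type_id the update endpoint expects."""
    return {p["name"]: int(p["id"]) for p in properties}


def build_update_body(updates, id_map):
    """Translate {name: value} into {"properties": [{"type_id": ..., "value": ...}]}.

    Names that are not asset properties are rejected before anything is sent,
    because the REST API does not say what was wrong with a bad body.
    """
    unknown = sorted(set(updates) - set(id_map))
    if unknown:
        raise KeyError("not asset properties: %s" % ", ".join(unknown))
    return {"properties": [{"type_id": id_map[name], "value": str(value)}
                           for name, value in updates.items()]}


def concatenated_body(type_id, value):
    """The string-concatenation habit criticised above; a quote in value breaks it."""
    return ('{ "properties": [ { "type_id": ' + str(type_id)
            + ', "value": "' + value + '" } ] }')


def is_valid_json(text):
    """True if text parses as JSON; used to contrast the two ways of building a body."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def update_asset(console, token, asset_id, body, verify_tls=True, api_version="6.0"):
    """POST body to the asset update endpoint; return (HTTP status, decoded JSON or None).

    The path, the SEC/Version headers and the default version are assumptions.
    """
    url = "https://%s/api/asset_model/assets/%d" % (console, int(asset_id))
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST")
    req.add_header("SEC", token)
    req.add_header("Version", api_version)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab console with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        # An empty body is what the thread reports on failure; do not json.loads("")
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    id_map = ids_by_name(SAMPLE_PROPERTIES)
    body = build_update_body({"Business Owner": "Chris Meenan"}, id_map)
    print(json.dumps(body))
    awkward = 'Chris "CM" O\'Meenan'
    print(is_valid_json(concatenated_body(1006, awkward)))  # False
    print(is_valid_json(json.dumps(build_update_body({"Business Owner": awkward}, id_map))))  # True
```

To run it against a console you would first fetch the real property list (GET the properties endpoint with the same headers), pass it to ids_by_name, and then call update_asset with the console host, a service token and the asset id; nothing in the block contacts the network on its own.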

ChrisMeenan commented 9 years ago

thanks,

The structure of the input is also outlined in the online API documentation available at https:///restapi/doc. If you open the end point and click on the 'View' link you will see a sample for each parameter. I just copied and pasted that and inserted a couple of examples as above.

I think they could be more verbose, but thankfully the data structures are pretty straightforward.

Currently the asset API only accepts properties returned by the properties end point, but we do want to expand it to include MACs, interfaces and IPs. Those can be fed in via identity events into QRadar, but I do admit via the API would be much better (in this instance!).

makefu commented 9 years ago

In the previous version of QRadar the sample was not very helpful and stated something like this: {'key1' :'value1'}, which was not really helpful. I am glad this changed :D

For me (QRadar v7.2.3 Build 918945) the API for /asset_model//properties returns nothing, but of course I can just fill an asset with all the data available and check out what /asset_model/assets returns.

Thanks for the support. It would still be great if this repository had an example for updating an asset :) or at least a link to the repository you mentioned before.

makefu commented 9 years ago

I hope that QRadar will have an 'asset insert' soon :)