Help with SecurityOnion API login

[AlexDumi29]

Hello,

I am trying to use the SecurityOnion API, but I ran into a problem.

I am trying to post to https://<ipaddress>/auth/self-service/login/ in order to get the ory_kratos_session.

I've set the cookie to be Cookie: csrf_token_<rest of name>=<value>; AUTH_REDIRECT=/, and made the body follow the
identifier = username
password = password
csrf_token = <other csrf token>
method = password

I am having issues with 403 Unauthorized, as I don't know how to get the value for the <other csrf token>.
Can anyone help me with this or guide me to some sort of documentation?

Thank you!

[jertel]

Hello! Security Onion does not support service account logins, for direct API access, at this time. We are considering this for a future release but there is currently no ETA.

[cklfe]

Not sure if this will help you but here's a sample of some code I am using to authenticate via PowerShell and pull Alerts via web API. I cobbled this together from exporting the web requests to PowerShell with Chrome developer tools, so I'm sure lots of the headers and such are unnecessary.

#Setup variables
$SoBaseUrl = ""
$SoUsername = ""
$SoPassword = ""
$SoQueryString = "" #Figure out what you need from looking at web request in browser dev tools

#Do initial request to get a Flow ID for this session
$WebSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$WebRequest1 = Invoke-WebRequest -UseBasicParsing -Uri $SoBaseUrl `
    -WebSession $WebSession `
    -Headers @{
    "method"                    = "GET"
    "path"                      = "/"
    "scheme"                    = "https"
    "accept"                    = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
    "accept-encoding"           = "gzip, deflate, br"
    "accept-language"           = "en-US,en;q=0.9"
    "cache-control"             = "no-cache"
    "pragma"                    = "no-cache"
    "upgrade-insecure-requests" = "1"
}

#Get the Flow ID from the response (Note needed command differs from PowerShell 5 vs 7)
$WebFlowID = ($WebRequest1.BaseResponse.ResponseUri.Query).Split("=")[1] #Powershell 5 command
#$WebFlowID = ($WebRequest1.BaseResponse.RequestMessage.RequestUri.Query).Split("=")[1] #Powershell 7 command
$SoFlowUrl = "$SoBaseUrl/auth/self-service/login/flows?id=$WebFlowID"

#Do 2nd web request to get the CSRF token for auth
$WebRequest2 = Invoke-WebRequest -UseBasicParsing -Uri $SoFlowUrl  `
    -WebSession $WebSession `
    -Headers @{
    "Accept"          = "application/json, text/plain, */*"
    "Accept-Language" = "en-US,en;q=0.5"
    "Accept-Encoding" = "gzip, deflate, br"
    "Referer"         = "$SoBaseUrl/login/?flow=$WebFlowID"
    "Sec-Fetch-Dest"  = "empty"
    "Sec-Fetch-Mode"  = "cors"
    "Sec-Fetch-Site"  = "same-origin"
    "TE"              = "trailers"
}

#Parse the response from JSON
$WebResponse2 = $WebRequest2.Content | ConvertFrom-Json

#Extract the CSRF token from the response
$WebAuthCsrf_token = [System.Web.HttpUtility]::UrlEncode($WebResponse2.ui.nodes[0].attributes.value)

#Authenticate to SO
$SoAuthUrl = "$SoBaseUrl/auth/self-service/login?flow=$WebFlowID"
$WebAuthRequest = Invoke-WebRequest -UseBasicParsing -Uri $SoAuthUrl  `
    -Method "POST" `
    -WebSession $WebSession `
    -Headers @{
    "method"                    = "POST"
    "scheme"                    = "https"
    "cache-control"             = "no-cache"
    "pragma"                    = "no-cache"
    "upgrade-insecure-requests" = "1"
} `
    -ContentType "application/x-www-form-urlencoded" `
    -Body "identifier=$SoUsername&password=$SoPassword&csrf_token=$WebAuthCsrf_token&method=password"

#Send a query of events to return
$WebQueryRequest = Invoke-WebRequest -UseBasicParsing -Uri "$SoBaseUrl/api/events/?query=$SoQueryString"  `
    -WebSession $WebSession `
    -Headers @{
    "method"          = "GET"
    "scheme"          = "https"
    "accept"          = "application/json, text/plain, */*"
    "accept-encoding" = "gzip, deflate, br"
    "accept-language" = "en-US,en;q=0.9"
    "cache-control"   = "no-cache"
    "pragma"          = "no-cache"
}

$WebQueryResponse = $WebQueryRequest.Content | ConvertFrom-Json
$AlertsTable = $WebQueryResponse.events.payload