create a soc action with authentication and parameters

[fcblank]

Version

2.4.140

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

64GB

Storage for /

300GB

Storage for /nsm

150GB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Used to be easy back then when SOC actions were stored in a yaml file.
How would I enter a new action in the SOC Action Menu doing and authorized GET/ POST request with parameters using data from the alerts and/ or hunt interface? How can json return data be processed and displayed in a popup?
Many thanks for your help in advance

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

in SOC Administration -> configuration -> SOC -> config -> Actions

You can add a new option for actions
an example is

https://{:sublime.url}/messages/{:sublime.message_group_id}

Where the data from the event is wrapped like {:FIELD_NAME}

[fcblank]

Thank you very much for your answer @reyesj2
Unfortunately, I can't do anything with it, because my question was about a GET or POST request that requires authentication and additional parameters (see my original question).
To be specific, I would like to have a method with which I can, for example, achieve the following request using the new configuration method (SOC Administration -> configuration -> SOC -> config -> Actions):

json

{
  "name": "Get data from external API",
  "description": "Retrieves additional information from an external API",
  "icon": "fa-get-soandso",
  "background": true,
  "method": "GET",
  "options": {
    "headers": {
      "Authorization": "Bearer MY_TOKEN"
    },
   "params": {
     "parameter1": "naahh",
     "parameter2": "toldya"
  },
  "url": "https://api.example.com/data?alert_id={id}&src_ip={src_ip}&dest_ip={dest_ip}",
  "backgroundSuccessLink": "https://my-api.com/yeah",
  "backgroundFailureLink": "https://my-api.com/oops"
}

How can I achieve something like the above in the action menu?
Many thanks for your help in advance

[jertel]

Hello @fcblank. We are aiming to include support for custom background actions, via the new config actions UI, in the next release.

Note that the background actions do not support presenting information back to the user via a UI popup.

[fcblank]

Thanks, @jertel and @reyesj2
Waiting for the next release