#!/bin/sh
#Author: Evan Pols - RSA NetWitness - Aug 2024

#usage examples
# ./respond_api_call.sh <Admin/NodeZero IP> <username> <password> <incident-id> <number of alerts to return>
# example: 
# ./nw_respond_inc-alert_call.sh  192.168.5.168 admin netwitness INC-29932 5

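## Variable Definitions ##
# Purpose: authenticate against the NetWitness REST API with username/password,
# then print the details of one incident and the first page of its alerts.
#
# Positional arguments (interface unchanged):
#   $1 Admin/NodeZero server IP    $2 username    $3 password
#   $4 incident id                 $5 number of alerts to return
# Optional environment:
#   NW_CACERT  path to a CA bundle; when set, the server certificate is
#              verified against it instead of skipping verification.
#
# NOTE(security): the password arrives as a command-line argument, so it is
# visible in the process list and in shell history while the script runs.
# That is part of the existing calling convention and is not changed here;
# prefer a low-privilege API account and clear history after use.
set -u

if [ "$#" -ne 5 ]; then
  printf 'usage: %s <Admin/NodeZero IP> <username> <password> <incident-id> <number of alerts to return>\n' "$0" >&2
  exit 2
fi

ADMINIP=$1
# Named NW_USER/NW_PASS rather than USER/PASS: assigning to USER overwrites the
# login-name environment variable that child processes (curl) inherit.
NW_USER=$2
NW_PASS=$3
INCID=$4
ALERTNO=$5

echo ""
echo "Variable Inputs : "
echo ""
echo ""
printf 'Admin Server IP = %s\n' "$ADMINIP"
printf 'Username = %s\n' "$NW_USER"
# The password is deliberately not echoed: stdout is commonly captured in
# terminal scrollback, CI logs and ticket attachments.
echo "Password = [not displayed]"
printf 'Incident ID = %s\n' "$INCID"
printf 'Number of Alerts to Return = %s\n' "$ALERTNO"

# Both values are spliced into the request URL, so reject anything that could
# change its path or query string. The usage example shows ids of the form
# INC-<number>; loosen the pattern if the deployment uses other id formats.
case $INCID in
  '' | *[!A-Za-z0-9_-]*)
    printf 'error: incident id contains unexpected characters: %s\n' "$INCID" >&2
    exit 2
    ;;
esac
case $ALERTNO in
  '' | *[!0-9]*)
    printf 'error: number of alerts must be a non-negative integer: %s\n' "$ALERTNO" >&2
    exit 2
    ;;
esac

# curl wrapper that selects the TLS policy for every request.
# Default (-k) keeps the original behaviour: the server certificate is NOT
# verified, so a man-in-the-middle on the path can capture the credentials and
# the token. Set NW_CACERT to the CA that signed the Admin Server certificate
# to turn verification on.
nw_curl() {
  if [ -n "${NW_CACERT:-}" ]; then
    curl --cacert "$NW_CACERT" "$@"
  else
    curl -k "$@"
  fi
}

## Retrieve Access Token with creds ##
# --data-urlencode keeps '&', '+', '%' and spaces in the credentials from
# corrupting the form body (the original passed them raw and unquoted).
# -sS silences the progress meter but leaves real errors on stderr; the
# original folded stderr into the pipeline, where the filter discarded it.
# The token is extracted by key name instead of by comma position, so a
# reordered response does not yield some other field as the token.
ACCESSTOKEN=$(nw_curl -sS "https://${ADMINIP}/rest/api/auth/userpass" -X POST \
  -H 'Accept: application/json;charset=UTF-8' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' \
  --data-urlencode "username=${NW_USER}" \
  --data-urlencode "password=${NW_PASS}" |
  sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')

# Stop here on failed authentication instead of sending the follow-up
# requests with an empty token header.
if [ -z "$ACCESSTOKEN" ]; then
  echo "error: no access token returned by https://${ADMINIP}/rest/api/auth/userpass (check credentials and connectivity)" >&2
  exit 1
fi

echo ""
# The token is a bearer credential for the API session, so only its presence
# is reported, not its value.
echo "Transient Access Token: [received, not displayed]"
echo ""
echo ""
echo "Retrieving incident details for $INCID :"
echo ""
echo ""
## Retrieve Incident details ##
# NOTE(security): the token is still passed to curl on its command line and is
# briefly visible in the process list on a shared host.
nw_curl "https://${ADMINIP}/rest/api/incidents/${INCID}" -X GET \
  -H 'Accept: application/json;charset=UTF-8' \
  -H "NetWitness-Token:${ACCESSTOKEN}"
echo ""
echo ""
## Retrieve constituent alerts for specified Incident ##
echo "Retrieving $ALERTNO Alerts details for $INCID :"
echo ""
echo ""
# Quoting the URL also keeps the '&' in the query string away from the shell.
nw_curl "https://${ADMINIP}/rest/api/incidents/${INCID}/alerts?pageSize=${ALERTNO}&pageNumber=0" -X GET \
  -H 'Accept: application/json;charset=UTF-8' \
  -H "NetWitness-Token:${ACCESSTOKEN}"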

