IBM QRadar SOAR

  • 1.  Can we limit the response object to contain only some certain fields?

    Posted Tue May 19, 2020 11:08 AM
    Hi, we are using the Java REST API to integrate with Resilient. After creating an incident with this API:
    POST /orgs/{org_id}/incidents

    the response object contains many fields. I used these params to exclude some fields from being sent back:
    want_full_data=false&want_tasks=false
    But I am not interested in some other fields like "pii". Can I further exclude them?

    Similar question with the API that gets back all incidents based on some filters:
    POST /orgs/{org_id}/incidents/query_paged
    Is the "field_handle" query parameter for specifying what fields to return? If yes, what should the value be?

    Thanks!

    ------------------------------
    Mei Thom
    ------------------------------


  • 2.  RE: Can we limit the response object to contain only some certain fields?
    Best Answer

    Posted Tue May 19, 2020 11:23 AM
    Hi Mei
    Thank you for raising this in the community. 

    If I am getting you right, you want to do a query_paged call as normal but only return minimal incident info like names? 
    If so I think you can use the "return_level" param setting it to a value of "partial".

    Here's what the URL looks like:
    https://server/rest/orgs/{org_id}/incidents/query?return_level=partial

    There are three available values: "partial", "normal", "full"

    If this is what you're looking for could you 'Recommend' the answer or mark it as best answer so others can find this info in future. 

    Hope this helps,
    Ryan 

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 3.  RE: Can we limit the response object to contain only some certain fields?

    Posted Tue May 19, 2020 11:42 AM
    Hi Ryan, thank you for the quick response. I have tried the return_level. "partial" missed a couple fields that I need, but "normal" still has something like "pii", "gdpr", etc. which I hope to exclude, if doable. 

    What I am really interested in getting back are around 10 fields including the incident's name, id, members, plan_status, inc_last_modified_date, plus a couple more. I just wonder if I can specify all the fields of interest that I need the response to contain, and have the response only return those fields. Is this feature supported in Resilient now?

    Thanks!



    ------------------------------
    Mei Thom
    ------------------------------



  • 4.  RE: Can we limit the response object to contain only some certain fields?
    Best Answer

    Posted Wed May 20, 2020 07:42 AM
    Currently it is not possible to exclude built-in fields from being returned. Can you help us understand the use case that you are trying to accomplish?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Can we limit the response object to contain only some certain fields?

    Posted Wed May 20, 2020 09:48 AM
    Just because I see that the response JSON contains a lot of fields that I am not interested in. I just wonder if the user can indicate what fields to return, so that the response is much smaller. The return_level options serve this purpose to some extent. In my case, if I set return_level=partial, the members, inc_last_modified_date, properties.correlation_id are not in the response and I need these fields.

    I asked just in case I missed that feature if that is available. 

    Thanks!

    ------------------------------
    Mei Thom
    ------------------------------
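
Since the replies above say built-in fields cannot be excluded server-side, one option is to trim each incident in the client before it is logged, cached or passed on. The following is an added example, not part of the thread and not IBM code: a Python allow-list projection using the field names mentioned in the posts. The sample incidents and all their values (including the shape of `pii` and `gdpr`, and the `other_custom_field` key) are constructed.

```python
import json

# Allow-list built from the fields named in the thread.
# A dotted path selects a key nested inside a sub-object.
WANTED_FIELDS = (
    "id", "name", "members", "plan_status",
    "inc_last_modified_date", "properties.correlation_id",
)

def project(incident, wanted=WANTED_FIELDS):
    """Return a new dict holding only the allow-listed paths of one incident."""
    out = {}
    for path in wanted:
        keys = path.split(".")
        src = incident
        for key in keys:
            # Skip the whole path if any level is absent or not an object.
            if not isinstance(src, dict) or key not in src:
                break
            src = src[key]
        else:
            dst = out
            for key in keys[:-1]:
                dst = dst.setdefault(key, {})
            dst[keys[-1]] = src
    return out

def project_all(incidents, wanted=WANTED_FIELDS):
    """Apply the projection to a list of incident objects."""
    return [project(incident, wanted) for incident in incidents]

# Constructed sample data: two incident objects as they might look after
# JSON decoding. Values and the pii/gdpr shapes are placeholders.
SAMPLE_INCIDENTS = [
    {"id": 2101, "name": "Phishing report", "members": [4, 7],
     "plan_status": "A", "inc_last_modified_date": 1589900000000,
     "properties": {"correlation_id": "abc-123", "other_custom_field": "x"},
     "pii": {"placeholder": True}, "gdpr": {"placeholder": True}},
    {"id": 2102, "name": "Malware alert", "members": [],
     "plan_status": "C", "inc_last_modified_date": 1589900500000,
     "properties": None,
     "pii": {"placeholder": True}, "gdpr": {"placeholder": True}},
]

if __name__ == "__main__":
    print(json.dumps(project_all(SAMPLE_INCIDENTS), indent=2))
```

An allow-list is used rather than a deny-list so that any field added to the response later is dropped by default instead of leaking through.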