IBM QRadar SOAR
  • 1.  Obtaining the Incident data - API tools on the SOAR server

    Posted Wed January 31, 2024 02:01 AM

    To IBM qradar soar community,

    I have an implementation that needs to use the API tools to interact with the servers. Referring to the image below:

    Currently what I need to do is to list out all the new incidents using the Incident REST method. Unfortunately, the method is already deprecated and I have not found any replacement that performs a similar function.

    Will the /orgs/{org_id}/incidents/query_paged endpoint be able to query open incidents? There is no indication of headers to specify for only open incidents.

    My current method that I want to implement goes like this:

    • Request the incidents that are currently open
    • Filter the most recent open incident
    • Obtain the values inside the incident using the following API method
    • Process the values within the scripts and save them.

    Also, referring to the interactive API Swagger file, is there a more detailed guide to using the SOAR API, especially the authentication needed?



    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------


  • 2.  RE: Obtaining the Incident data - API tools on the SOAR server

    Posted Wed January 31, 2024 06:53 AM

    Hi Luqman

      I have reached out to the team to identify the new REST query to identify new Incidents.

    Regards

    John



    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: Obtaining the Incident data - API tools on the SOAR server

    Posted Wed January 31, 2024 09:12 PM

    Hi John,

    Thanks for the reply. May I also know if there is detailed documentation on how the API authentication works, especially via Postman and/or a scripting language like Python? I have generated the API keys in the SOAR admin tab, but from my knowledge that is more for integrating one's own custom application and allowing that application to access data on the SOAR.



    ------------------------------
    Luqman Nur
    Techlab
    ------------------------------



  • 4.  RE: Obtaining the Incident data - API tools on the SOAR server
    Best Answer

    Posted Thu February 01, 2024 09:57 AM
    Edited by Luqman Nur Thu February 01, 2024 10:21 PM

    Hi Luqman - 

    So the new query_paged endpoint is a POST, so you pass your filters through as the body of the POST, rather than as headers or query parameters in the URL.

    I think the best way to understand how it works is to run a filter in the SOAR UI and monitor the traffic in your browser. This will give you a great sense of how the query is built and how you can reproduce it in your client.

    Here's an example of how the UI would construct such a query:

    As for authentication, it uses basic HTTP auth with the API key. And yes, you can use the API key for all of these operations; in fact, it is designed exactly for that.

    Let me know if there is anything more specific I can answer for you.

    Bo



    ------------------------------
    Bo Bleckel
    ------------------------------
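The following is an added Python example illustrating what the accepted answer describes (POST to /orgs/{org_id}/incidents/query_paged with the filter in the JSON body, HTTP Basic auth built from the API key ID and secret) together with the "pick the most recent open incident" step from the original question. It is not IBM's client code or anything posted in this thread. Everything not stated in the thread is an assumption to verify against your own server's interactive API page or against the request the SOAR UI sends: the `/rest` path prefix, the `plan_status == "A"` meaning "open", the `filters`/`conditions`/`sorts`/`start`/`length` body shape, the `data` key in the response, and all host names, key values and incident records, which are constructed. Nothing is sent unless `fetch_page` is called.

```python
"""Query open IBM QRadar SOAR incidents via POST .../incidents/query_paged.

Added example for this thread, not IBM's own client code. Assumptions
(verify against your server's interactive API / captured UI traffic):
  - the REST root is https://<host>/rest, so the full path is
    /rest/orgs/{org_id}/incidents/query_paged
  - an open incident has plan_status == "A" (closed == "C")
  - body shape {"filters": [{"conditions": [...]}], "sorts": [...],
    "start": n, "length": n} and a response carrying a "data" list
"""
import base64
import json
import ssl
import urllib.request


def basic_auth_header(api_key_id: str, api_key_secret: str) -> str:
    """HTTP Basic value: base64("<API key id>:<API key secret>")."""
    token = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode()).decode()
    return f"Basic {token}"


def open_incidents_query(start: int = 0, length: int = 50) -> dict:
    """Body for query_paged: open incidents only, newest first (assumed field names)."""
    return {
        "filters": [{"conditions": [
            {"field_name": "plan_status", "method": "equals", "value": "A"},
        ]}],
        "sorts": [{"field_name": "create_date", "type": "desc"}],
        "start": start,
        "length": length,
    }


def build_request(base_url, org_id, api_key_id, api_key_secret, start=0, length=50):
    """Return (url, headers, body bytes) for the POST; nothing is sent here."""
    url = f"{base_url.rstrip('/')}/rest/orgs/{org_id}/incidents/query_paged"
    headers = {
        "Authorization": basic_auth_header(api_key_id, api_key_secret),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps(open_incidents_query(start, length)).encode()
    return url, headers, body


def fetch_page(base_url, org_id, api_key_id, api_key_secret,
               start=0, length=50, cafile=None):
    """Send the POST over TLS. cafile: CA bundle that signed the SOAR certificate;
    keep certificate verification on rather than disabling it for a self-signed cert."""
    url, headers, body = build_request(base_url, org_id, api_key_id, api_key_secret,
                                       start, length)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def newest_open_incident(page: dict):
    """Step 2 of the poster's plan: the most recent open incident in a result page.
    create_date is assumed to be epoch milliseconds, so max() picks the newest."""
    open_rows = [r for r in page.get("data", []) if r.get("plan_status") == "A"]
    if not open_rows:
        return None
    return max(open_rows, key=lambda r: r["create_date"])


# Constructed sample response page (shape assumed) so the selection runs offline.
SAMPLE_PAGE = {
    "recordsTotal": 3,
    "data": [
        {"id": 2101, "name": "Phishing report", "plan_status": "A",
         "create_date": 1706659200000},
        {"id": 2102, "name": "Malware alert", "plan_status": "C",
         "create_date": 1706700000000},
        {"id": 2103, "name": "Suspicious login", "plan_status": "A",
         "create_date": 1706680000000},
    ],
}

if __name__ == "__main__":
    # Placeholder host, org id and key values; read the real secret from a
    # vault or environment variable rather than hard-coding it in a script.
    url, headers, body = build_request("https://soar.example.internal", 201,
                                       "KEY_ID_PLACEHOLDER", "KEY_SECRET_PLACEHOLDER")
    print(url)
    print(body.decode())
    print(newest_open_incident(SAMPLE_PAGE)["id"])
```

To confirm the assumed field names and body shape, capture the request the SOAR UI sends when you apply an "open incidents" filter, as the accepted answer suggests, and compare it with the output of `build_request`; the API key ID and secret go in the `Authorization` header exactly as a username and password would for Basic auth.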