IBM QRadar SOAR

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Patching incident closed through REST API

    Posted Mon May 17, 2021 10:16 AM
    Hi All,

    Trying to write a script to help me close 10,000+ incidents automatically. Having issues with the actual patching stage.
    Below is my code - eventually everything below the for loop will be included in the loop but just whilst testing it only patches one at a time.

    I've also tried adding the snippet below but this didn't work either. I've been receiving either a 500 HTTP status code or "TypeError: 'Patch' object is not iterable". Any suggestions on how to go about doing this?
    resolution_id = {
    "name": "Escalated"
}

resolution_summary = {
    "format": "text",
    "content": "Closed in QRadar"
}
​


    import datetime
import time
import resilient
import logging
import requests
import json as jsonlib

try:
        userCredentials={
       "email" : "",
       "password" : '' }
        newSession = requests.Session()
        response = newSession.post('https://.com/rest/session',json=userCredentials,verify=False)

except Exception as e:
        print("Error connecting to Resilient.")
        print(repr(e))

time_from = datetime.datetime.now() - datetime.timedelta(days=7)
time_from = int(time_from.timestamp())

payload={
  "filters": [
    {
      "conditions": [
        {
          "field_name":"create_date",
          "method": "gt",
          "value": time_from
        },
        {
          "field_name":"plan_status",
          "method": "equals",
          "value": "A"
        }
      ]
    }
  ],
  "sorts": [
    {
      "field_name": "create_date",
      "type": "asc"
    }
  ]
}

uri = "https://.com/rest/orgs/201/incidents/query_paged?field_handle=-1"
response = newSession.post(uri,json=payload,verify=False)

uri_closed = 'https://.com/rest/orgs/201/incidents/'



content = jsonlib.loads(response.content)

for x in content['data']:
    url = "https://.com/rest/orgs/201/incidents/{}".format(x['id'])

data = newSession.get(url)

patch = resilient.Patch(data)

patch.add_value("plan_status", "C")
patch.add_value("resolution_id", 'Escalated')
patch.add_value("resolution_summary", 'Closed in QR')

result = newSession.patch(url, patch, overwrite_conflict=True)
​



    ------------------------------
    Thanks,
    Gareth
    ------------------------------


  • 2.  RE: Patching incident closed through REST API

    Posted Tue May 18, 2021 08:45 AM
    The message 'TypeError: 'Patch' object is not iterable' would happen if
    patch = resilient.Patch(data)​
    doesn't return incident data. Most likely when there is a 500 error returned. The 500 error probably means that the Patch data is incorrect in some way.

    The code to get the incident list from query paged looks ok. But I'm not certain about the remainder of the code. Not sure what is going on here:
    for x in content['data']:
    url = "https://.com/rest/orgs/201/incidents/{}".format(x['id'])​

    Are you trying to get all the ids? This seems like it would just reset the url for each incident?

    Are you trying to patch each incident at a time? Or using multipatch?

    It would be interesting to see what the values of url and patch are here:

    result = newSession.patch(url, patch, overwrite_conflict=True)



    Ben




    ------------------------------
    Ben Lurie
    ------------------------------

    Original Message


  • 3.  RE: Patching incident closed through REST API

    Posted Tue May 18, 2021 04:28 PM
    Edited by Gareth Pearson Tue May 18, 2021 04:29 PM
    Hey Ben!

    Basically, this part:
    for x in content['data']:
    url = "https://.com/rest/orgs/201/incidents/{}".format(x['id'])​​

    Is just a safety net whilst I test the code and get it working. Instead of updating all of the incidents and potentially breaking something. This just means that it'll only update one at a time. This is just setting the URL to the last incident ID so that the incident can be pulled via a get request and then patched.

    Currently, I'm just patching each at a time. There doesn't seem to be much in the way of clear-cut documentation on how to patch the incidents. All I can find are scripts that do this amongst a number of other actions.

    The values of url and patch end up as:
    url - https://[redacted].com/rest/orgs/201/incidents/41518
    patch - <resilient.patch.Patch object at 0x7f2e2cdb0208>


    What may also give more questions than answers is that it also errors when using overwrite_conflict. It returns that "request() got an unexpected keyword argument 'overwrite_conflict' "

    ------------------------------
    Thanks,
    Gareth
    ------------------------------

    Original Message


  • 4.  RE: Patching incident closed through REST API

    Posted Wed May 19, 2021 08:19 AM
    Edited by Ben Lurie Thu May 20, 2021 06:52 AM
    I not as familiar with the resilient_lib patch capabilities so I won't have as much information there.

    I find useful information on using the API by seeing how the UI does patching:


    curl 'https://staging2/rest/orgs/202/incidents/28508?return_dto=true' -X PATCH --data-raw '
    { "changes": [ { "field": "addr", "old_value": { "text": null }, "new_value": { "text": "Cambridge, MA" } }, { "field": "workspace", "old_value": { "id": 405 }, "new_value": { "id": 390 } } ] }'
    Basically a change list. You'll need the old value to use the patching mechanism.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------

    Original Message


Related Content