I was wrong about partial supporting the ability to return custom properties. Unfortunately have to use normal or full. Here is the syntax to request multiple custom fields at the same time:
rest/orgs/202/incidents/query_paged?return_level=normal&field_handle=1561&field_handle=2087
You can use either the field ids or the field api names.
Original Message:
Sent: Wed April 14, 2021 04:46 AM
From: Timothyw Low
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
------------------------------
Timothyw Low
Original Message:
Sent: Wed April 14, 2021 12:58 AM
From: Timothyw Low
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
Hi Ben,
Adding on: we tried /rest/orgs/202/incidents/query_paged?return_level=partial&field_handle=custom_field_1 and the API returns an error.
If we query /rest/orgs/205/types/incident/fields/properties.custom_field_1 to get the JSON data in the result array:
{
  "id": 1493,
  "name": "custom_field_1",
  "text": "External Reference ID",
  "prefix": "properties",
  "type_id": 0,
  "tooltip": "",
  "placeholder": "",
  "input_type": "text",
  "hide_notification": false,
  "chosen": false,
  "default_chosen_by_server": false,
  "blank_option": false,
  "internal": false,
  "uuid": "2faca478-6480-41c1-be4e-b33fafd9043a",
  "operations": ["changed", "changed_to", "contains", "equals", "has_a_value", "not_changed_to", "not_contains", "not_equals", "not_has_a_value"],
  "operation_perms": {
    "changed": {"show_in_manual_actions": false, "show_in_auto_actions": true, "show_in_notifications": true},
    "changed_to": {"show_in_manual_actions": false, "show_in_auto_actions": true, "show_in_notifications": true},
    "contains": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true},
    "equals": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true},
    "has_a_value": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true},
    "not_changed_to": {"show_in_manual_actions": false, "show_in_auto_actions": true, "show_in_notifications": true},
    "not_contains": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true},
    "not_equals": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true},
    "not_has_a_value": {"show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true}
  },
  "values": [],
  "perms": {
    "delete": true, "modify_name": true, "modify_values": true, "modify_blank": true,
    "modify_required": true, "modify_operations": true, "modify_chosen": true, "modify_default": true,
    "show_in_manual_actions": true, "show_in_auto_actions": true, "show_in_notifications": true,
    "show_in_scripts": true, "modify_type": ["textarea", "text"], "sort": true
  },
  "read_only": false,
  "changeable": true,
  "rich_text": false,
  "templates": [],
  "deprecated": false,
  "tags": [],
  "calculated": false,
  "is_tracked": false,
  "allow_default_value": false
}
Then, when we query /rest/orgs/202/incidents/query_paged?return_level=partial&field_handle=1493, it doesn't include custom_field_1 in the Incident JSON results either.
------------------------------
Timothyw Low
Original Message:
Sent: Wed April 14, 2021 12:42 AM
From: Timothyw Low
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
Hi Ben,
So if we specify...
/rest/orgs/202/incidents/query_paged?return_level=partial&field_handle=ben,custom_field_1
Should Resilient Incident API return me the default incident fields + custom fields (ben, custom_field_1)?
Regards, Tim
------------------------------
Timothyw Low
Original Message:
Sent: Tue April 13, 2021 08:50 AM
From: Ben Lurie
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
It is possible to use the query paged api and request only partial data with some custom fields. Here is an example:
/rest/orgs/202/incidents/query_paged?return_level=partial&field_handle=ben
Use multiple field_handle query parameters as needed.
The boolean logic for query paged does not currently support OR logic.
Ben
------------------------------
Ben Lurie
Original Message:
Sent: Mon April 12, 2021 09:22 PM
From: Timothyw Low
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
Hi AnnMarie,
1) If we need the fields in "partial" + a few custom fields, is there any way to do it? If we state return_level=full, it will return the entire Incident data.
2) The following will be an AND condition, right? WHERE create_date > 55555 AND create_date < 111111 AND plan_status = 'A'?
query = {
    'filters': [{
        'conditions': [
            {'field_name': 'create_date', 'method': 'lte', 'value': 55555555},
            {'field_name': 'create_date', 'method': 'gte', 'value': 111111111},
            {'field_name': 'plan_status', 'method': 'equals', 'value': 'A'}
        ]
    }],
    "sorts": [{"field_name": "create_date", "type": "desc"}]
}
I am looking for a filter where it will be WHERE (create_date > 55555 AND create_date < 111111) OR plan_status = 'A'?
Regards,
Tim
------------------------------
Timothyw Low
Original Message:
Sent: Mon April 12, 2021 05:23 PM
From: AnnMarie Norcross
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
Hi Timothyw,
Here is sample code for querying open incidents which uses "partial" return level as specified by the partialIncidentDTO in the Resilient REST API documentation to see which predefined fields are returned.
import logging
from resilient import SimpleHTTPException

LOG = logging.getLogger(__name__)

def get_resilient_incidents(self):
    """ Just a Placeholder to scrape all incident data from Resilient """
    r_incidents = []
    # rest_client().post() prefixes the path with /rest/orgs/{org_id}
    query_uri = '/incidents/query?return_level=partial'
    query = {
        'filters': [{
            'conditions': [
                {'field_name': 'plan_status', 'method': 'equals', 'value': 'A'}
            ]
        }],
        'sorts': [{'field_name': 'create_date', 'type': 'desc'}]
    }
    try:
        r_incidents = self.rest_client().post(query_uri, query)
    except SimpleHTTPException as ex:
        LOG.error("Failed to pull incidents:%s", ex)
        r_incidents = 'Failed'
    return r_incidents
You can use the MethodName data types to form the conditions like this:
query = {
    'filters': [{
        'conditions': [
            {'field_name': 'create_date', 'method': 'lte', 'value': 55555555},
            {'field_name': 'create_date', 'method': 'gte', 'value': 111111111},
            {'field_name': 'plan_status', 'method': 'equals', 'value': 'A'}
        ]
    }],
    "sorts": [{"field_name": "create_date", "type": "desc"}]
}
You can query with a condition like this to search for incident ids in a list of incident ids:
# `results` is the result list of an earlier query; REQUEST_ID_FIELDNAME is the
# API name of the custom field to include in the response
req_ids = [result["id"] for result in results]
query_uri = u"/incidents/query?return_level=normal&field_handle={}".format(REQUEST_ID_FIELDNAME)
query = {
    'filters': [{
        'conditions': [
            {'field_name': 'id', 'method': 'in', 'value': req_ids},
            {'field_name': 'plan_status', 'method': 'equals', 'value': 'A'}
        ]
    }]
}
Hope these samples help. Let me know if you need more information.
AnnMarie
------------------------------
AnnMarie Norcross
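The following is an added example that is not part of this thread and not code from IBM's resilient library. It pulls together the two points the thread settles on: Ben's final note that custom fields come back only with return_level=normal or full and are requested with one field_handle parameter each (ids or API names), and AnnMarie's AND-only filter samples, plus the OR case Tim asked about, which query_paged does not support and so has to be emulated client-side by running two AND queries and unioning the rows by incident id. Everything below the function definitions is constructed sample data: FakeClient stands in for the real REST client and applies the filter conditions in memory so the example runs offline; with the real client you would pass the path relative to /rest/orgs/{org_id}, as in AnnMarie's samples.

```python
from urllib.parse import urlencode


def build_query_uri(org_id, field_handles, return_level="normal", paged=True):
    """Build the incidents query URI with one field_handle parameter per custom field.

    Custom properties are only returned for return_level=normal or full (Ben's
    note), so 'partial' is rejected up front instead of silently returning rows
    without the requested properties.
    """
    if return_level not in ("normal", "full"):
        raise ValueError("custom fields require return_level=normal or full")
    params = [("return_level", return_level)]
    params += [("field_handle", str(h)) for h in field_handles]  # field ids or API names
    endpoint = "query_paged" if paged else "query"
    return "/rest/orgs/{}/incidents/{}?{}".format(org_id, endpoint, urlencode(params))


def date_range_query(start_ms, end_ms, extra_conditions=()):
    """AND-only filter: create_date in [start_ms, end_ms] plus any extra conditions.

    gte goes on the lower bound and lte on the upper bound; the other way round
    matches nothing.
    """
    conditions = [
        {"field_name": "create_date", "method": "gte", "value": start_ms},
        {"field_name": "create_date", "method": "lte", "value": end_ms},
    ] + list(extra_conditions)
    return {"filters": [{"conditions": conditions}],
            "sorts": [{"field_name": "create_date", "type": "desc"}]}


def ids_query(incident_ids):
    """Filter for an explicit list of incident ids (method 'in')."""
    return {"filters": [{"conditions": [
        {"field_name": "id", "method": "in", "value": list(incident_ids)}]}]}


def query_or(client, uri, *queries):
    """Emulate (A) OR (B): run each AND-only query and union the rows by id.

    query_paged wraps rows in a "data" key; /incidents/query returns a bare list.
    """
    merged = {}
    for query in queries:
        resp = client.post(uri, query)
        rows = resp["data"] if isinstance(resp, dict) else resp
        for inc in rows:
            merged.setdefault(inc["id"], inc)
    return sorted(merged.values(), key=lambda i: i["create_date"], reverse=True)


def missing_custom_fields(incidents, api_names):
    """Return {incident_id: [api_names absent from properties]} as a post-query check.

    With return_level=partial the properties are simply not there, which is the
    symptom described in the thread; this makes that visible instead of failing
    later with a KeyError.
    """
    missing = {}
    for inc in incidents:
        props = inc.get("properties") or {}
        absent = [n for n in api_names if n not in props]
        if absent:
            missing[inc["id"]] = absent
    return missing


# Constructed sample incidents (hypothetical values, not from any real org).
CONSTRUCTED_INCIDENTS = [
    {"id": 1, "create_date": 100, "plan_status": "A", "properties": {"custom_field_1": "EXT-1"}},
    {"id": 2, "create_date": 200, "plan_status": "C", "properties": {"custom_field_1": "EXT-2"}},
    {"id": 3, "create_date": 300, "plan_status": "A", "properties": {"custom_field_1": None}},
    {"id": 4, "create_date": 400, "plan_status": "C", "properties": {}},
]


class FakeClient:
    """Stand-in for the Resilient REST client: applies AND-only conditions in memory."""

    OPS = {
        "gte": lambda a, b: a >= b,
        "lte": lambda a, b: a <= b,
        "equals": lambda a, b: a == b,
        "in": lambda a, b: a in b,
    }

    def __init__(self, incidents):
        self.incidents = incidents

    def post(self, uri, query):
        conds = [c for f in query["filters"] for c in f["conditions"]]
        rows = [i for i in self.incidents
                if all(self.OPS[c["method"]](i.get(c["field_name"]), c["value"]) for c in conds)]
        return {"data": rows} if "query_paged" in uri else rows


if __name__ == "__main__":
    client = FakeClient(CONSTRUCTED_INCIDENTS)
    uri = build_query_uri(202, [1561, "custom_field_1"])
    status_a = {"filters": [{"conditions": [{"field_name": "plan_status", "method": "equals", "value": "A"}]}]}
    for inc in query_or(client, uri, date_range_query(150, 350), status_a):
        print(inc["id"], inc["plan_status"], inc["properties"])
```

The union in query_or is keyed on id so an incident matching both branches appears once, and the sort is re-applied after merging because each branch was sorted independently.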
Original Message:
Sent: Mon April 12, 2021 03:30 AM
From: Timothyw Low
Subject: Resilient SOAR API - GET Incidents (specify what field data we require in results)
We are using the Resilient API to retrieve incident information via:
POST /orgs/{org_id}/incidents/query
POST /orgs/{org_id}/incidents/query_paged
I understand that setting return_level=partial will return a smaller subset of Incident fields, and if we do return_level=full we will retrieve ALL the incident field information, which is too much.
We have 2 use cases for querying Resilient Incidents:
1) ALL Incidents within a date range, filtered by create_date gte X and create_date lte Y = only require incident fields: id
2) ALL Incidents where ID in (1,2,3,4,5,6,7,8,9,10) = only require incident fields: id, description, plan_status, create_date, properties.custom_field_1, properties.custom_field_2, etc...
Is there a way to define only the fields we want included in the results (e.g. id, created_date, plan_status, custom_field_1)?
------------------------------
Timothyw Low
------------------------------