IBM QRadar SOAR

  • 1.  Retrieving an incident's artifacts via REST API

    Posted Tue March 01, 2022 04:09 PM
    Hello,
    I recently noticed that the REST API call to retrieve an incident's artifacts has been deprecated (/orgs/{org id}/incident/{inc id}/artifacts), now only allowing an artifact to be retrieved by specifying the artifact id.
    I do see that the API call to /orgs/{org id}/incident/{inc id} returns a list of artifacts, which I would assume provides the artifact id to then retrieve the artifact.
    Unfortunately when I make this call, using the provided interactive restful api, no artifacts are returned. The section just says "artifacts: null" even though there are definitely artifacts for the incident.

    Any idea what could be the issue?

    ------------------------------
    Tim Gray
    ------------------------------


  • 2.  RE: Retrieving an incident's artifacts via REST API

    Posted Wed March 02, 2022 05:23 AM
    Hi Tim,
    If you want to retrieve the artifacts under an incident, it's recommended to use the "POST /orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged" endpoint. It returns the artifacts in a paginated manner to avoid performance issues when there is a huge number of artifacts to return. Our UI on the incident artifact page already adopts this API, so you can just check how it uses the API. Below is an example to query the first 100 artifacts whose type is "IP Address", sorted by "last modified time".



    ------------------------------
    Gilbert Liao
    ------------------------------