IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

ServiceNow API Post Worklog to Request Item- "'Retry limit exceeded'"

  • 1.  ServiceNow API Post Worklog to Request Item- "'Retry limit exceeded'"

    Posted yesterday

    I'm encountering a challenge with building a SOAR playbook to post a comment to the ServiceNow Request Item worklog. I know the ServiceNow function app includes an "update worklog" feature for incidents and tasks, but it doesn't seem to support request items. Has anyone else faced a similar issue? Could this be related to the format of the variable?  I am sharing a couple of scripts I am using with the "Call REST API" function.


    Script #1 - [Good] This one works when the comment is regular text.  No issue

    import json
     
    # Define the website name
    #website_name = artifact.value
     
    comments_content = "This is an internal worklog note added via API test."
     
    # Base headers for the API requests
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Basic ***********'  # Replace with your actual API token
    }
    data = f"""
    {{
        "comments": "{comments_content}"
    }}
    """
     
    # Set inputs for QRadar SOAR
    inputs.rest_api_method = 'PATCH'
    inputs.rest_api_url =  'https://mycompany.service-now.com/api/now/table/sc_req_item/0123456789'
    inputs.rest_api_headers = json.dumps(headers)
    inputs.rest_api_verify = False  # Optional: Disable SSL verification if needed
    inputs.rest_api_body = json.dumps(data)

    Script 2: This one does work when the comment is from a variable.  In this case, the variable content is from the SOAR incident Note text.
    And it displayed an error "'Retry limit exceeded'"

    import json
    results = playbook.functions.results.add_worklog_ritm_output
    data = results.content.json
    latest_incident = max(data, key=lambda incident: incident.get('id', 0))
    latest_text = latest_incident.get('text', 'No text found')
     
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Basic *********'  # Replace with your actual API token
    }
    data = f"""{
        "comments": "{latest_text}"
    }
    """
     
    # Set inputs for QRadar SOAR
    inputs.rest_api_method = 'PATCH'
    inputs.rest_api_url =  'https://mycompany.service-now.com/api/now/table/sc_req_item/01123456789'
    inputs.rest_api_headers = json.dumps(headers)
    inputs.rest_api_verify = False  # Optional: Disable SSL verification if needed
    inputs.rest_api_body = json.dumps(data)



    ------------------------------
    Raymond Tam
    ------------------------------


Related Content