IBM Security QRadar SOAR

  • 1.  Resilient - Can we filter users by name in GET Users REST API?

    Posted Sun January 24, 2021 11:34 PM
    Hi,

    In Resilient GET /orgs/{org_id}/users REST API, I see that we can add "ids" as query to only return users with the specified ids. Can we filter users by user name or user email? 

    Also for GET /orgs/{org_id}/groups REST API, can we filter groups by group name?

    Thanks!

    ------------------------------
    Mei Thom
    ------------------------------


  • 2.  RE: Resilient - Can we filter users by name in GET Users REST API?
    Best Answer

    Posted Mon January 25, 2021 10:17 AM
    Those APIs are deprecated for performance issues.

    You can either use the query_paged versions of user/group searches:

    POST /orgs/{org_id}/groups/query_paged 

    POST /orgs/{org_id}/users/query_paged 

    Or you can use the principal search query paged search, which searches across users and groups and api keys:

    POST /orgs/{org_id}/principals/search


    Search by user name using query_paged:

    curl 'https://staging2.internal.resilientsystems.com/rest/orgs/230/users/query_paged' --data-raw '{"sorts":[{"field_name":"display_name","type":"asc"}],"filters":[{"conditions":[{"field_name":"display_name","method":"contains","value":"ben1"}]}],"start":0,"length":100}'


    Search by user email using query_paged:

    curl 'https://staging2.internal.resilientsystems.com/rest/orgs/230/users/query_paged' --data-raw '{"sorts":[{"field_name":"display_name","type":"asc"}],"filters":[{"conditions":[{"field_name":"email","method":"contains","value":"blurie"}]}],"start":0,"length":100}'


    Search group by name:

    curl 'https://staging2.internal.resilientsystems.com/rest/orgs/230/groups/query_paged' --data-raw '{"sorts":[{"field_name":"name","type":"asc"}],"filters":[{"conditions":[{"field_name":"name","method":"contains","value":"ben"}]}],"start":0,"length":10}'


    Search all principals by "free text search" with ben:

    curl 'https://staging2.internal.resilientsystems.com/rest/orgs/230/principals/search' --data-raw '{"filters":[],"start":0,"length":20,"recordsTotal":0,"query":"ben"}'


    This returns any group, API key, or user with either a display name or email that contains ben.

    Each of these APIs allows searching by multiple fields in a query-paged way. The principal search API also supports "free text search", which the other APIs don't have, but it also allows field-filtered searching as necessary.

    These are the fields for user:

    cell
    create_date
    display_name
    email
    fname
    groups
    id
    inherited_roles
    is_external
    last_login
    last_modified_time
    lname
    locked
    org_handles
    org_last_modified_time
    phone
    roles
    status
    title

    These are the fields for groups:

    id
    is_assignable
    is_default_owner
    is_task_assignable
    last_modified_time
    ldap_dn
    name
    roles

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
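
An added example, not part of the answer above and not IBM's code: it builds the query_paged body shown in the curl commands with `json.dumps` (so a search term containing quotes cannot break the JSON or the shell quoting), rejects field names that are not in the lists above, and pages with `start`/`length` until a short page comes back. The `post` transport, the `"data"` key in the reply, and the sample users are assumptions made for illustration.

```python
import json

# Field names copied from the lists in the answer above.
USER_FIELDS = {"cell", "create_date", "display_name", "email", "fname", "groups",
               "id", "inherited_roles", "is_external", "last_login",
               "last_modified_time", "lname", "locked", "org_handles",
               "org_last_modified_time", "phone", "roles", "status", "title"}
GROUP_FIELDS = {"id", "is_assignable", "is_default_owner", "is_task_assignable",
                "last_modified_time", "ldap_dn", "name", "roles"}

def build_query(kind, field, value, start=0, length=100, sort_field=None):
    """Return the JSON body for POST /orgs/{org_id}/{kind}/query_paged."""
    allowed = {"users": USER_FIELDS, "groups": GROUP_FIELDS}[kind]
    sort_field = sort_field or ("display_name" if kind == "users" else "name")
    for name in (field, sort_field):
        if name not in allowed:
            raise ValueError(f"{name!r} is not a {kind} field")
    body = {
        "sorts": [{"field_name": sort_field, "type": "asc"}],
        "filters": [{"conditions": [
            {"field_name": field, "method": "contains", "value": value}]}],
        "start": start,
        "length": length,
    }
    return json.dumps(body)  # json.dumps escapes quotes in the search term

def query_all(post, org_id, kind, field, value, length=100):
    """Page through every match. `post(path, body)` is a caller-supplied
    transport returning the decoded JSON reply; the "data" key is assumed."""
    path = f"/orgs/{org_id}/{kind}/query_paged"
    start, rows = 0, []
    while True:
        page = post(path, build_query(kind, field, value, start, length))["data"]
        rows.extend(page)
        if len(page) < length:  # short (or empty) page: nothing left
            return rows
        start += length

# Constructed sample data and a stand-in for the server, so this runs offline.
SAMPLE_USERS = [{"id": i, "display_name": n, "email": e} for i, (n, e) in enumerate([
    ("ben1", "ben1@example.com"), ("Ben O'Neil", "boneil@example.com"),
    ("mei", "mei@example.com"), ("ben2", "b2@example.com")])]

def fake_post(path, body):
    q = json.loads(body)
    cond = q["filters"][0]["conditions"][0]
    hits = [u for u in SAMPLE_USERS if cond["value"] in u[cond["field_name"]]]
    return {"data": hits[q["start"]:q["start"] + q["length"]]}
```

Against a real server, `post` would wrap an authenticated HTTPS call that sends the body as JSON; the stand-in here matches case-sensitively, which may differ from the server's `contains`.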



  • 3.  RE: Resilient - Can we filter users by name in GET Users REST API?

    Posted Mon January 25, 2021 10:45 AM
    Hi Ben, thank you very much for your detailed demonstrations. This is very helpful!

    ------------------------------
    Mei Thom
    ------------------------------