IBM Security QRadar SOAR

  • 1.  Does Incident Exist - Python Method

    IBM Champion
    Posted Tue March 12, 2019 01:26 PM
    I've encountered an issue where if a function (that takes time to execute) is running, and the incident from which it was called is deleted, it will continue to run-- even across integration server reboots (which restarts it)-- until it completes.

    I'd like a way to check if the incident exists within my Python function. I have incident_id as a parameter.

    What is the best way to do this? I'd imagine there is a rest_client() call to make?

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------


  • 2.  RE: Does Incident Exist - Python Method
    Best Answer

    Posted Wed March 13, 2019 05:54 AM
    Hi Jared,

    Yes, you can use the Resilient REST API to GET an Incident using the incident_id.

    Here is a function you may find useful:

    import logging
    from resilient import SimpleHTTPException
    
    
    def get_incident(client, incident_id):
        """Function that gets the incident from Resilient.
        Returns None if no incident is found.
        Raises a ValueError if any other error occurs."""
    
        log = logging.getLogger(__name__)
        err_msg = None
        get_url = "/incidents/{0}?text_content_output_format=always_text&handle_format=names".format(incident_id)
    
        # Get the incident from resilient api
        try:
            log.debug("GET Incident from Resilient: ID %s URL: %s", incident_id, get_url)
            incident = client.get(get_url)
            log.debug("Incident got successfully: %s", incident)
            return incident
        except Exception as err:
            err_msg = "Error trying to get Incident {0}.".format(incident_id)
            # Exceptions have no .message attribute on Python 3, so fall back to str(err)
            err_text = getattr(err, "message", None) or str(err)
    
            if "not found" in err_text.lower():
                err_msg = "{0} Could not find Incident with ID {1}".format(err_msg, incident_id)
                log.error(err_msg)
                return None
            elif isinstance(err, SimpleHTTPException):
                err_msg = "{0}\nServer Error.\nStatus Code: {1}\nURL: {2}\n{3}".format(err_msg, err.response.status_code, err.response.url, err_text)
            else:
                err_msg = "{0} {1}".format(err_msg, err)
    
            raise ValueError(err_msg)

    Also note that you can explore the Resilient REST API by going to: Help/Contact > Interactive REST API.


    ------------------------------
    Shane Curtin
    Integrations Engineer - IBM Resilient
    ------------------------------
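An added example, not part of either post above: one way to use such an existence check inside a long-running function so that it stops once its incident is gone. `FakeClient`, `FakeHTTPError`, `incident_exists` and `run_steps` are hypothetical names; the fakes stand in for the REST client and `SimpleHTTPException` so the sketch runs offline, and it assumes a deleted incident is answered with HTTP 404.

```python
class FakeHTTPError(Exception):
    """Constructed stand-in for resilient.SimpleHTTPException (offline demo)."""
    def __init__(self, status_code):
        super().__init__("HTTP {0}".format(status_code))
        self.response = type("Resp", (), {"status_code": status_code})()


class FakeClient:
    """Constructed stand-in for the REST client: get() raises 404 once deleted."""
    def __init__(self, incidents):
        self.incidents = set(incidents)

    def get(self, url):
        incident_id = int(url.split("/")[2].split("?")[0])
        if incident_id not in self.incidents:
            raise FakeHTTPError(404)
        return {"id": incident_id}


def incident_exists(client, incident_id):
    """True if the GET succeeds, False on 404; any other error propagates."""
    try:
        client.get("/incidents/{0}".format(incident_id))
        return True
    except Exception as err:
        response = getattr(err, "response", None)
        if getattr(response, "status_code", None) == 404:
            return False
        raise  # an outage or auth failure is not proof of deletion


def run_steps(client, incident_id, steps, check_every=1):
    """Run callables in order, re-checking the incident every `check_every` steps.
    Returns (completed_count, aborted)."""
    done = 0
    for i, step in enumerate(steps):
        if i % check_every == 0 and not incident_exists(client, incident_id):
            return done, True
        step()
        done += 1
    return done, False


if __name__ == "__main__":
    client = FakeClient({2095})  # constructed incident id
    steps = [lambda: None, lambda: client.incidents.discard(2095), lambda: None]
    print(run_steps(client, 2095, steps))  # (2, True)
```

Only a 404 is treated as "deleted"; a server error or expired session raises instead, so a transient failure does not silently cancel work on a live incident.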