IBM Security QRadar SOAR


Get Custom Field value from multiple incidents created in last 24 hours using REST API

  • 1.  Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Thu August 22, 2019 09:50 AM
    I have a requirement to export field values of incidents created in the last 24 hours to an external source using the REST API, like 'Incident_name', 'create_date', 'incident_status', etc. Can anyone suggest how to do it?


    ------------------------------
    Dastagirsab Mulla
    ------------------------------


  • 2.  RE: Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Fri August 23, 2019 08:49 AM
    Here is an example using the curl command with the REST endpoint for getting incidents in a paged manner.

    Notice the filters that limit based on the last modified time of the incident. 

    Notice the field_handle query parameters. This indicates which custom fields you are interested in getting back.

    With the query_paged endpoint, the length indicates how many records you want back. I think 1000 is the max per request. Your code will have to iterate in a loop to ensure you get all the incidents.

    curl 'https://server/rest/orgs/230/incidents/query_paged?return_level=normal&field_handle=8472&field_handle=8477' \
      -H 'Cookie: _ga=GA1.2.310013028.1554732927; CSRF_TOKEN=7b2276616c7565223a226265313261663836313362393534313563316161343264656366393661666633227d; JSESSIONID=79932C2166125CEABA1527DADE00B407' \
      -H 'X-sess-id: 55cfb781798149f7bd39872fc16eaf61' \
      -H 'handle_format: objects' \
      -H 'text_content_output_format: objects_convert' \
      -H 'Content-Type: application/json; charset=UTF-8' \
      -H 'Accept: application/json, text/javascript, */*; q=0.01' \
      -H 'Accept-Encoding: gzip, deflate, br' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Origin: https://server' \
      -H 'Referer: https://server/' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'Connection: keep-alive' \
      --data-binary '{
        "filters": [{"conditions": [
          {"field_name": "inc_last_modified_date", "method": "gte", "value": 1557924018803},
          {"field_name": "inc_last_modified_date", "method": "lte", "value": 1566564018803}
        ]}],
        "sorts": [],
        "start": 0,
        "length": 25
      }' \
      --compressed --insecure

    You may also want to take a look at the Data Feeder extension for Resilient that is available on the Resilient App Exchange.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Fri August 23, 2019 09:11 AM
    Here's a curl command that should accomplish it for you

    curl -k \
      -H 'handle_format: objects' \
      -H 'X-sess-id: 4ad514b3f61d1df81f01bdb26031b67a' \
      -H 'Content-Type: application/json; charset=UTF-8' \
      -H 'Cookie: JSESSIONID=9B6440650FD353CB2894C551CB3D0C8E' \
      --data-binary '{
        "filters": [{"conditions": [
          {"field_name": "create_date", "method": "gte", "value": 1566477533910},
          {"field_name": "create_date", "method": "lte", "value": 1566563933910}
        ]}],
        "sorts": [],
        "start": 0,
        "length": 100
      }' \
      'https://localhost:8443/rest/orgs/201/incidents/query_paged?return_level=normal&field_handle='

    Items of note:
    1. The session info in the Cookie header and in X-sess-id is however you currently add your session information; the values herein won't work directly for you.
    2. The --data-binary argument is the JSON provided to filter on the last 24 hours; your values in the filter will need to change to reflect the correct range.
    I'd recommend looking at the documentation for the query_paged endpoint so that you can explore some of the options available (see https://{yourservername}/docs/rest-api/resource_IncidentREST.html#resource_IncidentREST_queryPaged_POST).

    ------------------------------
    Marty James
    ------------------------------