IBM QRadar SOAR

  • 1.  Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Thu August 22, 2019 09:50 AM
    I have a requirement to export field values of incidents created in the last 24 hours to an external source using the REST API, such as 'Incident_name', 'create_date', 'incident_status', etc. Could anyone suggest how to do it?


    ------------------------------
    Dastagirsab Mulla
    ------------------------------


  • 2.  RE: Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Fri August 23, 2019 08:49 AM
    Here is an example using the curl command with the REST endpoint for getting incidents in a paged manner.

    Notice the filters that limit based on the last modified time of the incident.

    Notice the field_handle query parameters. These indicate which custom fields you are interested in getting back.

    With the query_paged endpoint, the length indicates how many records you want back. I think 1000 is the max per request. Your code will have to iterate in a loop to ensure you get all the incidents.

    curl 'https://server/rest/orgs/230/incidents/query_paged?return_level=normal&field_handle=8472&field_handle=8477' \
      -H 'Cookie: _ga=GA1.2.310013028.1554732927; CSRF_TOKEN=7b2276616c7565223a226265313261663836313362393534313563316161343264656366393661666633227d; JSESSIONID=79932C2166125CEABA1527DADE00B407' \
      -H 'Origin: https://server' \
      -H 'Accept-Encoding: gzip, deflate, br' \
      -H 'handle_format: objects' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' \
      -H 'Content-Type: application/json; charset=UTF-8' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Accept: application/json, text/javascript, */*; q=0.01' \
      -H 'Referer: https://server/' \
      -H 'text_content_output_format: objects_convert' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'X-sess-id: 55cfb781798149f7bd39872fc16eaf61' \
      -H 'Connection: keep-alive' \
      --data-binary '{"filters":[{"conditions":[{"field_name":"inc_last_modified_date","method":"gte","value":1557924018803},{"field_name":"inc_last_modified_date","method":"lte","value":1566564018803}]}],"sorts":[],"start":0,"length":25}' \
      --compressed --insecure

    You may also want to take a look at the Data Feeder extension for Resilient that is available on the Resilient App Exchange.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Get Custom Field value from multiple incidents created in last 24 hours using REST API

    Posted Fri August 23, 2019 09:11 AM
    Here's a curl command that should accomplish it for you.

    curl -k \
      -H 'handle_format: objects' \
      -H 'X-sess-id: 4ad514b3f61d1df81f01bdb26031b67a' \
      -H 'Content-Type: application/json; charset=UTF-8' \
      -H 'Cookie: JSESSIONID=9B6440650FD353CB2894C551CB3D0C8E' \
      --data-binary '{"filters":[{"conditions":[{"field_name":"create_date","method":"gte","value":1566477533910},{"field_name":"create_date","method":"lte","value":1566563933910}]}],"sorts":[],"start":0,"length":100}' \
      'https://localhost:8443/rest/orgs/201/incidents/query_paged?return_level=normal&field_handle='

    Items of note:
    1. The session info in the Cookie header and in X-sess-id is however you currently add your session information; the values herein won't work directly for you.
    2. The --data-binary argument is the JSON provided to filter on the last 24 hours; your values in the filter will need to change to reflect the correct range.
    I'd recommend looking at the documentation for the query_paged endpoint so that you can explore some of the options available (see https://{yourservername}/docs/rest-api/resource_IncidentREST.html#resource_IncidentREST_queryPaged_POST).

    ------------------------------
    Marty James
    ------------------------------
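    Putting the two replies together (the create_date window from the second reply and the start/length paging loop from the first), here is an added Python example that is not from the thread or from IBM: it computes the 24-hour window in epoch milliseconds, builds the same query_paged body the curl commands post, loops over pages, and pulls the standard fields from the question plus named custom fields. Assumptions, all labelled in the code: the response carries incidents under "data" with a "recordsTotal" count, custom fields sit in the incident's "properties" dict keyed by API name, the status field is "plan_status", and authentication plus the return_level/field_handle query parameters are handled by the post_page callable you supply (here replaced by a constructed offline stand-in).

```python
# Added example, not from the thread: page query_paged for the last 24h.
import time

def last_24h_window(now_ms=None):
    """(gte, lte) epoch-millisecond bounds for the last 24 hours."""
    lte = int(time.time() * 1000) if now_ms is None else now_ms
    return lte - 24 * 60 * 60 * 1000, lte

def build_query(gte_ms, lte_ms, start, length, field="create_date"):
    """Body for POST /rest/orgs/{org}/incidents/query_paged, same shape as the curl above."""
    return {"filters": [{"conditions": [
                {"field_name": field, "method": "gte", "value": gte_ms},
                {"field_name": field, "method": "lte", "value": lte_ms}]}],
            "sorts": [], "start": start, "length": length}

def fetch_all(post_page, gte_ms, lte_ms, page_size=1000):
    """Advance 'start' by the rows received until recordsTotal (assumed key) is reached."""
    incidents, start = [], 0
    while True:
        page = post_page(build_query(gte_ms, lte_ms, start, page_size))
        rows = page.get("data", [])  # assumed: incidents arrive under "data"
        incidents.extend(rows)
        start += len(rows)
        if not rows or start >= page.get("recordsTotal", 0):
            return incidents

def extract_fields(incident, custom_fields):
    """Standard fields from the question plus custom fields (assumed under "properties")."""
    props = incident.get("properties") or {}
    row = {"name": incident.get("name"), "create_date": incident.get("create_date"),
           "plan_status": incident.get("plan_status")}  # assumed status field name
    row.update({f: props.get(f) for f in custom_fields})
    return row

# Constructed sample incidents standing in for the server; not real data.
NOW_MS = 1566563933910  # the 'lte' value from the curl above
_SAMPLE = [{"id": i, "name": "Incident %d" % i, "plan_status": "A",
            "create_date": NOW_MS - i * 10 * 60 * 60 * 1000,  # 0h, 10h, 20h, 30h, 40h old
            "properties": {"custom_source": "feed-%d" % i}} for i in range(5)]

def fake_post_page(body):
    """Offline stand-in for the authenticated POST: applies the filter, serves pages."""
    lo, hi = (c["value"] for c in body["filters"][0]["conditions"])
    hits = [i for i in _SAMPLE if lo <= i["create_date"] <= hi]
    s, n = body["start"], body["length"]
    return {"data": hits[s:s + n], "recordsTotal": len(hits)}

def export_last_24h(post_page=fake_post_page, now_ms=NOW_MS, custom_fields=("custom_source",), page_size=2):
    gte, lte = last_24h_window(now_ms)
    return [extract_fields(i, custom_fields) for i in fetch_all(post_page, gte, lte, page_size)]
```

With the constructed data and a page size of 2, three of the five sample incidents fall inside the window and are collected across two pages; note that the computed gte for NOW_MS is exactly the 1566477533910 used in the curl above.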