IBM Security QRadar SOAR

  • 1.  REST API request issue

    Posted Mon February 17, 2020 07:39 AM
    There is an issue with the REST API request "POST /orgs/{org_id}/incidents/query".
    The problem appears when we use several conditions in a search query and apply the logic type "any" to them: it still shows results as if we had used "all".
    To be more accurate:
    I have created some incidents with the names "test1", "test2", "test3". Two of them have severity "critical" (the id of this severity_code status is 404). The third one has severity "high" (its id is 405). Now I'm using the following filter as JSON in the body of my request:
    {
      "filters" : [ {
        "conditions" : [ {
          "method" : "contains",
          "field_name" : "name",
          "value" : "test"
        }, {
          "method" : "equals",
          "field_name" : "severity_code",
          "value" : 405
        } ],
        "logic_type" : "all"
      } ]
    }


    This JSON means that I'm looking only for those incidents whose name contains the string "test" AND whose severity is high. As a result I receive only 1 incident ("test3"), which is correct!
    But now I'd like to search for incidents which EITHER contain "test" in their names OR have severity_code "high", so I've changed the logic type and used the following filter:

    {
      "filters" : [ {
        "conditions" : [ {
          "method" : "contains",
          "field_name" : "name",
          "value" : "test"
        }, {
          "method" : "equals",
          "field_name" : "severity_code",
          "value" : 405
        } ],
        "logic_type" : "any"
      } ]
    }


    What we wish to see as a result: all three incidents, because they satisfy our filter. Instead, we get the same result as in the previous example (only the "test3" incident), as if we had used the "all" logic type again.
    I have tried different combinations of conditions, fields, methods and values, but my logic type "any" always works like logic type "all". Is it a defect, or am I missing something? If I'm wrong, please post a correct JSON filter here where logic_type "any" works properly and clearly.

    ------------------------------
    Maksym Matviienko
    ------------------------------


  • 2.  RE: REST API request issue

    Posted Mon February 24, 2020 03:21 PM
    Unfortunately, it is not currently possible to use OR logic in incident filtering.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: REST API request issue

    Posted Tue February 25, 2020 02:58 AM
    I believe it means that the logic type "advanced" also does not work for incident filtering...
    That is extremely sad!
    The only solution I can see is to retrieve all incidents (as a list of tuples) and then filter them manually using a custom Python algorithm, so that the result looks as if "OR" logic were involved...

    ------------------------------
    Maksym Matviienko
    ------------------------------
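One way to do the client-side filtering described in reply 3, as an added example (not code from the thread or from QRadar SOAR): it evaluates the thread's two conditions locally with logic_type "all" or "any", and assumes the incidents were already retrieved and that "contains" is a substring match and "equals" an exact match.

```python
# Added example for the client-side "OR" workaround from reply 3; not code from
# the thread or from QRadar SOAR. Assumes the incidents were already fetched
# (e.g. POST /orgs/{org_id}/incidents/query with no filters), that "contains"
# is a case-sensitive substring match and "equals" an exact match, and that
# several entries in "filters" are ANDed together.
from typing import Any, Callable, Dict, List

# Condition methods evaluated locally (assumed semantics, see above).
METHODS: Dict[str, Callable[[Any, Any], bool]] = {
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
    "equals": lambda actual, expected: actual == expected,
}

# The two conditions from the thread; only logic_type differs between its queries.
THREAD_CONDITIONS = [
    {"method": "contains", "field_name": "name", "value": "test"},
    {"method": "equals", "field_name": "severity_code", "value": 405},
]

# Constructed sample data: the thread's three incidents plus one non-"test"
# incident with severity high, so the OR case is visible.
INCIDENTS = [
    {"id": 1, "name": "test1", "severity_code": 404},
    {"id": 2, "name": "test2", "severity_code": 404},
    {"id": 3, "name": "test3", "severity_code": 405},
    {"id": 4, "name": "phishing", "severity_code": 405},
]

def condition_matches(incident: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one condition; a missing field never matches."""
    check = METHODS[cond["method"]]  # KeyError for methods not emulated here
    return check(incident.get(cond["field_name"]), cond["value"])

def filter_matches(incident: Dict[str, Any], flt: Dict[str, Any]) -> bool:
    """Combine the filter's conditions according to its logic_type."""
    results = [condition_matches(incident, c) for c in flt["conditions"]]
    logic = flt.get("logic_type", "all")
    if logic == "all":
        return all(results)
    if logic == "any":
        return any(results)
    raise ValueError(f"logic_type {logic!r} is not emulated here")

def apply_filters(incidents: List[Dict[str, Any]], filters: List[Dict[str, Any]]) -> List[int]:
    """Ids of incidents matching every filter (filters ANDed, an assumption)."""
    return [i["id"] for i in incidents if all(filter_matches(i, f) for f in filters)]

def query_ids(logic_type: str) -> List[int]:
    """Run the thread's query locally with the given logic_type."""
    return apply_filters(INCIDENTS, [{"conditions": THREAD_CONDITIONS, "logic_type": logic_type}])
```

With the sample data, query_ids("all") returns only incident 3 (the result the thread reports for both queries), while query_ids("any") returns incidents 1 to 4, which is what an OR filter should give.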