IBM Security QRadar SOAR

  • 1.  Incident - query_paged

    Posted Fri May 10, 2019 10:55 AM
    Hello all,

    I am attempting to use /orgs/{org_id}/incidents/query_paged to pull back most, if not all, of my incidents so that I can work with the JSON data for custom reporting. Does anyone have an example of how to use this properly?

    url = '/incidents/query_paged?return_level=normal'
    filter = {"filters":[{"conditions":[{"field_name":"resolution_id","method":"in","value":[xxx,xxx,xxx,xxx]},{"field_name":"inc_training","method":"equals","value": False}]}]}
    incidents = client.post(url, filter)

    When I try this I still only get a max of 1000 results. I assume I'm doing something wrong.

    Thanks in advance!

    ------------------------------
    Frank Urbanski
    ------------------------------


  • 2.  RE: Incident - query_paged

    Posted Tue May 14, 2019 09:35 AM
    Frank,

    The server only returns a maximum of 1000 results at a time. This limit is there so that a single API request won't use excessive CPU and memory.

    The client needs to be built to perform paging. After getting the first page, set the start value to get results after the first page. The start value is effectively the number of results you've already retrieved. length is the number of results to return each request (up to a maximum of 1000).

    {"filters":[{"conditions":[{"field_name":"confirmed","method":"equals","value":[true,false]},{"field_name":"plan_status","method":"in","value":["A"]}]}],"sorts":[],"start":10,"length":10}



    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Incident - query_paged

    Posted Tue May 14, 2019 01:36 PM
    Hi Frank,

    Here is an example of how to use it:

    class FeedComponent:
        INC_PAGE_SIZE = 1000  # assumed value: the server's maximum page length

        @staticmethod
        def _page_incidents(rest_client):
            # Sort on id so the pages stay stable between requests.
            query = {
                'start': 0,
                'length': FeedComponent.INC_PAGE_SIZE,
                'sorts': [
                    {
                        'field_name': 'id',
                        'type': 'asc'
                    }
                ]
            }

            url = '/incidents/query_paged?return_level=normal'

            paged_results = rest_client.post(url, query)

            # Keep requesting pages until the server returns an empty 'data' list.
            while paged_results.get('data'):
                data = paged_results.get('data')

                for result in data:
                    yield result

                # Advance 'start' by the number of results already retrieved.
                query['start'] = len(data) + query['start']

                paged_results = rest_client.post(url, query)

    That method will "yield" results so it can be used like this:

    try:
        for incident in self._page_incidents(rest_client):
            inc_id = incident['id']

            ...
    except StopIteration:
        pass

    Hope this helps,
    Tamara



    ------------------------------
    Tamara Zlender
    ------------------------------
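Putting Ben's paging fields and Tamara's loop together, as an added example that is not from the thread: a pager that walks /incidents/query_paged in page_size chunks, run against a constructed in-memory stand-in for the SOAR REST client so it works offline. MAX_PAGE, FakeRestClient, the sample incidents and the inc_training filter value are assumptions; the request body shape ("filters", "sorts", "start", "length") and the "data" response key follow the thread.

```python
# Added example (not from the thread). MAX_PAGE, FakeRestClient and the
# sample incidents are constructed assumptions; the request body shape
# ("filters", "sorts", "start", "length") and the "data" key follow the thread.
MAX_PAGE = 1000  # the server caps every query_paged response at 1000 rows
INCIDENTS_URL = '/incidents/query_paged?return_level=normal'

def incident_query(start, length, training=False):
    """Build a query_paged body: the inc_training filter plus paging fields."""
    return {
        "filters": [{"conditions": [
            {"field_name": "inc_training", "method": "equals", "value": training},
        ]}],
        "sorts": [{"field_name": "id", "type": "asc"}],  # stable order between pages
        "start": start,
        "length": min(length, MAX_PAGE),  # asking for more than 1000 is pointless
    }

def page_incidents(rest_client, page_size=MAX_PAGE):
    """Yield every matching incident, advancing 'start' by the rows received."""
    start = 0
    while True:
        page = rest_client.post(INCIDENTS_URL, incident_query(start, page_size))
        data = page.get("data") or []
        for incident in data:
            yield incident
        if len(data) < min(page_size, MAX_PAGE):
            break  # short (or empty) page: nothing left to fetch
        start += len(data)

def collect_ids(rest_client, page_size=MAX_PAGE):
    """Convenience wrapper returning the ids of all paged incidents."""
    return [incident["id"] for incident in page_incidents(rest_client, page_size)]

class FakeRestClient:
    """Constructed offline stand-in for the SOAR REST client: applies the
    inc_training filter, sorts by id and enforces the 1000-row cap."""
    def __init__(self, incidents):
        self._incidents = incidents

    def post(self, url, body):
        want_training = body["filters"][0]["conditions"][0]["value"]
        rows = sorted((i for i in self._incidents if i["inc_training"] == want_training),
                      key=lambda i: i["id"])
        start, length = body["start"], min(body["length"], MAX_PAGE)
        return {"data": rows[start:start + length]}

# Constructed sample: 2500 incidents, every seventh one flagged as training.
SAMPLE = [{"id": n, "inc_training": n % 7 == 0} for n in range(1, 2501)]
```

A single post with a large length still comes back capped at 1000 rows, which is exactly the symptom in the first post; only advancing start across requests retrieves the remaining incidents.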



  • 4.  RE: Incident - query_paged

    Posted Wed May 15, 2019 08:12 AM
    Thanks everyone, I got it working the way I want to now! I really appreciate your time on this.

    ------------------------------
    Frank Urbanski
    ------------------------------