IBM Security QRadar SOAR

I am using the restAPI /newsfeed to get the newsfeeds of the organization, but I have a problem:
it gives me the maximum number of the last 1000 entries, even if I set the parameter since_date = 1571235291000 (/newsfeed?since_date=1571235291000 ).
am I doing something wrong or is it the correct behavior? can't we go further back in the search?

------------------------------
Matteo Pedersoli
------------------------------

The newsfeed data comes back ordered by "date" with most current date first to oldest date. So changing the "since date" won't change what is returned by default, just potentially increase the amount of older data returned. So changing the call from Oct 19 to Sept 10 won't bring more data if 1000 rows are already return for Oct 19.

If you want to "go back in time", you will need to use the to_date query parameter. I'd actually recommend using to_date and since_date together to go back in time. Here is an example to get data from Oct 18 back to Oct 17:

https://staging2.internal.resilientsystems.com/rest/orgs/202/newsfeed?to_date=1603065600000&since_date=1602892800000

Unfortunately the API doesn't provide a way to tell if it has limited the result set to 1000 entries. So you'll have to assume that if the API returns 1000 entries then you'll have to start at oldest entry and go back from there.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Fri October 16, 2020 10:16 AM
From: Matteo Pedersoli
Subject: some doubts about the restAPI /newsfeed

I am using the restAPI /newsfeed to get the newsfeeds of the organization, but I have a problem:
it gives me the maximum number of the last 1000 entries, even if I set the parameter since_date = 1571235291000 (/newsfeed?since_date=1571235291000 ).
am I doing something wrong or is it the correct behavior? can't we go further back in the search?

------------------------------
Matteo Pedersoli
------------------------------

I've used exactly your quer:
/newsfeed?to_date=1603065600000&since_date=1602892800000

but I got the newsfeed from date 1603117633856 (2020/10/19 16:27:13.856000) to date 1603125235998 (2020/10/19 18:33:55.998000).

I'm using resilient v 37.2 and python (3.7.3) to make the request (resilient 32.0.140 - resilient-circuits 32.0.140) from a windows server.

------------------------------
Matteo Pedersoli
------------------------------

Original Message:
Sent: Mon October 19, 2020 12:07 PM
From: Ben Lurie
Subject: some doubts about the restAPI /newsfeed

The newsfeed data comes back ordered by "date" with most current date first to oldest date. So changing the "since date" won't change what is returned by default, just potentially increase the amount of older data returned. So changing the call from Oct 19 to Sept 10 won't bring more data if 1000 rows are already return for Oct 19.

If you want to "go back in time", you will need to use the to_date query parameter. I'd actually recommend using to_date and since_date together to go back in time. Here is an example to get data from Oct 18 back to Oct 17:

https://staging2.internal.resilientsystems.com/rest/orgs/202/newsfeed?to_date=1603065600000&since_date=1602892800000

Unfortunately the API doesn't provide a way to tell if it has limited the result set to 1000 entries. So you'll have to assume that if the API returns 1000 entries then you'll have to start at oldest entry and go back from there.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Fri October 16, 2020 10:16 AM
From: Matteo Pedersoli
Subject: some doubts about the restAPI /newsfeed

I am using the restAPI /newsfeed to get the newsfeeds of the organization, but I have a problem:
it gives me the maximum number of the last 1000 entries, even if I set the parameter since_date = 1571235291000 (/newsfeed?since_date=1571235291000 ).
am I doing something wrong or is it the correct behavior? can't we go further back in the search?

------------------------------
Matteo Pedersoli
------------------------------

Not sure why it is not working for you. You can try this directly from the command line using curl which may be easier than iterating on it with the circuits environment. But I would first try the to_date parameter. When you vary it to older dates it should not bring back newer dates. If that works, then you can combine it with the since_date to get a window of information.

I find using the browser to get the curl command and then modifying it from the command line is easiest to test differing query parameters:



Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Mon October 19, 2020 12:45 PM
From: Matteo Pedersoli
Subject: some doubts about the restAPI /newsfeed

I've used exactly your quer:
/newsfeed?to_date=1603065600000&since_date=1602892800000

but I got the newsfeed from date 1603117633856 (2020/10/19 16:27:13.856000) to date 1603125235998 (2020/10/19 18:33:55.998000).

I'm using resilient v 37.2 and python (3.7.3) to make the request (resilient 32.0.140 - resilient-circuits 32.0.140) from a windows server.

------------------------------
Matteo Pedersoli

Original Message:
Sent: Mon October 19, 2020 12:07 PM
From: Ben Lurie
Subject: some doubts about the restAPI /newsfeed

The newsfeed data comes back ordered by "date" with most current date first to oldest date. So changing the "since date" won't change what is returned by default, just potentially increase the amount of older data returned. So changing the call from Oct 19 to Sept 10 won't bring more data if 1000 rows are already return for Oct 19.

If you want to "go back in time", you will need to use the to_date query parameter. I'd actually recommend using to_date and since_date together to go back in time. Here is an example to get data from Oct 18 back to Oct 17:

https://staging2.internal.resilientsystems.com/rest/orgs/202/newsfeed?to_date=1603065600000&since_date=1602892800000

Unfortunately the API doesn't provide a way to tell if it has limited the result set to 1000 entries. So you'll have to assume that if the API returns 1000 entries then you'll have to start at oldest entry and go back from there.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Fri October 16, 2020 10:16 AM
From: Matteo Pedersoli
Subject: some doubts about the restAPI /newsfeed

I am using the restAPI /newsfeed to get the newsfeeds of the organization, but I have a problem:
it gives me the maximum number of the last 1000 entries, even if I set the parameter since_date = 1571235291000 (/newsfeed?since_date=1571235291000 ).
am I doing something wrong or is it the correct behavior? can't we go further back in the search?

------------------------------
Matteo Pedersoli
------------------------------