IBM Security SOAR

Expand all | Collapse all

Querying Incidents via API

  • 1.  Querying Incidents via API

    Posted Tue July 28, 2020 03:10 PM
    Edited by Jared Fagel Tue July 28, 2020 11:34 PM
    What's the best way to query incidents via the API?

    My use case is retrieving incidents with a field containing a certain value (efficiently). I'll be doing this through a Python script with resilient_client.get(uri)

    I see that these both are deprecated, without reason or further information:
    GET /orgs/{org_id}/incidents
    GET /orgs/{org_id}/incidents/open




    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------


  • 2.  RE: Querying Incidents via API

    Posted Wed July 29, 2020 07:15 AM
    Edited by Sean OGorman Wed July 29, 2020 07:16 AM

    Hi Jared,

    Thanks for your post, you mentioned the efficient nature of retrieving incidents data from the API endpoint in your post. The reason for deprecation of the existing endpoints is exactly that, system load and efficiently of retrieving such relevant incident data. The old API endpoints have been deprecated for performance reasons. Those APIs are very expensive in terms of cpu and memory on the Resilient instance, especially as you scale to large numbers of incidents.

    As mentioned in the deprecation message in the Interactive REST API:

    The POST /rest/incidents/query_paged endpoint should be used.

    The query paged API is much better for your use case anyway, since you can target exactly the set of incidents they want rather than all incidents or all open incidents where you need additional logic to process a further subset that is of interest to you. I hope this detail is of help to you, please don't hesitate to contact us if you have further questions.

    Kind regards,



    ------------------------------
    Sean OGorman
    ------------------------------



  • 3.  RE: Querying Incidents via API

    Posted Wed July 29, 2020 07:19 AM
    Hi @Jared Fagel

    It's something like this,

    def incidents_query(rest_client, field_name, value):
        query = {
                "filters":[
                    {"conditions":[
                        {
                            "field_name":field_name,
                            "method":"equals","value":value
                        },
                       ]}]}
    
        url = '/incidents/query?return_level=full'
    
        results = rest_client.post(url, query)
        return results​
    ​be careful about "return_level" . 

    Cheers

    ------------------------------
    Jasmine
    ------------------------------



  • 4.  RE: Querying Incidents via API

    Posted Wed July 29, 2020 11:06 AM
    Thanks for the information @Sean O'Gorman and for the good example @Jasmine.​​

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------