IBM Security QRadar SOAR

  • 1.  Attached incidents?

    Posted Mon August 12, 2019 04:29 PM
    I need to know if an incident has attachments or not.

    I'm using "IncidentAttachmentREST", but I do not see the number of attachments.

    /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}



    ------------------------------
    Juan Cruz Del Col
    ------------------------------


  • 2.  RE: Attached incidents?

    Posted Mon August 12, 2019 08:03 PM
    Hi Juan,

    You can use "POST /orgs/{org_id}/incidents/{inc_id}/attachments/query" endpoint.
    It returns the attachments as an array, so you can check whether the length of "response['attachments']" is greater than 0.

    ------------------------------
    LILY WANG
    ------------------------------



  • 3.  RE: Attached incidents?

    Posted Tue August 13, 2019 10:13 AM
    Lily, thank you very much for the answer.
    I have tried this, but I had no answer.
    Look:


    DEBUG Log:
    2019-08-13 11:08:45,199 DEBUG [actions_component] Task: <function _call_the_task at 0x7f0a764c51b8>
    2019-08-13 11:08:45,200 DEBUG [decorators] Thread-3: _call_the_task
    2019-08-13 11:08:45,200 INFO [utilities_call_rest_api] rest_method: POST
    2019-08-13 11:08:45,201 INFO [utilities_call_rest_api] rest_url: https://10.4.0.22/rest/orgs/201/incidents/6776/attachments/query?include_tasks=true
    2019-08-13 11:08:45,201 INFO [utilities_call_rest_api] rest_headers:
    Content-Type: application/json
    X-Frooble: Baz
    
    2019-08-13 11:08:45,202 INFO [utilities_call_rest_api] rest_body:
    {
    
    }
    
    2019-08-13 11:08:45,202 INFO [utilities_call_rest_api] rest_verify: False
    2019-08-13 11:08:45,204 DEBUG [connectionpool] Starting new HTTPS connection (1): 10.4.0.22
    2019-08-13 11:08:45,232 DEBUG [connectionpool] https://10.4.0.22:443 "POST /rest/orgs/201/incidents/6776/attachments/query?include_tasks=true HTTP/1.1" 401 None
    2019-08-13 11:08:45,236 DEBUG [universaldetector] no data received!
    2019-08-13 11:08:45,236 DEBUG [universaldetector] no probers hit minimum threshold
    2019-08-13 11:08:45,237 DEBUG [decorators] [utilities_call_rest_api] FunctionResult: <resilient_circuits.action_message.FunctionResult object at 0x7f0a7651d850>
    2019-08-13 11:08:45,603 DEBUG [actions_component] success! [<resilient_circuits.action_message.FunctionResult object at 0x7f0a7651d850>], <utilities_call_rest_api[functions.utilities_call_rest_api] (id=7, workflow=busca_adjunto, user=jdelcol@xelere.com) 2019-08-13 14:08:44.596000>
    2019-08-13 11:08:45,604 DEBUG [actions_component] Message: Completed
    2019-08-13 11:08:45,604 DEBUG [actions_component] Ack ID:xelres.xelerelocal.com-35915-1564572685106-3:3:719:1:1
    2019-08-13 11:08:45,605 DEBUG [actions_component] Result: {'cookies': {'JSESSIONID': 'B4ED28B6F9FCB6B1B23A5B33C12CF532'}, 'links': {}, 'text': u'', 'elapsed': 30, 'apparent_encoding': None, 'reason': 'Unauthorized', 'ok': False, 'url': u'https://10.4.0.22/rest/orgs/201/incidents/6776/attachments/query?include_tasks=true', 'headers': {'Transfer-Encoding': 'chunked', 'Set-Cookie': 'JSESSIONID=B4ED28B6F9FCB6B1B23A5B33C12CF532; Path=/; Secure; HttpOnly', 'Server': 'Co3', 'X-Content-Type-Options': 'nosniff', 'Date': 'Tue, 13 Aug 2019 14:08:44 GMT'}, 'json': None, 'status_code': 401}
    2019-08-13 11:08:45,607 DEBUG [stomp_component] ack_frame()
    2019-08-13 11:08:45,608 DEBUG [client] Sending ACK frame [headers={'id': u'ID:xelres.xelerelocal.com-36623-1564572530524-24:3'}, version=1.2]
    2019-08-13 11:08:45,608 DEBUG [stomp_component] Ack Sent
    2019-08-13 11:08:45,610 DEBUG [stomp_component] send()
    2019-08-13 11:08:45,610 DEBUG [client] Sending SEND frame [headers={'destination': u'/queue/acks.201.fn_utilities', 'correlation-id': u'invid:12326'}, body='{\n  "message": "Comp...', version=1.2]
    2019-08-13 11:08:45,611 DEBUG [stomp_component] Message sent


    Nothing appears in the Note



    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 4.  RE: Attached incidents?

    Posted Tue August 13, 2019 09:27 PM
    Hi Juan,

    You cannot call the API using the "utilities_call_rest_api" function directly. Refer to the article https://success.resilientsystems.com/hc/en-us/articles/360000791725-Creating-an-incident-using-the-API: to access the Resilient REST API, you need to log in and add a CSRF token to your request.
    To get the attachment from function script, I suggest you use:
    attachments = self.rest_client().post("/incidents/{}/attachments/query".format(incident_id), {"conditions": []})



    ------------------------------
    LILY WANG
    ------------------------------



  • 5.  RE: Attached incidents?

    Posted Wed August 14, 2019 01:18 PM
    Lily, would it be possible to use "Utilities: Resilient Search"?

    Sorry, but I don't know how to use "attachments = self.rest_client.post("/incidents/{}/attachments/query".format(incident_id), {"conditions": []})"

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 6.  RE: Attached incidents?

    Posted Fri August 16, 2019 02:49 AM
    Hi Juan,

    "Utilities: Resilient Search" is the same as the search function in the Resilient web UI. If you know the attachment name and would like to search for the incidents that contain that attachment name, you can use this function.
    If you need to get attachments of an incident, I still suggest you use the API below:
    attachments = self.rest_client().post("/incidents/{}/attachments/query".format(incident_id), {})
    You can add this script to a Python function script and use "log.debug" to print out what it returns for testing purposes. You can also try it from the interactive REST API via the web console.


    ------------------------------
    LILY WANG
    ------------------------------
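The query that replies 4 and 6 recommend, written out as an added example that is not code from the thread or from IBM. It assumes a resilient-circuits function script where the authenticated client comes from `self.rest_client()` (the `FakeRestClient` class and the attachment records below are constructed stand-ins so it runs offline), and it normalises both response shapes mentioned in the thread: a dict with an "attachments" key or a bare list. The direct "utilities_call_rest_api" call in the log above returned HTTP 401 because it carried no session cookie and no CSRF token; `SimpleClient.post` supplies both and prepends /orgs/{org_id} itself, which is why the URI starts at /incidents.

```python
# Added example, not code from the thread: check whether an incident has
# attachments through the authenticated SOAR REST client. In a
# resilient-circuits function script the client would come from
# `client = self.rest_client()`; FakeRestClient below is a stand-in with
# constructed data so the example runs offline.

ATTACHMENT_QUERY = "/incidents/{}/attachments/query"


def query_attachments(client, incident_id):
    """POST the attachments query for one incident and return a list of attachment dicts.

    Both response shapes are normalised: a dict with an "attachments" key
    (what reply 2 describes) or a bare list.
    """
    uri = ATTACHMENT_QUERY.format(int(incident_id))   # int() rejects non-numeric ids
    response = client.post(uri, {"conditions": []})   # empty conditions = all attachments
    if isinstance(response, dict):
        return list(response.get("attachments") or [])
    return list(response or [])


def has_attachments(client, incident_id):
    """True when the incident has at least one attachment."""
    return len(query_attachments(client, incident_id)) > 0


def summarize_attachments(client, incident_id):
    """Small summary dict, suitable as a function result or as a note body."""
    atts = query_attachments(client, incident_id)
    return {
        "incident_id": int(incident_id),
        "count": len(atts),
        "names": [a.get("name") for a in atts],
        "total_bytes": sum(a.get("size", 0) for a in atts),
    }


class FakeRestClient(object):
    """Offline stand-in for resilient.SimpleClient (constructed responses only)."""

    def __init__(self, responses):
        self._responses = responses   # incident id -> decoded JSON response
        self.calls = []               # (uri, payload) pairs, kept for inspection

    def post(self, uri, payload, **kwargs):
        self.calls.append((uri, payload))
        incident_id = int(uri.split("/")[2])
        if incident_id not in self._responses:
            # The real client raises on non-2xx responses (such as the 401 in
            # the log); a plain exception stands in for that here.
            raise RuntimeError("HTTP error for {}".format(uri))
        return self._responses[incident_id]


# Constructed sample data: 6776 has two attachments, 6777 has none,
# 6778 answers with a bare list instead of a dict.
SAMPLE_RESPONSES = {
    6776: {"attachments": [
        {"id": 1, "name": "capture.pcap", "size": 20480, "content_type": "application/octet-stream"},
        {"id": 2, "name": "notes.txt", "size": 512, "content_type": "text/plain"},
    ]},
    6777: {"attachments": []},
    6778: [{"id": 3, "name": "ioc.csv", "size": 128, "content_type": "text/csv"}],
}


def demo():
    """Summarise every constructed incident; returns {incident_id: summary}."""
    client = FakeRestClient(SAMPLE_RESPONSES)
    return {inc: summarize_attachments(client, inc) for inc in sorted(SAMPLE_RESPONSES)}


if __name__ == "__main__":
    for inc, summary in sorted(demo().items()):
        print("incident {}: {} attachment(s) {}".format(inc, summary["count"], summary["names"]))
```

Inside a real function component, `has_attachments(self.rest_client(), incident_id)` is the one-line check the original question asks for, and `summarize_attachments` gives a result dict that a post-process script can turn into a note; a non-2xx answer from the server surfaces as an exception from the client rather than as an empty note.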