IBM Security QRadar SOAR

  • 1.  Making API Request to get Incidents Statistic?

    Posted Wed January 13, 2021 05:29 PM
    Hello, I'm trying to make a small script to get incident statistics automatically every day, but I'm getting confused when searching through Resilient's API Reference since it's not clear enough. There are some fields I couldn't understand, and I don't know how to get the correct output (e.g. the number of incidents created/resolved each day, for a specific period of time). The image below is self-explanatory:

    Captured from API:
    rest/orgs/[org_id]/stats/counts?end_date=1610301661000&simulations=false&start_date=1610301661000
    No matter what I change the end_date and start_date fields to, it always returns the same result (tried in the Resilient Interactive REST API page):

    {
      "status_counts": {
        "A": 1,
        "C": 384 <-- This is the total number of incidents
      },
      "active_users": 32
    }

    The expected output should be the correct number of incidents for each day, not the total number of incidents (displayed in the C field of the response).
    Platform: Resilient v39.1.43
    Any help would be appreciated.
    Regards



  • 2.  RE: Making API Request to get Incidents Statistic?

    Posted Thu January 14, 2021 02:16 AM
    Edited by Richard Giesige Thu January 14, 2021 02:16 AM
    I had the exact same experience running this stats query. 

    For my group we ended up writing a filter for the API endpoint
    POST /orgs/{org_id}/incidents/query_paged
    It wasn't easy, but it got the data from this one. Here is an example filter that just returns all incidents that are active:
    {
    	"filters": [{
    		"conditions": [{
    			"method": "equals",
    			"field_name": "plan_status",
    			"value": "A"
    		}],
    		"logic_type": "all",
    		"type_handle": {
    			"name": "string"
    		}
    	}]
    }
    What you can do is build off this and add more conditions, like the incident's open-date field being greater than a certain millisecond timestamp, and that would get you what you wanted. For the "method" values you should reference this page on your Resilient server: docs/rest-api/json_MethodName.html


    Feel free to reach out to me if you want more help on this.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------



  • 3.  RE: Making API Request to get Incidents Statistic?

    Posted Thu January 14, 2021 09:15 AM
    It looks like the API documentation is incorrect for that API (and maybe others in that OrgStatisticsREST). That API only uses the simulations query parameter.

    There is a POST version of that endpoint that takes the same POST body as
    /orgs/{org_id}/incidents/query_paged
    that Richard mentioned. I can see it is not documented for some reason, but the UI uses it.

    Here I have asked for incident status data for a given range of when incidents were created:



    This looks like this API call:

    # Request captured from the browser: it authenticates with the UI's session cookie,
    # X-sess-id and CSRF_TOKEN, which is why it works where the documented stats API did not.
    curl -k 'https://server/rest/orgs/317/incidents/pivot' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0' \
      -H 'Accept: */*' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      --compressed \
      -H 'Content-Type: application/json' \
      -H 'X-sess-id: 0dc2c272918156c876a48aa2a0e9f3d2' \
      -H 'handle_format: ids' \
      -H 'text_content_output_format: objects_convert' \
      -H 'browser_locale: en' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'Connection: keep-alive' \
      -H 'Cookie: _ga=GA1.2.1382814266.1575940211; JSESSIONID=CCF86C8B3202D705FD3F22C22BC54D13; CSRF_TOKEN=7b2276616c7565223a223734313265353438366262616230663161623162313663326336623938636230227d' \
      --data-raw '{"filters":[{"conditions":[{"field_name":"plan_status","method":"in","value":["A"]},{"field_name":"create_date","method":"gte","value":1577854800000},{"field_name":"create_date","method":"lte","value":1639458000000}]}],"row_fields":[{"arguments":{"field_name":"plan_status"}}],"function":{"type":"count"}}'

    This returns the data grouped in the way asked for.

    If you play around with custom widgets on the UI you can see lots of options to use with the API.

    If you don't need grouping and just need counts you can use the query_paged API and ask for 1 record to be returned (just makes it faster if the server does not have to return the actual data). It will return the count matched.

    Ben



    ------------------------------
    Ben Lurie
    ------------------------------
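    The two replies above describe the query_paged filter (status plus a create_date range, page length 1 to get only the count) and the pivot body captured from the UI. Below is an added example, not code from this thread or from IBM, that builds those bodies for every day in a range and reads the matched count back; it swaps the browser session cookie and CSRF token in the captured curl for an API key sent as HTTP Basic auth (assumed to be what the Resilient Python client does). The paging keys "start"/"length", the response key "recordsTotal", the incident field end_date for the close date, and the incident records used for the offline run are all assumptions, and the in-memory stand-in for query_paged is constructed here so the script runs without a server.

```python
"""Per-day incident counts from QRadar SOAR / Resilient via query_paged.

Added example; not from the thread or from IBM. Assumed, not verified
against a server: paging keys "start"/"length", response key
"recordsTotal", the end_date field, and Basic auth with an API key.
"""
import base64
import json
import ssl
import urllib.request
from datetime import date, datetime, timedelta, timezone


def day_bounds_ms(day, tz=timezone.utc):
    """Epoch-millisecond [start, end] of one calendar day, end inclusive
    (the thread's filters use gte/lte, so end is the day's last ms)."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    next_start = start + timedelta(days=1)
    return int(start.timestamp()) * 1000, int(next_start.timestamp()) * 1000 - 1


def count_body(date_field, start_ms, end_ms, statuses=None):
    """query_paged body for incidents whose `date_field` lies in the range.
    length=1: only the count is wanted, so no point returning records."""
    conditions = []
    if statuses:  # e.g. ["C"] for closed incidents, as in Richard's filter
        conditions.append({"field_name": "plan_status", "method": "in",
                           "value": list(statuses)})
    conditions += [
        {"field_name": date_field, "method": "gte", "value": start_ms},
        {"field_name": date_field, "method": "lte", "value": end_ms},
    ]
    return {"filters": [{"conditions": conditions, "logic_type": "all"}],
            "start": 0, "length": 1}  # assumed paging keys


def pivot_body(start_ms, end_ms, group_field="plan_status"):
    """Pivot body shaped like the curl in the thread: count incidents
    created in the range, grouped by plan_status."""
    return {
        "filters": [{"conditions": [
            {"field_name": "create_date", "method": "gte", "value": start_ms},
            {"field_name": "create_date", "method": "lte", "value": end_ms},
        ]}],
        "row_fields": [{"arguments": {"field_name": group_field}}],
        "function": {"type": "count"},
    }


def matched_count(response):
    """Count of incidents matching the filter (assumed key: recordsTotal)."""
    return int(response["recordsTotal"])


def daily_counts(post, first_day, last_day, date_field="create_date", statuses=None):
    """{ISO date: count} for each day in [first_day, last_day].
    `post` takes a body dict and returns the parsed JSON response."""
    out, day = {}, first_day
    while day <= last_day:
        s, e = day_bounds_ms(day)
        out[day.isoformat()] = matched_count(post(count_body(date_field, s, e, statuses)))
        day += timedelta(days=1)
    return out


def http_query_paged(base_url, org_id, api_key_id, api_key_secret, cafile=None):
    """Real transport (not exercised offline): API key via Basic auth instead
    of the browser session cookie + CSRF token seen in the captured curl."""
    creds = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode()).decode()
    ctx = ssl.create_default_context(cafile=cafile)  # verify TLS; no curl -k

    def post(body):
        req = urllib.request.Request(
            f"{base_url}/rest/orgs/{org_id}/incidents/query_paged",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {creds}"},
            method="POST")
        with urllib.request.urlopen(req, context=ctx) as r:
            return json.load(r)
    return post


# Constructed stand-in for the server so the builders can be run offline.
_OPS = {"equals": lambda a, b: a == b, "in": lambda a, b: a in b,
        "gte": lambda a, b: a is not None and a >= b,
        "lte": lambda a, b: a is not None and a <= b}


def local_query_paged(incidents):
    """Evaluate a query_paged body against an in-memory incident list."""
    def post(body):
        conds = body["filters"][0]["conditions"]
        hits = [i for i in incidents
                if all(_OPS[c["method"]](i.get(c["field_name"]), c["value"]) for c in conds)]
        return {"recordsTotal": len(hits), "data": hits[:body.get("length", len(hits))]}
    return post


D13 = 1610496000000  # 2021-01-13 00:00 UTC; D14 is the next day
D14 = D13 + 86_400_000
SAMPLE_INCIDENTS = [  # constructed records, not real SOAR data
    {"id": 1, "plan_status": "A", "create_date": D13 + 3_600_000, "end_date": None},
    {"id": 2, "plan_status": "C", "create_date": D13 + 7_200_000, "end_date": D14 + 1_000},
    {"id": 3, "plan_status": "C", "create_date": D14 + 60_000, "end_date": D14 + 120_000},
    {"id": 4, "plan_status": "C", "create_date": D13 - 96_000_000, "end_date": None},
]

if __name__ == "__main__":
    post = local_query_paged(SAMPLE_INCIDENTS)
    print("created:", daily_counts(post, date(2021, 1, 13), date(2021, 1, 14)))
    print("closed:", daily_counts(post, date(2021, 1, 13), date(2021, 1, 14), "end_date", ["C"]))
```

To run it against a real server, replace `local_query_paged(SAMPLE_INCIDENTS)` with `http_query_paged("https://server", 317, key_id, key_secret)`; the bodies are the same in both cases, which is the point of keeping transport and filter construction separate. Using a tz-aware day boundary matters: the timestamps in the captured curl are in milliseconds and the server compares them as absolute instants, so an off-by-timezone day window silently shifts incidents between days.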



  • 4.  RE: Making API Request to get Incidents Statistic?

    Posted Thu January 14, 2021 09:27 PM
    Edited by TCB SIRT Thu January 14, 2021 09:34 PM
    Thanks so much for pointing that out. I tried
    POST /orgs/{org_id}/incidents/query_paged
    and it worked like a charm!
    By the way, I found a working example and, with some slight modifications, made it fulfill my requirements, so I'm leaving it here as a reference:
    https://github.com/ibmresilient/resilient-python-examples/blob/master/export-to-json/export_to_json/bin/export_to_json.py
    ------------------------------
    TCB SIRT
    ------------------------------