IBM Security QRadar SOAR

  • 1.  Update multiple incidents via REST API

    Posted Fri March 06, 2020 01:13 PM
    I'd like to update multiple incidents using the REST API.  The REST API documentation shows this can be done using a PATCH call to the /orgs/{org_id}/incidents endpoint.  I'm not seeing in the documentation where to specify what incident IDs I want to update. 

    Also, the MultiPatchDTO is a bit different from the PatchDTO that updating a single incident uses - so this is throwing me off as well.

    My initial use case is to use the API to close multiple incidents that meet certain parameters.

    ------------------------------
    David Vasil
    ------------------------------


  • 2.  RE: Update multiple incidents via REST API
    Best Answer

    Posted Mon March 09, 2020 08:52 AM
    I always find that in situations like this seeing how the UI does it is most helpful.

    curl 'https://server.com/rest/orgs/230/incidents' -X PATCH \
    -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/json' \
    -H 'X-sess-id: 3298fbf0f50bbfcc8373b0d3db2708ef' -H 'handle_format: ids' -H 'text_content_output_format: objects_convert' \
    -H 'browser_locale: en' -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Origin: https://server.com' -H 'Connection: keep-alive' \
    -H 'Cookie: _ga=GA1.2.1382814266.1575940211; JSESSIONID=E3E2557A199D6C374F60A263F97AB64B; CSRF_TOKEN=7b2276616c7565223a226362313836626237613331343963346264386463316636303162613130663231227d' \
    --data '{"patches":{"6063":{"version":6,"changes":[{"old_value":{"object":"A"},"new_value":{"object":"C"},"field":{"name":"plan_status","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":1583193600000},"field":{"name":"actual_release_date","id":null,"null":false}},{"old_value":{},"new_value":{"object":"dfdfd"},"field":{"name":"ga_release_number","id":null,"null":false}},{"old_value":{},"new_value":{"object":"ddfdf"},"field":{"name":"integration_test_time","id":null,"null":false}},{"old_value":{},"new_value":{"object":"fdfd"},"field":{"name":"required","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":14903},"field":{"name":"resolution_id","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":"<div class=\"rte\"><div>dff</div></div>"},"field":{"name":"resolution_summary","id":null,"null":false}}]},"7137":{"version":8,"changes":[{"old_value":{"object":"A"},"new_value":{"object":"C"},"field":{"name":"plan_status","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":1583193600000},"field":{"name":"actual_release_date","id":null,"null":false}},{"old_value":{},"new_value":{"object":"dfdfd"},"field":{"name":"ga_release_number","id":null,"null":false}},{"old_value":{},"new_value":{"object":"ddfdf"},"field":{"name":"integration_test_time","id":null,"null":false}},{"old_value":{},"new_value":{"object":"fdfd"},"field":{"name":"required","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":14903},"field":{"name":"resolution_id","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":"<div class=\"rte\"><div>dff</div></div>"},"field":{"name":"resolution_summary","id":null,"null":false}}]}}}'

    Here I selected two incidents from the incident list and closed them. I received a prompt for required fields and then the UI called the patch command to the server.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 04:28 AM
    Edited by Lucian Sipos Tue October 19, 2021 05:38 AM
    Hi Ben

    I am trying to do this in a Python script but it doesn't work for me.

    # resilient_client is an already-connected resilient.SimpleClient created elsewhere in the script
    def patch_incident_multiple_properties_dicts(self, patches_json):
        # handle_format=names lets field values be given by their display name instead of their ID
        uri = '/incidents?handle_format=names'
        patch_response = resilient_client.patch(uri, patches_json, overwrite_conflict=True)

        return patch_response


    # MultiPatchDTO body: one entry per incident ID, each carrying the incident's current version
    patches_dict = {
        "patches": {
            "24792": {
                "changes": [
                    {
                        "field": {"name": "priority"},
                        "old_value": {"object": "Average"},
                        "new_value": {"object": "Low"}
                    }],
                "version": 12345
            }
        }
    }

    RU.patch_incident_multiple_properties_dicts(patches_dict)

    It ends up with a KeyError: 'success'.

    Traceback (most recent call last):
      File "C:\Users\l.sipos\Desktop\Utils Scripts\Offline\utils.py", line 562, in <module>
        RU.patch_incident_multiple_properties_dicts(patches_dict)
      File "C:\Users\l.sipos\Desktop\Utils Scripts\Offline\utils.py", line 156, in patch_incident_multiple_properties_dicts
        patch_response = resilient_client.patch(uri, patches_json, overwrite_conflict=True)
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 462, in patch
        return self.patch_with_callback(uri, patch, callback, co3_context_token, timeout)
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 480, in patch_with_callback
        while self._handle_patch_response(response, patch, callback):
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 388, in _handle_patch_response
        if not patch_status.is_success() and patch_status.has_field_failures():
      File "C:\Program Files\Python39\lib\site-packages\resilient\patch.py", line 210, in is_success
        return self.patch_status_dict["success"]
    KeyError: 'success'


    I noticed that if I change the object from the literal "Average" to its ID value, the fields are updated on Resilient (but still with the KeyError in the script).

    Any help on this?

    ------------------------------
    Lucian Sipos
    ------------------------------



  • 4.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 08:25 AM
    The response from the PATCH command is supposed to be either a failure:

    {"success":false,"title":"Patch Failure","message":"One or more edits to an object (Type=Incident, ID 7,251) could not be applied due to a conflicting edit by another user. The following fields were in conflict:  benselect1","hints":["patch_conflict_detected"],"error_code":"generic","field_failures":[{"field":"benselect1","your_original_value":null,"actual_current_value":18374}]}

    Or a success:

    {"success":true,"title":null,"message":null,"hints":[]}

    In both cases the response has a success field.

    The Python error seems to indicate that the response from the server did not contain a success key as shown above.

    Looking at the library I can see that

    resilient_client.patch(uri, patches_json, overwrite_conflict=True)

    only supports patching a single incident. It does not support patching multiple incidents at the same time.

    When multiple incidents are patched at the same time the following is an example of a failure message:

    {"failures":{"7252":{"success":false,"title":"Patch Failure","message":"One or more edits to an object (Type=Incident, ID 7,252) could not be applied due to a conflicting edit by another user. The following fields were in conflict:  owner_id","hints":["patch_conflict_detected"],"error_code":"generic","field_failures":[{"field":6253,"your_original_value":27,"actual_current_value":650}]}}}

    Notice there is no top-level success key; it exists further down in the JSON hierarchy.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
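The following is an added example, not code from the thread or from the resilient Python library. It builds the MultiPatchDTO body that the UI sent in post 2 (one entry per incident ID, each with its version and a list of old_value/new_value changes) and parses the two response shapes Ben describes in post 4: the single-incident shape with a top-level "success" key, and the multi-incident shape that reports failures per incident ID under "failures". The helper names, the auth_headers argument, and the assumption that a multi-patch response with no "failures" entry means every patch was applied are mine; the sample failure response is constructed from the one quoted above.

```python
import json
import urllib.request

# Added example; not the resilient library's API. Assumptions: the caller already holds
# an authenticated session (its headers are passed in), and each incident's current
# version and field values were fetched beforehand with GET /incidents/{id}.


def build_multi_patch(updates):
    """Build a MultiPatchDTO body: {"patches": {"<incident_id>": {"version", "changes"}}}.

    updates is a list of dicts such as
      {"id": 7252, "version": 8, "changes": [("plan_status", "A", "C")]}
    old_value is what the client last saw; the server compares it and the version
    against the stored incident to detect a conflicting edit by another user.
    """
    patches = {}
    for upd in updates:
        patches[str(upd["id"])] = {
            "version": upd["version"],
            "changes": [
                {
                    "field": {"name": field},
                    "old_value": {"object": old},
                    "new_value": {"object": new},
                }
                for field, old, new in upd["changes"]
            ],
        }
    return {"patches": patches}


def parse_patch_response(body):
    """Normalise both response shapes into {incident_id: failure_dict}.

    Single-incident PATCH: {"success": bool, "title", "message", "hints", ...}
    Multi-incident PATCH:  {"failures": {"7252": {"success": false, ...}}}
    The resilient client's _handle_patch_response only understands the first,
    which is what produces the KeyError: 'success' seen in the thread.
    """
    if "success" in body:                           # single-incident shape
        return {} if body["success"] else {"single": body}
    # Multi shape. Assumption: a missing or empty "failures" map means all patches applied.
    return dict(body.get("failures") or {})


def conflict_ids(failures):
    """Incident IDs whose failure was an optimistic-concurrency conflict (stale version/old_value)."""
    return sorted(
        inc_id for inc_id, failure in failures.items()
        if "patch_conflict_detected" in failure.get("hints", [])
    )


def send_multi_patch(base_url, org_id, body, auth_headers, handle_format="names"):
    """PATCH /rest/orgs/{org_id}/incidents with a MultiPatchDTO; returns the parsed failures map.

    auth_headers is whatever the caller's session needs (assumption: supplied by the caller).
    handle_format controls whether select-field values are given by name or by ID.
    Not exercised offline.
    """
    req = urllib.request.Request(
        f"{base_url}/rest/orgs/{org_id}/incidents?handle_format={handle_format}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json", "Accept": "application/json", **auth_headers},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_patch_response(json.loads(resp.read() or b"{}"))


# Constructed sample mirroring the multi-incident failure response quoted in the thread.
SAMPLE_MULTI_FAILURE = {
    "failures": {
        "7252": {
            "success": False,
            "title": "Patch Failure",
            "message": "One or more edits could not be applied due to a conflicting edit by another user.",
            "hints": ["patch_conflict_detected"],
            "error_code": "generic",
            "field_failures": [{"field": 6253, "your_original_value": 27, "actual_current_value": 650}],
        }
    }
}

if __name__ == "__main__":
    body = build_multi_patch([{"id": 7252, "version": 8, "changes": [("plan_status", "A", "C")]}])
    print(json.dumps(body, indent=2))
    print("conflicts:", conflict_ids(parse_patch_response(SAMPLE_MULTI_FAILURE)))
```

When a conflict is reported, re-read the incident to get its current version and field values and rebuild the patch with those as old_value; resending the stale patch unchanged will fail the same way.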



  • 5.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 10:04 AM
    Edited by System Thu November 11, 2021 11:15 AM
    Hi @Ben Lurie

    So, as of today, we can't do a multi-patch directly using the resilient.patch method?

    patches_dict = {
        "patches": {
            "24792": {
                "changes": [
                    {
                        "field": {"name": "priority"},
                        "old_value": {"object": 102},
                        "new_value": {"object": 104}
                    }],
                "version": 12345
            }
        }
    }


    Using it like this seems to work, but as said, still with the error. It looks like there is some non-implemented error management in the resilient.co3._handle_patch_response() method.

    Am I right?



    ------------------------------
    Lucian Sipos
    ------------------------------



  • 6.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 11:05 AM
    You are correct.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------