IBM QRadar SOAR

  • 1.  Update multiple incidents via REST API

    Posted Fri March 06, 2020 01:13 PM
    I'd like to update multiple incidents using the REST API.  The REST API documentation shows this can be done using a PATCH call to the /orgs/{org_id}/incidents endpoint.  I'm not seeing in the documentation where to specify what incident IDs I want to update. 

    Also, the MultiPatchDTO is a bit different from the PatchDTO that updating a single incident uses - so this is throwing me off as well.

    My initial use case is to use the API to close multiple incidents that meet certain parameters.

    ------------------------------
    David Vasil
    ------------------------------


  • 2.  RE: Update multiple incidents via REST API
    Best Answer

    Posted Mon March 09, 2020 08:52 AM
    I always find that in situations like this seeing how the UI does it is most helpful.

    curl 'https://server.com/rest/orgs/230/incidents' -X PATCH \
    -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/json' \
    -H 'X-sess-id: 3298fbf0f50bbfcc8373b0d3db2708ef' -H 'handle_format: ids' -H 'text_content_output_format: objects_convert' \
    -H 'browser_locale: en' -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Origin: https://server.com' -H 'Connection: keep-alive' \
    -H 'Cookie: _ga=GA1.2.1382814266.1575940211; JSESSIONID=E3E2557A199D6C374F60A263F97AB64B; CSRF_TOKEN=7b2276616c7565223a226362313836626237613331343963346264386463316636303162613130663231227d' \
    --data '{"patches":{"6063":{"version":6,"changes":[{"old_value":{"object":"A"},"new_value":{"object":"C"},"field":{"name":"plan_status","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":1583193600000},"field":{"name":"actual_release_date","id":null,"null":false}},{"old_value":{},"new_value":{"object":"dfdfd"},"field":{"name":"ga_release_number","id":null,"null":false}},{"old_value":{},"new_value":{"object":"ddfdf"},"field":{"name":"integration_test_time","id":null,"null":false}},{"old_value":{},"new_value":{"object":"fdfd"},"field":{"name":"required","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":14903},"field":{"name":"resolution_id","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":"<div class=\"rte\"><div>dff</div></div>"},"field":{"name":"resolution_summary","id":null,"null":false}}]},"7137":{"version":8,"changes":[{"old_value":{"object":"A"},"new_value":{"object":"C"},"field":{"name":"plan_status","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":1583193600000},"field":{"name":"actual_release_date","id":null,"null":false}},{"old_value":{},"new_value":{"object":"dfdfd"},"field":{"name":"ga_release_number","id":null,"null":false}},{"old_value":{},"new_value":{"object":"ddfdf"},"field":{"name":"integration_test_time","id":null,"null":false}},{"old_value":{},"new_value":{"object":"fdfd"},"field":{"name":"required","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":14903},"field":{"name":"resolution_id","id":null,"null":false}},{"old_value":{"object":null},"new_value":{"object":"<div class=\"rte\"><div>dff</div></div>"},"field":{"name":"resolution_summary","id":null,"null":false}}]}}}'

    Here I selected two incidents from the incident list and closed them. I received a prompt for required fields and then the UI called the patch command to the server.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 04:28 AM
    Edited by Lucian Sipos Tue October 19, 2021 05:38 AM
    Hi Ben

    I am trying to do this in a Python script but it doesn't work for me.

    # resilient_client is assumed to be an already authenticated resilient.SimpleClient
    def patch_incident_multiple_properties_dicts(self, patches_json):
        uri = '/incidents?handle_format=names'
        patch_response = resilient_client.patch(uri, patches_json, overwrite_conflict=True)

        return patch_response


    # MultiPatchDTO body: one entry per incident ID, each with its current version
    patches_dict = {
        "patches": {
            "24792": {
                "changes": [
                    {
                        "field": {"name": "priority"},
                        "old_value": {"object": "Average"},
                        "new_value": {"object": "Low"}
                    }],
                "version": 12345
            }
        }
    }

    RU.patch_incident_multiple_properties_dicts(patches_dict)

    It ends up with a KeyError: 'success'.

    Traceback (most recent call last):
      File "C:\Users\l.sipos\Desktop\Utils Scripts\Offline\utils.py", line 562, in <module>
        RU.patch_incident_multiple_properties_dicts(patches_dict)
      File "C:\Users\l.sipos\Desktop\Utils Scripts\Offline\utils.py", line 156, in patch_incident_multiple_properties_dicts
        patch_response = resilient_client.patch(uri, patches_json, overwrite_conflict=True)
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 462, in patch
        return self.patch_with_callback(uri, patch, callback, co3_context_token, timeout)
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 480, in patch_with_callback
        while self._handle_patch_response(response, patch, callback):
      File "C:\Program Files\Python39\lib\site-packages\resilient\co3.py", line 388, in _handle_patch_response
        if not patch_status.is_success() and patch_status.has_field_failures():
      File "C:\Program Files\Python39\lib\site-packages\resilient\patch.py", line 210, in is_success
        return self.patch_status_dict["success"]
    KeyError: 'success'


    I noticed that, if I change the object from the literal "Average" to its ID value, the fields are updated on Resilient (but still with the KeyError in the script).

    Any help on this?

    ------------------------------
    Lucian Sipos
    ------------------------------



  • 4.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 08:25 AM
    The response from the PATCH command is supposed to be either a failure:

    {"success":false,"title":"Patch Failure","message":"One or more edits to an object (Type=Incident, ID 7,251) could not be applied due to a conflicting edit by another user. The following fields were in conflict:  benselect1","hints":["patch_conflict_detected"],"error_code":"generic","field_failures":[{"field":"benselect1","your_original_value":null,"actual_current_value":18374}]}

    Or a success:

    {"success":true,"title":null,"message":null,"hints":[]}

    In both cases the response has a success field.

    The Python error seems to indicate that the response from the server did not contain a success key as shown above.

    Looking at the library I can see that

    resilient_client.patch(uri, patches_json, overwrite_conflict=True)

    only supports patching a single incident. It does not support patching multiple incidents at the same time.

    When multiple incidents are patched at the same time the following is an example of a failure message:

    {"failures":{"7252":{"success":false,"title":"Patch Failure","message":"One or more edits to an object (Type=Incident, ID 7,252) could not be applied due to a conflicting edit by another user. The following fields were in conflict:  owner_id","hints":["patch_conflict_detected"],"error_code":"generic","field_failures":[{"field":6253,"your_original_value":27,"actual_current_value":650}]}}}

    Notice there is no top-level success key. That exists further down in the JSON hierarchy.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
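    A small helper that builds the MultiPatchDTO body used in Ben's curl call and reads the multi-incident response format he describes (no top-level "success", per-incident entries under "failures"), so a script does not hit the KeyError shown earlier in the thread. This is an added example, not code from this thread or from the resilient library; it assumes an incident missing from "failures" was applied and leaves the authenticated HTTP call to the caller.

```python
"""Build a MultiPatchDTO and read a multi-incident PATCH response (added example,
not code from the thread or the resilient library; the HTTP call is left out)."""
import json


def build_multi_patch(edits):
    """edits: {incident_id: (current_version, [(field_name, old, new), ...])}.
    Returns the MultiPatchDTO body shaped like the UI's request in the thread;
    'version' is the incident version the server uses to detect conflicts."""
    patches = {}
    for inc_id, (version, changes) in edits.items():
        patches[str(inc_id)] = {
            "version": version,
            "changes": [
                {"field": {"name": name},
                 "old_value": {"object": old},
                 "new_value": {"object": new}}
                for name, old, new in changes
            ],
        }
    return {"patches": patches}


def parse_multi_patch_response(body):
    """Return {incident_id: [field failure dicts]} for a multi-incident response.
    The multi response has no top-level 'success'; per-incident status lives
    under 'failures'. Assumption: an incident absent from 'failures' was applied."""
    status = json.loads(body) if isinstance(body, str) else body
    if "success" in status:  # single-incident PatchStatusDTO, not a multi response
        raise ValueError("single-incident response; not a multi-incident response")
    result = {}
    for inc_id, st in (status.get("failures") or {}).items():
        conflict = "patch_conflict_detected" in st.get("hints", [])
        result[inc_id] = [
            {"field": f["field"], "expected": f["your_original_value"],
             "actual": f["actual_current_value"], "conflict": conflict}
            for f in st.get("field_failures", [])
        ]
    return result


# Constructed sample, modelled on the failure response quoted in the thread.
SAMPLE_FAILURE = (
    '{"failures":{"7252":{"success":false,"title":"Patch Failure",'
    '"message":"conflicting edit by another user","hints":["patch_conflict_detected"],'
    '"error_code":"generic","field_failures":[{"field":6253,'
    '"your_original_value":27,"actual_current_value":650}]}}}'
)
```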



  • 5.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 10:04 AM
    Edited by System Admin Thu November 11, 2021 11:15 AM
    Hi @Ben Lurie

    So, as of today, we can't do a multiple patch directly using the resilient.patch method?

    patches_dict = {
        "patches": {
            "24792": {
                "changes": [
                    {
                        "field": {"name": "priority"},
                        "old_value": {"object": 102},
                        "new_value": {"object": 104}
                    }],
                "version": 12345
            }
        }
    }


    Using it like this seems to work, but as said, still with the error. It looks like there is some non-implemented error management in the resilient.co3._handle_patch_response() method.

    Am I right?



    ------------------------------
    Lucian Sipos
    ------------------------------



  • 6.  RE: Update multiple incidents via REST API

    Posted Tue October 19, 2021 11:05 AM
    You are correct.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------