IBM Security QRadar SOAR

  • 1.  API Bug

    Posted Fri November 19, 2021 08:49 PM

    Hi Team!

    After a couple of days fighting with the SOAR API function for updating one datatable row I think I have found a bug. This wrong behavior is easy to reproduce both in SOAR v41 and v42 using the API swagger.


    The documentation indicates that in order to update a datatable row, a PUT request must be sent to the URL:

     /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}/row_data/{row_id}

    According to the documentation, the {table_id} in these API calls is either the internal ID for that datatable or its name.
    I always provide the name I selected for that table as the ID is an internal value. This (using the name for the table_id) works for the GET request to retrieve datatable data. But when providing the name in the PUT to update a row a 500 error is returned.

    I tried many options for the uploaded data (even copying the response format from the GET although keeping just one row from the table). No way.

    Then I went back to the SOAR dashboard and realized that (using the browser debugger), when updating a row, SOAR Dashboard uses the ID for the REST call. That was it! This PUT API does not accept the name when referring to a datatable (although the documentation states it does).

    Steps to reproduce the error.

    In swagger make a PUT request using the datatable name for the table_ID:
    This results in this 500 error:

    Now replace the name and use the ID:
    The result is the expected one. RC is 200 and the updated row is returned (names has been specified for the handle_ouput format).

    Using the datatable name is accepted (as I mentioned before) when using a GET request to retrieve the datatable contents:


    Thanks for your time!



    ------------------------------
    GENARO NIETO FERNANDEZ
    ------------------------------



  • 2.  RE: API Bug

    Posted Mon November 22, 2021 09:28 AM
    I was able to update a row using the name of the table:


    Can you share a screenshot of the datatable configuration where the display name and API Name of the table are configured? Just to limit the test further, just try updating one column as I did.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: API Bug

    Posted Wed November 24, 2021 07:04 AM

    Hi Ben, 
    thanks for your time and sorry for my delayed response. I have tried as suggested with a single value and a streamlined request (no additional row_id or names). Same problem.

    I see that your request was using the id for the column instead of the name. So I tried that. Same error:

     
    Finally, I switched the datatable name for its id in the request. Worked.


    Is this the screenshot you need?

    The GET request for the table works fine using the name instead of the ID (without handle_format:names):



    And with handle_format:names:

    Thanks!!



    ------------------------------
    GENARO NIETO FERNANDEZ
    ------------------------------



  • 4.  RE: API Bug

    Posted Wed November 24, 2021 08:34 AM
    I tried again to reproduce the issue with your settings. But no luck. 

    In the log file /usr/share/co3/logs/client.log the error and a stack trace will be there. That may give a clue as to what is going on.

    You could also open a support case and they can help you through it.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------