IBM Security QRadar SOAR

  • 1.  Auto closing of resilient incident

    Posted Mon November 02, 2020 11:07 AM
    Edited by AXE LAW Wed November 04, 2020 11:22 AM
    It seems like the resilient incident is unable to close automatically because "Incident Status" or "plan_status" is read-only.

    I tried to write the REST API call to close the incident;
    under /docs/rest-api/ui/index.html it only has the following, but no "close":
    PUT /orgs/{org_id}/incidents/delete
    GET /orgs/{org_id}/incidents/open
    PUT /orgs/{org_id}/incidents/patch
    POST /orgs/{org_id}/incidents/query

    I tried patch with resolution_id, resolution_summary and plan_status.
    It doesn't work as expected.

    Under the API key permissions it does not have close permission either.

    May I propose that the developers grant us the feature to close?

    EDIT: Closing of incident will be using PUT /orgs/{org_id}/incidents/patch

    ------------------------------
    AXE LAW
    ------------------------------


  • 2.  RE: Auto closing of resilient incident

    Posted Tue November 03, 2020 07:12 AM
    Hi AXE

    The following is just my case:

    I tried the following curl command on an active incident and could close it in my environment.

    curl -sik -u <apikey>:<apikey-secret> -X PATCH https://<resilient-host>/rest/orgs/<org_id>/incidents/<incident_id> -H 'Content-Type: application/json' -d @/tmp/close.json

    <apikey> <apikey-secret>: API key and its secret, which has all incident permissions
    /tmp/close.json:
    {
      "changes": [
        {
          "field": { "name": "resolution_id" },
          "old_value": { "object": null },
          "new_value": { "object": 10 }
        },
        {
          "field": { "name": "resolution_summary" },
          "old_value": { "object": null },
          "new_value": { "object": "resolved" }
        },
        {
          "field": { "name": "plan_status" },
          "old_value": { "object": "A" },
          "new_value": { "object": "C" }
        }
      ],
      "version": 0
    }

    10 is for resolved (from TypeREST).
    old_value may not be null if you have closed it once before.



    ------------------------------
    Yohji Amano
    ------------------------------
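    The same close operation as a small script, added here as an example and not code from the thread or from IBM. It builds the PATCH body from the incident as the API currently reports it, so old_value matches even when the incident was closed and reopened before (Yohji's caveat above). The field names resolution_id, resolution_summary, plan_status and the "changes"/"version" envelope come from the curl example; the GET on /rest/orgs/{org_id}/incidents/{incident_id}, the use of the incident's "vers" counter as "version", and the host and credential placeholders are assumptions.

```python
import base64
import json
import urllib.request

# From the thread: resolution_id 10 means "Resolved" in the poster's environment
# and plan_status "A" (active) becomes "C" (closed). Check TypeREST for your org.
RESOLVED_ID = 10


def build_close_patch(incident, resolution_id=RESOLVED_ID, summary="resolved"):
    """Return the PATCH body that closes `incident`.

    `incident` is the JSON object the API returns for the incident. Its current
    values are used as old_value, which is what makes the patch apply cleanly on
    an incident that has been closed and reopened (old_value is no longer null).
    Fields already at the desired value are skipped.
    """
    desired = {
        "resolution_id": resolution_id,
        "resolution_summary": summary,
        "plan_status": "C",
    }
    changes = []
    for name, new_value in desired.items():
        old_value = incident.get(name)
        if old_value == new_value:
            continue  # nothing to change for this field
        changes.append({
            "field": {"name": name},
            "old_value": {"object": old_value},
            "new_value": {"object": new_value},
        })
    # Assumption: "version" is the incident's current "vers" counter used for
    # optimistic locking; the thread's curl example simply sends 0.
    return {"changes": changes, "version": incident.get("vers", 0)}


def _request(method, url, api_key, api_secret, body=None):
    """Send one authenticated JSON request (API key basic auth, as in the curl)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # TLS is verified by default
        return json.load(resp)


def close_incident(host, org_id, incident_id, api_key, api_secret):
    """Fetch the incident, then PATCH it closed. Returns the server's response."""
    url = f"https://{host}/rest/orgs/{org_id}/incidents/{incident_id}"
    incident = _request("GET", url, api_key, api_secret)
    patch = build_close_patch(incident)
    if not patch["changes"]:
        return {"already_closed": True}
    return _request("PATCH", url, api_key, api_secret, patch)


if __name__ == "__main__":
    # Placeholders; replace with your host, org id, incident id and API key.
    print(close_incident("resilient.example.invalid", 201, 2001,
                         "API_KEY_ID_PLACEHOLDER", "API_KEY_SECRET_PLACEHOLDER"))
```

    build_close_patch is kept separate from the HTTP calls so the body can be inspected before anything is sent; run the script only with an API key that holds the incident edit permissions Yohji mentions.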



  • 3.  RE: Auto closing of resilient incident

    Posted Wed November 04, 2020 11:20 AM
    Hi Yohji

    Your API PUT is working perfectly. Thanks for helping.

    Regards,
    Axe

    ------------------------------
    AXE LAW
    ------------------------------



  • 4.  RE: Auto closing of resilient incident

    Posted Tue November 03, 2020 08:35 AM
    If you can post the error message you receive, it may be possible to identify more precisely why you are having trouble. As Yohji pointed out, it definitely is possible to close an incident using the API.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------