IBM QRadar SOAR

  • 1.  Need help on payload for Incident API

    Posted Wed May 13, 2020 03:22 PM
    Hello  Everyone,

    I need help with updating incident parameters, and I am not getting the proper payload for it. Can you please share a sample payload?

    How can I patch an incident? As of now, I need to first call the GET method to get the incident details and then call the PUT method and pass all incident attributes. In this case, I have to make 2 calls just to update a few attributes. Ideally there should be 1 call. Please suggest.
    For example: I have the following attributes in a dictionary which I need to update. Can you help me with the payload and the method to call? ==> {'properties': {'parent_incident_id': 123456,  'criticality': 'Criticality 4', 'merged_incident_id': 123456}, 'plan_status': 'C', 'resolution_id': 'Duplicate', 'resolution_summary': 'Merging the incidents'}

    Also, I noticed one API call which accepts multiple incidents to patch. Can you share an example of using that API?
    API => PUT /orgs/{org_id}/incidents/patch

    I am looking to update 10 incidents at a time. Any suggestions on this, please.

    Thanks

    ------------------------------
    Priyank Saluja
    ------------------------------


  • 2.  RE: Need help on payload for Incident API

    Posted Thu May 14, 2020 08:33 AM
    I have found the best way to find out how to use the API is by using the Resilient UI. Here is an example where I'm reassigning multiple incidents to a new workspace:


    curl 'https://server/rest/orgs/230/incidents' -X PATCH \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0' \
      -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
      -H 'Content-Type: application/json' \
      -H 'X-sess-id: 0be97c6663be62d2282b693990d5e9fc' \
      -H 'handle_format: ids' -H 'text_content_output_format: objects_convert' \
      -H 'browser_locale: en' -H 'X-Requested-With: XMLHttpRequest' \
      -H 'Cookie: _ga=GA1.2.1382814266.1575940211; JSESSIONID=57D84D593D7B19A0A97C7DEB9B40964C; CSRF_TOKEN=7b2276616c7565223a223935656236313738653636633432373564373234356430373362333632656431227d' \
      --data-raw '{"patches":{"26044":{"version":7,"changes":[{"old_value":{"object":{"id":66,"name":"Default workspace"}},"new_value":{"object":"228"},"field":{"name":"workspace","id":null,"null":false}}]},"26045":{"version":32,"changes":[{"old_value":{"object":{"id":66,"name":"Default workspace"}},"new_value":{"object":"228"},"field":{"name":"workspace","id":null,"null":false}}]}}}'

    Here is the actual POST data:
    {
      "patches": {
        "26044": {
          "version": 7,
          "changes": [
            {
              "old_value": {
                "object": {
                  "id": 66,
                  "name": "Default workspace"
                }
              },
              "new_value": {
                "object": "228"
              },
              "field": {
                "name": "workspace",
                "id": null,
                "null": false
              }
            }
          ]
        },
        "26045": {
          "version": 32,
          "changes": [
            {
              "old_value": {
                "object": {
                  "id": 66,
                  "name": "Default workspace"
                }
              },
              "new_value": {
                "object": "228"
              },
              "field": {
                "name": "workspace",
                "id": null,
                "null": false
              }
            }
          ]
        }
      }
    }


    Notice that you need the old data and the current version number of the incident. This is necessary so that the system can determine if the data has changed since you last saw it. This is to prevent the "last writer wins" scenario. I suppose you could claim there should be a way to "force" PATCH. If you want to force an update you have to use the PUT operation on an incident, which, as you pointed out, requires all the incident details.

    So pretty much either way you'll need the current incident data to use either PATCH or PUT.

    The changes field is an array, so you can send updates for multiple fields at the same time.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
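    The bulk PATCH body above, built for several incidents and then run through a local model of the version check Ben describes. This is an added example, not code from the thread or from the Resilient API: it assumes the fetched incident carries its version under the key "vers", and apply_patches is a deliberately simplified stand-in for the server's conflict handling, not the product's logic.

```python
import copy

# Constructed sample data mirroring the two incidents in Ben's request; the
# "vers" key for the incident version is an assumption about the GET shape.
INCIDENTS = {
    26044: {"id": 26044, "vers": 7, "workspace": {"id": 66, "name": "Default workspace"}},
    26045: {"id": 26045, "vers": 32, "workspace": {"id": 66, "name": "Default workspace"}},
}

def build_patch_body(incidents, field_name, new_value, value_type="object"):
    # Bulk PATCH body from the thread: every incident entry carries the version
    # and the old value the client last saw. value_type="object" matches the
    # workspace example; other field types use other type keys (assumption).
    patches = {}
    for inc in incidents:
        patches[str(inc["id"])] = {
            "version": inc["vers"],
            "changes": [{
                "old_value": {value_type: inc[field_name]},
                "new_value": {value_type: new_value},
                "field": {"name": field_name, "id": None, "null": False},
            }],
        }
    return {"patches": patches}

def apply_patches(store, body):
    # Simplified local model of the conflict check (not the product's server code):
    # a patch applies only while stored version and old value still match.
    outcome = {}
    for inc_id, patch in body["patches"].items():
        inc = store[int(inc_id)]
        if inc["vers"] != patch["version"]:
            outcome[inc_id] = "conflict: version changed"
            continue
        for change in patch["changes"]:
            name = change["field"]["name"]
            (vtype, old), = change["old_value"].items()
            if inc[name] != old:
                outcome[inc_id] = "conflict: %s changed" % name
                break
            inc[name] = change["new_value"][vtype]
        else:
            inc["vers"] += 1              # a successful write bumps the version
            outcome[inc_id] = "applied"
    return outcome

if __name__ == "__main__":
    seen = copy.deepcopy(list(INCIDENTS.values()))       # what the client fetched
    body = build_patch_body(seen, "workspace", "228")
    print(apply_patches(INCIDENTS, body), apply_patches(INCIDENTS, body))
```

    Re-sending the same body a second time is rejected because the versions have moved on, which is exactly the stale-write case the version and old_value fields exist to catch.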



  • 3.  RE: Need help on payload for Incident API

    Posted Fri May 15, 2020 12:16 PM
    Hi Priyank,
    Is using our resilient python package a possibility for you? Within it we have a function called get_put which will perform a GET on an Incident for the needed attributes followed by a PUT with your needed changes; all encapsulated within 1 function call. If this is suitable for you and you have a list of incident IDs as well as a list of changes you could then use this call within a for loop to handle multiple updates. 

    Link: https://github.com/ibmresilient/resilient-python-api/blob/master/resilient/resilient/co3.py#L494

    Here's a bit of pseudocode that I can't guarantee will work straight away: 
    ids_to_update = [2095, 2095, 2097, 2098, 2099]
    data_to_update = {'field_to_update': 'foo'}   # field names and the new values to apply
    
    def update_inc(incident, data_to_update):
        # logic to update the incident object; get_put PUTs the modified object back afterwards
        for field, value in data_to_update.items():
            incident[field] = value
    
    # self.client is a resilient client (e.g. from resilient.get_client) held by the enclosing class
    for inc_id in ids_to_update:
        result = self.client.get_put("/incidents/{}".format(inc_id),
                                     lambda incident: update_inc(incident, data_to_update))
    For some more examples, have a look at the task_utils integration; we use get_put heavily there to update or close a task. 
    If this helps you could you 'Recommend' the answer so others can find it in future. 

    Ryan

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 4.  RE: Need help on payload for Incident API

    Posted Fri May 22, 2020 09:57 AM
    I have this function for patching an incident. 
    You need to import resilient
    import resilient
    from resilient_lib import IntegrationError   # the error type raised below

    def _update_incident(self, incident_id, incident_payload):
        """ _update_incident will update an incident with the specified json payload.
        :param incident_id: incident ID of incident to be updated.
        :param incident_payload: incident fields to be updated.
        :return:
        """
        try:
            # Update incident: fetch the current object so the Patch carries its version
            incident_url = "/incidents/{0}".format(incident_id)
            incident = self.rest_client().get(incident_url)
            patch = resilient.Patch(incident)

            # Iterate over payload dict; custom fields sit under 'properties'.
            for name, value in incident_payload.items():
                if name == 'properties':
                    for field_name, field_value in value.items():
                        patch.add_value(field_name, field_value)
                else:
                    patch.add_value(name, value)

            # rest_client() and _chk_status() are helpers of the enclosing component class
            patch_result = self.rest_client().patch(incident_url, patch)
            result = self._chk_status(patch_result)
            return result if result else {}

        except Exception as err:
            raise IntegrationError(err)


    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Need help on payload for Incident API

    Posted Fri March 18, 2022 04:43 PM
    Please find below an example of updating an incident to closed using the Patch method (Python 3).

    import resilient

    # Build a client from the standard app.config settings
    parser = resilient.ArgumentParser(config_file=resilient.get_config_file())
    opts = parser.parse_args()
    client = resilient.get_client(opts)

    resolution_id = 10          # id of the resolution picklist value
    plan_status = u'C'          # 'C' = closed
    uri = '/incidents/2099'
    res_sum = "testing Purposes"

    # GET first so the Patch carries the incident's current version
    incident = client.get(uri)
    patch = resilient.Patch(incident)
    patch.add_value("resolution_id", resolution_id)
    patch.add_value("resolution_summary", res_sum)
    patch.add_value("plan_status", plan_status)
    # overwrite_conflict=True applies our values even if the incident changed since the GET
    client.patch(uri, patch, overwrite_conflict=True)

    ------------------------------
    Ahmed Elsayed
    ------------------------------