IBM Security Resilient

Back to discussions
Expand all | Collapse all

Need help on payload for Incident API

  • 1.  Need help on payload for Incident API

    Posted 16 days ago
    Hello  Everyone,

    I need help on updating incident parameters and I am not getting proper payload for the same. Can you please share sample payload?

    How can I patch an incident? As of now, I need to first call GET method and get incident details and then call PUT method and pass all incident attributes. In this case, I have to make 2 calls just to update few attributes. Ideally there should be 1 call. pls suggest.
    For example: I have following attributes in dictionary which I need to update.. Can you help me with payload and method to call ==> {'properties': {'parent_incident_id': 123456,  'criticality': 'Criticality 4', 'merged_incident_id': 123456}, 'plan_status': 'C', 'resolution_id': 'Duplicate', 'resolution_summary': 'Merging the incidents'}

    Also, I noticed one API call which accepts multiple incidents to patch. Can you share the example to use that API?
    API => PUT /orgs/{org_id}/incidents/patch

    I am looking to update 10 incidents at a time. Any suggestion on this please.

    Thanks

    ------------------------------
    Priyank Saluja
    ------------------------------


  • 2.  RE: Need help on payload for Incident API

    Posted 15 days ago
    I have found the best way to find out how to use the API is by using the Resilient UI. Here is an example where I'm reassigning multiple incidents to a new workspace:


    curl 'https://server/rest/orgs/230/incidents' -X PATCH -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/json' -H 'X-sess-id: 0be97c6663be62d2282b693990d5e9fc' -H 'handle_format: ids' -H 'text_content_output_format: objects_convert' -H 'browser_locale: en' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: _ga=GA1.2.1382814266.1575940211; JSESSIONID=57D84D593D7B19A0A97C7DEB9B40964C; CSRF_TOKEN=7b2276616c7565223a223935656236313738653636633432373564373234356430373362333632656431227d' --data-raw '{"patches":{"26044":{"version":7,"changes":[{"old_value":{"object":{"id":66,"name":"Default workspace"}},"new_value":{"object":"228"},"field":{"name":"workspace","id":null,"null":false}}]},"26045":{"version":32,"changes":[{"old_value":{"object":{"id":66,"name":"Default workspace"}},"new_value":{"object":"228"},"field":{"name":"workspace","id":null,"null":false}}]}}}'

    Here is the actual POST data:
    {
      "patches": {
        "26044": {
          "version": 7,
          "changes": [
            {
              "old_value": {
                "object": {
                  "id": 66,
                  "name": "Default workspace"
                }
              },
              "new_value": {
                "object": "228"
              },
              "field": {
                "name": "workspace",
                "id": null,
                "null": false
              }
            }
          ]
        },
        "26045": {
          "version": 32,
          "changes": [
            {
              "old_value": {
                "object": {
                  "id": 66,
                  "name": "Default workspace"
                }
              },
              "new_value": {
                "object": "228"
              },
              "field": {
                "name": "workspace",
                "id": null,
                "null": false
              }
            }
          ]
        }
      }
    }


    Notice that you need the old data and the current version number of the incident. This is necessary so that the system can determine if the data has changed since you last saw it. This is to prevent the "last writer" wins scenario. I supposed you could claim there should be a way to "force" PATCH. If you want to force update you have to use the PUT operation on an incident which as you pointed out requires all the incident details.

    So pretty much either way you'll need the current incident data to use either PATCH or PUT.

    The changes is an array so you can send updates for multiple fields at the same time.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------

    Original Message


  • 3.  RE: Need help on payload for Incident API

    Posted 14 days ago
    Hi Priyank,
    Is using our resilient python package a possibility for you ? Within it we have a function called get_put which will perform a GET on an Incident for the needed attributes followed by a put with your needed changes; all encapsulated within 1 function call. If this is suitable for you and you have a list of incident IDs as well as a list of changes you could then use this call within a for loop to handle multiple updates. 

    Link:https://github.com/ibmresilient/resilient-python-api/blob/master/resilient/resilient/co3.py#L494

    Heres a bit of pseudocode that I can't guarantee will work straight away: 
    ids_to_update = [2095,2095,2097,2098,2099]

def update_inc(incident, data_to_update):
   //logic to update the incident object
   incident['field_to_update'] = 'foo'

for inc_id in ids_to_update:
    result = self.client.get_put("/incidents/{}".format(incident_id),
                                     lambda incident: update_with_result(incident, data_to_update)
    For some more examples have a look at the task_utils integration, we use get_put heavily there to update or close a task. 
    If this helps you could you 'Recommend' the answer so others can find it in future. 

    Ryan

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------

    Original Message


  • 4.  RE: Need help on payload for Incident API

    Posted 7 days ago
    I have this function for patching an incident. 
    You need to import resilient 
        def _update_incident(self, incident_id, incident_payload):
        """ _update_incident will update an incident with the specified json payload.
        :param incident_id: incident ID of incident to be updated.
        ;param incident_payload: incident fields to be updated.
        :return:
        """
        try:
            # Update incident
            incident_url = "/incidents/{0}".format(incident_id)
            incident = self.rest_client().get(incident_url)
            patch = resilient.Patch(incident)

            # Iterate over payload dict.
            for name, value in incident_payload.items():
                if name == 'properties':
                    for field_name, field_value in incident_payload['properties'].items():
                        patch.add_value(field_name, field_value)
                else:
                    payload_value = incident_payload.get(name)
                    patch.add_value(name, payload_value)

            patch_result = self.rest_client().patch(incident_url, patch)
            result = self._chk_status(patch_result)
            return result if result else {}

        except Exception as err:
            raise IntegrationError(err)


    ------------------------------
    AnnMarie Norcross
    ------------------------------

    Original Message