IBM Security QRadar SOAR


API Query Examples

  • 1.  API Query Examples

    Posted Thu March 14, 2019 05:40 PM

    Hi Folks, while using the Query endpoint of the Resilient API, can we use
    multiple conditions combined with AND, as outlined below?

    Wondering if you have examples already that can be shared to review.

    Please note that Query tested with single condition and works.

    Thanks!

    #1

    {
    "filters": [{
    "conditions": [{
    "field_name": "plan_status",
    "method": "equals",
    "value": "C" AND

    "field_name": "inc_id
    "method": "containedIn",
    "value": "(45678,47654,45694)"
    }]
    }],
    "sorts": [{
    "field_name": "name",
    "type": "asc"
    }]
    }

     #2

    {
    "filters": [{
    "conditions": [{
    "field_name": "plan_status",
    "method": "equals",
    "value": "C" AND

    "field_name": "inc_id
    "method": "equals",
    "value": "45678"
    }]
    }],
    "sorts": [{
    "field_name": "name",
    "type": "asc"
    }]
    }



    ------------------------------
    Anilkumar Kudidi
    ------------------------------


  • 2.  RE: API Query Examples
    Best Answer

    Posted Mon March 18, 2019 10:20 AM
    Hello Anilkumar,

    Thanks for posting question to this forum.

    Yes, you can put multiple conditions into the data payload of a POST. As you might notice already, the "conditions" field is a json list of dictionaries. So you can put multiple dictionaries into the list. An example like this works:
    {
    "filters":[{
    "conditions":[
    {
    "field_name":"id",
    "method":"equals",
    "value":2435
    },
    {
    "field_name":"properties.qradar_id",
    "method":"equals",
    "value":"23"
    }
    ]
    }]
    }

    Here we have two filters, one for the incident id, and one for a custom field called qradar_id. Two points here.
    1. If it is a custom field, you need to use "properties._field_name", just like what shown above for qradar_id
    2. Make sure you use the correct data type for the "value".
    Also you can easily try this on interactive page (Help->Interactive REST API).

    Thanks,




    ------------------------------
    Yongjian Feng
    Software Developer
    Resilient IBM
    ------------------------------



  • 3.  RE: API Query Examples

    Posted Mon March 18, 2019 12:07 PM
    Also, in general it is better to use the query_paged endpoint. The query endpoint pulls all the incidents which could be huge. The query_paged endpoint gives you better control.

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 4.  RE: API Query Examples

    Posted Wed March 20, 2019 10:49 AM
    What is the URL to execute the query?
    POST /orgs/{org_id}/incidents/query

    I need to do something similar for a BI board.

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 5.  RE: API Query Examples

    Posted Wed March 20, 2019 01:04 PM
    Hello Juan,

    One easy way is to use our Interactive API (Help/Contact->Interactive REST API).
    Then go down and click IncidentREST.
    Click the query link:
    The URL is shown there. You can try the REST API directly here.

    Thanks,

    ------------------------------
    Yongjian Feng
    Software Developer
    Resilient IBM
    ------------------------------



  • 6.  RE: API Query Examples

    Posted Wed March 20, 2019 01:28 PM
    Yes, that's what I'm trying to do, but you know that I'm having an error when performing a test from the Postman:



    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 7.  RE: API Query Examples

    Posted Wed March 20, 2019 01:52 PM
    Ah, I see.

    Look at the example I gave below. The "filters" is a list of dict, not a dict.
    ==== Example =====
    {
    "filters":[{
    "conditions":[
    {
    "field_name":"id",
    "method":"equals",
    "value":2435
    },
    {
    "field_name":"properties.qradar_id",
    "method":"equals",
    "value":"23"
    }
    ]
    }]
    }

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 8.  RE: API Query Examples

    Posted Mon April 01, 2019 02:06 PM
    I have tried it and it works well with some fields, but I generate a field of type "selection" and it is not working for me.

    Send:
    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "properties.cola_de_atencion",
              "type": "string",
              "value": "CRMC"
            }
          ]
        }
      ],
      "sorts": [
        {
          "field_name": "plan_status",
          "type": "desc"
        }
      ],
      "start": 0,
      "length": 0,
      "recordsTotal": 0
    }


    Response:
    {
        "success": false,
        "title": null,
        "message": "Invalid type specified in query for equals condition. Expected unknown, but received string. Value is CRMC.",
        "hints": [],
        "error_code": "generic"
    }
    Any suggestions?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 9.  RE: API Query Examples

    Posted Tue April 02, 2019 10:43 AM
    Edited by Howard Lu Tue April 02, 2019 10:49 AM
    Hi Juan,

    First off, in your "conditions", you don't specify the "type" field.  The documentation for "type" reads:
    The type for the condition. This property is for UI side use only, useful for storing unit of time in date time filters like (minutes, hours, days)
    So go ahead and omit it.

    Unfortunately, for a select field, you will need to specify the "id" of the value and not the name. 

    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "properties.cola_de_atencion",
              "value": <ID>
            }
          ]
        }
      ],
      "sorts": [
        {
          "field_name": "plan_status",
          "type": "desc"
        }
      ],
      "start": 0,
      "length": 0,
      "recordsTotal": 0
    }



    You can lookup the "id" of your custom field value by accessing the Types REST endpoint. 
    https://<serverURL>/rest/orgs/<org_id>/types/incident/fields/cola_de_atencion

    and look at the "values" list.

    Hope this helps!

    ------------------------------
    Howard Lu
    ------------------------------



  • 10.  RE: API Query Examples

    Posted Wed April 03, 2019 10:07 AM
    Edited by Juan Cruz Del Col Wed April 03, 2019 10:29 AM
    Excellent, it worked perfectly. I had not noticed that the ID should be used as it is a selection field.

    Is it possible to make a condition by "between" dates?
    How would the date format be?

    For example, I need to obtain the same information that is shown in the report (image), but using a query via REST to send the data to a BI


    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 11.  RE: API Query Examples

    Posted Wed April 03, 2019 10:46 AM
    Hi Juan,

    Yes you can. The Resilient UI uses the same Resilient REST API.  So any conditions you see in the UI you can achieve using the REST API as well.

    In this case,

    {
      "filters": [
        {
          "conditions": [
            {
              "field_name": "create_date",
              "method": "gte",
              "value": 1546318800000
            },
            {
              "field_name": "create_date",
              "method": "lte",
              "value": 1554091200000
            }
          ]
        }
      ]
    }


    you could put multiple conditions that the "create_date" is before a certain time, and after a certain time.  The time value here is the "epoch time" measured in milliseconds.  There are plenty of converters which will convert a human readable date into an epoch time.  e.g. https://www.epochconverter.com/


    Again, these values are in milliseconds, so make sure you use that.  In the code sample I pasted above, those times translate to Jan 1 and Apr 1 of 2019.

    Hope this is helpful!  Good luck.



    ------------------------------
    Howard Lu
    ------------------------------



  • 12.  RE: API Query Examples

    Posted Wed October 16, 2019 09:06 AM
    The conditions listed in the "filters" section are combined with AND. May I know if there is any option if I need an API query with an OR condition?

    ------------------------------
    MSS Engineer
    ------------------------------



  • 13.  RE: API Query Examples

    Posted Wed October 16, 2019 09:40 AM
    Edited by Howard Lu Wed October 16, 2019 09:40 AM
    Yes you can.  In the "filters" section, there is a "logic_type" field you can specify.  It defaults to ALL (meaning a logical AND).  You can specify it to be "any", which is a logical OR.


    {
       "filters": [
         {
           "conditions": [
             {
               "field_name": "create_date",
               "method": "gte",
               "value": 1546318800000
             },
             {   
               "field_name": "create_date",
               "method": "lte",
               "value": 1554091200000
             }
           ],
           "logic_type" : "any"
         }
       ]
    }

    Hope that helps!
    ------------------------------
    Howard Lu
    ------------------------------
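    The payload shapes from posts #2, #11 and #13 (several conditions in one filter, custom fields addressed as "properties.<name>", dates as epoch milliseconds, and "logic_type" for AND/OR) can be assembled programmatically. The following is an added example and not code from the thread or from the Resilient SDK; the field name "qradar_id" is borrowed from post #2 and the quarter boundaries are constructed (midnight US Eastern: UTC-5 on Jan 1, UTC-4 on Apr 1, which is what the two millisecond values in post #11 correspond to).

    ```python
    import json
    from datetime import datetime, timedelta, timezone


    def epoch_ms(dt):
        """Resilient query conditions take dates as epoch time in milliseconds.
        The datetime must be timezone-aware so the UTC offset is explicit."""
        if dt.tzinfo is None:
            raise ValueError("use a timezone-aware datetime")
        return int(dt.timestamp() * 1000)


    def condition(field_name, method, value, custom=False):
        """One entry of a "conditions" list. Custom fields are addressed as
        "properties.<api_name>"; built-in fields use their plain name.
        The value must already have the field's data type (int for ids,
        str for text, epoch ms for dates)."""
        name = "properties." + field_name if custom else field_name
        return {"field_name": name, "method": method, "value": value}


    def build_query(conditions, logic_type=None, sorts=None):
        """Body for POST /orgs/{org_id}/incidents/query (path from post #4).
        Conditions inside one filter are ANDed unless logic_type is "any"."""
        flt = {"conditions": list(conditions)}
        if logic_type is not None:
            flt["logic_type"] = logic_type
        body = {"filters": [flt]}
        if sorts:
            body["sorts"] = [{"field_name": f, "type": t} for f, t in sorts]
        return body


    # Constructed quarter boundaries: midnight US Eastern on both dates.
    EASTERN_STD = timezone(timedelta(hours=-5))   # January: standard time
    EASTERN_DST = timezone(timedelta(hours=-4))   # April: daylight time
    Q1_START = datetime(2019, 1, 1, tzinfo=EASTERN_STD)
    Q1_END = datetime(2019, 4, 1, tzinfo=EASTERN_DST)


    def q1_2019_qradar_query():
        """Incidents created in Q1 2019 whose custom field qradar_id is "23",
        newest first. All three conditions must hold (default AND)."""
        return build_query(
            [
                condition("create_date", "gte", epoch_ms(Q1_START)),
                condition("create_date", "lte", epoch_ms(Q1_END)),
                condition("qradar_id", "equals", "23", custom=True),
            ],
            sorts=[("create_date", "desc")],
        )


    def either_boundary_query():
        """Same two date conditions, but ORed via logic_type "any" (post #13)."""
        return build_query(
            [
                condition("create_date", "gte", epoch_ms(Q1_START)),
                condition("create_date", "lte", epoch_ms(Q1_END)),
            ],
            logic_type="any",
        )


    if __name__ == "__main__":
        print(json.dumps(q1_2019_qradar_query(), indent=2))
    ```

    `epoch_ms` refuses naive datetimes on purpose: a missing offset silently shifts the window by several hours, which is the usual cause of "the query misses incidents near midnight". Note that post #16 reports that on version 35.2.32 the server ignored "logic_type", so the OR form should be verified against the target server before being relied on.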



  • 14.  RE: API Query Examples

    IBM Champion
    Posted Wed October 16, 2019 03:10 PM
    Hey @Howard Lu where did you find documentation on that?

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 15.  RE: API Query Examples

    Posted Wed October 16, 2019 04:10 PM
    Looks like the documentation is sparse.  It's in the QueryFilterDTO section of the REST API reference

    ------------------------------
    Howard Lu
    ------------------------------



  • 16.  RE: API Query Examples

    Posted Thu April 02, 2020 09:37 AM
    @Howard Lu I tried your solution and in the version I'm using (35.2.32) it seems that the logic type remains "AND" regardless of the "logic_type" I specify.

    By the way, for another use-case, I'm having trouble performing a query that should search for incidents with:

    1- create_date after a date (1585148292000)
    2- a custom field with value "example_value"
    3- an artifact of type "email sender" with value "name.sname@domain.tld"
    4- an artifact of type "email subject" with value "Example subject"

    For this search I tried this query:
    {
    	"types": ["artifact"],
    	"filters": {
    		"artifact": [{
    				"conditions": [{
    						"field_name": "value",
    						"method": "equals",
    						"value": "name.sname@domain.tld"
    					}, {
    						"field_name": "type",
    						"method": "equals",
    						"value": "Email Sender"
    					}
    				], 
    				"conditions": [
    				{
    						"field_name": "value",
    						"method": "equals",
    						"value": "Example subject"
    					}, {
    						"field_name": "type",
    						"method": "equals",
    						"value": "Email Subject"
    					}
    				]
    			}
    		],
    		"incident": [{
    				"conditions": [{
    						"field_name": "create_date",
    						"method": "gt",
    						"value": 1585148292000
    					}, {
    						"field_name": "properties.custom_field",
    						"method": "equals",
    						"value": "example_value"
    					}
    				]
    			}
    		]
    	}
    }


    It works, except for the artifact part, because it is matching only the second "conditions: []" statement (it overwrites the first).
    I cannot manage to write a condition with two artifacts in logic "AND", and I was wondering if it's possible to do it...

    ps.
    Switching the object type to "incident" instead of "artifacts" seems to cause the artifact filters to be ignored, because it returns only the matches for the incident filters.

    Any suggestion?
    thanks.



    ------------------------------
    ___________________
    Manuel Marchese
    ------------------------------
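    The "overwrites the first" behaviour in post #16 is a property of JSON itself, not of the Resilient server: the artifact filter object repeats the "conditions" key, and standard parsers keep only the last occurrence of a duplicated key, so the "Email Sender" pair never reaches the server. The example below is added here and is not code from the thread; it reduces the posted query to its artifact filter (constructed copy, same values) and shows a defensive check that rejects a payload with duplicated keys before it is sent.

    ```python
    import json

    # Constructed copy of the "artifact" filter from post #16: one object
    # carries the "conditions" key twice.
    ARTIFACT_FILTER_JSON = """
    {
      "filters": {
        "artifact": [{
          "conditions": [
            {"field_name": "value", "method": "equals", "value": "name.sname@domain.tld"},
            {"field_name": "type",  "method": "equals", "value": "Email Sender"}
          ],
          "conditions": [
            {"field_name": "value", "method": "equals", "value": "Example subject"},
            {"field_name": "type",  "method": "equals", "value": "Email Subject"}
          ]
        }]
      }
    }
    """


    def duplicate_keys(text):
        """Return the sorted list of keys that occur more than once inside the
        same JSON object anywhere in `text`. json.loads hands every object's
        raw (key, value) pairs to the hook before collapsing them into a dict,
        which is the only point at which the duplicate is still visible."""
        found = set()

        def hook(pairs):
            seen = set()
            for key, _ in pairs:
                if key in seen:
                    found.add(key)
                seen.add(key)
            return dict(pairs)          # same collapse a plain parse performs

        json.loads(text, object_pairs_hook=hook)
        return sorted(found)


    def surviving_artifact_values(text):
        """Parse with plain json.loads (last duplicate wins) and report which
        artifact 'value' conditions actually remain in the payload."""
        doc = json.loads(text)
        conds = doc["filters"]["artifact"][0]["conditions"]
        return [c["value"] for c in conds if c["field_name"] == "value"]


    def safe_to_send(text):
        """True only if the payload has no duplicated keys, i.e. nothing in it
        will be silently discarded by the JSON layer."""
        return not duplicate_keys(text)


    if __name__ == "__main__":
        print("duplicated keys:", duplicate_keys(ARTIFACT_FILTER_JSON))
        print("artifact values that survive:", surviving_artifact_values(ARTIFACT_FILTER_JSON))
        print("safe to send:", safe_to_send(ARTIFACT_FILTER_JSON))
    ```

    Running the check on the posted query reports "conditions" as duplicated and shows that only "Example subject" survives, which is exactly the symptom described. Whether the server ANDs two separate filter objects in the "artifact" list is not settled in the thread, so the check only guarantees that what you send is what the parser will see; the intended AND across two artifacts still needs to be confirmed against the API.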