IBM Security QRadar SOAR


query builder with time limit in Resilient Script

  • 1.  query builder with time limit in Resilient Script

    Posted Thu February 18, 2021 05:09 AM
    Hi,
    I am trying to build a query which gets all the incidents closed in the last 48 hours. I can use status, but how can I also use time in this query to look up only the last 48 hours' incidents instead of searching all closed incidents?

    query_builder.equals(fields.incident.plan_status, "C")

    Please help if anyone has done this before.

    Regards
    Dastagir

    ------------------------------
    Dastagirsab Mulla
    ------------------------------


  • 2.  RE: query builder with time limit in Resilient Script

    Posted Thu February 18, 2021 04:04 PM
    Hello Dastagir,

    You could use the lines below.

    import time
    
    reference_time = int(time.time() - 48 * 60 * 60 ) * 1000 # milliseconds
    
    query_builder.equals(fields.incident.plan_status, "C") # closed incidents
    query_builder.isGreaterThan(fields.incident.end_date, reference_time) # in last 48 hours
    
    query = query_builder.build()
    closed_incidents = helper.findIncidents(query)


    ------------------------------
    Burak Karaduman
    ------------------------------



  • 3.  RE: query builder with time limit in Resilient Script

    Posted Fri February 19, 2021 02:26 AM
    Thank you Burak,

    It worked after a small change in the time import; I used the code below to get the time:
    from java.util import Date
    dt_now = Date()
    time = dt_now.getTime()  # epoch milliseconds (Java Date.getTime()), already in end_date's units

    But my code works well in pre-production, where we have a smaller number of incidents, but it is failing on production, maybe due to the large number of incidents. I am attaching the error here.

    ------------------------------
    Dastagirsab Mulla
    ------------------------------



  • 4.  RE: query builder with time limit in Resilient Script

    Posted Fri February 19, 2021 02:43 AM
    Here is the detailed attachment.

    ------------------------------
    Dastagirsab Mulla
    ------------------------------



  • 5.  RE: query builder with time limit in Resilient Script

    Posted Fri February 19, 2021 03:22 AM
    Edited by Burak Karaduman Fri February 19, 2021 03:23 AM
    Hello,

    Which version of Resilient do you use? "import time" works with Python 3 in Resilient.

    For more detail: https://community.ibm.com/community/user/security/blogs/ryan-gordon1/2020/12/18/python3-scripting-engine

    ---

    There are some limits, like 5 seconds of execution time or a maximum line count of 50,000. If you have too many closed incidents in the last 48 hours, yes, it takes time. You can check the /var/log/resilient-scripting/resilient-scripting.log file to find the execution time of your script.

    If you cannot solve the script execution time issue, you can do it with a function in Circuits.

    ------------------------------
    Burak Karaduman
    ------------------------------



  • 6.  RE: query builder with time limit in Resilient Script

    Posted Fri February 19, 2021 04:56 AM
    Thank you very much for your response. I will try this with a function in Circuits.

    ------------------------------
    Dastagirsab Mulla
    ------------------------------



  • 7.  RE: query builder with time limit in Resilient Script

    Posted Fri February 19, 2021 05:49 AM
    Hi,

    The code provided by Burak should help with your use case, but like he said, you are most likely experiencing a timeout because your script takes longer than 5 seconds to complete. If you don't mind, could you send me a private message with details of roughly how many incidents you have on your production system: is it 100, 1,000, 5,000, or 10,000+? It's possible there are some performance problems we could investigate.

    Thank you,

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 8.  RE: query builder with time limit in Resilient Script

    Posted Wed February 24, 2021 12:34 AM
    Thank you 'Sean Mc Cann' and 'Burak' for your valuable feedback.
    I finally achieved my objective using a Circuits function; below is a summary of the query I used in the function.

    import time

    ref_time = int(time.time() - 48 * 60 * 60) * 1000  # milliseconds, the same units as end_date
    queryDTO = {
        'filters': [{
            'conditions': [
                {'field_name': 'name',
                 'method': 'contains',
                 'value': inc_name_input},  # input received from workflow
                {'field_name': 'end_date',
                 'method': 'gte',
                 'value': ref_time},
                {'field_name': 'plan_status',
                 'method': 'equals',
                 'value': 'C'}
            ]
        }]
    }
    incidents = client.post("/incidents/query", queryDTO)

    Thanks again for all your feedback.

    ------------------------------
    Dastagirsab Mulla
    ------------------------------



  • 9.  RE: query builder with time limit in Resilient Script

    Posted Wed February 24, 2021 01:56 AM
    Hi,

    Nice to hear that.

    For your attention: if you use the "/incidents/query" endpoint, Resilient returns a maximum of 1000 incidents. If you have more than 1000 closed incidents in the last 48 hours, you should use the "/incidents/query_paged" resource to prevent potential gaps.

    ------------------------------
    Burak Karaduman
    ------------------------------
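
    Added example (not part of this thread and not IBM's SOAR code): the paged version of the query from post 8, following Burak's advice above. It pages through /incidents/query_paged with start/length until recordsTotal is reached, so a window holding more than 1000 closed incidents is not silently cut off at the legacy endpoint's 1000-row cap, and it keeps the 48-hour reference in epoch milliseconds to match end_date. The request fields (filters, start, length, sorts with field_name/type) and the response fields (recordsTotal, data) are my understanding of the SOAR REST API and should be checked against your server's API reference. The fake_soar_post() client and the 2,600 sample incidents are constructed here so the code runs offline; in a real Circuits function you would pass the resilient client's post method instead.

```python
"""Paged 48-hour closed-incident query against QRadar SOAR / Resilient.

Added example, not code from the thread. Endpoint and field names for
/incidents/query_paged (filters, start, length, sorts -> recordsTotal, data)
are assumptions about the SOAR REST API; verify against your API reference.
"""
import time

PAGE_SIZE = 1000               # legacy /incidents/query returns at most this many rows
WINDOW_SECONDS = 48 * 60 * 60  # "closed in the last 48 hours"
NOW = 1_614_000_000            # fixed "now" (epoch seconds) so the sample below is deterministic


def closed_in_window_filter(inc_name, now=None, window=WINDOW_SECONDS):
    """Filter block for the query DTO: name contains inc_name, plan_status C,
    end_date inside the window. SOAR stores end_date as epoch MILLISECONDS,
    so the reference time computed in seconds is multiplied by 1000."""
    now = time.time() if now is None else now
    ref_time_ms = int(now - window) * 1000
    return [{"conditions": [
        {"field_name": "name", "method": "contains", "value": inc_name},
        {"field_name": "end_date", "method": "gte", "value": ref_time_ms},
        {"field_name": "plan_status", "method": "equals", "value": "C"},
    ]}]


def query_all_pages(post, filters, page_size=PAGE_SIZE):
    """Collect every matching incident by advancing 'start' until recordsTotal
    is reached. 'post' is a callable post(uri, payload) -> dict, e.g. the
    resilient SimpleClient's post method. Sorting by id keeps pages stable."""
    results, start = [], 0
    while True:
        payload = {"filters": filters, "start": start, "length": page_size,
                   "sorts": [{"field_name": "id", "type": "asc"}]}
        page = post("/incidents/query_paged", payload)
        data = page.get("data", [])
        results.extend(data)
        start += len(data)
        if not data or start >= page.get("recordsTotal", 0):
            return results


# ---- constructed sample data and an offline stand-in for client.post() ----
def _build_sample(n=2600):
    incidents = []
    for i in range(1, n + 1):
        name = f"Phishing report {i}" if i % 3 else f"Malware alert {i}"
        if i % 10 == 0:                      # still active: no end_date yet
            status, end_ms = "A", None
        elif i % 4 == 0:                     # closed, but 10 days ago: outside the window
            status, end_ms = "C", (NOW - 10 * 86400) * 1000
        else:                                # closed 1..39 hours ago: inside the window
            status, end_ms = "C", (NOW - (i % 40) * 3600) * 1000
        incidents.append({"id": i, "name": name, "plan_status": status, "end_date": end_ms})
    return incidents


SAMPLE_INCIDENTS = _build_sample()


def _matches(inc, conditions):
    """Evaluate the subset of filter methods the query above uses."""
    for c in conditions:
        v = inc.get(c["field_name"])
        if c["method"] == "equals" and v != c["value"]:
            return False
        if c["method"] == "contains" and (v is None or c["value"] not in v):
            return False
        if c["method"] == "gte" and (v is None or v < c["value"]):
            return False
    return True


def fake_soar_post(uri, payload):
    """Constructed stand-in for client.post(): mimics both endpoints' result shapes."""
    conditions = payload["filters"][0]["conditions"]
    hits = sorted((inc for inc in SAMPLE_INCIDENTS if _matches(inc, conditions)),
                  key=lambda inc: inc["id"])
    if uri == "/incidents/query":            # legacy endpoint: silently truncated at 1000 rows
        return hits[:PAGE_SIZE]
    if uri == "/incidents/query_paged":
        start, length = payload.get("start", 0), payload.get("length", PAGE_SIZE)
        return {"recordsTotal": len(hits), "data": hits[start:start + length]}
    raise ValueError(f"unexpected uri {uri}")


def compare_endpoints(inc_name="Phishing", now=NOW):
    """Return (rows from /incidents/query, rows from the paged loop) for one filter."""
    filters = closed_in_window_filter(inc_name, now=now)
    truncated = fake_soar_post("/incidents/query", {"filters": filters})
    complete = query_all_pages(fake_soar_post, filters)
    return len(truncated), len(complete)


if __name__ == "__main__":
    legacy, paged = compare_endpoints()
    print(f"/incidents/query returned {legacy} rows, query_paged returned {paged}; "
          f"gap = {paged - legacy}")
```

    With the constructed sample, the legacy endpoint hands back exactly 1000 rows while the paged loop returns all 1213 matching incidents, which is the gap Burak warns about. If the server enforces its own page cap, keep page_size at or below it; the loop terminates on an empty page as well as on recordsTotal, so a server that caps length lower than requested still drains completely.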



  • 10.  RE: query builder with time limit in Resilient Script

    Posted Wed February 24, 2021 05:23 AM
    Hi,

    Thanks for this information, I will consider it.

    ------------------------------
    Dastagirsab Mulla
    ------------------------------