IBM QRadar SOAR

 View Only
  • 1.  Fetch incident via API with a limit

    Posted Tue June 18, 2024 06:07 AM

    Hello,

    I'm querying IBM SOAR incident using this parameters but it doesn't work because of the key "length" : 

    data = { "filters": [myfilter], "length": 10 }

    How to query incidents via API with a limit of  10 incidents returned ?

    Regards



    ------------------------------
    Ekham Ramdul
    ------------------------------


  • 2.  RE: Fetch incident via API with a limit

    Posted Tue June 18, 2024 10:23 AM

    Hi Ekham

    Here is an example from the fn_machine_learning integration that uses "length" in query.  I think you also need to specify "start" and maybe "recordsTotal"...

    def query_incidents(res_client, max_count=None, page_size=1000, in_log=None):
        """
        Use the query endpoint since we are going to down load
        large number of incidents.
    
        :param res_client:  Resilient client used to download incidents
        :param max_count:   Max count for incidents to handle
        :param page_size:   Number of incident to download for each call
        :return:            All downloaded incidents in json
        """
        log = in_log if in_log else logging.getLogger(__name__)
        incidents = []
        url = "/incidents/query_paged?field_handle=-1&return_level=full"
        num_incidents = 0
        ret_num = 0
        done = False
        while not done:
            body = {
                "start": num_incidents,
                "length": page_size,
                "recordsTotal": page_size
            }
            ret = res_client.post(uri=url,
                                  payload=body)
    
            data = ret.get("data", [])
            ret_num = len(data)
            if ret_num > 0:
                log.debug("Downloaded {} incidents, total now {} ...".format(ret_num, ret_num + num_incidents))
                incidents.extend(data)
            else:
                #
                # No more to read.
                #
                done = True
    
            num_incidents = num_incidents + ret_num
    
            if max_count:
                if num_incidents >= max_count:
                    #
                    # Reach max_count set by user, stop now
                    #
                    done = True
    
        return incidents


    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Fetch incident via API with a limit

    Posted Tue June 18, 2024 11:17 AM

    Hello AnnMarie,

    Thank you for your quick answer !

    In my case it was not working because I used the endpoind "query" instead of "query_paged". It seems that I don't have to use the parameter "recordTotal" to do what I want to achieve.

    Regards



    ------------------------------
    Ekham Ramdul
    ------------------------------



  • 4.  RE: Fetch incident via API with a limit

    Posted Tue June 18, 2024 12:00 PM

    Hi Ekham,

    Glad you could figure it out.  It's recommended to use query_paged if you want to query all incidents.  This text is from "query" the interactive REST API doc:

    Note: The result list is limited to the server-configured maximum limit (default: 1000). It is recommended to use query_paged which can iterate through all incidents that match the query.



    ------------------------------
    AnnMarie Norcross
    ------------------------------