IBM Security QRadar SOAR

One of our project requires monitoring the case submitting activity. The most important data point is "When the last incident submitted to the SOAR server?", we have to get this data point via SOAR REST API. I went through the API online documentation, one REST API data point (/orgs/{org_id}/incidents/query) may be a good candidate for extract the last incident timestamp. 

Can some one tell me whether it is possible to extract the last incident timestamp from: /orgs/{org_id}/incidents/query ?

if yes, can you provide the query example or instructions on how?

If not, please point me to the right way. 

Hi Leon,

You should use the incidents/query_paged API call. You can better control the resultset returned. In your case, you just need the latest incident created. This can be done with the following POST payload:

{
    "start": 0,
    "length": 1,
    "sorts": [
        {
            "field_name": "create_date",
            "type": "desc"
        }
    ]
}

Cheers,

One of our project requires monitoring the case submitting activity. The most important data point is "When the last incident submitted to the SOAR server?", we have to get this data point via SOAR REST API. I went through the API online documentation, one REST API data point (/orgs/{org_id}/incidents/query) may be a good candidate for extract the last incident timestamp. 

Can some one tell me whether it is possible to extract the last incident timestamp from: /orgs/{org_id}/incidents/query ?

if yes, can you provide the query example or instructions on how?

If not, please point me to the right way.