IBM Security QRadar SOAR

  • 1.  SOAR API performance issue

    Posted 26 days ago

    I have a performance issue with the current approach that the SOAR API follows to request data tables (members and assets associated with the incident), which is not optimized for multiple requests.

    So we need to know if they provide a better way to perform these API calls without performance impact, allowing some sort of "bulk" request to those data tables associated with an incident.

    The mentioned API link:

    "https://csim.resilientsystems.com/rest/orgs/201/incidents/{id}/table_data?handle_format=names"



    ------------------------------
    Aya Elsayed
    ------------------------------


  • 2.  RE: SOAR API performance issue

    Posted 25 days ago

    Hi Aya,

    I assume you're referring to the GET method for retrieving the contents of a datatable. This API call retrieves the entire contents of the datatable, which can be a very large result set. There is no way to limit the results returned.

    If you're looking for a solution to this issue or another change, I suggest the best way to request those changes is by submitting an enhancement in our ideas portal: https://ideas.ibm.com/.

    Hope this helps.



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: SOAR API performance issue

    Posted 25 days ago

    Hello Mark,

    We are trying to move to the EPM environment, and we faced a critical issue here.

    Our mission is to fetch all the incident ids from this first API link:

    "https://csim.resilientsystems.com/rest/orgs/201/incidents/query_paged?field_handle=-1&return_level=full"
    then push each id to fetch its related data from this second API link:
    "https://csim.resilientsystems.com/rest/orgs/201/incidents/{id}/table_data?handle_format=names"
    The problem here is that the number of ids is around 10k, so we will hit the second API 10k times, which will take a long time, and there is naturally a chance that this data can be lost or that instability occurs on the API server.
    Our thought is that some types of API have batch calls, in which you can pass via the payload all the items you want to fetch. So, for example, in a payload you can list all IDs in one single API call. In this way, one API call will be able to fetch this data in seconds.
    The question is whether that second API has this feature or not,
    or whether this is achievable in any other way.


    ------------------------------
    Aya Elsayed
    ------------------------------



  • 4.  RE: SOAR API performance issue

    Posted 25 days ago

    You may be able to do what you want via the /search_ex API call. This API call can refer to multiple incident IDs and you can target which types of objects (ex. datatables) to return. Refer to the filters and conditions payload to specify how to restrict the data returned. Here's an example payload. I don't know if the condition for incident.id can support a 'contains' list of Ids. I suspect you would then need multiple conditions, one for each incident. The value for <search value> is what you'd search for. In this case, you really don't want to search a particular value. So, maybe try an empty string (""). This may need some playing around to get correct.

    Good luck. 

    {
      "query": "<search value>",
      "org_id": 203,
      "filters": {
        "incident": [
          {
            "conditions": [
              {
                "field_name": "id",
                "method": "equals",
                "value": 2176
              }
            ]
          }
        ]
      },
      "types": [
        "datatable"
      ]
    }



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: SOAR API performance issue

    Posted 25 days ago

    Thanks for your help

    Do you know why this query didn't get results? I'm sure that id has data.



    ------------------------------
    Aya Elsayed
    ------------------------------



  • 6.  RE: SOAR API performance issue

    Posted 25 days ago

    This query is looking for the value 3267 within datatables. Try the query value "".



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 7.  RE: SOAR API performance issue

    Posted 25 days ago

    I just changed "types": ["incident"] and it is working fine, but now I need to fetch the data for that id from the members table data and use the "in" method in the filter. I don't know the right way; could you help me with that, or point me to someone who has done that before or has an example?

    API link:
    "https://csim.resilientsystems.com/rest/orgs/201/incidents/{id}/table_data?handle_format=names"


    ------------------------------
    Aya Elsayed
    ------------------------------
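As an added illustration (not code from this thread or from IBM), here is the batching approach suggested in reply 4 combined with the "in" condition asked about in reply 7, in Python. It assumes /search_ex accepts an "in" condition whose "value" is a list of incident ids, and that the caller already holds an authenticated urllib opener for the SOAR session; the batch size and pause are constructed values.

```python
import json
import time
import urllib.request

# Base URL taken from the thread (the sample payload there used org_id 203, the URLs 201).
BASE_URL = "https://csim.resilientsystems.com/rest/orgs/201"
BATCH_SIZE = 100   # constructed: ids per /search_ex call; tune to what the server tolerates
PAUSE_SECONDS = 0.5  # constructed: short pause between batches to avoid hammering the API


def chunk(ids, size):
    """Split a list of incident ids into batches of at most `size` ids."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def build_search_payload(batch, org_id=201):
    """Build one /search_ex body restricting results to a whole batch of incidents.

    Assumption (not confirmed in the thread): the "in" method accepts a list as
    "value" on the incident id field, so one condition covers the whole batch.
    The empty query string follows reply 6: do not match on any datatable text.
    """
    return {
        "query": "",
        "org_id": org_id,
        "filters": {
            "incident": [{"conditions": [
                {"field_name": "id", "method": "in", "value": list(batch)}
            ]}]
        },
        "types": ["datatable"],
    }


def search_ex(opener, payload):
    """POST one payload using an authenticated urllib opener supplied by the caller (assumed)."""
    req = urllib.request.Request(
        BASE_URL + "/search_ex",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with opener.open(req, timeout=60) as resp:  # TLS verification stays enabled by default
        return json.load(resp)


def fetch_datatables(opener, incident_ids):
    """Return the raw /search_ex response for every batch instead of 10k per-incident calls."""
    responses = []
    for batch in chunk(list(incident_ids), BATCH_SIZE):
        responses.append(search_ex(opener, build_search_payload(batch)))
        time.sleep(PAUSE_SECONDS)
    return responses
```

For 10k incident ids this issues 100 requests instead of 10,000; the response shape of /search_ex is not described in the thread, so the raw JSON is returned for the caller to parse.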