IBM QRadar SOAR

  • 1.  How to access timer data from script/API

    Posted Fri May 15, 2020 03:36 PM
    Hi Everyone,

    First off, apologies if I'm posting in the wrong group/area; first "timer" (no pun intended) here!

    I'm looking for some guidance on how to access timer data for a custom boolean field I created that I'm tracking time changes on and is manipulated via two Menu Item rules that essentially set the field state to on/off (true/false).

    While trying to enumerate a sample incident object's dictionary keys I came across the property incident.timer_field_summarized_incident_data - seems like what I'm looking for but it doesn't contain any data. I tried closing out the incident to see if the data wouldn't be populated until incident closure, but this doesn't seem to be the case.

    When looking into the boolean field under incident.properties it only appears to contain the boolean result (True or False - also Unknown since it's optional currently) and doesn't seem to contain the timer data.

    I'm trying to access the timer data for the total time spent while the field is set to true - any help is greatly appreciated!

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    Fannie Mae
    ------------------------------


  • 2.  RE: How to access timer data from script/API

    Posted Mon May 18, 2020 04:51 AM
    Hi Jason
    Thank you for raising this in the community forum.

    Accessing the timer data of fields can be done using a specific REST call. The route is 
    /orgs/{org_id}/timers

    This API call takes a list of incident IDs in its body and will return timer information for the queried incident IDs. When you make the call, there is an entities attribute in the response which should have the information you are looking for. 
    If you have access to the Interactive REST API the below route will bring you to the call and allow you to experiment with it. Replace 'server' with your Resilient instance IP or DNS. 
    https://server/docs/rest-api/ui/index.html#!/TimerFieldREST/resource_TimerFieldREST_getTimerFieldDataByIncidentIDs_POST

    If this is what you're looking for, could you 'Recommend' the answer or mark it as best answer so others can find this info in future. 

    Hope this helps,
    Ryan 


    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------



  • 3.  RE: How to access timer data from script/API

    Posted Mon May 18, 2020 11:00 AM
    Hi Ryan,

    I was able to get back the data I was looking for on a sample incident using the Interactive REST API, but I'm running into some issues trying to get that same data from the integration server, since the Org that is tracking the timer data I'm interested in doesn't have its own env set up yet (different can of worms). So I'm trying to create a script from within the UI that retrieves this data, but I'm not getting anything back, likely due to an incorrect call. Is there a way to retrieve this data from a script created from within the UI via some incident property?

    I've attached snips of the console and Interactive REST API output for comparison.

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    Fannie Mae
    ------------------------------



  • 4.  RE: How to access timer data from script/API

    Posted Tue May 19, 2020 04:19 AM
    Hi Jason,
    Good to hear the provided info is working for you. 
    I checked on your query here and can confirm that Timer data is only available via a REST call on the provided endpoint. It is not available via in-product scripting. I would suggest keeping the interaction with timer data within the integration server. 
    Let me know if you have more questions.

    Ryan.

    ------------------------------
    Ryan Gordon
    Security Software Engineer
    IBM
    ------------------------------
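
The two replies above say the same thing from different angles: timer data is reachable only through POST /orgs/{org_id}/timers with a list of incident IDs in the body, the answer carries an entities attribute, and the call belongs on the integration server rather than in an in-product script. The following is an added example written for this page, not code from the thread or from IBM: a small integration-server-side Python script that builds that request, sends it with an API key, and pulls the per-incident entries out of the response. The request body (a plain JSON list of incident IDs), the use of the API key id/secret as HTTP basic auth, the "/rest" prefix on the route, and the field names inside each entity (incident_id, timer_data) are assumptions for illustration; the embedded response is a constructed sample, not captured output.

```python
"""Fetch timer-field data for a set of SOAR incidents via POST /orgs/{org_id}/timers.

Added example, not from the thread. Assumptions (not confirmed by the page):
  * the body is a JSON array of incident IDs;
  * the API key is sent as HTTP basic auth (key id : key secret);
  * the full path is https://<server>/rest/orgs/<org_id>/timers;
  * each element of the response's "entities" list carries an "incident_id".
"""
import base64
import json
import os
import ssl
import urllib.request

# Constructed sample of a response, used only to exercise the parsing code offline.
# The inner structure (timer_data / per-field totals in ms) is illustrative.
SAMPLE_RESPONSE = {
    "entities": [
        {"incident_id": 2095, "timer_data": {"my_bool_field": {"total_time": 3600000}}},
        {"incident_id": 2096, "timer_data": {"my_bool_field": {"total_time": 0}}},
    ]
}


def build_timer_request(incident_ids):
    """Build the POST body: a de-duplicated, sorted list of integer incident IDs.

    Rejects an empty list early so we never fire a pointless authenticated call.
    """
    ids = sorted({int(i) for i in incident_ids})
    if not ids:
        raise ValueError("at least one incident ID is required")
    return ids


def extract_timer_entities(response):
    """Map incident_id -> entity dict from the response's 'entities' attribute.

    Entities that lack an incident_id are skipped rather than crashing the run,
    since the exact DTO shape is an assumption here.
    """
    result = {}
    for entity in response.get("entities") or []:
        inc_id = entity.get("incident_id")
        if inc_id is None:
            continue
        result[int(inc_id)] = entity
    return result


def fetch_timer_data(base_url, org_id, incident_ids, cafile=None, timeout=30):
    """Call the timers route and return {incident_id: entity}.

    Credentials come from the environment (SOAR_API_KEY_ID / SOAR_API_KEY_SECRET)
    so they never sit in the script. TLS verification stays on; point `cafile`
    at the SOAR server's CA certificate instead of disabling checks.
    """
    key_id = os.environ["SOAR_API_KEY_ID"]
    key_secret = os.environ["SOAR_API_KEY_SECRET"]
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()

    url = f"{base_url.rstrip('/')}/rest/orgs/{int(org_id)}/timers"
    body = json.dumps(build_timer_request(incident_ids)).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        payload = json.load(resp)
    return extract_timer_entities(payload)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_timer_data()
    # with a real server, org ID and API key to run it for real.
    for inc_id, entity in extract_timer_entities(SAMPLE_RESPONSE).items():
        print(inc_id, json.dumps(entity["timer_data"]))
```

Run this on the integration server (or any host that can reach the SOAR REST API), not as an in-product script, which is exactly the constraint the final reply describes. If the live response does not match the assumed entity layout, the Interactive REST API page linked in the second reply shows the real DTO, and only extract_timer_entities needs adjusting.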