IBM Security QRadar SOAR

Hello,

I'm querying IBM SOAR incident using this parameters but it doesn't work because of the key "length" : 

data = { "filters": [myfilter], "length": 10 }

How to query incidents via API with a limit of  10 incidents returned ?

Regards

Hi Ekham

Here is an example from the fn_machine_learning integration that uses "length" in query.  I think you also need to specify "start" and maybe "recordsTotal"...

def query_incidents(res_client, max_count=None, page_size=1000, in_log=None):    """    Use the query endpoint since we are going to down load    large number of incidents.    :param res_client:  Resilient client used to download incidents    :param max_count:   Max count for incidents to handle    :param page_size:   Number of incident to download for each call    :return:            All downloaded incidents in json    """    log = in_log if in_log else logging.getLogger(__name__)    incidents = []    url = "/incidents/query_paged?field_handle=-1&return_level=full"    num_incidents = 0    ret_num = 0    done = False    while not done:        body = {            "start": num_incidents,            "length": page_size,            "recordsTotal": page_size        }        ret = res_client.post(uri=url,                              payload=body)        data = ret.get("data", [])        ret_num = len(data)        if ret_num > 0:            log.debug("Downloaded {} incidents, total now {} ...".format(ret_num, ret_num + num_incidents))            incidents.extend(data)        else:            #            # No more to read.            #            done = True        num_incidents = num_incidents + ret_num        if max_count:            if num_incidents >= max_count:                #                # Reach max_count set by user, stop now                #                done = True    return incidents

Hello,

I'm querying IBM SOAR incident using this parameters but it doesn't work because of the key "length" : 

data = { "filters": [myfilter], "length": 10 }

How to query incidents via API with a limit of  10 incidents returned ?

Regards

Hello AnnMarie,

Thank you for your quick answer !

In my case it was not working because I used the endpoind "query" instead of "query_paged". It seems that I don't have to use the parameter "recordTotal" to do what I want to achieve.

Regards

Hi Ekham

Here is an example from the fn_machine_learning integration that uses "length" in query.  I think you also need to specify "start" and maybe "recordsTotal"...

def query_incidents(res_client, max_count=None, page_size=1000, in_log=None):    """    Use the query endpoint since we are going to down load    large number of incidents.    :param res_client:  Resilient client used to download incidents    :param max_count:   Max count for incidents to handle    :param page_size:   Number of incident to download for each call    :return:            All downloaded incidents in json    """    log = in_log if in_log else logging.getLogger(__name__)    incidents = []    url = "/incidents/query_paged?field_handle=-1&return_level=full"    num_incidents = 0    ret_num = 0    done = False    while not done:        body = {            "start": num_incidents,            "length": page_size,            "recordsTotal": page_size        }        ret = res_client.post(uri=url,                              payload=body)        data = ret.get("data", [])        ret_num = len(data)        if ret_num > 0:            log.debug("Downloaded {} incidents, total now {} ...".format(ret_num, ret_num + num_incidents))            incidents.extend(data)        else:            #            # No more to read.            #            done = True        num_incidents = num_incidents + ret_num        if max_count:            if num_incidents >= max_count:                #                # Reach max_count set by user, stop now                #                done = True    return incidents

Hello,

I'm querying IBM SOAR incident using this parameters but it doesn't work because of the key "length" : 

data = { "filters": [myfilter], "length": 10 }

How to query incidents via API with a limit of  10 incidents returned ?

Regards