Global Security Forum

QRadar - Retrieving multiple artifacts by incident IDs

    Posted Fri November 03, 2023 04:06 PM

    I am trying to retrieve multiple artifacts by incident IDs.
    For example: I make a call to get the incidents for the last, let's say, 7 days.
    And now, if I have 500 incidents, I need to make an additional 500 calls to

    orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged

    to get all the related artifacts for the incidents.

    If I try the endpoint - orgs/org_id/artifacts/query_paged

    in the result there are missing properties like inc_id and Ip.Source and Ip.Destination,

    so my only option to get artifacts for an incident is to make 500 additional calls to orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged, where I have the full artifact information.

    My question is: Is there a way (after I get the incidents) to get all artifacts related to the incidents with one call, with full artifact information (inc_id, Ip.Source, Ip.Destination)?
    Something like - Get all incidents -> Get all artifacts for those incident IDs



    ------------------------------
    AN K
    ------------------------------