IBM QRadar SOAR: Working with Incidents with REST API

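# Base URL of the SOAR REST API for one organisation; replace <ORG_ID> with the
# numeric org id shown in the SOAR UI. No trailing slash: callers append "/incidents/...".
soar_base_url = 'https://soar.company.com/rest/orgs/<ORG_ID>'

# SECURITY: 'api_key' / 'api_secret' are placeholders for a SOAR API key id and
# secret. Do not paste real values into a script or wiki page; load them from a
# secrets manager or the process environment at runtime. The pair is sent as
# HTTP Basic auth on every request, so it is only as safe as the TLS connection.
# NOTE: the original line ended in a trailing comma, which turned soar_auth into a
# 1-tuple; requests' auth= rejects that (it expects a callable or a 2-tuple).
soar_auth = HTTPBasicAuth('api_key', 'api_secret')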

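def soar_get_incidents(*, verify=True, timeout=30):
    """Fetch one page of SOAR incidents matching a fixed filter.

    POSTs to ``{soar_base_url}/incidents/query_paged`` asking for incidents
    whose ``plan_status`` is ``A`` or ``C`` (presumably active/closed — confirm
    against the SOAR API docs), whose custom field
    ``properties.virus_investigation_result`` has a value and whose
    ``properties.virus_score`` does not, at ``return_level=full``.
    Only the page the server returns is handed back; walking further pages is
    left to the caller.

    Args:
        verify: TLS certificate verification passed through to ``requests``.
            ``True`` (default) uses the system CA bundle; pass the path to the
            SOAR server's CA certificate if it is signed by a private CA. Never
            pass ``False`` outside a throwaway lab: that disables certificate
            checking and lets an on-path attacker capture the Basic-auth API
            key/secret.
        timeout: seconds ``requests`` waits for connect/read before aborting;
            the original call had no timeout and could hang forever.

    Returns:
        The decoded JSON body of the HTTP 200 response (shape as returned by
        the SOAR endpoint; not validated here).

    Raises:
        RuntimeError: on any non-200 status, including the status code and
            response body in the message (a subclass of ``Exception``, so
            existing ``except Exception`` handlers still catch it).
        requests.RequestException: on network, TLS or timeout failures.
    """
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    # Module-level soar_base_url already includes /rest/orgs/<ORG_ID>.
    # (The original referenced an undefined name, base_url.)
    url = f"{soar_base_url}/incidents/query_paged"
    params = {
        "return_level": "full",
        # Custom "properties.*" fields are requested by handle; requests encodes
        # the list as repeated field_handle=... query parameters.
        "field_handle": ["virus_investigation_result", "virus_score"],
        "include_records_total": "false",
    }
    json_body = {
        "filters": [
            {
                "conditions": [
                    {"field_name": "plan_status", "method": "in", "value": ["A", "C"]},
                    {"field_name": "properties.virus_investigation_result", "method": "has_a_value"},
                    {"field_name": "properties.virus_score", "method": "not_has_a_value"},
                ]
            }
        ]
    }

    res = requests.post(
        url=url,
        headers=headers,
        json=json_body,
        params=params,
        auth=soar_auth,
        verify=verify,    # was verify=False: TLS verification must stay on
        timeout=timeout,
    )
    if res.status_code != 200:
        raise RuntimeError(
            f"Failed to fetch incidents: {res.status_code} - {res.text}")
    return res.json()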


Ver também