IBM QRadar SOAR: Working with Incidents Properties with REST API

import requests
from requests.auth import HTTPBasicAuth

soar_base_url = 'https://soar.company.com/rest/orgs/<ORG_ID>'
soar_auth = HTTPBasicAuth('api_key', 'api_secret')  # API key ID and API key secret

def soar_update_incident(incident_id, json_body):
    """PATCH an incident with a list of field changes; returns the response JSON, or None on failure."""
    headers = {"Content-Type": "application/json"}
    url = f"{soar_base_url}/incidents/{incident_id}"
    params = {"return_dto": "false"}
    # verify=False disables TLS certificate validation; point verify at a trusted CA bundle in production
    res = requests.patch(url, headers=headers, json=json_body, params=params, auth=soar_auth, verify=False)
    if res.status_code == 200:
        return res.json()
    print(f"Failed to update incident: {res.status_code} - {res.text}")
    return None

soar_id = 23567
valor_destino01 = "<computed earlier>"  # placeholder: this variable is set earlier in the author's script
payload = {"changes": [
    {"field": "virus_investigation_result", "old_value": {}, "new_value": {"text": f"{valor_destino01}"}}
]}

result = soar_update_incident(soar_id, payload)

Sample payload:

payload = {
    "changes": [
        {"field": "field_name1", "old_value": {}, "new_value": {"text": "My new value"}},
        {"field": "virus_investigation_result", "old_value": {}, "new_value": {"text": f"{valor_destino01}"}}
    ]
}

Update Text fields

  • old_value is empty
{ "field": "virus_investigation_result", "old_value": {}, "new_value": {"text": "My new value"} }
  • old_value is empty and the new value comes from a Python variable (f-string)
{ "field": "virus_investigation_result", "old_value": {}, "new_value": {"text": f"{valor_destino01}"} }

Update Select fields

  • old_value is empty
{ "field": "investigation_status", "old_value": {}, "new_value": 96608 }

Where 96608 is the numeric ID of the "Under Investigation" option in my select field (select fields take the option ID, not the label).

Update Text Area fields

  • old_value is empty
{
  "field": "incident_type_link",
  "old_value": {},
  "new_value": {"textarea": {"format": "html", "content": '<a href="https://site.company.com/index.html">Index</a>'}}
}
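The three field shapes above (text, select, text area) as one builder, added here as an example that is not part of the wiki page or the SOAR product code; the field definition sample is constructed, and the select option IDs and labels in it are made up. It also resolves a select option label to its ID, since the PATCH body needs the number, and HTML-escapes text area content unless the caller declares it trusted.

```python
import html

# Constructed sample of select/text field definitions (assumption: option ids and labels are invented)
SAMPLE_FIELD_DEFS = [
    {"name": "investigation_status", "input_type": "select",
     "values": [{"value": 96607, "label": "New"},
                {"value": 96608, "label": "Under Investigation"},
                {"value": 96609, "label": "Closed"}]},
    {"name": "virus_investigation_result", "input_type": "text", "values": []},
]


def select_option_id(field_defs, field_name, label):
    """Return the numeric id of a select option by its label; raise if the field or label is unknown."""
    for fdef in field_defs:
        if fdef["name"] == field_name and fdef.get("input_type") == "select":
            for opt in fdef.get("values", []):
                if opt["label"] == label:
                    return opt["value"]
    raise ValueError(f"no select option {label!r} on field {field_name!r}")


def make_change(field, new_value, field_type, old_value=None, trusted_html=False):
    """Build one entry of the "changes" list; the new_value shape depends on the field type."""
    if field_type == "text":
        value = {"text": str(new_value)}
    elif field_type == "select":
        value = int(new_value)  # option id, e.g. 96608 for "Under Investigation"
    elif field_type == "textarea":
        # HTML text areas render in the SOAR UI: escape content you did not author yourself
        content = str(new_value) if trusted_html else html.escape(str(new_value))
        value = {"textarea": {"format": "html", "content": content}}
    else:
        raise ValueError(f"unsupported field type {field_type!r}")
    return {"field": field, "old_value": {} if old_value is None else old_value, "new_value": value}


def build_payload(changes):
    """Wrap change entries in the body expected by PATCH /incidents/{id}."""
    return {"changes": list(changes)}


if __name__ == "__main__":
    status_id = select_option_id(SAMPLE_FIELD_DEFS, "investigation_status", "Under Investigation")
    body = build_payload([
        make_change("virus_investigation_result", "My new value", "text"),
        make_change("investigation_status", status_id, "select"),
        make_change("incident_type_link", '<a href="https://site.company.com/index.html">Index</a>',
                    "textarea", trusted_html=True),
    ])
    print(body)  # pass this as json_body to soar_update_incident()
```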

See also