IBM QRadar SOAR: Working with Incidents with REST API

# Base of the SOAR REST API for one organisation; <ORG_ID> is a placeholder
# for the numeric organisation id.
soar_base_url = "https://soar.company.com/rest/orgs/<ORG_ID>"
# HTTP basic auth with the API key id and secret. Both literals are
# placeholders; real values belong in a secret store, not in the script.
soar_auth = HTTPBasicAuth("api_key", "api_secret")

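def soar_get_incidents(*, verify=True, timeout=30):
    """Query SOAR for incidents that have a virus investigation result but no virus score.

    Sends ``POST {soar_base_url}/incidents/query_paged`` with the module-level
    ``soar_auth`` credentials. The filter keeps incidents whose ``plan_status``
    is ``A`` or ``C``, whose ``properties.virus_investigation_result`` is set
    and whose ``properties.virus_score`` is not.

    Args:
        verify: Forwarded to ``requests``. ``True`` validates the server
            certificate against the default trust store; pass the path of the
            internal CA bundle when SOAR uses a private CA. ``False`` disables
            TLS verification, which lets an on-path party read the API key and
            secret, so it is no longer the default.
        timeout: Seconds to wait for the connection and the response; without
            it a hung server would block the caller indefinitely.

    Returns:
        The decoded JSON body of the 200 response (``Response.json()``).

    Raises:
        RuntimeError: If SOAR answers with any status other than 200; the
            message carries the status code and response text.
    """
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    url = f"{soar_base_url}/incidents/query_paged"
    # field_handle lists the custom fields the filter refers to — presumably so
    # SOAR resolves them in the query; confirm against the SOAR API reference.
    params = {
        "return_level": "full",
        "field_handle": ["virus_investigation_result", "virus_score"],
        "include_records_total": "false",
    }
    json_body = {
        "filters": [
            {
                "conditions": [
                    {"field_name": "plan_status", "method": "in", "value": ["A", "C"]},
                    {"field_name": "properties.virus_investigation_result", "method": "has_a_value"},
                    {"field_name": "properties.virus_score", "method": "not_has_a_value"},
                ]
            }
        ]
    }

    res = requests.post(
        url=url,
        headers=headers,
        json=json_body,
        params=params,
        auth=soar_auth,
        verify=verify,
        timeout=timeout,
    )
    if res.status_code != 200:
        raise RuntimeError(
            f"Failed to fetch incidents: {res.status_code} - {res.text}")
    return res.json()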

# Run the query once at import time; the page of incidents sits under the
# "data" key of the response, or is empty when that key is absent.
json_data = soar_get_incidents()
incidents = json_data["data"] if "data" in json_data else []


Conditions

Has one or more of the values

{ "field_name": "plan_status", "method": "in","value": ["A","C"] }

Does not have any of the values

{ "field_name": "plan_status", "method": "not_in","value": ["A","C"] }


Is Not Empty

{ "field_name": "properties.virus_investigation_result","method": "has_a_value" }

Is Empty

{ "field_name": "properties.virus_score","method": "not_has_a_value" }

Ver também