topic Update an incident via API XSOAR in Cortex XSOAR Discussions

Update an incident via API XSOAR

sanaya — Mon, 19 Jul 2021 17:39:34 GMT

Hi,

I need help about How get via API an incident update. I don't see this option (sorry), I can set a new incident but I don't update an incident. This way must be API, I use this route "/incident".

Can you help me, plase?

Regards

Re: Update an incident via API XSOAR

atullo — Fri, 30 Jul 2021 21:32:30 GMT

Sanaya,

To learn more about XSOAR's API endpoints, you can download the Cortex XSOAR API Guide right from XSOAR itself: Settings > Integrations > API Keys > Download Cortex XSOAR API Guide (also see the screenshot below).

An alternative method for determining the API endpoint and POST body syntax would be to make the desired request in a browser and use its 'Developer Tools' to view the request (see screenshot below for an example)

Please let me know if this answers your question.

Re: Update an incident via API XSOAR

Snader — Wed, 22 Sep 2021 23:32:48 GMT

This answer is insufficient. The poster asked for the API endpoint that can be used to update an incident. That information is not provided anywhere in the reply. Instead, the responder refers the poster to the Cortex XSOAR API Guide which, while being quite lengthy, lacks far more helpful information than it provides. For instance, every definition example in that guide (except for numerical and boolean values, which really don't need examples) is completely useless.

A better solution reply would identify the endpoint and provide a detailed example of a typical request message body that modifies an incident's required, optional, and custom fields. Bonus points for some explanations on how to avoid common "bad request" errors for that endpoint.

Re: Update an incident via API XSOAR

ABurt — Thu, 23 Sep 2021 12:11:56 GMT

Use the endpoint "/incident" with POST data. There are some details that are worth going through though:

The POST data must contain all the investigation data. If you do not provide the field data for a specific field, it will be wiped from the investigation.
You must match up the "version" at which the current incident is at.

To satisfy the above, the easiest method would be:

Use the "/investigation/<incident-id>" in a POST request to obtain the latest information of the investigation
1. This requires the headers to include the API token in the "Authorization" key and "Content-Type" to be "application/json"
2. This will return a JSON of the current state of the investigation. You make changes to this JSON data.
Send the changed JSON data back using the POST method to the "/incident" endpoint
1. Use the modified JSON in the payload
2. Headers are the same as the previous POST request

The result should be instant.

The reasoning behind the "version" match is that changes should be made to latest version of the incident to prevent race-conditions. If you specify a version number that is not the latest (i.e. someone else made a change just before you did) then the call will fail with the error:

{ "id": "errOptimisticLock", "status": 400, "title": "Optimistic lock error", "detail": "Optimistic lock error", "error": "DB Version '4' and Insert version '10' do not match for id: 97 on bucket [] [incidents] (15)", "encrypted": false, "multires": null }

The DB version will show which version you sent the change for and the version that the incident is currently at.

I hope this helps.

Re: Update an incident via API XSOAR

ABurt — Fri, 24 Sep 2021 09:44:24 GMT

@sanaya Please let me know if this helps in your situation.