Update an incident via API XSOAR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Update an incident via API XSOAR

L0 Member

Hi,

 

I need help about How get via API an incident update. I don't see this option (sorry), I can set a new incident but I don't update an incident. This way must be API, I use this route "/incident".

 

Can you help me, plase?

 

 

Regards

4 REPLIES 4

L2 Linker

Sanaya,

 To learn more about XSOAR's API endpoints, you can download the Cortex XSOAR API Guide right from XSOAR itself: Settings > Integrations > API Keys > Download Cortex XSOAR API Guide (also see the screenshot below).

 

An alternative method for determining the API endpoint and POST body syntax would be to make the desired request in a browser and use its 'Developer Tools' to view the request (see screenshot below for an example)

 

Please let me know if this answers your question. 

 

atullo_0-1627678715044.png

 

 

 

atullo_1-1627680612200.png

 

This answer is insufficient. The poster asked for the API endpoint that can be used to update an incident. That information is not provided anywhere in the reply. Instead, the responder refers the poster to the Cortex XSOAR API Guide which, while being quite lengthy, lacks far more helpful information than it provides. For instance, every definition example in that guide (except for numerical and boolean values, which really don't need examples) is completely useless.

A better solution reply would identify the endpoint and provide a detailed example of a typical request message body that modifies an incident's required, optional, and custom fields. Bonus points for some explanations on how to avoid common "bad request" errors for that endpoint.

Use the endpoint "/incident" with POST data. There are some details that are worth going through though:


  1. The POST data must contain all the investigation data. If you do not provide the field data for a specific field, it will be wiped from the investigation.
  2. You must match up the "version" at which the current incident is at.

 

To satisfy the above, the easiest method would be:

 

  1. Use the "/investigation/<incident-id>" in a POST request to obtain the latest information of the investigation
    1. This requires the headers to include the API token in the "Authorization" key and "Content-Type" to be "application/json"
    2. This will return a JSON of the current state of the investigation. You make changes to this JSON data.
  2. Send the changed JSON data back using the POST method to the "/incident" endpoint
    1. Use the modified JSON in the payload
    2. Headers are the same as the previous POST request

 

The result should be instant.

 

The reasoning behind the "version" match is that changes should be made to latest version of the incident to prevent race-conditions. If you specify a version number that is not the latest (i.e. someone else made a change just before you did) then the call will fail with the error:


 

 

{
    "id": "errOptimisticLock",
    "status": 400,
    "title": "Optimistic lock error",
    "detail": "Optimistic lock error",
    "error": "DB Version '4' and Insert version '10' do not match for id: 97 on bucket [] [incidents] (15)",
    "encrypted": false,
    "multires": null
}

 

 
The DB version will show which version you sent the change for and the version that the incident is currently at.
 
I hope this helps.

L3 Networker

@sanaya Please let me know if this helps in your situation.

  • 4322 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!