About Snader

Snader · ‎09-22-2021

I am attempting to close a single incident via the XSOAR API and the Batch Close Incidents endpoint (POST /incident/batchClose). The information about my request and the response are posted below. The status of the incident was new before I sent the close request and does not appear to have changed after sending the request even though the response status code is 200. The incident was not modified at all. What am I doing wrong? POST https://xsoar.xyz.com/incident/batchClose HTTP 200 Request Headers Authorization: xxxxx Content-Type: application/json User-Agent: PostmanRuntime/7.28.0 Accept: */* Host: xsoar.xyz.com Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 109 Request Body { "closeNotes": "TEST Close Notes", "closeReason": "TEST Close Reason", "filter": {"id": ["34595"]} } Response Headers Content-Type: application/json Server-Timing: 330 Strict-Transport-Security: max-age=10886400000000000; includeSubDomains Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Xss-Protection: 1; mode=block Date: Wed, 22 Sep 2021 21:46:32 GMT Transfer-Encoding: chunked Response Body { "total": 1, "data": [ { "id": "34595", "version": 4, "modified": "2021-09-20T15:34:44.220359105-05:00", "sortValues": null, "roles": null, "allRead": false, "allReadWrite": false, "previousRoles": null, "previousAllRead": false, "previousAllReadWrite": false, "hasRole": false, "dbotCreatedBy": "cdena", "ShardID": 0, "CustomFields": { "actionsoncampaignincidents": "Close", "csoctimer": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "csvdomain": [ {}, {}, {} ], "dbotpredictionprobability": 0, "detectionsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 20, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "endpoint": [ {} ], "isactive": "true", "qtemailsearchresults": [ {}, {}, {} ], "qtipsearchresults": [ {}, {}, {} ], "qturlsearchresults": [ {}, {}, {} ], "remediationsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 7200, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "selectaction": "", "similarincidentsdbot": [ {} ], "splunkemailresults": [ {}, {}, {} ], "timetoassignment": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "urlsslverification": [] }, "account": "", "autime": 1632170083637240196, "type": "No Playbook Developed", "rawType": "No Playbook Developed", "name": "XSOAR Integration Test", "rawName": "XSOAR Integration Test", "status": 1, "reason": "", "created": "2021-09-20T15:34:43.637240196-05:00", "occurred": "2021-09-20T15:34:43.637239603-05:00", "closed": "0001-01-01T00:00:00Z", "sla": 0, "severity": 0, "investigationId": "34595", "labels": [ { "value": "cdena", "type": "Instance" }, { "value": "Manual", "type": "Brand" } ], "attachment": null, "details": "", "openDuration": 0, "lastOpen": "0001-01-01T00:00:00Z", "closingUserId": "", "owner": "cdena", "activated": "0001-01-01T00:00:00Z", "closeReason": "", "rawCloseReason": "", "closeNotes": "", "playbookId": "1321d4de-9f5f-4150-8e3e-01bf2e7b9799", "dueDate": "2021-10-04T15:34:43.637240196-05:00", "reminder": "0001-01-01T00:00:00Z", "runStatus": "waiting", "notifyTime": "2021-09-20T15:34:44.212182182-05:00", "phase": "", "rawPhase": "", "isPlayground": false, "rawJSON": "", "parent": "", "category": "", "rawCategory": "", "linkedIncidents": null, "linkedCount": 0, "droppedCount": 0, "sourceInstance": "cdena", "sourceBrand": "Manual", "canvases": null, "lastJobRunTime": "0001-01-01T00:00:00Z", "feedBased": false, "dbotMirrorId": "", "dbotMirrorInstance": "", "dbotMirrorDirection": "", "dbotDirtyFields": null, "dbotCurrentDirtyFields": null, "dbotMirrorTags": null, "dbotMirrorLastSync": "0001-01-01T00:00:00Z", "isDebug": false, "changeStatus": "", "insights": 0 } ], "notUpdated": 0, "searchAfter": null, "searchBefore": null, "searchAfterElastic": null, "searchBeforeElastic": null }

Snader · ‎09-22-2021

This answer is insufficient. The poster asked for the API endpoint that can be used to update an incident. That information is not provided anywhere in the reply. Instead, the responder refers the poster to the Cortex XSOAR API Guide which, while being quite lengthy, lacks far more helpful information than it provides. For instance, every definition example in that guide (except for numerical and boolean values, which really don't need examples) is completely useless. A better solution reply would identify the endpoint and provide a detailed example of a typical request message body that modifies an incident's required, optional, and custom fields. Bonus points for some explanations on how to avoid common "bad request" errors for that endpoint.

Snader · ‎09-22-2021

Where is the solution? Links do not appear to work.

Member Since	‎09-22-2021 03:36 PM
Date Last Visited	‎10-15-2021 10:45 PM
Posts	3

Online Status	Offline
Date Last Visited	‎10-15-2021 10:45 PM

About Snader

Does XSOAR API Batch Close Incidents Endpoint Work?

Re: Update an incident via API XSOAR

Re: Update an incident via API in CORTEX XSOAR

Re: Update an incident via API XSOAR

Does XSOAR API Batch Close Incidents Endpoint Work?

Re: Update an incident via API XSOAR

Re: Update an incident via API in CORTEX XSOAR