Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About Snader
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About Snader
10-15-2021
3Posts
0Likes
0Solutions
Oct 15, 2021Last Visited
User
Activity
User
Profile
Latest posts by Snader
| Subject | Views | Posted |
|---|---|---|
| 372 | 09-22-2021 05:27 PM | |
| 502 | 09-22-2021 04:32 PM | |
| 362 | 09-22-2021 03:38 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 09-22-2021 03:36 PM |
| Date Last Visited | 10-15-2021 10:45 PM |
| Posts | 3 |
09-22-2021
05:27 PM
I am attempting to close a single incident via the XSOAR API and the Batch Close Incidents endpoint (POST /incident/batchClose). The information about my request and the response are posted below. The status of the incident was new before I sent the close request and does not appear to have changed after sending the request even though the response status code is 200. The incident was not modified at all. What am I doing wrong? POST https://xsoar.xyz.com/incident/batchClose HTTP 200 Request Headers Authorization: xxxxx Content-Type: application/json User-Agent: PostmanRuntime/7.28.0 Accept: */* Host: xsoar.xyz.com Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 109 Request Body { "closeNotes": "TEST Close Notes", "closeReason": "TEST Close Reason", "filter": {"id": ["34595"]} } Response Headers Content-Type: application/json Server-Timing: 330 Strict-Transport-Security: max-age=10886400000000000; includeSubDomains Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Xss-Protection: 1; mode=block Date: Wed, 22 Sep 2021 21:46:32 GMT Transfer-Encoding: chunked Response Body { "total": 1, "data": [ { "id": "34595", "version": 4, "modified": "2021-09-20T15:34:44.220359105-05:00", "sortValues": null, "roles": null, "allRead": false, "allReadWrite": false, "previousRoles": null, "previousAllRead": false, "previousAllReadWrite": false, "hasRole": false, "dbotCreatedBy": "cdena", "ShardID": 0, "CustomFields": { "actionsoncampaignincidents": "Close", "csoctimer": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "csvdomain": [ {}, {}, {} ], "dbotpredictionprobability": 0, "detectionsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 20, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "endpoint": [ {} ], "isactive": "true", "qtemailsearchresults": [ {}, {}, {} ], "qtipsearchresults": [ {}, {}, {} ], "qturlsearchresults": [ {}, {}, {} ], "remediationsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 7200, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "selectaction": "", "similarincidentsdbot": [ {} ], "splunkemailresults": [ {}, {}, {} ], "timetoassignment": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 }, "urlsslverification": [] }, "account": "", "autime": 1632170083637240196, "type": "No Playbook Developed", "rawType": "No Playbook Developed", "name": "XSOAR Integration Test", "rawName": "XSOAR Integration Test", "status": 1, "reason": "", "created": "2021-09-20T15:34:43.637240196-05:00", "occurred": "2021-09-20T15:34:43.637239603-05:00", "closed": "0001-01-01T00:00:00Z", "sla": 0, "severity": 0, "investigationId": "34595", "labels": [ { "value": "cdena", "type": "Instance" }, { "value": "Manual", "type": "Brand" } ], "attachment": null, "details": "", "openDuration": 0, "lastOpen": "0001-01-01T00:00:00Z", "closingUserId": "", "owner": "cdena", "activated": "0001-01-01T00:00:00Z", "closeReason": "", "rawCloseReason": "", "closeNotes": "", "playbookId": "1321d4de-9f5f-4150-8e3e-01bf2e7b9799", "dueDate": "2021-10-04T15:34:43.637240196-05:00", "reminder": "0001-01-01T00:00:00Z", "runStatus": "waiting", "notifyTime": "2021-09-20T15:34:44.212182182-05:00", "phase": "", "rawPhase": "", "isPlayground": false, "rawJSON": "", "parent": "", "category": "", "rawCategory": "", "linkedIncidents": null, "linkedCount": 0, "droppedCount": 0, "sourceInstance": "cdena", "sourceBrand": "Manual", "canvases": null, "lastJobRunTime": "0001-01-01T00:00:00Z", "feedBased": false, "dbotMirrorId": "", "dbotMirrorInstance": "", "dbotMirrorDirection": "", "dbotDirtyFields": null, "dbotCurrentDirtyFields": null, "dbotMirrorTags": null, "dbotMirrorLastSync": "0001-01-01T00:00:00Z", "isDebug": false, "changeStatus": "", "insights": 0 } ], "notUpdated": 0, "searchAfter": null, "searchBefore": null, "searchAfterElastic": null, "searchBeforeElastic": null }
... View more
09-22-2021
04:32 PM
This answer is insufficient. The poster asked for the API endpoint that can be used to update an incident. That information is not provided anywhere in the reply. Instead, the responder refers the poster to the Cortex XSOAR API Guide which, while being quite lengthy, lacks far more helpful information than it provides. For instance, every definition example in that guide (except for numerical and boolean values, which really don't need examples) is completely useless. A better solution reply would identify the endpoint and provide a detailed example of a typical request message body that modifies an incident's required, optional, and custom fields. Bonus points for some explanations on how to avoid common "bad request" errors for that endpoint.
... View more
09-22-2021
03:38 PM
Where is the solution? Links do not appear to work.
... View more
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
