I'm new to Qradar and facing difficulties in understanding filter parameter in Qradar REST api /siem/offenses. Can anyone suggest me how to use filter based on offense 'rules' field? As rules is a list of JSON objects, i'm finding it difficult to write filter.
sample offense with rules field
{
"username_count": 1,
"description": "String",
"rules": [
{
"id": 1,
"type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
}```
]
}
We experienced a similar issue and find a way out, you can use 'contains' keyword to access list elements. For example, to filter rules[0]["id"] you could use:
rules contains (id = 42)
Related
I have below JSON which I need to update inside a logic app
{
"name": "SampleDoc",
"type": "123",
"properties": {
"GP.Test": "M1",
"MG.Test": "C1"
}
}
I have used following setProperty syntax: -
#setProperty(variables('ResponseBody'),'properties', setProperty(variables('ResponseBody')['properties'], 'test','abc'),
setProperty(variables('ResponseBody')['properties'], 'GP.Test','M2'))
My desired JSON output should be
{
"name": "SampleDoc",
"type": "123",
"properties": {
"GP.Test": "M2",
"MG.Test": "C1"
}
}
But when I am running this, I am getting this error: -
InvalidTemplate. Unable to process template language expressions in action 'Compose' inputs at line '1' and column '2617': 'The provided property name 'GP.Test' has these invalid characters '.'. The name cannot contain any of the following symbols: '[, ], .'.'.
Could anyone suggest if we can handle '.' inside compose or any other way for achieving this?
Yes that is correct behavior that is occurring in the logic apps. The reason is that you have used the set property function to set the value of the GP.Test property. When working with the expressions in logic apps, the '.' operator is reserved operator and will be used to access sub properties etc of the expressions, functions etc. Hence you get the error. The solution to this is actually simple, you use the compose action directly without using the set property. Sample screenshot below.
Or if you want complex transformations, then using the liquid transformations through the integration account is the way to go
I'm having a hard time finding for the API in getting the contacts of the people who open the newsletter after sending it to a list of email. In the official API documentation of GetResponse, I didn't find a solution. Any idea or suggestion can help. thanks.
Though it's rather old now, I'll try to answer, maybe it helps someone.
Just as inside GetResponse web interface, you'll need to search contacts according to some criteria. These pages of the API docs describe how this is done:
http://apidocs.getresponse.com/v3/resources/search-contacts
Search contacts is the most complex part of the API. To save a search of contacts who opened a particular message you'll need to POST something like below to https://api.getresponse.com/v3/search-contacts/:
{
"name": "test_conditions", //can be any you like
"subscribersType": [
"subscribed" //can also be "undelivered", "removed" and "unconfirmed"
],
"sectionLogicOperator": "or", //or "and"
"section": [ //section can have up to 8 conditions; one saved search can have up to 4 sections
{
"campaignIdsList": [
"V" //you'll need to get campaigns' IDs with http://apidocs.getresponse.com/v3/resources/campaigns#campaigns.get.all
],
"logicOperator": "or",
"subscriberCycle": [
"receiving_autoresponder",
"not_receiving_autoresponder"
],
"subscriptionDate": "all_time", //"today", "yesterday", "this_month", "last_month", "this_week", "last_week" are also possible
"conditions": [
{
"conditionType": "opened",
"operatorType": "message_operator",
"operator": "autoresponder", //or "newsletter", or "split"
"value": "WTjXF" //message id, should be firstly got with a separate API call
}
]
}
]
}
More info on how the payload for such requests should be formed is here: http://apidocs.getresponse.com/v3/resources/search-contacts-reference
And the last point: if you don't need to save a search but only get the emails who've opened a message, in the object above you should remove the "name" property and post this to http://apidocs.getresponse.com/v3/search-contacts/contacts
More: http://apidocs.getresponse.com/v3/resources/search-contacts#search-contacts.contacts.form
I'm using the graph search method of the Microsoft Academic API to retrieve citation IDs and reference IDs for a paper. However, while retrieving citation IDs works, the reference IDs field is always empty, even for papers which should have linked references. For example, retrieving this publication through the API:
POST https://westus.api.cognitive.microsoft.com/academic/v1.0/graph/search?mode=json
Content-Type: application/json
Host: westus.api.cognitive.microsoft.com
Ocp-Apim-Subscription-Key: my-api-key
{
"path": "/paper",
"paper": {
"select": [
"OriginalTitle",
"CitationIDs",
"ReferenceIDs"
],
"type": "Paper",
"id": [2059999322]
}
}
yields this response (I shortened the CitationIDs list for the sake of legibility):
{
"Results": [
[
{
"CellID": 2059999322,
"CitationIDs": "[630584464,2053566310,2239657960,...]",
"OriginalTitle": "Biodistribution of colloidal gold nanoparticles after intravenous administration: Effect of particle size",
"ReferenceIDs": ""
}
]
]
}
One thing I've noticed is that the graph schema provided here (at the bottom of the page) doesn't match the schema shown here (some of the attributes were renamed, e.g. NormalizedPaperTitle -> NormalizedTitle), so I thought the field was perhaps renamed to something else.
What is the correct query to get reference IDs through the API?
It should be ReferencesIDs, not ReferenceIDs
Our goal is to develop API where you can POST /data/save/ that will accept some JSON data like below. The main requirement that JSON should contain one of the following attributes:
"attribute1", "attribute2", "attribute3". Namely when one attribute is exist another one should not exist.
{
"name": "test name",
"attribute1": [
"test1", "test2"
]
or
"attribute2": [
"test3", "test4"
]
or
"attribute3": true
}
The question is how to correctly design such API that it will be easy to use and not confused from the client side.
It would be good to know some best practices in such direction.
I would return a
400 Bad Request
The request could not be understood by the server due to malformed
syntax. The client SHOULD NOT repeat the request without
modifications.
and a phrase explaining that multiple attributes are not supported.
I agree such API is confusing for client side.
What's about creating different endpoints:
POST /data/save/attribute1 json_1
POST /data/save/attribute2 json_2
A custom media type should clarify how to use your API. It should specify what to include in your request.
Another solution might be, building the request like this:
{
"name": "test name",
"attr-key": "my-attribute1",
"values": ["test1", "test2"]
}
Using extractions api in keen.io I can't get back specific properties that are objects.
curl "https://api.keen.io/3.0/projects/PROJECT_ID/queries/extraction?api_key=READ_KEY&event_collection=COLLECTION_NAME&timeframe=this_7_days"
Gives me back all properties, let's say
{"result": [
{
"userId": 1,
"keen": {"timestamp": 'val', "created_at": 'val'},
"name":'val'
}
]}
But if I want to get just "userId" and "keen", the "keen" gets ignored.
curl "https://api.keen.io/3.0/projects/PROJECT_ID/queries/extraction?api_key=READ_KEY&event_collection=COLLECTION_NAME&timeframe=this_7_days&property_names=["userId","keen"]"
{"result": [{"userId": 1}...]}
I also noticed that I can get back specific properties from keen object if I specify:
property_names=["userId", "keen.timestamp"]
Result
{"result": [
{
"userId":"1",
"keen":{"timestamp":"val"}
}
]}
But I would like to get the whole object without specifying all properties. I have a top level property that is an object with many properties.
After contacting keen.io (very responsive and informative) I confirmed that retrieving just specified object with all its properties is not implemented at the moment and the only solution for now is to either get all of them or specify each property in the request (like i did in question above).
They will discuss adding this feature as it makes sense to have it working like that.