On Call Manager for IBM SOAR¶
Table of Contents¶
Release Notes¶
Version |
Date |
Notes |
---|---|---|
1.0.0 |
07/2025 |
Initial Release |
Overview¶
On Call Manager for IBM SOAR
This app allows the creation of Events, updating Incidents, retrieving the details of incidents and the details of events in On Call Manager from SOAR.
Links:
Key Features¶
Create an event
Create a comment on an incident
List incidents
Update an incident
Get details of an event
Get details of an incident
Query incidents
Requirements¶
This app supports the IBM Security QRadar SOAR Platform and the IBM Security QRadar SOAR for IBM Cloud Pak for Security.
SOAR platform¶
The SOAR platform supports two app deployment mechanisms, Edge Gateway (also known as App Host) and integration server.
If deploying to a SOAR platform with an App Host, the requirements are:
SOAR platform >=
51.0.0.0.9339
.The app is in a container-based format (available from the AppExchange as a
zip
file).
If deploying to a SOAR platform with an integration server, the requirements are:
SOAR platform >=
51.0.0.0.9339
.The app is in the older integration format (available from the AppExchange as a
zip
file which contains atar.gz
file).Integration server is running
resilient-circuits>=51.0.0.0.0
.If using an API key account, make sure the account provides the following minimum permissions:
Name
Permissions
Org Data
Read
Function
Read
Layout
Read, Write
Incident.Fields
Write
The following SOAR platform guides provide additional information:
Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.
System Administrator Guide: provides the procedure to install, configure and deploy apps.
The above guides are available on the IBM Documentation website at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the Edge Gateway Deployment Guide, App Host Deployment Guide, or Integration Server Guide by expanding Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.
Cloud Pak for Security¶
If you are deploying to IBM Cloud Pak for Security, the requirements are:
IBM Cloud Pak for Security >=
1.10.15
.Cloud Pak is configured with an Edge Gateway.
The app is in a container-based format (available from the AppExchange as a
zip
file).
The following Cloud Pak guides provide additional information:
Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.
System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security IBM Documentation table of contents, select Case Management and Orchestration & Automation > System administrator.
These guides are available on the IBM Documentation website at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific IBM Documentation page, select Case Management and Orchestration & Automation.
Proxy Server¶
The app does support a proxy server.
Python Environment¶
Python 3.9, 3.11, and 3.12 are officially supported. When deployed as an app, the app runs on Python 3.11. Additional package dependencies may exist for each of these packages:
resilient-circuits>=51.0.0.0.0
Development Version¶
This app has been implemented using:
Product Name |
Product Version |
API URL |
API Version |
---|---|---|---|
On Call Manager |
NA |
https://pages.github.ibm.com/cem-notification/swagger-api-document/incidents/ |
v1 |
Installation¶
Install¶
To install or uninstall an App or Integration on the SOAR platform, see the documentation at ibm.biz/soar-docs.
To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.
App Configuration¶
The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.
Config |
Required |
Example |
Description |
---|---|---|---|
client_auth_cert |
No |
|
Client auth certificate |
client_auth_key |
No |
|
Client auth keys |
ocm_api_key_name |
Yes |
|
API key name from On Call Manager. |
ocm_api_key_pass |
Yes |
|
API key pass from On Call Manager. |
ocm_url |
Yes |
|
On Call Manager API url. |
verify |
No |
|
True, Fa lse, or a path the a certificate file. |
Function - On Call Manager: Create Comment¶
Creates a comment for the incident
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
The user creating the comment |
|
|
No |
|
Comment to add to the incident |
|
|
Yes |
|
Incident id for the incident to be updated |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": {},
"inputs": {
"ocm_comment_author": "me",
"ocm_incident_comment": "hello",
"ocm_incident_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"metrics": {
"execution_time_ms": 6816,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-05-23 11:13:18",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
inputs.ocm_comment_author = playbook.inputs.ocm_comment_author
inputs.ocm_incident_comment = playbook.inputs.ocm_incident_comment
inputs.ocm_incident_id = playbook.inputs.ocm_incident_id
Example Function Post Process Script:
results = playbook.functions.results.ocm_create_comment_return
if results.get("success", None):
incident.addNote("On Call Manager: Create Comment was successful.")
else:
incident.addNote(f"On Call Manager: Create Comment failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: Create Event¶
Create an event
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
This is the key used to determine if two instances of an event record presented to the system de-duplicate. If present prevents construction of identifier for de-duplication. If not present the Identifier will be constructed from the resource and type fields. |
|
|
No |
|
A dictionary. Additional properties for the event, key,value value may be string or integer. |
|
|
No |
|
The number of seconds after which the event will be cleared, if there have been no further occurrence |
|
|
No |
|
Priority |
|
|
No |
|
True if this is a resolution event |
|
|
Yes |
|
Severity |
|
|
Yes |
|
Contains text which describes the event condition |
|
|
No |
|
The project or namespace the resource is part of |
|
|
No |
|
The application that caused the event |
|
|
No |
|
The cluster that caused the event |
|
|
No |
|
The component that caused the event |
|
|
No |
|
The controller that caused the event |
|
|
No |
|
This is the key used to determine if event records presented to the system should be correlated to the same incident. If present, it prevents construction of a corelation key, if not present the corelation will be constructed from the resource. |
|
|
No |
|
The display name for the resource |
|
|
No |
|
The fully qualified hostname |
|
|
No |
|
The interface reporting the issue |
|
|
No |
|
The IP address of the device |
|
|
No |
|
Where the event is being reported from |
|
|
Yes |
|
The name of the resource causing the event. Identifies the primary resource that the event is affecting |
|
|
No |
|
The port reporting the issue |
|
|
No |
|
The service that caused the event |
|
|
No |
|
The id the resource is known by in the source system |
|
|
No |
|
The type of the resource causing the event. Should be used to identify the primary resource that the event is affecting. The value of the type field can be one of the defined key types for resources, eg Application, Server, Service, Cluster. Or it can be a user defined value. If a defined value is used, then the event processing may make use of it during processing. |
|
|
Yes |
|
The SOAR incident ID |
|
|
No |
|
Description of the type of the event. E.g. Utilization, System status, Threshold breach |
|
|
No |
|
The status or the threshold causing the event. E.g. Down, 95%, Unavailable |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": {
"deduplicationKey": "abc",
"eventid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"inputs": {
"ocm_event_priority": "3",
"ocm_event_severity": "Minor",
"ocm_event_summary": "failure somewhere",
"ocm_resource_name": "Something failed",
"ocm_soar_inc_id": 2174,
"ocm_type_statusorthreshold": "\u003e 1 minute"
},
"metrics": {
"execution_time_ms": 1052,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-07-08 11:37:32",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
inputs.ocm_soar_inc_id = incident.id
inputs.ocm_resource_name = playbook.inputs.ocm_resource_name
inputs.ocm_event_summary = playbook.inputs.ocm_event_summary
inputs.ocm_event_severity = playbook.inputs.ocm_event_severity
if getattr(playbook.inputs, "ocm_event_priority", None):
inputs.ocm_event_priority = playbook.inputs.ocm_event_priority
if not getattr(playbook.inputs, "ocm_type_statusorthreshold", None) and not getattr(playbook.inputs, "ocm_type_eventtype", None):
helper.fail("Either ocm_type_statusorthreshold or ocm_type_eventtype must be given.")
if getattr(playbook.inputs, "ocm_type_statusorthreshold", None):
inputs.ocm_type_statusorthreshold = playbook.inputs.ocm_type_statusorthreshold
if getattr(playbook.inputs, "ocm_type_eventtype", None):
inputs.ocm_type_eventtype = playbook.inputs.ocm_type_eventtype
# Example input for adding custom properties to the On Call Manager event.
#inputs.ocm_event_details = {"subject":"Example subject", "reason":"something happened", "country":"US", "region":"NA"}
Example Function Post Process Script:
from json import dumps
results = playbook.functions.results.ocm_create_event_return
if results.get("success", None):
incident.addNote(f"On Call Manager: Create Event was successful and returned:\n{dumps(results.get('content', {}), indent=4)}")
else:
incident.addNote(f"On Call Manager: Create Event failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: Get Event¶
Get the details of an event
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
This is the key used to determine if two instances of an event record presented to the system de-duplicate. If present prevents construction of identifier for de-duplication. If not present the Identifier will be constructed from the resource and type fields. |
|
|
Yes |
|
ID of the event. |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": {
"accessScopes": [],
"deduplicationKey": "abc",
"eventSource": "Event API",
"eventState": "open",
"eventid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"firstOccurrence": "2025-07-08T15:37:31.545Z",
"incidentUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"instanceUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastOccurrence": "2025-07-08T15:37:31.545Z",
"maxSeverity10Seen": 40,
"postTime": "2025-07-08T15:37:31.570Z",
"resource": {
"name": "Something failed",
"type": "Unknown"
},
"severity": 3,
"severity10": 40,
"summary": "failure somewhere",
"suppressed": false,
"type": {
"statusOrThreshold": "\u003e 1 minute"
},
"urls": [
{
"description": "Link to the SOAR incident.",
"url": "https://example.com"
}
],
"xInYSuppressed": false
},
"inputs": {
"ocm_deduplicationkey": "***",
"ocm_eventid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"metrics": {
"execution_time_ms": 480,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-07-08 11:37:36",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
# Both eventid and deduplicationKey are required inputs
results = playbook.functions.results.ocm_create_event_return
content = results.get("content", {})
if content:
inputs.ocm_deduplicationkey = content.get("deduplicationKey", None)
inputs.ocm_eventid = content.get("eventid", None)
Example Function Post Process Script:
results = playbook.functions.results.ocm_get_event_results
if not results.get("success", None):
incident.addNote(f"On Call Manager: Get Event failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: Get Incident¶
Get the details of an On Call Manager incident
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
Yes |
|
Incident id for the incident to be updated |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": {
"accessScopes": [],
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"name": "Something failed"
},
"createdTime": "2025-07-08T15:37:31.545Z",
"description": "Name: Something failed",
"displayId": "0000-34m1",
"escalated": false,
"eventSummary": {
"events": 1,
"maxSeverities10Seen": [
{
"count": 1,
"severity": 40
}
],
"openSeverities10": [
{
"count": 1,
"severity": 40
}
],
"severities": [
{
"count": 1,
"severity": 3
}
],
"severities10": [
{
"count": 1,
"severity": 40
}
]
},
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-07-08T15:37:33.436Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"state": "unassigned",
"summary": "Name: Something failed",
"team": "-",
"wasEscalated": false
},
"inputs": {
"ocm_incident_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"metrics": {
"execution_time_ms": 571,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-07-08 11:37:38",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
inputs.ocm_incident_id = playbook.inputs.ocm_incident_id
Example Function Post Process Script:
from datetime import datetime
results = playbook.functions.results.ocm_get_incident_results
if results.get("success", None):
incident.properties.ocm_tab_visible = True
inc = results.get("content", {})
if incident.properties.ocm_incident_id:
# If incident property ocm incident id has a value then add the incident data to the data table
row = incident.addRow("on_call_manager_incidents")
row['ocm_query_time'] = int(datetime.now().timestamp()*1000)
row['ocm_incident_state'] = inc.get("state", None)
row["ocm_incident_summary"] = inc.get("summary", None)
row['ocm_incident_description'] = inc.get("description", None)
row['ocm_incident_owner'] = inc.get("owner", None)
row['ocm_incident_team'] = inc.get("team", None)
row['ocm_incident_id'] = inc.get("id", "").strip()
row['ocm_incident_display_id'] = inc.get("displayId", None)
row['ocm_incident_last_changed'] = int(datetime.strptime(inc.get("lastChanged", None)[:-1], "%Y-%m-%dT%H:%M:%S.%f").timestamp()*1000) if inc.get("lastChanged", None) else None
row['ocm_incident_priority'] = inc.get("priority", None)
else: # else add the incident data to the incident properties
incident.name = inc.get("summary", None)
incident.description = inc.get("description", None)
incident.properties.ocm_incident_assigned_owner = inc.get("owner", None)
incident.properties.ocm_incident_assigned_team = inc.get("team", None)
incident.properties.ocm_incident_description = inc.get("description", None)
incident.properties.ocm_incident_display_id = inc.get("displayId", None)
incident.properties.ocm_incident_id = inc.get("id", None)
incident.properties.ocm_incident_priority = inc.get("priority", None)
incident.properties.ocm_incident_state = inc.get("state", None)
incident.properties.ocm_incident_summary = inc.get("summary", None)
incident.properties.ocm_incident_last_changed_time = int(datetime.strptime(inc.get("lastChanged", None)[:-1], "%Y-%m-%dT%H:%M:%S.%f").timestamp()*1000) if inc.get("lastChanged", None) else None
else:
incident.addNote(f"On Call Manager: Get Incident failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: List Incidents¶
List incidents in a team, owner, or default queue. Specify only owner to get a personal queue. Specify only team for a team queue. Omit owner and team to fetch incidents that are on the default queue.
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
Include the event summary for each matching incident. |
|
|
No |
|
Fetch only incidents on the queue associated with this owner. This parameter takes precedence over group. If no owner or group is specified, then incidents are retrieved from the default queue. Use a single dash(-) to clear the owner value. |
|
|
No |
|
Fetch only incidents on the queue associated with this Group. Ignored if owner is specified. If no owner or group is specified, then incidents are retrieved from the default queue. Use a single dash(-) to clear the group value. |
|
|
No |
|
Include the event type and resource property counts for each matching incident. |
|
|
No |
|
Limit the returned matching incidents to the first N incidents starting with _start index. Default value : 9999 |
|
|
No |
|
Return the matching incidents starting from the specified 1 based index. Default 1 |
|
|
No |
|
Stream the results |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": [
{
"accessScopes": [],
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"cluster": "SAMPLE - Pipeline Project"
},
"createdTime": "2025-05-23T14:29:03.698Z",
"description": "Cluster: SAMPLE - Pipeline Project",
"displayId": "0000-20m1",
"escalated": false,
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-05-23T14:29:10.258Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"state": "unassigned",
"summary": "Cluster: SAMPLE - Pipeline Project",
"team": "-",
"wasEscalated": false
},
{
"accessScopes": [],
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"application": "SAMPLE - Online Sales"
},
"createdTime": "2025-05-23T14:29:00.871Z",
"description": "Application: SAMPLE - Online Sales",
"displayId": "0000-19m1",
"escalated": false,
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-05-23T14:29:14.512Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"state": "unassigned",
"summary": "Application: SAMPLE - Online Sales",
"team": "-",
"wasEscalated": false
}
],
"inputs": {},
"metrics": {
"execution_time_ms": 3845,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-05-23 10:45:17",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
if getattr(playbook.inputs, "ocm_start", None):
inputs.ocm_start = getattr(playbook.inputs, "ocm_start", None)
if getattr(playbook.inputs, "ocm_limit", None):
inputs.ocm_limit = getattr(playbook.inputs, "ocm_limit", None)
if getattr(playbook.inputs, "ocm_incident_owner", None):
inputs.ocm_incident_owner = getattr(playbook.inputs, "ocm_incident_owner", None)
if getattr(playbook.inputs, "ocm_incident_team", None):
inputs.ocm_incident_team = getattr(playbook.inputs, "ocm_incident_team", None)
Example Function Post Process Script:
from datetime import datetime
results = playbook.functions.results.ocm_list_incidents_return
if results.get("success", None):
content = results.get("content", [])
if content:
incident.properties.ocm_tab_visible = True
for inc in content:
row = incident.addRow("on_call_manager_incidents")
row['ocm_query_time'] = int(datetime.now().timestamp()*1000)
row['ocm_incident_state'] = inc.get("state", None)
row["ocm_incident_summary"] = inc.get("summary", None)
row['ocm_incident_description'] = inc.get("description", None)
row['ocm_incident_owner'] = inc.get("owner", None)
row['ocm_incident_team'] = inc.get("team", None)
row['ocm_incident_id'] = inc.get("id", "").strip()
row['ocm_incident_display_id'] = inc.get("displayId", None)
row['ocm_incident_last_changed'] = int(datetime.strptime(inc.get("lastChanged", None)[:-1], "%Y-%m-%dT%H:%M:%S.%f").timestamp()*1000) if inc.get("lastChanged", None) else None
row['ocm_incident_priority'] = inc.get("priority", None)
else:
incident.addNote(f"On Call Manager: List Incidents failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: Query Incidents¶
Query incidents for a given period of time based on properties of the incident or properties of the events correlated to the incidents. By default, incidents created in the last 7 days will be retrieved and filtered. A start time and end time can be provided to define the time range, but the range is limited to a 30 day period. The query also has a limit of 500 incidents being returned for any query. Incidents can be requested by incident properties, like incident priority and incident state. You can also set 1 or more event filters that set conditions on events that must be correlated to an incident for it to be included in the query results. You can filter only on incident properties, only on properties of the correlated events, or a combination of the two.
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
Ending UTC timestamp (YYYY-MM-DDTHH:mm:SS.sssZ) for range of incidents to query - - will default to current time. This time is compared to the “created” time of an incident to determine if the incident should be included. Example values: 2017-09-14T17:00:00.000Z, 2017-09-14T17:00, 2017-09-14 |
|
|
No |
|
Set to “and” or “or” to indicate how the event filters should be combined when filtering by event content. The default is to combine the event filters using the “and” operator, meaning all event filters must be satisfied by any returned incident. Use “or” if only one of the event filters must be satisfied. |
|
|
No |
|
A condition filter that specifies expression matches for the properties of a single event on the incident. Examples: severity >= “minor” |
|
|
No |
|
A condition filter that specifies expression matches for the properties of a single event on the incident. Examples: summary starts with “Failure” and resource.application == “payroll” |
|
|
No |
|
A condition filter that specifies expression matches for the properties of a single event on the incident. Examples: type.eventType == ‘a1’ or type.eventType == ‘a2’ or type.eventType == ‘a3’ |
|
|
No |
|
A condition filter that specifies expression matches for the properties of a single event on the incident. Examples: summary starts with “Failure” |
|
|
No |
|
A condition filter that specifies expression matches for the properties of a single event on the incident. Examples: type.eventType == ‘a2’ |
|
|
No |
|
A condition filter that specifies expression matches for incident properties. Examples: ‘lastChanged > “2017-08-01”’, ‘priority == 5 OR priority == 4’ |
|
|
No |
|
Beginning UTC timestamp (YYYY-MM-DDTHH:mm:SS.sssZ) for range of incidents to query - will default to system configured value of 7 days ago. This time is compared to the “created” time of an incident to determine if the incident should be included. Example values: 2017-09-12T08:00:00.000Z, 2017-09-12T08:00, 2017-09-12 |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": [
{
"accessScopes": [],
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"application": "SAMPLE - Online Sales"
},
"createdTime": "2025-07-08T15:00:37.538Z",
"description": "Application: SAMPLE - Online Sales",
"displayId": "0000-32m1",
"escalated": false,
"eventsURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/events",
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"incidentURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-07-08T15:00:49.937Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"state": "unassigned",
"summary": "Application: SAMPLE - Online Sales",
"team": "-",
"timelineURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/timeline",
"wasEscalated": false
},
{
"accessScopes": [],
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"application": "SAMPLE - Online Banking"
},
"createdTime": "2025-07-08T15:00:30.658Z",
"description": "Application: SAMPLE - Online Banking",
"displayId": "0000-31m1",
"escalated": false,
"eventsURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/events",
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"incidentURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-07-08T15:00:54.943Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"state": "unassigned",
"summary": "Application: SAMPLE - Online Banking",
"team": "-",
"timelineURL": "https://oncallmanager.ibm.com/api/incidentquery/v1/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/timeline",
"wasEscalated": false
}
],
"inputs": {
"ocm_endtime": 1752033600000,
"ocm_event_combiner": "and",
"ocm_event_filter_1": "severity \u003e= \"minor\"",
"ocm_starttime": 1751860800000
},
"metrics": {
"execution_time_ms": 592,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-07-08 11:11:46",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
if getattr(playbook.inputs, "ocm_endtime", None):
inputs.ocm_endtime = getattr(playbook.inputs, "ocm_endtime", None)
if getattr(playbook.inputs, "ocm_event_combiner", None):
inputs.ocm_event_combiner = getattr(playbook.inputs, "ocm_event_combiner", None)
if getattr(playbook.inputs, "ocm_event_filter_1", None):
inputs.ocm_event_filter_1 = getattr(playbook.inputs, "ocm_event_filter_1", None)
if getattr(playbook.inputs, "ocm_event_filter_2", None):
inputs.ocm_event_filter_2 = getattr(playbook.inputs, "ocm_event_filter_2", None)
if getattr(playbook.inputs, "ocm_event_filter_3", None):
inputs.ocm_event_filter_3 = getattr(playbook.inputs, "ocm_event_filter_3", None)
if getattr(playbook.inputs, "ocm_event_filter_4", None):
inputs.ocm_event_filter_4 = getattr(playbook.inputs, "ocm_event_filter_4", None)
if getattr(playbook.inputs, "ocm_event_filter_5", None):
inputs.ocm_event_filter_5 = getattr(playbook.inputs, "ocm_event_filter_5", None)
if getattr(playbook.inputs, "ocm_incident_filter", None):
inputs.ocm_incident_filter = getattr(playbook.inputs, "ocm_incident_filter", None)
if getattr(playbook.inputs, "ocm_starttime", None):
inputs.ocm_starttime = getattr(playbook.inputs, "ocm_starttime", None)
Example Function Post Process Script:
from datetime import datetime
results = playbook.functions.results.ocm_query_incidents_results
if results.get("success", None):
content = results.get("content", [])
if content:
incident.properties.ocm_tab_visible = True
for inc in content:
row = incident.addRow("on_call_manager_incidents")
row['ocm_query_time'] = int(datetime.now().timestamp()*1000)
row['ocm_incident_state'] = inc.get("state", None)
row["ocm_incident_summary"] = inc.get("summary", None)
row['ocm_incident_description'] = inc.get("description", None)
row['ocm_incident_owner'] = inc.get("owner", None)
row['ocm_incident_team'] = inc.get("team", None)
row['ocm_incident_id'] = inc.get("id", None)
row['ocm_incident_display_id'] = inc.get("displayId", None)
row['ocm_incident_last_changed'] = int(datetime.strptime(inc.get("lastChanged", None)[:-1], "%Y-%m-%dT%H:%M:%S.%f").timestamp()*1000) if inc.get("lastChanged", None) else None
row['ocm_incident_priority'] = inc.get("priority", None)
else:
incident.addNote(f"On Call Manager: Query Incidents failed with reason:\n{results.get('reason', None)}")
Function - On Call Manager: Update Incident¶
Updates the header properties of an incident, like state, owner, and team. Set the owner to move the incident to a personal queue associated with the owner. Set the team, but not the owner, to put the incident on the team queue. Incidents with no team or owner set are on the default queue. Set the owner and/or team to a single dash(-) to clear the values and move the incident back to the default queue.
Inputs:
Name |
Type |
Required |
Example |
Tooltip |
---|---|---|---|---|
|
|
No |
|
Include the event summary for each matching incident. |
|
|
Yes |
|
Incident id for the incident to be updated |
|
|
No |
|
Owner to be assigned to the incident. If Owner Given then Group must also be given. |
|
|
No |
|
Reason for incident being moved to the resolved state. Only allowed when state is also specified with a value of resolved or closed. |
|
|
No |
|
State to be set for the incident. |
|
|
No |
|
Group to be set as responsible for the incident. |
|
|
No |
|
Include the event type and resource property counts for each matching incident. |
|
|
No |
|
Comma separated list of policy ids that have been matched to the incident. |
Outputs:
NOTE: This example might be in JSON format, but
results
is a Python Dictionary on the SOAR platform.
results = {
"content": {
"accessScopes": [],
"assignedBy": "MANUAL",
"closedOwner": "-",
"closedTeam": "-",
"correlationDetails": {
"cluster": "SAMPLE - Pipeline Project"
},
"createdTime": "2025-05-23T14:29:03.698Z",
"description": "Cluster: SAMPLE - Pipeline Project",
"displayId": "0000-20m1",
"escalated": false,
"eventTypeCounts": [
{
"count": 3,
"eventType": "Build Status"
}
],
"firstInProgressTime": "-",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"lastChanged": "2025-05-23T15:27:13.602Z",
"owner": "-",
"priority": 2,
"resolvedTime": "-",
"resourcePropertyCounts": [
{
"count": 3,
"propertyName": "cluster",
"propertyValue": "SAMPLE - Pipeline Project"
},
{
"count": 3,
"propertyName": "hostname",
"propertyValue": "buildbox"
},
{
"count": 3,
"propertyName": "name",
"propertyValue": "SAMPLE - Pipeline Project"
},
{
"count": 3,
"propertyName": "type",
"propertyValue": "Pipeline"
}
],
"state": "assignedToTeam",
"summary": "Cluster: SAMPLE - Pipeline Project",
"team": "test_1",
"wasEscalated": false
},
"inputs": {
"ocm_eventsummary": true,
"ocm_incident_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ocm_incident_state": "assignedToTeam",
"ocm_incident_team": "test_1",
"ocm_includecounts": true
},
"metrics": {
"execution_time_ms": 4373,
"host": "my.app.host",
"package": "fn-ocm",
"package_version": "1.0.0",
"timestamp": "2025-05-23 11:27:17",
"version": "1.0"
},
"raw": null,
"reason": null,
"success": true,
"version": 2.0
}
Example Function Input Script:
inputs.ocm_incident_id = incident.properties.ocm_incident_id
if getattr(playbook.inputs, "ocm_incident_state", None):
inputs.ocm_incident_state = getattr(playbook.inputs, "ocm_incident_state", None)
else:
inputs.ocm_incident_state = incident.properties.ocm_incident_state
if getattr(playbook.inputs, "ocm_incident_owner", None):
inputs.ocm_incident_owner = getattr(playbook.inputs, "ocm_incident_owner", None)
if getattr(playbook.inputs, "ocm_incident_team", None):
inputs.ocm_incident_team = getattr(playbook.inputs, "ocm_incident_team", None)
if getattr(playbook.inputs, "ocm_incident_resolutioncode", None):
inputs.ocm_incident_resolutioncode = getattr(playbook.inputs, "ocm_incident_resolutioncode", None)
Example Function Post Process Script:
from datetime import datetime
results = playbook.functions.results.ocm_update_incident_output
if results.get("success", None):
incident.addNote(f"On Call Manager: Update Incident successfully updated the incident with ID: {incident.properties.ocm_incident_id}")
inc = results.get("content", {})
incident.properties.ocm_incident_assigned_owner = inc.get("owner", None)
incident.properties.ocm_incident_assigned_team = inc.get("team", None)
incident.properties.ocm_incident_description = inc.get("description", None)
incident.properties.ocm_incident_display_id = inc.get("displayId", None)
incident.properties.ocm_incident_id = inc.get("id", None)
incident.properties.ocm_incident_priority = inc.get("priority", None)
incident.properties.ocm_incident_state = inc.get("state", None)
incident.properties.ocm_incident_summary = inc.get("summary", None)
incident.properties.ocm_incident_last_changed_time = int(datetime.strptime(inc.get("lastChanged", None)[:-1], "%Y-%m-%dT%H:%M:%S.%f").timestamp()*1000) if inc.get("lastChanged", None) else None
else:
incident.addNote(f"On Call Manager: Update Incident failed with reason:\n{results.get('reason', None)}")
Playbooks¶
Playbook Name |
Description |
Activation Type |
Object |
Status |
Condition |
---|---|---|---|---|---|
On Call Manager: Create Comment - Example (PB) |
Add a comment to an incident in On Call Manager |
Manual |
incident |
|
|
On Call Manager: Create Event - Example (PB) |
Creates an event in On Call Manager |
Manual |
incident |
|
|
On Call Manager: Get Incident - Example (PB) |
Get the details of an On Call Manager Incident. If the SOAR incident property OCM Incident ID has a value, then the incident data will be added to the OCM Incidents data table. If the SOAR incident property OCM Incident ID does not have a value, then the data will be added to the OCM SOAR incident properties. |
Manual |
incident |
|
|
On Call Manager: List Incidents - Example (PB) |
List incidents in a team, owner, or default queue. Specify only owner to get a personal queue. Specify only team for a team queue. Omit owner and team to fetch incidents that are on the default queue. |
Manual |
incident |
|
|
On Call Manager: Query Incidents - Example (PB) |
Query incidents for a given period of time based on properties of the incident or properties of the events correlated to the incidents. By default, incidents created in the last 7 days will be retrieved and filtered. A start time and end time can be provided to define the time range, but the range is limited to a 30 day period. The query also has a limit of 500 incidents being returned for any query. Incidents can be requested by incident properties, like incident priority and incident state. You can also set 1 or more event filters that set conditions on events that must be correlated to an incident for it to be included in the query results. You can filter only on incident properties, only on properties of the correlated events, or a combination of the two. |
Manual |
incident |
|
|
On Call Manager: Sync Incident - Example (PB) |
Update the OCM SOAR incident properties with the latest data from the OCM incident. |
Manual |
incident |
|
|
On Call Manager: Sync Incident (datatable) - Example (PB) |
Sync the OCM incident data |
Manual |
on_call_manager_incidents |
|
|
On Call Manager: Update Incident - Example (PB) |
Updates the header properties of an incident, like state, owner, and team. Set the owner to move the incident to a personal queue associated with the owner. Set the team, but not the owner, to put the incident on the team queue. Incidents with no team or owner set are on the default queue. Set the owner and/or team to a single dash(-) to clear the values and move the incident back to the default queue. |
Manual |
incident |
|
|
Custom Layouts¶
Import the Data Tables and Custom Fields like the screenshot below:
Data Table - On Call Manager: Incidents¶
API Name:¶
on_call_manager_incidents
Columns:¶
Column Name |
API Access Name |
Type |
Tooltip |
---|---|---|---|
Description |
|
|
Description of the issue that raised the incident. |
Display ID |
|
|
Display Id for the incident – generated by the server from id. |
Group |
|
|
Group that is responsible for the incident. |
ID |
|
|
Id for the incident – generated by the server. |
Last Changed |
|
|
Time at which a change was made to the incident. Changes to the fields in the incident and additional event instances (but not occurrences) are included. |
Owner |
|
|
Assigned owner for the incident. |
Priority |
|
|
The priority assigned to the incident. 1 is the highest |
Query time |
|
|
The time the query was made. |
State |
|
|
Current state of the incident. |
Summary |
|
|
Summary of the incident. |
Custom Fields¶
Label |
API Access Name |
Type |
Prefix |
Placeholder |
Tooltip |
---|---|---|---|---|---|
OCM Incident Assigned Group |
|
|
|
- |
Group with responsibility for the incident. A single hyphen (-) indicates no group. If the incident has no group it will appear in the default queue. |
OCM Incident Assigned Owner |
|
|
|
- |
Individual with responsibility for the incident. A single hyphen (-) indicates no user. If the incident has no owner it will appear in the group queue. |
OCM Incident Description |
|
|
|
- |
Description of the issue that raised the incident. |
OCM Incident Display ID |
|
|
|
#lxr2-6az6 |
Display Id for the incident – generated by the server from id. |
OCM Incident ID |
|
|
|
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
ID of an On Call Manager incident |
OCM Incident Last Changed Time |
|
|
|
- |
Time at which a change was made to the incident. Changes to the fields in the incident and additional event instances (but not occurrences) are included. |
OCM Incident Priority |
|
|
|
5 |
The priority assigned to the incident. 1 is the highest |
OCM Incident State |
|
|
|
- |
Incident State |
OCM Incident Summary |
|
|
|
- |
Summary of the incident. |
ocm_tab_visible |
|
|
|
- |
This is used to make the OCM SOAR Incident tab visible when Get All Incidents is run. |
Troubleshooting & Support¶
Refer to the documentation listed in the Requirements section for troubleshooting information.
For Support¶
This is an IBM supported app. Please search ibm.com/mysupport for assistance.