Use the Alert Logic IRIS API to Close Incidents in Bulk

The following article explains how to close/modify and query incidents for a specific timeframe.

Solution

1. Run the IRIS API to get the AIMS token (using an alias $TOKEN):
   
   ~$ TOKEN=$(curl -X POST -u '<UIuser>:<UIpass>' -d '{"mfa_code": "<INSERTCODE>"}' https://api.cloudinsight.alertlogic.com/aims/v1/authenticate/ | jq -r .authentication.token)
   
   
2. Check that you have a valid token using:
   
   ~$ echo $TOKEN
   
   
3. Query the IRIS API for a list of open incidents in the timeframe in question and output to a file:
   
   curl -s -X POST -d '{"query":{"select":["*"]},"limit":99999,"offset":0}' -H "x-aims-auth-token: $TOKEN" "https://api.cloudinsight.alertlogic.com/iris/v2/<INSERT_Customer_ID>/incident/search" | jq -r ' .incidents[] | select(.createTime >= 1517490767) | select(.createTime <= 1559365187) | select(.customer_status.status == "open") | .incidentId' | tr -d '"' > incident.list
   
   Note: The “createTime” epoch date will need to be changed to the expected start time “>=” and end time “<=”.
   
   
4. POST the required fields and notes to close the incidents:
   
   ~$ while read incidentID; do curl -s -X POST -d "{ \"operation\": \"completed\", \"reason_code\": \"other\", \"notes\": \"auto closed per cx request\", \"incidents\": [\"$incidentID\"] }" -H "x-aims-auth-token: $TOKEN" "https://api.cloudinsight.alertlogic.com/iris/v3/<INSERT_Customer_ID>/batch/complete" | jq .; done < incident.list
   
   Note: This process will take longer if there are a higher number of incidents.