Get extra data fields of a specific incident including alerts and key artifacts.
The API response indicates whether a PAN NGFW alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.
Note: This API is rate limited to 10 requests per minute.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
request_data (Object, required)
  A dictionary containing the API request fields.
  incident_id (String)
    The ID of the incident for which you want to retrieve extra data.
  alerts_limit (Integer)
    The maximum number of related alerts in the incident that you want to retrieve.
{
  "request_data": {
    "incident_id": "<incident ID>",
    "alerts_limit": 5
  }
}
# x-xdr-auth-id and Authorization carry the Cortex XDR API key ID and API key;
# they were missing from the original snippet and are shown here with placeholders.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: <API key ID>' \
  -H 'Authorization: <API key>' \
  'https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data' \
  -d '{"request_data": {"incident_id": "<incident ID>", "alerts_limit": 5}}'
OK
reply (Object)
  incident (Object)
    incident_id (String)
    incident_name (String)
    creation_time (Integer)
    modification_time (Integer)
    detection_time (Object)
    status (String)
    severity (String)
    description (String)
    assigned_user_mail (String)
    assigned_user_pretty_name (String)
    alert_count (Integer)
    low_severity_alert_count (Integer)
    med_severity_alert_count (Integer)
    high_severity_alert_count (Integer)
    critical_severity_alert_count (Integer)
    user_count (Integer)
    host_count (Integer)
    notes (String)
    resolve_comment (String)
    manual_description (String)
    xdr_url (String)
    starred (Boolean)
    hosts (Array[string])
    users (Array)
    incident_sources (Array[string])
    rule_based_score (Integer)
    manual_score (Object)
    wildfire_hits (Integer)
    alerts_grouping_status (String)
    mitre_techniques_ids_and_names (Array[string])
    mitre_tactics_ids_and_names (Array[string])
    alert_categories (Array[string])
  alerts (Object)
    total_count (Integer)
    data (Array)
      external_id (String)
      severity (String)
      matching_status (String)
      end_match_attempt_ts (Object)
      local_insert_ts (Integer)
      bioc_indicator (Object)
      matching_service_rule_id (Object)
      attempt_counter (Object)
      bioc_category_enum_key (Object)
      case_id (Integer)
      is_whitelisted (Boolean)
      starred (Boolean)
      deduplicate_tokens (String)
      filter_rule_id (Object)
      mitre_technique_id_and_name (Object)
      mitre_tactic_id_and_name (Object)
      agent_version (Object)
      agent_device_domain (Object)
      agent_fqdn (Object)
      agent_os_type (String)
      agent_os_sub_type (Object)
      agent_data_collection_status (Object)
      mac (Object)
      mac_addresses (Object)
      agent_is_vdi (Object)
      agent_install_type (String)
      agent_host_boot_time (Object)
      event_sub_type (Object)
      module_id (Object)
      association_strength (Object)
      dst_association_strength (Object)
      story_id (Object)
      event_id (Object)
      event_type (String)
      events_length (Integer)
      event_timestamp (Object)
      actor_process_instance_id (Object)
      actor_process_image_path (Object)
      actor_process_image_name (Object)
      actor_process_command_line (Object)
      actor_process_signature_status (String)
      actor_process_signature_vendor (Object)
      actor_process_image_sha256 (Object)
      actor_process_image_md5 (Object)
      actor_process_causality_id (Object)
      actor_causality_id (Object)
      actor_process_os_pid (Object)
      actor_thread_thread_id (Object)
      causality_actor_process_image_name (Object)
      causality_actor_process_command_line (Object)
      causality_actor_process_image_path (Object)
      causality_actor_process_signature_vendor (Object)
      causality_actor_process_signature_status (String)
      causality_actor_causality_id (Object)
      causality_actor_process_execution_time (Object)
      causality_actor_process_image_md5 (Object)
      causality_actor_process_image_sha256 (Object)
      action_file_path (Object)
      action_file_name (Object)
      action_file_md5 (Object)
      action_file_sha256 (Object)
      action_file_macro_sha256 (Object)
      action_registry_data (Object)
      action_registry_key_name (Object)
      action_registry_value_name (Object)
      action_registry_full_key (Object)
      action_local_ip (String)
      action_local_port (String)
      action_remote_ip (String)
      action_remote_port (String)
      action_external_hostname (String)
      action_country (String)
      action_process_instance_id (Object)
      action_process_causality_id (Object)
      action_process_image_name (Object)
      action_process_image_sha256 (Object)
      action_process_image_command_line (Object)
      action_process_signature_status (String)
      action_process_signature_vendor (Object)
      os_actor_effective_username (Object)
      os_actor_process_instance_id (Object)
      os_actor_process_image_path (Object)
      os_actor_process_image_name (Object)
      os_actor_process_command_line (Object)
      os_actor_process_signature_status (String)
      os_actor_process_signature_vendor (Object)
      os_actor_process_image_sha256 (Object)
      os_actor_process_causality_id (Object)
      os_actor_causality_id (Object)
      os_actor_process_os_pid (Object)
      os_actor_thread_thread_id (Object)
      fw_app_id (Object)
      fw_interface_from (Object)
      fw_interface_to (Object)
      fw_rule (Object)
      fw_rule_id (Object)
      fw_device_name (Object)
      fw_serial_number (String)
      fw_url_domain (Object)
      fw_email_subject (String)
      fw_email_sender (Object)
      fw_email_recipient (Object)
      fw_app_subcategory (Object)
      fw_app_category (Object)
      fw_app_technology (Object)
      fw_vsys (Object)
      fw_xff (Object)
      fw_misc (Object)
      fw_is_phishing (String)
      dst_agent_id (Object)
      dst_causality_actor_process_execution_time (Object)
      dns_query_name (Object)
      dst_action_external_hostname (Object)
      dst_action_country (Object)
      dst_action_external_port (Object)
      alert_id (String)
      detection_timestamp (Integer)
      name (String)
      category (String)
      endpoint_id (Object)
      description (String)
      host_ip (String)
      host_name (String)
      source (String)
      action (String)
      action_pretty (String)
      user_name (Object)
      contains_featured_host (String)
      contains_featured_user (String)
      contains_featured_ip_address (String)
      tags (Array[string])
      original_tags (String)
  network_artifacts (Object)
    total_count (Integer)
    data (Array)
      type (String)
      alert_count (Integer)
      is_manual (Boolean)
      network_domain (String)
      network_remote_ip (String)
      network_remote_port (String)
      network_country (String)
  file_artifacts (Object)
    total_count (Integer)
    data (Array)
      alert_count (Integer)
      file_name (String)
      File_sha256 (String)
      file_signature_status (String)
      file_wildfire_verdict (String)
      is_malicous (Boolean)
      is_manual (Boolean)
      is_process (Boolean)
      low_confidence (Boolean)
      type (String)
{
  "reply": {
    "incident": {
      "incident_id": "<incident ID>",
      "incident_name": "test",
      "creation_time": 1603184209710,
      "modification_time": 1603184209710,
      "detection_time": null,
      "status": "new",
      "severity": "high",
      "description": "generated by PAN NGFW",
      "assigned_user_mail": null,
      "assigned_user_pretty_name": null,
      "alert_count": 1,
      "low_severity_alert_count": 0,
      "med_severity_alert_count": 0,
      "high_severity_alert_count": 1,
      "critical_severity_alert_count": 0,
      "user_count": 0,
      "host_count": 0,
      "notes": null,
      "resolve_comment": null,
      "manual_severity": null,
      "manual_description": null,
      "xdr_url": "https://test.xdr.us.paloaltonetworks.com/incident-view/1",
      "starred": false,
      "hosts": [
        "<host1>:<agent_id1>",
        "<host2>:<agent_id2>"
      ],
      "users": [],
      "incident_sources": [
        "PAN NGFW"
      ],
      "rule_based_score": 342,
      "manual_score": null,
      "wildfire_hits": 0,
      "alerts_grouping_status": "Enabled",
      "mitre_techniques_ids_and_names": [
        "TA0004 - Privilege Escalation",
        "TA0005 - Defense Evasion",
        "TA0006 - Credential Access"
      ],
      "mitre_tactics_ids_and_names": [
        "T1001.001 - Data Obfuscation: Junk Data",
        "T1001.002 - Data Obfuscation: Steganography",
        "T1001.003 - Data Obfuscation: Protocol Impersonation"
      ],
      "alert_categories": [
        "Collection",
        "Credential Access",
        "File Name"
      ]
    },
    "alerts": {
      "total_count": 1,
      "data": [
        {
          "external_id": "<external ID>",
          "severity": "high",
          "matching_status": "UNMATCHABLE",
          "end_match_attempt_ts": null,
          "local_insert_ts": 1603175431,
          "bioc_indicator": null,
          "matching_service_rule_id": null,
          "attempt_counter": null,
          "bioc_category_enum_key": null,
          "case_id": 1,
          "is_whitelisted": false,
          "starred": false,
          "deduplicate_tokens": "<token value>",
          "filter_rule_id": null,
          "mitre_technique_id_and_name": null,
          "mitre_tactic_id_and_name": null,
          "agent_version": null,
          "agent_device_domain": null,
          "agent_fqdn": null,
          "agent_os_type": "NO_HOST",
          "agent_os_sub_type": null,
          "agent_data_collection_status": null,
          "mac": null,
          "mac_addresses": null,
          "agent_is_vdi": null,
          "agent_install_type": "NA",
          "agent_host_boot_time": null,
          "event_sub_type": null,
          "module_id": null,
          "association_strength": null,
          "dst_association_strength": null,
          "story_id": null,
          "event_id": null,
          "event_type": "Network Event",
          "events_length": 1,
          "event_timestamp": null,
          "actor_process_instance_id": null,
          "actor_process_image_path": null,
          "actor_process_image_name": null,
          "actor_process_command_line": null,
          "actor_process_signature_status": "N/A",
          "actor_process_signature_vendor": null,
          "actor_process_image_sha256": null,
          "actor_process_image_md5": null,
          "actor_process_causality_id": null,
          "actor_causality_id": null,
          "actor_process_os_pid": null,
          "actor_thread_thread_id": null,
          "causality_actor_process_image_name": null,
          "causality_actor_process_command_line": null,
          "causality_actor_process_image_path": null,
          "causality_actor_process_signature_vendor": null,
          "causality_actor_process_signature_status": "N/A",
          "causality_actor_causality_id": null,
          "causality_actor_process_execution_time": null,
          "causality_actor_process_image_md5": null,
          "causality_actor_process_image_sha256": null,
          "action_file_path": null,
          "action_file_name": null,
          "action_file_md5": null,
          "action_file_sha256": null,
          "action_file_macro_sha256": null,
          "action_registry_data": null,
          "action_registry_key_name": null,
          "action_registry_value_name": null,
          "action_registry_full_key": null,
          "action_local_ip": "<IP address>",
          "action_local_port": "<port>",
          "action_remote_ip": "<IP address>",
          "action_remote_port": "<port>",
          "action_external_hostname": "<hostname>",
          "action_country": "UNKNOWN",
          "action_process_instance_id": null,
          "action_process_causality_id": null,
          "action_process_image_name": null,
          "action_process_image_sha256": null,
          "action_process_image_command_line": null,
          "action_process_signature_status": "N/A",
          "action_process_signature_vendor": null,
          "os_actor_effective_username": null,
          "os_actor_process_instance_id": null,
          "os_actor_process_image_path": null,
          "os_actor_process_image_name": null,
          "os_actor_process_command_line": null,
          "os_actor_process_signature_status": "N/A",
          "os_actor_process_signature_vendor": null,
          "os_actor_process_image_sha256": null,
          "os_actor_process_causality_id": null,
          "os_actor_causality_id": null,
          "os_actor_process_os_pid": null,
          "os_actor_thread_thread_id": null,
          "fw_app_id": null,
          "fw_interface_from": null,
          "fw_interface_to": null,
          "fw_rule": null,
          "fw_rule_id": null,
          "fw_device_name": null,
          "fw_serial_number": "<serial number>",
          "fw_url_domain": null,
          "fw_email_subject": "",
          "fw_email_sender": null,
          "fw_email_recipient": null,
          "fw_app_subcategory": null,
          "fw_app_category": null,
          "fw_app_technology": null,
          "fw_vsys": null,
          "fw_xff": null,
          "fw_misc": null,
          "fw_is_phishing": "N/A",
          "dst_agent_id": null,
          "dst_causality_actor_process_execution_time": null,
          "dns_query_name": null,
          "dst_action_external_hostname": null,
          "dst_action_country": null,
          "dst_action_external_port": null,
          "alert_id": "1",
          "detection_timestamp": 1603184109000,
          "name": "sagcalun",
          "category": "Spyware Detected via Anti-Spyware profile",
          "endpoint_id": null,
          "description": "Spyware Phone Home Detection",
          "host_ip": "<IP address>",
          "host_name": "<hostname>",
          "source": "PAN NGFW",
          "action": "DETECTED_4",
          "action_pretty": "Detected (Raised An Alert)",
          "user_name": null,
          "contains_featured_host": "Yes",
          "contains_featured_user": "Yes",
          "contains_featured_ip_address": "Yes",
          "tags": [
            "XDR Agent",
            "EG:Windows"
          ],
          "original_tags": "None"
        }
      ]
    },
    "network_artifacts": {
      "total_count": 2,
      "data": [
        {
          "type": "DOMAIN",
          "alert_count": 1,
          "is_manual": false,
          "network_domain": "<domain name>",
          "network_remote_ip": "<IP address>",
          "network_remote_port": "<port>",
          "network_country": "UNKNOWN"
        },
        {
          "type": "IP",
          "alert_count": 1,
          "is_manual": false,
          "network_domain": "<domain name>",
          "network_remote_ip": "<IP address>",
          "network_remote_port": "<port>",
          "network_country": "UNKNOWN"
        }
      ]
    },
    "file_artifacts": {
      "total_count": 2,
      "data": [
        {
          "alert_count": 2,
          "file_name": "Test",
          "File_sha256": "1111",
          "file_signature_status": "SIGNATURE_UNAVAILABLE",
          "file_wildfire_verdict": "BENIGN",
          "is_malicous": false,
          "is_manual": false,
          "is_process": false,
          "low_confidence": true,
          "type": "HASH"
        },
        {
          "alert_count": 43,
          "file_name": "Test1",
          "File_sha256": "2222",
          "file_signature_status": "SIGNATURE_UNAVAILABLE",
          "file_wildfire_verdict": "MALWARE",
          "is_malicous": true,
          "is_manual": false,
          "is_process": false,
          "low_confidence": true,
          "type": "HASH"
        }
      ]
    }
  }
}
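As an added example (not Palo Alto Networks' own code), the request body and the reply structure above are exercised in Python: building the request, posting it with the Cortex XDR API-key headers, and reducing the reply to a triage summary. The header names x-xdr-auth-id and Authorization, the credential parameters and the cut-down sample reply are assumptions not shown on this page.

```python
import json
import urllib.request

BASE_URL = "https://api-yourfqdn"  # placeholder tenant from the page's curl example
PATH = "/public_api/v1/incidents/get_incident_extra_data"

def build_request(incident_id, alerts_limit=5):
    """Request body documented for get_incident_extra_data."""
    return {"request_data": {"incident_id": incident_id, "alerts_limit": alerts_limit}}

def fetch_extra_data(incident_id, api_key_id, api_key, alerts_limit=5):
    """POST the request. x-xdr-auth-id / Authorization are the standard Cortex XDR
    API-key headers (an assumption here; the page does not show them)."""
    req = urllib.request.Request(
        BASE_URL + PATH, method="POST",
        data=json.dumps(build_request(incident_id, alerts_limit)).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "x-xdr-auth-id": str(api_key_id), "Authorization": api_key})
    with urllib.request.urlopen(req) as resp:  # subject to the 10 requests/minute limit
        return json.load(resp)["reply"]

def summarize(reply):
    """Triage view of a reply (note the API's spellings File_sha256 and is_malicous)."""
    alerts = reply["alerts"]["data"]  # capped by alerts_limit; total_count is not
    return {
        "incident_id": reply["incident"]["incident_id"],
        "severity": reply["incident"]["severity"],
        "alerts_truncated": reply["alerts"]["total_count"] > len(alerts),
        "network_events": [(a["action_local_ip"], a["action_remote_ip"], a["action_remote_port"])
                           for a in alerts if a["event_type"] == "Network Event"],
        "malicious_hashes": [f["File_sha256"] for f in reply["file_artifacts"]["data"]
                             if f["is_malicous"] or f["file_wildfire_verdict"] == "MALWARE"],
        "domains": [n["network_domain"] for n in reply["network_artifacts"]["data"]
                    if n["type"] == "DOMAIN"],
    }

# Constructed sample reply, cut down from the page's example response.
SAMPLE_REPLY = {
    "incident": {"incident_id": "1", "severity": "high"},
    "alerts": {"total_count": 3, "data": [{
        "event_type": "Network Event", "action_local_ip": "10.0.0.5",
        "action_remote_ip": "203.0.113.7", "action_remote_port": "443"}]},
    "network_artifacts": {"data": [{"type": "DOMAIN", "network_domain": "example.test"},
                                   {"type": "IP", "network_domain": None}]},
    "file_artifacts": {"data": [
        {"File_sha256": "1111", "is_malicous": False, "file_wildfire_verdict": "BENIGN"},
        {"File_sha256": "2222", "is_malicous": True, "file_wildfire_verdict": "MALWARE"}]},
}
```

Running summarize(SAMPLE_REPLY) flags that only 1 of 3 alerts was returned, so a second call with a larger alerts_limit is needed before the incident is fully reviewed.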
Bad Request. Got an invalid JSON.
err_code (String)
  HTTP response code.
err_msg (String)
  Error message. Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra (String)
  Additional information describing the error.
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}
Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
Response body: the same err_code, err_msg and err_extra fields and example as for Bad Request.
Unauthorized access. User does not have the required license type to run this API.
Response body: the same err_code, err_msg and err_extra fields and example as for Bad Request.
Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
Response body: the same err_code, err_msg and err_extra fields and example as for Bad Request.
An error occurred while processing XDR public API - incident management - update_incident
Response body: the same err_code, err_msg and err_extra fields and example as for Bad Request.
Internal Server Error