Get Extra Incident Data

Cortex XDR REST API

post /public_api/v1/incidents/get_incident_extra_data

Get the extra data fields of a specific incident, including its alerts and key artifacts.

The API response indicates whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: This API is rate limited to 10 API requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data" \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'
Request
Body (optional)
Example: {"request_data":{"incident_id":"","alerts_limit":5}}
  request_data (required): A dictionary containing the API request fields.
    incident_id (required, String): The ID of the incident for which you want to retrieve extra data.
    alerts_limit (optional, Integer): The maximum number of related alerts in the incident that you want to retrieve.
Responses

OK

Body
reply (optional)
  incident (optional)
    incident_id (optional, String)
    incident_name (optional, String)
    creation_time (optional, Integer)
    modification_time (optional, Integer)
    detection_time (optional, Object)
    status (optional, String)
    severity (optional, String)
    description (optional, String)
    assigned_user_mail (optional, String)
    assigned_user_pretty_name (optional, String)
    alert_count (optional, Integer)
    low_severity_alert_count (optional, Integer)
    med_severity_alert_count (optional, Integer)
    high_severity_alert_count (optional, Integer)
    critical_severity_alert_count (optional, Integer)
    user_count (optional, Integer)
    host_count (optional, Integer)
    notes (optional, String)
    resolve_comment (optional, String)
    manual_description (optional, String)
    xdr_url (optional, String)
    starred (optional, Boolean)
    hosts (optional, Array of strings)
    users (optional, Array of objects)
    incident_sources (optional, Array of strings)
    rule_based_score (optional, Integer)
    manual_score (optional, Object)
    wildfire_hits (optional, Integer)
    alerts_grouping_status (optional, String)
    mitre_techniques_ids_and_names (optional, Array of strings)
    mitre_tactics_ids_and_names (optional, Array of strings)
    alert_categories (optional, Array of strings)
  alerts (optional)
    total_count (optional, Integer)
    data (optional, Array), each element with:
      external_id (optional, String)
      severity (optional, String)
      matching_status (optional, String)
      end_match_attempt_ts (optional, Object)
      local_insert_ts (optional, Integer)
      bioc_indicator (optional, Object)
      matching_service_rule_id (optional, Object)
      attempt_counter (optional, Object)
      bioc_category_enum_key (optional, Object)
      case_id (optional, Integer)
      is_whitelisted (optional, Boolean)
      starred (optional, Boolean)
      deduplicate_tokens (optional, String)
      filter_rule_id (optional, Object)
      mitre_technique_id_and_name (optional, Object)
      mitre_tactic_id_and_name (optional, Object)
      agent_version (optional, Object)
      agent_device_domain (optional, Object)
      agent_fqdn (optional, Object)
      agent_os_type (optional, String)
      agent_os_sub_type (optional, Object)
      agent_data_collection_status (optional, Object)
      mac (optional, Object)
      mac_addresses (optional, Object)
      agent_is_vdi (optional, Object)
      agent_install_type (optional, String)
      agent_host_boot_time (optional, Object)
      event_sub_type (optional, Object)
      module_id (optional, Object)
      association_strength (optional, Object)
      dst_association_strength (optional, Object)
      story_id (optional, Object)
      event_id (optional, Object)
      event_type (optional, String)
      events_length (optional, Integer)
      event_timestamp (optional, Object)
      actor_process_instance_id (optional, Object)
      actor_process_image_path (optional, Object)
      actor_process_image_name (optional, Object)
      actor_process_command_line (optional, Object)
      actor_process_signature_status (optional, String)
      actor_process_signature_vendor (optional, Object)
      actor_process_image_sha256 (optional, Object)
      actor_process_image_md5 (optional, Object)
      actor_process_causality_id (optional, Object)
      actor_causality_id (optional, Object)
      actor_process_os_pid (optional, Object)
      actor_thread_thread_id (optional, Object)
      causality_actor_process_image_name (optional, Object)
      causality_actor_process_command_line (optional, Object)
      causality_actor_process_image_path (optional, Object)
      causality_actor_process_signature_vendor (optional, Object)
      causality_actor_process_signature_status (optional, String)
      causality_actor_causality_id (optional, Object)
      causality_actor_process_execution_time (optional, Object)
      causality_actor_process_image_md5 (optional, Object)
      causality_actor_process_image_sha256 (optional, Object)
      action_file_path (optional, Object)
      action_file_name (optional, Object)
      action_file_md5 (optional, Object)
      action_file_sha256 (optional, Object)
      action_file_macro_sha256 (optional, Object)
      action_registry_data (optional, Object)
      action_registry_key_name (optional, Object)
      action_registry_value_name (optional, Object)
      action_registry_full_key (optional, Object)
      action_local_ip (optional, String)
      action_local_port (optional, String)
      action_remote_ip (optional, String)
      action_remote_port (optional, String)
      action_external_hostname (optional, String)
      action_country (optional, String)
      action_process_instance_id (optional, Object)
      action_process_causality_id (optional, Object)
      action_process_image_name (optional, Object)
      action_process_image_sha256 (optional, Object)
      action_process_image_command_line (optional, Object)
      action_process_signature_status (optional, String)
      action_process_signature_vendor (optional, Object)
      os_actor_effective_username (optional, Object)
      os_actor_process_instance_id (optional, Object)
      os_actor_process_image_path (optional, Object)
      os_actor_process_image_name (optional, Object)
      os_actor_process_command_line (optional, Object)
      os_actor_process_signature_status (optional, String)
      os_actor_process_signature_vendor (optional, Object)
      os_actor_process_image_sha256 (optional, Object)
      os_actor_process_causality_id (optional, Object)
      os_actor_causality_id (optional, Object)
      os_actor_process_os_pid (optional, Object)
      os_actor_thread_thread_id (optional, Object)
      fw_app_id (optional, Object)
      fw_interface_from (optional, Object)
      fw_interface_to (optional, Object)
      fw_rule (optional, Object)
      fw_rule_id (optional, Object)
      fw_device_name (optional, Object)
      fw_serial_number (optional, String)
      fw_url_domain (optional, Object)
      fw_email_subject (optional, String)
      fw_email_sender (optional, Object)
      fw_email_recipient (optional, Object)
      fw_app_subcategory (optional, Object)
      fw_app_category (optional, Object)
      fw_app_technology (optional, Object)
      fw_vsys (optional, Object)
      fw_xff (optional, Object)
      fw_misc (optional, Object)
      fw_is_phishing (optional, String)
      dst_agent_id (optional, Object)
      dst_causality_actor_process_execution_time (optional, Object)
      dns_query_name (optional, Object)
      dst_action_external_hostname (optional, Object)
      dst_action_country (optional, Object)
      dst_action_external_port (optional, Object)
      alert_id (optional, String)
      detection_timestamp (optional, Integer)
      name (optional, String)
      category (optional, String)
      endpoint_id (optional, Object)
      description (optional, String)
      host_ip (optional, String)
      host_name (optional, String)
      source (optional, String)
      action (optional, String)
      action_pretty (optional, String)
      user_name (optional, Object)
      contains_featured_host (optional, String)
      contains_featured_user (optional, String)
      contains_featured_ip_address (optional, String)
      tags (optional, Array of strings)
      original_tags (optional, String)
  network_artifacts (optional)
    total_count (optional, Integer)
    data (optional, Array), each element with:
      type (optional, String)
      alert_count (optional, Integer)
      is_manual (optional, Boolean)
      network_domain (optional, String)
      network_remote_ip (optional, String)
      network_remote_port (optional, String)
      network_country (optional, String)
  file_artifacts (optional)
    total_count (optional, Integer)
    data (optional, Array), each element with:
      alert_count (optional, Integer)
      file_name (optional, String)
      File_sha256 (optional, String)
      file_signature_status (optional, String)
      file_wildfire_verdict (optional, String)
      is_malicous (optional, Boolean)
      is_manual (optional, Boolean)
      is_process (optional, Boolean)
      low_confidence (optional, Boolean)
      type (optional, String)

Bad Request. Got an invalid JSON.

Body
The query result upon error.
  err_code (optional, String): HTTP response code.
  err_msg (optional, String): Error message.
    Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
  err_extra (optional, String): Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
  err_code (optional, String): HTTP response code.
  err_msg (optional, String): Error message.
    Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
  err_extra (optional, String): Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
  err_code (optional, String): HTTP response code.
  err_msg (optional, String): Error message.
    Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
  err_extra (optional, String): Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
  err_code (optional, String): HTTP response code.
  err_msg (optional, String): Error message.
    Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
  err_extra (optional, String): Additional information describing the error.

An error occurred while processing XDR public API - incident management - update_incident

Body
The query result upon error.
  err_code (optional, String): HTTP response code.
  err_msg (optional, String): Error message.
    Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
  err_extra (optional, String): Additional information describing the error.

Internal Server Error
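A small Python client for this endpoint, added here as an example (it is not the page's own code nor Palo Alto Networks' SDK): it builds the documented request body, paces calls to the documented 10-requests-per-minute limit, posts the request, and reduces the reply to the alert severity counts, remote endpoints and malicious file artifacts an analyst looks at first, while also rendering the documented error body (err_code, err_msg, err_extra). The header names x-xdr-auth-id and Authorization, the urllib transport, and the sample reply are assumptions not taken from the page; the sample reply is constructed, and the field names it uses (including File_sha256 and is_malicous) are spelled exactly as the response list above spells them.

```python
"""get_incident_extra_data client helpers: an added example, not Palo Alto Networks' code.
Assumed (not on the page): the key is sent in x-xdr-auth-id / Authorization headers; the HTTP
transport is injectable so everything here runs offline against a constructed sample reply."""
import json
import time
import urllib.error
import urllib.request
from collections import Counter, deque

ENDPOINT_PATH = "/public_api/v1/incidents/get_incident_extra_data"
RATE_LIMIT, RATE_WINDOW = 10, 60  # documented: 10 API requests per minute

def build_request(incident_id, alerts_limit=None):
    """Request body: incident_id (required string), alerts_limit (optional integer)."""
    if not isinstance(incident_id, str) or not incident_id:
        raise ValueError("incident_id must be a non-empty string")
    data = {"incident_id": incident_id}
    if alerts_limit is not None:
        if isinstance(alerts_limit, bool) or not isinstance(alerts_limit, int) or alerts_limit < 0:
            raise ValueError("alerts_limit must be a non-negative integer")
        data["alerts_limit"] = alerts_limit
    return {"request_data": data}

class RateLimiter:
    """Sliding window over sent timestamps; keeps a polling loop under the documented rate."""
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock, self.sent = limit, window, clock, deque()

    def wait_time(self):
        """Seconds to wait before the next request is allowed (0.0 when none)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()  # timestamps older than the window no longer count
        return 0.0 if len(self.sent) < self.limit else self.window - (now - self.sent[0])

    def record(self):
        self.sent.append(self.clock())

def urllib_post(url, headers, payload):
    """Real transport: (status, body text) for success and HTTP-error responses alike."""
    req = urllib.request.Request(url, data=payload.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()

def get_incident_extra_data(fqdn, auth_id, api_key, incident_id, alerts_limit=None,
                            limiter=None, post=urllib_post, sleep=time.sleep):
    """POST the request while honouring the rate limit; returns (status, parsed JSON)."""
    limiter = limiter or RateLimiter()
    delay = limiter.wait_time()
    if delay > 0:
        sleep(delay)
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "x-xdr-auth-id": str(auth_id), "Authorization": api_key}  # header names assumed
    limiter.record()
    status, text = post("https://api-%s%s" % (fqdn, ENDPOINT_PATH), headers,
                        json.dumps(build_request(incident_id, alerts_limit)))
    return status, json.loads(text)

def summarize(reply_json):
    """Reduce a reply to what an analyst triages first; error bodies become {"error": ...}."""
    if "reply" not in reply_json:  # documented error shape: err_code / err_msg / err_extra
        return {"error": "%s: %s (%s)" % tuple(reply_json.get(k) for k in ("err_code", "err_msg", "err_extra"))}
    reply = reply_json["reply"]
    alerts = reply.get("alerts", {})
    rows = alerts.get("data", [])
    net = reply.get("network_artifacts", {}).get("data", [])
    files = reply.get("file_artifacts", {}).get("data", [])
    return {
        "incident_id": reply.get("incident", {}).get("incident_id"),
        "alerts_by_severity": dict(Counter(a.get("severity", "unknown") for a in rows)),
        # alerts_limit truncates the list; comparing against total_count reveals that
        "alerts_truncated": alerts.get("total_count", len(rows)) > len(rows),
        "remote_endpoints": sorted({r.get("network_domain") or r.get("network_remote_ip") for r in net} - {None}),
        # field names spelled exactly as in the page's response list
        "malicious_files": [(f.get("file_name"), f.get("File_sha256")) for f in files if f.get("is_malicous")],
    }

# Constructed sample reply shaped after the page's field list (not real tenant data).
SAMPLE_REPLY = {"reply": {
    "incident": {"incident_id": "12345", "severity": "high", "alert_count": 3},
    "alerts": {"total_count": 3, "data": [{"alert_id": "1", "severity": "high"},
                                         {"alert_id": "2", "severity": "medium"}]},
    "network_artifacts": {"total_count": 2, "data": [
        {"type": "DOMAIN", "network_domain": "example.test"},
        {"type": "IP", "network_remote_ip": "203.0.113.7", "network_remote_port": "443"}]},
    "file_artifacts": {"total_count": 2, "data": [
        {"file_name": "dropper.exe", "File_sha256": "a" * 64, "is_malicous": True},
        {"file_name": "notepad.exe", "File_sha256": "b" * 64, "is_malicous": False}]}}}

def offline_post(url, headers, payload):
    """Stub transport returning the constructed sample, so the flow runs without a tenant."""
    return 200, json.dumps(SAMPLE_REPLY)

def demo():
    """Whole flow offline; use post=urllib_post with real credentials against a tenant."""
    status, body = get_incident_extra_data("yourfqdn", "1", "PLACEHOLDER-KEY", "12345",
                                           alerts_limit=2, post=offline_post)
    return status, summarize(body)
```

The rate limiter is deliberately a sliding window rather than a fixed per-minute counter, so a script that enriches many incidents in a loop never bursts past the documented limit at a minute boundary. The alerts_truncated flag matters when you pass alerts_limit: a reply whose alerts.total_count exceeds the number of alert rows returned is telling you that the list is cut off, not that the incident has fewer alerts.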