Get Extra Incident Data

Cortex XDR REST API

POST /public_api/v1/incidents/get_incident_extra_data

Get extra data fields of a specific incident including alerts and key artifacts.

The API response indicates whether a PAN NGFW alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: This API is rate limited to 10 requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Body parameters
request_data (Object, required)

A dictionary containing the API request fields.

incident_id (String)

The ID of the incident for which you want to retrieve extra data.

alerts_limit (Integer)

The maximum number of related alerts in the incident that you want to retrieve.

REQUEST BODY
{
  "request_data": {
    "incident_id": "<incident ID>",
    "alerts_limit": 5
  }
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: <API key ID>' \
  -H 'Authorization: <API key>' \
  'https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data' \
  -d '{"request_data": {"incident_id": "<incident ID>", "alerts_limit": 5}}'
Responses

OK

Body
reply (Object)
  incident (Object)
    incident_id (String)
    incident_name (String)
    creation_time (Integer)
    modification_time (Integer)
    detection_time (Object)
    status (String)
    severity (String)
    description (String)
    assigned_user_mail (String)
    assigned_user_pretty_name (String)
    alert_count (Integer)
    low_severity_alert_count (Integer)
    med_severity_alert_count (Integer)
    high_severity_alert_count (Integer)
    critical_severity_alert_count (Integer)
    user_count (Integer)
    host_count (Integer)
    notes (String)
    resolve_comment (String)
    manual_description (String)
    xdr_url (String)
    starred (Boolean)
    hosts (Array[string])
    users (Array)
    incident_sources (Array[string])
    rule_based_score (Integer)
    manual_score (Object)
    wildfire_hits (Integer)
    alerts_grouping_status (String)
    mitre_techniques_ids_and_names (Array[string])
    mitre_tactics_ids_and_names (Array[string])
    alert_categories (Array[string])
  alerts (Object)
    total_count (Integer)
    data (Array)
      external_id (String)
      severity (String)
      matching_status (String)
      end_match_attempt_ts (Object)
      local_insert_ts (Integer)
      bioc_indicator (Object)
      matching_service_rule_id (Object)
      attempt_counter (Object)
      bioc_category_enum_key (Object)
      case_id (Integer)
      is_whitelisted (Boolean)
      starred (Boolean)
      deduplicate_tokens (String)
      filter_rule_id (Object)
      mitre_technique_id_and_name (Object)
      mitre_tactic_id_and_name (Object)
      agent_version (Object)
      agent_device_domain (Object)
      agent_fqdn (Object)
      agent_os_type (String)
      agent_os_sub_type (Object)
      agent_data_collection_status (Object)
      mac (Object)
      mac_addresses (Object)
      agent_is_vdi (Object)
      agent_install_type (String)
      agent_host_boot_time (Object)
      event_sub_type (Object)
      module_id (Object)
      association_strength (Object)
      dst_association_strength (Object)
      story_id (Object)
      event_id (Object)
      event_type (String)
      events_length (Integer)
      event_timestamp (Object)
      actor_process_instance_id (Object)
      actor_process_image_path (Object)
      actor_process_image_name (Object)
      actor_process_command_line (Object)
      actor_process_signature_status (String)
      actor_process_signature_vendor (Object)
      actor_process_image_sha256 (Object)
      actor_process_image_md5 (Object)
      actor_process_causality_id (Object)
      actor_causality_id (Object)
      actor_process_os_pid (Object)
      actor_thread_thread_id (Object)
      causality_actor_process_image_name (Object)
      causality_actor_process_command_line (Object)
      causality_actor_process_image_path (Object)
      causality_actor_process_signature_vendor (Object)
      causality_actor_process_signature_status (String)
      causality_actor_causality_id (Object)
      causality_actor_process_execution_time (Object)
      causality_actor_process_image_md5 (Object)
      causality_actor_process_image_sha256 (Object)
      action_file_path (Object)
      action_file_name (Object)
      action_file_md5 (Object)
      action_file_sha256 (Object)
      action_file_macro_sha256 (Object)
      action_registry_data (Object)
      action_registry_key_name (Object)
      action_registry_value_name (Object)
      action_registry_full_key (Object)
      action_local_ip (String)
      action_local_port (String)
      action_remote_ip (String)
      action_remote_port (String)
      action_external_hostname (String)
      action_country (String)
      action_process_instance_id (Object)
      action_process_causality_id (Object)
      action_process_image_name (Object)
      action_process_image_sha256 (Object)
      action_process_image_command_line (Object)
      action_process_signature_status (String)
      action_process_signature_vendor (Object)
      os_actor_effective_username (Object)
      os_actor_process_instance_id (Object)
      os_actor_process_image_path (Object)
      os_actor_process_image_name (Object)
      os_actor_process_command_line (Object)
      os_actor_process_signature_status (String)
      os_actor_process_signature_vendor (Object)
      os_actor_process_image_sha256 (Object)
      os_actor_process_causality_id (Object)
      os_actor_causality_id (Object)
      os_actor_process_os_pid (Object)
      os_actor_thread_thread_id (Object)
      fw_app_id (Object)
      fw_interface_from (Object)
      fw_interface_to (Object)
      fw_rule (Object)
      fw_rule_id (Object)
      fw_device_name (Object)
      fw_serial_number (String)
      fw_url_domain (Object)
      fw_email_subject (String)
      fw_email_sender (Object)
      fw_email_recipient (Object)
      fw_app_subcategory (Object)
      fw_app_category (Object)
      fw_app_technology (Object)
      fw_vsys (Object)
      fw_xff (Object)
      fw_misc (Object)
      fw_is_phishing (String)
      dst_agent_id (Object)
      dst_causality_actor_process_execution_time (Object)
      dns_query_name (Object)
      dst_action_external_hostname (Object)
      dst_action_country (Object)
      dst_action_external_port (Object)
      alert_id (String)
      detection_timestamp (Integer)
      name (String)
      category (String)
      endpoint_id (Object)
      description (String)
      host_ip (String)
      host_name (String)
      source (String)
      action (String)
      action_pretty (String)
      user_name (Object)
      contains_featured_host (String)
      contains_featured_user (String)
      contains_featured_ip_address (String)
      tags (Array[string])
      original_tags (String)
  network_artifacts (Object)
    total_count (Integer)
    data (Array)
      type (String)
      alert_count (Integer)
      is_manual (Boolean)
      network_domain (String)
      network_remote_ip (String)
      network_remote_port (String)
      network_country (String)
  file_artifacts (Object)
    total_count (Integer)
    data (Array)
      alert_count (Integer)
      file_name (String)
      File_sha256 (String)
      file_signature_status (String)
      file_wildfire_verdict (String)
      is_malicous (Boolean)
      is_manual (Boolean)
      is_process (Boolean)
      low_confidence (Boolean)
      type (String)
RESPONSE
{
  "reply": {
    "incident": {
      "incident_id": "<incident ID>",
      "incident_name": "test",
      "creation_time": 1603184209710,
      "modification_time": 1603184209710,
      "detection_time": null,
      "status": "new",
      "severity": "high",
      "description": "generated by PAN NGFW",
      "assigned_user_mail": null,
      "assigned_user_pretty_name": null,
      "alert_count": 1,
      "low_severity_alert_count": 0,
      "med_severity_alert_count": 0,
      "high_severity_alert_count": 1,
      "critical_severity_alert_count": 0,
      "user_count": 0,
      "host_count": 0,
      "notes": null,
      "resolve_comment": null,
      "manual_severity": null,
      "manual_description": null,
      "xdr_url": "https://test.xdr.us.paloaltonetworks.com/incident-view/1",
      "starred": false,
      "hosts": ["<host1>:<agent_id1>", "<host2>:<agent_id2>"],
      "users": [],
      "incident_sources": ["PAN NGFW"],
      "rule_based_score": 342,
      "manual_score": null,
      "wildfire_hits": 0,
      "alerts_grouping_status": "Enabled",
      "mitre_techniques_ids_and_names": [
        "TA0004 - Privilege Escalation",
        "TA0005 - Defense Evasion",
        "TA0006 - Credential Access"
      ],
      "mitre_tactics_ids_and_names": [
        "T1001.001 - Data Obfuscation: Junk Data",
        "T1001.002 - Data Obfuscation: Steganography",
        "T1001.003 - Data Obfuscation: Protocol Impersonation"
      ],
      "alert_categories": ["Collection", "Credential Access", "File Name"]
    },
    "alerts": {
      "total_count": 1,
      "data": [
        {
          "external_id": "<external ID>",
          "severity": "high",
          "matching_status": "UNMATCHABLE",
          "end_match_attempt_ts": null,
          "local_insert_ts": 1603175431,
          "bioc_indicator": null,
          "matching_service_rule_id": null,
          "attempt_counter": null,
          "bioc_category_enum_key": null,
          "case_id": 1,
          "is_whitelisted": false,
          "starred": false,
          "deduplicate_tokens": "<token value>",
          "filter_rule_id": null,
          "mitre_technique_id_and_name": null,
          "mitre_tactic_id_and_name": null,
          "agent_version": null,
          "agent_device_domain": null,
          "agent_fqdn": null,
          "agent_os_type": "NO_HOST",
          "agent_os_sub_type": null,
          "agent_data_collection_status": null,
          "mac": null,
          "mac_addresses": null,
          "agent_is_vdi": null,
          "agent_install_type": "NA",
          "agent_host_boot_time": null,
          "event_sub_type": null,
          "module_id": null,
          "association_strength": null,
          "dst_association_strength": null,
          "story_id": null,
          "event_id": null,
          "event_type": "Network Event",
          "events_length": 1,
          "event_timestamp": null,
          "actor_process_instance_id": null,
          "actor_process_image_path": null,
          "actor_process_image_name": null,
          "actor_process_command_line": null,
          "actor_process_signature_status": "N/A",
          "actor_process_signature_vendor": null,
          "actor_process_image_sha256": null,
          "actor_process_image_md5": null,
          "actor_process_causality_id": null,
          "actor_causality_id": null,
          "actor_process_os_pid": null,
          "actor_thread_thread_id": null,
          "causality_actor_process_image_name": null,
          "causality_actor_process_command_line": null,
          "causality_actor_process_image_path": null,
          "causality_actor_process_signature_vendor": null,
          "causality_actor_process_signature_status": "N/A",
          "causality_actor_causality_id": null,
          "causality_actor_process_execution_time": null,
          "causality_actor_process_image_md5": null,
          "causality_actor_process_image_sha256": null,
          "action_file_path": null,
          "action_file_name": null,
          "action_file_md5": null,
          "action_file_sha256": null,
          "action_file_macro_sha256": null,
          "action_registry_data": null,
          "action_registry_key_name": null,
          "action_registry_value_name": null,
          "action_registry_full_key": null,
          "action_local_ip": "<IP address>",
          "action_local_port": "<port>",
          "action_remote_ip": "<IP address>",
          "action_remote_port": "<port>",
          "action_external_hostname": "<hostname>",
          "action_country": "UNKNOWN",
          "action_process_instance_id": null,
          "action_process_causality_id": null,
          "action_process_image_name": null,
          "action_process_image_sha256": null,
          "action_process_image_command_line": null,
          "action_process_signature_status": "N/A",
          "action_process_signature_vendor": null,
          "os_actor_effective_username": null,
          "os_actor_process_instance_id": null,
          "os_actor_process_image_path": null,
          "os_actor_process_image_name": null,
          "os_actor_process_command_line": null,
          "os_actor_process_signature_status": "N/A",
          "os_actor_process_signature_vendor": null,
          "os_actor_process_image_sha256": null,
          "os_actor_process_causality_id": null,
          "os_actor_causality_id": null,
          "os_actor_process_os_pid": null,
          "os_actor_thread_thread_id": null,
          "fw_app_id": null,
          "fw_interface_from": null,
          "fw_interface_to": null,
          "fw_rule": null,
          "fw_rule_id": null,
          "fw_device_name": null,
          "fw_serial_number": "<serial number>",
          "fw_url_domain": null,
          "fw_email_subject": "",
          "fw_email_sender": null,
          "fw_email_recipient": null,
          "fw_app_subcategory": null,
          "fw_app_category": null,
          "fw_app_technology": null,
          "fw_vsys": null,
          "fw_xff": null,
          "fw_misc": null,
          "fw_is_phishing": "N/A",
          "dst_agent_id": null,
          "dst_causality_actor_process_execution_time": null,
          "dns_query_name": null,
          "dst_action_external_hostname": null,
          "dst_action_country": null,
          "dst_action_external_port": null,
          "alert_id": "1",
          "detection_timestamp": 1603184109000,
          "name": "sagcalun",
          "category": "Spyware Detected via Anti-Spyware profile",
          "endpoint_id": null,
          "description": "Spyware Phone Home Detection",
          "host_ip": "<IP address>",
          "host_name": "<hostname>",
          "source": "PAN NGFW",
          "action": "DETECTED_4",
          "action_pretty": "Detected (Raised An Alert)",
          "user_name": null,
          "contains_featured_host": "Yes",
          "contains_featured_user": "Yes",
          "contains_featured_ip_address": "Yes",
          "tags": ["XDR Agent", "EG:Windows"],
          "original_tags": "None"
        }
      ]
    },
    "network_artifacts": {
      "total_count": 2,
      "data": [
        {
          "type": "DOMAIN",
          "alert_count": 1,
          "is_manual": false,
          "network_domain": "<domain name>",
          "network_remote_ip": "<IP address>",
          "network_remote_port": "<port>",
          "network_country": "UNKNOWN"
        },
        {
          "type": "IP",
          "alert_count": 1,
          "is_manual": false,
          "network_domain": "<domain name>",
          "network_remote_ip": "<IP address>",
          "network_remote_port": "<port>",
          "network_country": "UNKNOWN"
        }
      ]
    },
    "file_artifacts": {
      "total_count": 2,
      "data": [
        {
          "alert_count": 2,
          "file_name": "Test",
          "File_sha256": "1111",
          "file_signature_status": "SIGNATURE_UNAVAILABLE",
          "file_wildfire_verdict": "BENIGN",
          "is_malicous": false,
          "is_manual": false,
          "is_process": false,
          "low_confidence": true,
          "type": "HASH"
        },
        {
          "alert_count": 43,
          "file_name": "Test1",
          "File_sha256": "2222",
          "file_signature_status": "SIGNATURE_UNAVAILABLE",
          "file_wildfire_verdict": "MALWARE",
          "is_malicous": true,
          "is_manual": false,
          "is_process": false,
          "low_confidence": true,
          "type": "HASH"
        }
      ]
    }
  }
}
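As an added example that is not part of the Cortex XDR documentation or of any Palo Alto Networks SDK, the following Python builds the request body described above, paces calls so a polling loop stays within the 10 requests per minute limit, turns the err_code/err_msg/err_extra error body documented for the non-OK responses further down into an exception, and pulls the fields a responder checks first out of the reply: which alerts came from the PAN NGFW, which file artifacts carry a MALWARE verdict or the is_malicous flag, which remote IPs appear as network artifacts, and whether alerts_limit truncated the alert list (total_count larger than the number of alerts actually returned). The sample reply is constructed from the RESPONSE above (with total_count raised so the truncation check fires), and the x-xdr-auth-id / Authorization header names are an assumption taken from the Cortex XDR API-key scheme, which this page does not show.

```python
# Added example, not Palo Alto Networks code: build the documented request body,
# pace calls under the 10-requests-per-minute limit, and triage the reply.
# The x-xdr-auth-id / Authorization headers are assumed from the Cortex XDR
# API-key scheme; this page does not show them.
import json
import time
import urllib.request

ENDPOINT = "/public_api/v1/incidents/get_incident_extra_data"
RATE_LIMIT_PER_MINUTE = 10                    # documented limit for this API
MIN_INTERVAL = 60.0 / RATE_LIMIT_PER_MINUTE   # 6 seconds between calls


class XdrApiError(Exception):
    """Carries the documented error body: err_code, err_msg, err_extra."""
    def __init__(self, err_code, err_msg, err_extra=None):
        super().__init__(f"{err_code}: {err_msg}")
        self.err_code, self.err_msg, self.err_extra = err_code, err_msg, err_extra


class Throttle:
    """Client-side pacing so a polling loop never exceeds the rate limit."""
    def __init__(self, min_interval=MIN_INTERVAL):
        self.min_interval, self.last = min_interval, None

    def wait_needed(self, now):
        """Seconds to sleep before the next call may be sent (0.0 if none)."""
        return 0.0 if self.last is None else max(0.0, self.min_interval - (now - self.last))

    def mark(self, now):
        self.last = now


def build_request(incident_id, alerts_limit=5):
    """Request body exactly as documented: one request_data dictionary."""
    if not isinstance(alerts_limit, int) or alerts_limit < 1:
        raise ValueError("alerts_limit must be a positive integer")
    return {"request_data": {"incident_id": str(incident_id), "alerts_limit": alerts_limit}}


def parse_response(body):
    """Return the reply object, or raise XdrApiError for the documented error shape."""
    if "reply" in body:
        return body["reply"]
    if "err_code" in body:
        raise XdrApiError(body.get("err_code"), body.get("err_msg"), body.get("err_extra"))
    raise ValueError("unrecognised response body")


def triage(reply):
    """Pull out what a responder checks first, and flag an alerts_limit truncation."""
    incident, alerts = reply["incident"], reply["alerts"]["data"]
    files, nets = reply["file_artifacts"]["data"], reply["network_artifacts"]["data"]
    return {
        "incident_id": incident["incident_id"],
        "severity": incident["severity"],
        "alerts_total": reply["alerts"]["total_count"],
        # total_count counts every alert; data holds at most alerts_limit of them
        "truncated": reply["alerts"]["total_count"] > len(alerts),
        "ngfw_alert_ids": [a["alert_id"] for a in alerts if a.get("source") == "PAN NGFW"],
        # File_sha256 (capital F) and is_malicous are the field names as documented
        "malicious_hashes": sorted(f["File_sha256"] for f in files
                                   if f.get("is_malicous") or f.get("file_wildfire_verdict") == "MALWARE"),
        "remote_ips": sorted({n["network_remote_ip"] for n in nets if n.get("type") == "IP"}),
    }


def fetch_extra_data(fqdn, api_key_id, api_key, incident_id, alerts_limit=5, throttle=None):
    """Live call (not exercised offline); header names are an assumption, see above."""
    throttle = throttle or Throttle()
    time.sleep(throttle.wait_needed(time.monotonic()))
    req = urllib.request.Request(
        f"https://{fqdn}{ENDPOINT}",
        data=json.dumps(build_request(incident_id, alerts_limit)).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "x-xdr-auth-id": str(api_key_id), "Authorization": api_key},
        method="POST")
    throttle.mark(time.monotonic())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(json.load(resp))


# Constructed sample trimmed from the RESPONSE above; alerts total_count is raised
# to 3 so that the truncation check has something to report.
SAMPLE_OK = {"reply": {
    "incident": {"incident_id": "1", "incident_name": "test", "status": "new",
                 "severity": "high", "alert_count": 3, "incident_sources": ["PAN NGFW"]},
    "alerts": {"total_count": 3, "data": [
        {"alert_id": "1", "source": "PAN NGFW", "severity": "high",
         "category": "Spyware Detected via Anti-Spyware profile",
         "action_remote_ip": "203.0.113.7", "action_remote_port": "443"}]},
    "network_artifacts": {"total_count": 2, "data": [
        {"type": "DOMAIN", "alert_count": 1, "is_manual": False, "network_domain": "example.test",
         "network_remote_ip": "203.0.113.7", "network_remote_port": "443", "network_country": "UNKNOWN"},
        {"type": "IP", "alert_count": 1, "is_manual": False, "network_domain": "",
         "network_remote_ip": "203.0.113.7", "network_remote_port": "443", "network_country": "UNKNOWN"}]},
    "file_artifacts": {"total_count": 2, "data": [
        {"alert_count": 2, "file_name": "Test", "File_sha256": "1111",
         "file_wildfire_verdict": "BENIGN", "is_malicous": False, "type": "HASH"},
        {"alert_count": 43, "file_name": "Test1", "File_sha256": "2222",
         "file_wildfire_verdict": "MALWARE", "is_malicous": True, "type": "HASH"}]}}}

# Constructed error body in the shape documented for the non-OK responses.
SAMPLE_ERROR = {"err_code": "err_code_example",
                "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
                "err_extra": "err_extra_example"}
```

fetch_extra_data is the only function that touches the network; everything else works on an already parsed body, so the triage logic can be exercised against stored replies. Compare total_count with the length of alerts.data before concluding that an incident contains only the alerts you received, and keep the Throttle instance shared across every call in a loop rather than creating one per call.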

Bad Request. Got an invalid JSON.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. User does not have the required license type to run this API.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

An error occurred while processing XDR public API - incident management - update_incident

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Internal Server Error