Get Extra Incident Data

Cortex XDR REST API

post /public_api/v1/incidents/get_incident_extra_data

Get extra data fields of a specific incident including alerts and key artifacts.

Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: The API is rate limited to 10 API requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Request headers
Authorization
String
required

{api_key}

Example: authorization_example
x-xdr-auth-id
String
required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding
String

Set this header to request a gzip-compressed response.

Example: acceptEncoding_example
Body parameters
request_dataObjectrequired

A dictionary containing the API request fields.

incident_idString

The ID of the incident for which you want to retrieve extra data.

alerts_limitInteger

The maximum number of related alerts in the incident that you want to retrieve.

REQUEST BODY
{"request_data":{"incident_id":"<incident ID>","alerts_limit":5}}
CLIENT REQUEST
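# Sample request for get_incident_extra_data. Line continuations were missing
# in the original listing, and "-d ''" sent an empty body, which the API
# rejects with "Bad Request. Got an invalid JSON." The body below is the
# documented request: the incident to look up and the maximum number of
# related alerts to return.
# Authorization / x-xdr-auth-id carry the API key and key id: supply them
# from a secret store or environment variable, not from a shell history.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example' -H 'Accept-Encoding: acceptEncoding_example' \
  'https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data' \
  -d '{"request_data":{"incident_id":"<incident ID>","alerts_limit":5}}'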
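import http.client
import json
import sys

# Endpoint host (no scheme) and path of the get_incident_extra_data API.
HOST = "api-yourfqdn"
PATH = "/public_api/v1/incidents/get_incident_extra_data"

# Request body: incident_id is the incident to look up, alerts_limit caps the
# number of related alerts returned. Built with json.dumps so the payload is
# always well-formed JSON (the API answers 400 "Got an invalid JSON" otherwise).
payload = json.dumps({"request_data": {"incident_id": "string", "alerts_limit": 1000}})

# Authentication headers. Keep the real key and key id out of source control;
# read them from a secret store or the environment at runtime.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context, or the API key travels over an unauthenticated channel.
conn = http.client.HTTPSConnection(HOST)
try:
    conn.request("POST", PATH, payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    # Release the socket even when the request raises.
    conn.close()

# Error responses carry an err_code/err_msg/err_extra body; report them rather
# than printing them as if they were the incident data.
if res.status != 200:
    sys.stderr.write("request failed: {} {}: {}\n".format(
        res.status, res.reason, data.decode("utf-8", "replace")))
    sys.exit(1)
print(data.decode("utf-8"))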
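require 'uri'
require 'net/http'
require 'openssl'

# Endpoint of the get_incident_extra_data API and an HTTPS client for it.
url = URI("https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample used VERIFY_NONE, which
# accepts any certificate and lets an on-path party read or alter the request
# (including the API key headers) and the response.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Authentication headers: source the real key and key id from a secret store
# or environment variable rather than a literal.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# Request body: the incident to look up and the maximum number of related
# alerts to return.
request.body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}"

response = http.request(request)
# Error responses carry err_code/err_msg/err_extra; flag them instead of
# printing them as if they were incident data.
warn "request failed: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
puts response.read_body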
// Request body for get_incident_extra_data: the incident to look up and the
// maximum number of related alerts to return.
const body = JSON.stringify({
  request_data: { incident_id: "string", alerts_limit: 1000 },
});

// Authentication and content headers. An API key embedded in browser-side
// JavaScript is readable by anyone who can load the page; keep the real key
// on a server-side component instead.
const headers = {
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "Accept-Encoding": "SOME_STRING_VALUE",
  "content-type": "application/json",
};

const xhr = new XMLHttpRequest();
// Kept as in the original sample: this only controls whether browser
// credentials (cookies) accompany a cross-origin request; the API itself is
// authenticated by the headers above.
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
};
xhr.open("POST", "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data");
for (const name of Object.keys(headers)) {
  xhr.setRequestHeader(name, headers[name]);
}
xhr.send(body);
// Endpoint and JSON body of get_incident_extra_data: the incident to look up
// and the maximum number of related alerts to return.
final String url = "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data";
final String body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}";

// Authentication headers: read the real key and key id from configuration
// rather than from a literal in source.
HttpResponse<String> response = Unirest.post(url)
    .header("Authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .header("Accept-Encoding", "SOME_STRING_VALUE")
    .header("content-type", "application/json")
    .body(body)
    .asString();
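import Foundation

// Authentication and content headers. Keep the real key and key id in the
// keychain or configuration rather than in source.
let headers = [
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "Accept-Encoding": "SOME_STRING_VALUE",
  "content-type": "application/json"
]

// Request body: the incident to look up and the maximum number of related
// alerts to return.
let parameters = ["request_data": [ "incident_id": "string", "alerts_limit": 1000 ]] as [String : Any]

// JSONSerialization.data(withJSONObject:options:) throws; the original sample
// omitted `try`, which does not compile.
let postData: Data
do {
  postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
  print("failed to encode request body: \(error)")
  exit(1)
}

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession validates the server certificate by default; do not install a
// delegate that accepts arbitrary certificates.
let task = URLSession.shared.dataTask(with: request) { data, response, error in
  if let error = error {
    print("request failed: \(error)")
    return
  }
  // Error responses carry an err_code/err_msg/err_extra JSON body.
  if let http = response as? HTTPURLResponse, http.statusCode != 200 {
    print("HTTP \(http.statusCode)")
  }
  if let data = data, let text = String(data: data, encoding: .utf8) {
    print(text)
  }
}
task.resume()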
<?php
// Endpoint and JSON body of get_incident_extra_data: the incident to look up
// and the maximum number of related alerts to return.
$url = "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data";
$payload = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}";

// Authentication headers: pull the real key and key id from configuration
// rather than a literal in source.
$headers = [
    "Accept-Encoding: SOME_STRING_VALUE",
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE",
];

$ch = curl_init($url);
// cURL verifies the server certificate by default; leave CURLOPT_SSL_VERIFYPEER
// at its default so the API key is never sent over an unverified channel.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_ENCODING, "");
curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
$err = curl_error($ch);
curl_close($ch);

// Transport-level failure is reported; otherwise the raw response body is printed.
echo $err ? "cURL Error #:" . $err : $response;
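/* libcurl call to get_incident_extra_data. Unlike the original sample this
 * checks the handle, checks the transfer result, and releases the header
 * list and the handle afterwards. */
CURL *hnd = curl_easy_init();
if (hnd == NULL) {
    fprintf(stderr, "curl_easy_init failed\n");
} else {
    struct curl_slist *headers = NULL;
    /* Authentication headers: load the real key and key id from configuration,
     * not from a literal in source. */
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* Request body: the incident to look up and the maximum number of related
     * alerts to return. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}");
    /* Peer and host certificate verification stay at libcurl's default (on). */

    CURLcode ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
    }

    /* The header list must outlive the transfer; free it only after perform. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}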
// Endpoint and JSON body of get_incident_extra_data: the incident to look up
// and the maximum number of related alerts to return.
const string url = "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data";
const string body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}";

var client = new RestClient(url);
var request = new RestRequest(Method.POST);

// Authentication headers: read the real key and key id from configuration
// rather than a literal in source.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", body, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Responses

OK

Body
replyObject
incidentObject
incident_idString
incident_nameString
creation_timeInteger
modification_timeInteger
detection_timeObject
statusString
severityString
descriptionString
assigned_user_mailString
assigned_user_pretty_nameString
alert_countInteger
low_severity_alert_countInteger
med_severity_alert_countInteger
high_severity_alert_countInteger
critical_severity_alert_countInteger
user_countInteger
host_countInteger
notesString
resolve_commentString
manual_descriptionString
xdr_urlString
starredBoolean
hostsArray[string]
usersArray
[
]
incident_sourcesArray[string]
rule_based_scoreInteger
manual_scoreObject
wildfire_hitsInteger
alerts_grouping_statusString
mitre_techniques_ids_and_namesArray[string]
mitre_tactics_ids_and_namesArray[string]
alert_categoriesArray[string]
alertsObject
total_countInteger
dataArray
[
external_idString
severityString
matching_statusString
end_match_attempt_tsObject
local_insert_tsInteger
bioc_indicatorObject
matching_service_rule_idObject
attempt_counterObject
bioc_category_enum_keyObject
case_idInteger
is_whitelistedBoolean
starredBoolean
deduplicate_tokensString
filter_rule_idObject
mitre_technique_id_and_nameObject
mitre_tactic_id_and_nameObject
agent_versionObject
agent_device_domainObject
agent_fqdnObject
agent_os_typeString
agent_os_sub_typeObject
agent_data_collection_statusObject
macObject
mac_addressesObject
agent_is_vdiObject
agent_install_typeString
agent_host_boot_timeObject
event_sub_typeObject
module_idObject
association_strengthObject
dst_association_strengthObject
story_idObject
event_idObject
event_typeString
events_lengthInteger
event_timestampObject
actor_process_instance_idObject
actor_process_image_pathObject
actor_process_image_nameObject
actor_process_command_lineObject
actor_process_signature_statusString
actor_process_signature_vendorObject
actor_process_image_sha256Object
actor_process_image_md5Object
actor_process_causality_idObject
actor_causality_idObject
actor_process_os_pidObject
actor_thread_thread_idObject
causality_actor_process_image_nameObject
causality_actor_process_command_lineObject
causality_actor_process_image_pathObject
causality_actor_process_signature_vendorObject
causality_actor_process_signature_statusString
causality_actor_causality_idObject
causality_actor_process_execution_timeObject
causality_actor_process_image_md5Object
causality_actor_process_image_sha256Object
action_file_pathObject
action_file_nameObject
action_file_md5Object
action_file_sha256Object
action_file_macro_sha256Object
action_registry_dataObject
action_registry_key_nameObject
action_registry_value_nameObject
action_registry_full_keyObject
action_local_ipString
action_local_portString
action_remote_ipString
action_remote_portString
action_external_hostnameString
action_countryString
action_process_instance_idObject
action_process_causality_idObject
action_process_image_nameObject
action_process_image_sha256Object
action_process_image_command_lineObject
action_process_signature_statusString
action_process_signature_vendorObject
os_actor_effective_usernameObject
os_actor_process_instance_idObject
os_actor_process_image_pathObject
os_actor_process_image_nameObject
os_actor_process_command_lineObject
os_actor_process_signature_statusString
os_actor_process_signature_vendorObject
os_actor_process_image_sha256Object
os_actor_process_causality_idObject
os_actor_causality_idObject
os_actor_process_os_pidObject
os_actor_thread_thread_idObject
fw_app_idObject
fw_interface_fromObject
fw_interface_toObject
fw_ruleObject
fw_rule_idObject
fw_device_nameObject
fw_serial_numberString
fw_url_domainObject
fw_email_subjectString
fw_email_senderObject
fw_email_recipientObject
fw_app_subcategoryObject
fw_app_categoryObject
fw_app_technologyObject
fw_vsysObject
fw_xffObject
fw_miscObject
fw_is_phishingString
dst_agent_idObject
dst_causality_actor_process_execution_timeObject
dns_query_nameObject
dst_action_external_hostnameObject
dst_action_countryObject
dst_action_external_portObject
alert_idString
detection_timestampInteger
nameString
categoryString
endpoint_idObject
descriptionString
host_ipString
host_nameString
sourceString
actionString
action_prettyString
user_nameObject
contains_featured_hostString
contains_featured_userString
contains_featured_ip_addressString
tagsArray[string]
original_tagsString
]
network_artifactsObject
total_countInteger
dataArray
[
typeString
alert_countInteger
is_manualBoolean
network_domainString
network_remote_ipString
network_remote_portString
network_countryString
]
file_artifactsObject
total_countInteger
dataArray
[
alert_countInteger
file_nameString
File_sha256String
file_signature_statusString
file_wildfire_verdictString
is_malicousBoolean
is_manualBoolean
is_processBoolean
low_confidenceBoolean
typeString
]
RESPONSE
{ "reply": { "incident": { "incident_id": "<incient ID>", "incident_name": "test", "creation_time": 1603184209710, "modification_time": 1603184209710, "detection_time": null, "status": "new", "severity": "high", "description": "generated by PAN NGFW", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 1, "low_severity_alert_count": 0, "med_severity_alert_count": 0, "high_severity_alert_count": 1, "critical_severity_alert_count": 0, "user_count": 0, "host_count": 0, "notes": null, "resolve_comment": null, "manual_severity": null, "manual_description": null, "xdr_url": "https://test.xdr.us.paloaltonetworks.com/incident-view/1", "starred": false, "hosts": [ "<host1>:<agent_id1>", "<host2>:<agent_id2>" ], "users": [], "incident_sources": [ "PAN NGFW" ], "rule_based_score": 342, "manual_score": null, "wildfire_hits": 0, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": [ "TA0004 - Privilege Escalation", "TA0005 - Defense Evasion", "TA0006 - Credential Access" ], "mitre_tactics_ids_and_names": [ "T1001.001 - Data Obfuscation: Junk Data", "T1001.002 - Data Obfuscation: Steganography", "T1001.003 - Data Obfuscation: Protocol Impersonation" ], "alert_categories": [ "Collection", "Credential Access", "File Name" ] }, "alerts": { "total_count": 1, "data": [ { "external_id": "<external ID>", "severity": "high", "matching_status": "UNMATCHABLE", "end_match_attempt_ts": null, "local_insert_ts": 1603175431, "bioc_indicator": null, "matching_service_rule_id": null, "attempt_counter": null, "bioc_category_enum_key": null, "case_id": 1, "is_whitelisted": false, "starred": false, "deduplicate_tokens": "<token value>", "filter_rule_id": null, "mitre_technique_id_and_name": null, "mitre_tactic_id_and_name": null, "agent_version": null, "agent_device_domain": null, "agent_fqdn": null, "agent_os_type": "NO_HOST", "agent_os_sub_type": null, "agent_data_collection_status": null, "mac": null, "mac_addresses": null, "agent_is_vdi": null, 
"agent_install_type": "NA", "agent_host_boot_time": null, "event_sub_type": null, "module_id": null, "association_strength": null, "dst_association_strength": null, "story_id": null, "event_id": null, "event_type": "Network Event", "events_length": 1, "event_timestamp": null, "actor_process_instance_id": null, "actor_process_image_path": null, "actor_process_image_name": null, "actor_process_command_line": null, "actor_process_signature_status": "N/A", "actor_process_signature_vendor": null, "actor_process_image_sha256": null, "actor_process_image_md5": null, "actor_process_causality_id": null, "actor_causality_id": null, "actor_process_os_pid": null, "actor_thread_thread_id": null, "causality_actor_process_image_name": null, "causality_actor_process_command_line": null, "causality_actor_process_image_path": null, "causality_actor_process_signature_vendor": null, "causality_actor_process_signature_status": "N/A", "causality_actor_causality_id": null, "causality_actor_process_execution_time": null, "causality_actor_process_image_md5": null, "causality_actor_process_image_sha256": null, "action_file_path": null, "action_file_name": null, "action_file_md5": null, "action_file_sha256": null, "action_file_macro_sha256": null, "action_registry_data": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_registry_full_key": null, "action_local_ip": "<IP address>", "action_local_port": "<port>", "action_remote_ip": "<IP address>", "action_remote_port": "<port>", "action_external_hostname": "<hostname>", "action_country": "UNKNOWN", "action_process_instance_id": null, "action_process_causality_id": null, "action_process_image_name": null, "action_process_image_sha256": null, "action_process_image_command_line": null, "action_process_signature_status": "N/A", "action_process_signature_vendor": null, "os_actor_effective_username": null, "os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_image_name": null, 
"os_actor_process_command_line": null, "os_actor_process_signature_status": "N/A", "os_actor_process_signature_vendor": null, "os_actor_process_image_sha256": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "os_actor_process_os_pid": null, "os_actor_thread_thread_id": null, "fw_app_id": null, "fw_interface_from": null, "fw_interface_to": null, "fw_rule": null, "fw_rule_id": null, "fw_device_name": null, "fw_serial_number": "<serial number>", "fw_url_domain": null, "fw_email_subject": "", "fw_email_sender": null, "fw_email_recipient": null, "fw_app_subcategory": null, "fw_app_category": null, "fw_app_technology": null, "fw_vsys": null, "fw_xff": null, "fw_misc": null, "fw_is_phishing": "N/A", "dst_agent_id": null, "dst_causality_actor_process_execution_time": null, "dns_query_name": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "alert_id": "1", "detection_timestamp": 1603184109000, "name": "sagcalun", "category": "Spyware Detected via Anti-Spyware profile", "endpoint_id": null, "description": "Spyware Phone Home Detection", "host_ip": "<IP address>", "host_name": "<hostname>", "source": "PAN NGFW", "action": "DETECTED_4", "action_pretty": "Detected (Raised An Alert)", "user_name": null, "contains_featured_host": "Yes", "contains_featured_user": "Yes", "contains_featured_ip_address": "Yes", "tags": [ "XDR Agent", "EG:Windows" ], "original_tags": "None" } ] }, "network_artifacts": { "total_count": 2, "data": [ { "type": "DOMAIN", "alert_count": 1, "is_manual": false, "network_domain": "<domain name>", "network_remote_ip": "<IP address>", "network_remote_port": "<port>", "network_country": "UNKNOWN" }, { "type": "IP", "alert_count": 1, "is_manual": false, "network_domain": "<domain name>", "network_remote_ip": "<IP address>", "network_remote_port": "<port>", "network_country": "UNKNOWN" } ] }, "file_artifacts": { "total_count": 2, "data": [ { "alert_count": 2, "file_name": "Test", 
"File_sha256": "1111", "file_signature_status": "SIGNATURE_UNAVAILABLE", "file_wildfire_verdict": "BENIGN", "is_malicous": false, "is_manual": false, "is_process": false, "low_confidence": true, "type": "HASH" }, { "alert_count": 43, "file_name": "Test1", "File_sha256": "2222", "file_signature_status": "SIGNATURE_UNAVAILABLE", "file_wildfire_verdict": "MALWARE", "is_malicous": true, "is_manual": false, "is_process": false, "low_confidence": true, "type": "HASH" } ] } } }

Bad Request. Got an invalid JSON.

Body

The query result upon error.

err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

The query result upon error.

err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. User does not have the required license type to run this API.

Body

The query result upon error.

err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

The query result upon error.

err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

An error occurred while processing XDR public API - incident management - update_incident

Body

The query result upon error.

err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Internal Server Error