Get Extra Incident Data

Cortex XDR REST API

post /public_api/v1/incidents/get_incident_extra_data

Get extra data fields of a specific incident including alerts and key artifacts.

Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: This API is rate limited to 10 requests per minute. Integrations that poll incidents should space their calls accordingly rather than retrying failed requests immediately.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Request headers
Authorization String required

{api_key} — the API key is a credential: keep it in a secrets store or environment variable, and never embed it in client-side (browser) code, logs, or source control.

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding String

Set to gzip to receive a gzip-compressed response body. Make sure your HTTP client decompresses the body (many do so transparently) before parsing it as JSON.

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
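# Call POST /public_api/v1/incidents/get_incident_extra_data.
#
# Credentials are read from the environment so they stay out of shell history and
# out of copy-pasted docs: XDR_API_KEY is the Authorization header value and
# XDR_API_KEY_ID is the x-xdr-auth-id header value (see "Request headers").
#
# The original example sent an empty body (-d ''); request_data is marked required,
# so the body below carries incident_id and the alerts_limit default of 1000.
# --compressed lets curl decode the gzip body it asks for with Accept-Encoding.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XDR_API_KEY}" \
  -H "x-xdr-auth-id: ${XDR_API_KEY_ID}" \
  -H 'Accept-Encoding: gzip' --compressed \
  'https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data' \
  -d '{"request_data":{"incident_id":"<incident ID>","alerts_limit":1000}}'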
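import gzip
import http.client
import json
import os


def get_incident_extra_data(host, api_key, api_key_id, incident_id, alerts_limit=1000):
    """POST /public_api/v1/incidents/get_incident_extra_data and return the parsed reply.

    Args:
        host: API hostname without scheme, e.g. "api-yourfqdn".
        api_key: value sent in the Authorization header.
        api_key_id: value sent in the x-xdr-auth-id header.
        incident_id: ID of the incident whose extra data is wanted.
        alerts_limit: maximum number of related alerts to return (API default 1000).

    Returns:
        The decoded JSON body (a dict with a "reply" key on success).

    Raises:
        RuntimeError: on a non-200 HTTP status; the message carries the status
            and the body text (the API returns err_code/err_msg JSON on failure).
    """
    # json.dumps instead of a hand-escaped string, so an incident ID containing
    # quotes or backslashes cannot break the request JSON.
    payload = json.dumps(
        {"request_data": {"incident_id": incident_id, "alerts_limit": alerts_limit}}
    )
    headers = {
        "Authorization": api_key,
        "x-xdr-auth-id": api_key_id,
        # Ask for the documented default encoding; http.client does not decode
        # Content-Encoding by itself, so the body is gunzipped below.
        "Accept-Encoding": "gzip",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    # HTTPSConnection verifies the server certificate against the system trust
    # store by default; leave that alone -- the API key travels in this request.
    conn = http.client.HTTPSConnection(host)
    try:
        conn.request(
            "POST", "/public_api/v1/incidents/get_incident_extra_data", payload, headers
        )
        res = conn.getresponse()
        body = res.read()
        if (res.getheader("Content-Encoding") or "").lower() == "gzip":
            body = gzip.decompress(body)
        text = body.decode("utf-8")
        if res.status != 200:
            raise RuntimeError(
                f"HTTP {res.status} from get_incident_extra_data: {text}"
            )
        return json.loads(text)
    finally:
        conn.close()


if __name__ == "__main__":
    # Credentials come from the environment rather than being hard-coded here.
    reply = get_incident_extra_data(
        "api-yourfqdn",
        os.environ["XDR_API_KEY"],
        os.environ["XDR_API_KEY_ID"],
        "<incident ID>",
    )
    print(json.dumps(reply, indent=2))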
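require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# POST /public_api/v1/incidents/get_incident_extra_data and return the parsed reply.
#
# api_key      - value for the Authorization header
# api_key_id   - value for the x-xdr-auth-id header
# incident_id  - ID of the incident whose extra data is wanted
# alerts_limit - maximum number of related alerts to return (API default 1000)
#
# Raises RuntimeError on a non-2xx status, with the status and body text
# (the API returns err_code/err_msg JSON on failure).
def get_incident_extra_data(api_key, api_key_id, incident_id, alerts_limit: 1000)
  url = URI('https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data')

  request = Net::HTTP::Post.new(url)
  request['Authorization'] = api_key
  request['x-xdr-auth-id'] = api_key_id
  request['Content-Type'] = 'application/json'
  request['Accept'] = 'application/json'
  # Accept-Encoding is deliberately not set: Net::HTTP adds its own and then
  # decodes a gzip reply transparently; setting the header by hand turns that off.
  request.body = JSON.generate(
    'request_data' => { 'incident_id' => incident_id, 'alerts_limit' => alerts_limit }
  )

  # The original snippet used VERIFY_NONE, which disables certificate checking
  # and lets any on-path host read the API key. VERIFY_PEER validates the server
  # certificate against the system CA store.
  response = Net::HTTP.start(url.host, url.port,
                             use_ssl: true,
                             verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    http.request(request)
  end

  unless response.is_a?(Net::HTTPSuccess)
    raise "HTTP #{response.code} from get_incident_extra_data: #{response.body}"
  end
  JSON.parse(response.body)
end

if $PROGRAM_NAME == __FILE__
  # Credentials come from the environment rather than being hard-coded here.
  reply = get_incident_extra_data(ENV.fetch('XDR_API_KEY'),
                                  ENV.fetch('XDR_API_KEY_ID'),
                                  '<incident ID>')
  puts JSON.pretty_generate(reply)
end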
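/**
 * POST /public_api/v1/incidents/get_incident_extra_data and resolve with the parsed reply.
 *
 * NOTE(security): the Authorization header is the API key. Anything that ships to a
 * browser exposes it to every user of the page, so call this from a backend/CLI
 * context or proxy the request through your own server instead of embedding the key
 * in client-side JavaScript.
 *
 * @param {string} apiKey       value for the Authorization header
 * @param {string} apiKeyId     value for the x-xdr-auth-id header
 * @param {string} incidentId   ID of the incident whose extra data is wanted
 * @param {number} [alertsLimit=1000] maximum number of related alerts to return
 * @returns {Promise<object>} the decoded JSON body ({ reply: ... } on success)
 *   rejects with an Error carrying the HTTP status and body text on a non-2xx reply
 */
function getIncidentExtraData(apiKey, apiKeyId, incidentId, alertsLimit = 1000) {
  const body = JSON.stringify({
    request_data: { incident_id: incidentId, alerts_limit: alertsLimit },
  });

  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data');
    xhr.setRequestHeader('Authorization', apiKey);
    xhr.setRequestHeader('x-xdr-auth-id', apiKeyId);
    xhr.setRequestHeader('Content-Type', 'application/json');
    xhr.setRequestHeader('Accept', 'application/json');
    // Accept-Encoding is a forbidden request header for XMLHttpRequest: the browser
    // negotiates compression itself and ignores setRequestHeader for it, so the
    // original's header was never sent. withCredentials is dropped too -- it only
    // governs cookies/TLS client certs on cross-origin requests, and this API
    // authenticates by header.

    xhr.onreadystatechange = function () {
      if (this.readyState !== XMLHttpRequest.DONE) return;
      if (this.status < 200 || this.status >= 300) {
        reject(new Error(`HTTP ${this.status} from get_incident_extra_data: ${this.responseText}`));
        return;
      }
      try {
        resolve(JSON.parse(this.responseText));
      } catch (err) {
        reject(err);
      }
    };
    xhr.onerror = () => reject(new Error('network error calling get_incident_extra_data'));

    xhr.send(body);
  });
}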
// Same request as the original one-liner, with the endpoint and body named so the
// call reads top to bottom. The key and key ID belong in configuration, not source.
final String endpoint = "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data";
final String requestBody = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}";

HttpResponse<String> response = Unirest.post(endpoint)
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("Accept-Encoding", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body(requestBody)
        .asString();
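import Foundation

/// POST /public_api/v1/incidents/get_incident_extra_data.
///
/// Fixes vs. the original snippet: `JSONSerialization.data(withJSONObject:)` throws and
/// was called without `try` (does not compile); the URL was force-unwrapped; and the
/// completion handler printed an Optional instead of checking the HTTP status.
///
/// - Parameters:
///   - apiKey: value for the Authorization header.
///   - apiKeyId: value for the x-xdr-auth-id header.
///   - incidentId: ID of the incident whose extra data is wanted.
///   - alertsLimit: maximum number of related alerts to return (API default 1000).
///   - completion: receives the raw response body on HTTP 2xx, or an error. On a
///     non-2xx status the error's description is the body text (the API returns
///     err_code/err_msg JSON on failure).
func getIncidentExtraData(apiKey: String,
                          apiKeyId: String,
                          incidentId: String,
                          alertsLimit: Int = 1000,
                          completion: @escaping (Result<Data, Error>) -> Void) {
    guard let url = URL(string: "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data") else {
        completion(.failure(URLError(.badURL)))
        return
    }

    let parameters: [String: Any] = [
        "request_data": ["incident_id": incidentId, "alerts_limit": alertsLimit]
    ]
    let body: Data
    do {
        body = try JSONSerialization.data(withJSONObject: parameters, options: [])
    } catch {
        completion(.failure(error))
        return
    }

    var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
    request.httpMethod = "POST"
    request.httpBody = body
    request.setValue(apiKey, forHTTPHeaderField: "Authorization")
    request.setValue(apiKeyId, forHTTPHeaderField: "x-xdr-auth-id")
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    request.setValue("application/json", forHTTPHeaderField: "Accept")
    // Accept-Encoding is left to URLSession, which negotiates gzip and decodes the body.

    let task = URLSession.shared.dataTask(with: request) { data, response, error in
        if let error = error {
            completion(.failure(error))
            return
        }
        guard let http = response as? HTTPURLResponse, let data = data else {
            completion(.failure(URLError(.badServerResponse)))
            return
        }
        guard (200..<300).contains(http.statusCode) else {
            let text = String(data: data, encoding: .utf8) ?? ""
            completion(.failure(NSError(domain: "CortexXDR",
                                        code: http.statusCode,
                                        userInfo: [NSLocalizedDescriptionKey: text])))
            return
        }
        completion(.success(data))
    }
    task.resume()
}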
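<?php
/**
 * POST /public_api/v1/incidents/get_incident_extra_data and return the decoded reply.
 *
 * @param string $apiKey      value for the Authorization header
 * @param string $apiKeyId    value for the x-xdr-auth-id header
 * @param string $incidentId  ID of the incident whose extra data is wanted
 * @param int    $alertsLimit maximum number of related alerts to return (API default 1000)
 * @return array decoded JSON body (has a "reply" key on success)
 * @throws RuntimeException on a transport error, a non-200 status (message carries the
 *         status and body text; the API returns err_code/err_msg JSON), or a non-JSON body
 */
function getIncidentExtraData(string $apiKey, string $apiKeyId, string $incidentId, int $alertsLimit = 1000): array
{
    // json_encode instead of a hand-escaped string, so an incident ID containing
    // quotes or backslashes cannot break the request JSON.
    $payload = json_encode(['request_data' => ['incident_id' => $incidentId, 'alerts_limit' => $alertsLimit]]);

    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data",
        CURLOPT_RETURNTRANSFER => true,
        // "" = advertise every encoding libcurl supports (incl. gzip) and decode the
        // reply transparently. The original also sent a literal Accept-Encoding header
        // with a placeholder value, which replaces the one libcurl generates from this
        // option; let libcurl generate it instead.
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $payload,
        // CURLOPT_SSL_VERIFYPEER / VERIFYHOST stay at their defaults (on): the API key
        // travels in this request.
        CURLOPT_HTTPHEADER => [
            "Authorization: " . $apiKey,
            "x-xdr-auth-id: " . $apiKeyId,
            "Content-Type: application/json",
            "Accept: application/json",
        ],
    ]);

    $response = curl_exec($curl);
    $err = curl_error($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);

    if ($response === false) {
        throw new RuntimeException("cURL Error: " . $err);
    }
    if ($status !== 200) {
        throw new RuntimeException("HTTP {$status} from get_incident_extra_data: {$response}");
    }
    $decoded = json_decode($response, true);
    if (!is_array($decoded)) {
        throw new RuntimeException("Unexpected non-JSON response: " . $response);
    }
    return $decoded;
}

// Credentials come from the environment rather than being hard-coded here.
$reply = getIncidentExtraData(
    (string) getenv('XDR_API_KEY'),
    (string) getenv('XDR_API_KEY_ID'),
    '<incident ID>'
);
echo json_encode($reply, JSON_PRETTY_PRINT), PHP_EOL;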
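#include <stdio.h>
#include <curl/curl.h>

/*
 * POST /public_api/v1/incidents/get_incident_extra_data.
 *
 * api_key     value for the Authorization header
 * api_key_id  value for the x-xdr-auth-id header
 * payload     request body, e.g. {"request_data":{"incident_id":"<incident ID>","alerts_limit":1000}}
 *
 * Returns 0 on HTTP 200, -1 on a transport error or any other status. The body is
 * written to stdout by libcurl's default write callback, as in the original snippet.
 * The caller is expected to have called curl_global_init() once per process.
 *
 * Fixes vs. the original snippet: the header list and easy handle were never freed,
 * the CURLcode result was never checked, and a placeholder Accept-Encoding value was
 * sent instead of letting libcurl negotiate and decode gzip.
 */
static int get_incident_extra_data(const char *api_key, const char *api_key_id, const char *payload)
{
    char auth_hdr[1024];
    char id_hdr[256];
    struct curl_slist *headers = NULL;
    CURL *hnd = NULL;
    CURLcode ret;
    long status = 0;
    int rc = -1;

    /* Reject credentials that would be silently truncated by snprintf. */
    if (snprintf(auth_hdr, sizeof auth_hdr, "Authorization: %s", api_key) >= (int)sizeof auth_hdr ||
        snprintf(id_hdr, sizeof id_hdr, "x-xdr-auth-id: %s", api_key_id) >= (int)sizeof id_hdr) {
        fprintf(stderr, "credential too long for header buffer\n");
        return -1;
    }

    hnd = curl_easy_init();
    if (hnd == NULL) {
        fprintf(stderr, "curl_easy_init failed\n");
        return -1;
    }

    headers = curl_slist_append(headers, auth_hdr);
    headers = curl_slist_append(headers, id_hdr);
    headers = curl_slist_append(headers, "Content-Type: application/json");
    headers = curl_slist_append(headers, "Accept: application/json");
    if (headers == NULL) {
        fprintf(stderr, "curl_slist_append failed\n");
        goto done;
    }

    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data");
    curl_easy_setopt(hnd, CURLOPT_POST, 1L);            /* POST with a body; CUSTOMREQUEST is not needed */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, payload);
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_ACCEPT_ENCODING, ""); /* advertise gzip etc. and decode the reply */
    /* Peer and host verification stay at their defaults (on): the API key is in this request. */

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
        goto done;
    }
    curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
    if (status != 200) {
        /* The API returns err_code/err_msg JSON on failure; it has already been printed. */
        fprintf(stderr, "HTTP %ld from get_incident_extra_data\n", status);
        goto done;
    }
    rc = 0;

done:
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
    return rc;
}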
// Equivalent to the original RestSharp call, laid out one setting per line with the
// headers applied in the same order. Keep the key and key ID in configuration, not source.
const string endpoint = "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data";
const string requestBody = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":1000}}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);

foreach (var (headerName, headerValue) in new[]
{
    ("Authorization", "SOME_STRING_VALUE"),
    ("x-xdr-auth-id", "SOME_STRING_VALUE"),
    ("Accept-Encoding", "SOME_STRING_VALUE"),
    ("content-type", "application/json"),
})
{
    request.AddHeader(headerName, headerValue);
}

request.AddParameter("application/json", requestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobjectrequired

A dictionary containing the API request fields.

incident_idstring

The ID of the incident for which you want to retrieve extra data.

alerts_limitinteger

The maximum number of related alerts in the incident that you want to retrieve.

Default:1000
REQUEST
{ "request_data": { "incident_id": "<incident ID>", "alerts_limit": 5 } }
Responses

OK

Body
application/json
replyobject
incidentobject
incident_idstring
incident_namestring
creation_timeinteger
modification_timeinteger
detection_timeobject
statusstring
severitystring
descriptionstring
assigned_user_mailstring
assigned_user_pretty_namestring
alert_countinteger
low_severity_alert_countinteger
med_severity_alert_countinteger
high_severity_alert_countinteger
critical_severity_alert_countinteger
user_countinteger
host_countinteger
notesstring
resolve_commentstring
manual_descriptionstring
xdr_urlstring
starredboolean
hostsarray[string]
usersarray
[
]
incident_sourcesarray[string]
rule_based_scoreinteger
manual_scoreobject
wildfire_hitsinteger
alerts_grouping_statusstring
mitre_techniques_ids_and_namesarray[string]
mitre_tactics_ids_and_namesarray[string]
alert_categoriesarray[string]
original_tagsarray[string]
tagsarray[string]
incident_domainstring
custom_fieldsobject
alertsobject
total_countinteger
dataarray
[
external_idstring
severitystring
matching_statusstring
end_match_attempt_tsobject
local_insert_tsinteger
bioc_indicatorobject
matching_service_rule_idobject
attempt_counterobject
bioc_category_enum_keyobject
case_idinteger
is_whitelistedboolean
starredboolean
deduplicate_tokensstring
filter_rule_idobject
mitre_technique_id_and_nameobject
mitre_tactic_id_and_nameobject
agent_versionobject
agent_device_domainobject
agent_fqdnobject
agent_os_typestring
agent_os_sub_typeobject
agent_data_collection_statusobject
macobject
agent_is_vdiobject
agent_install_typestring
agent_host_boot_timeobject
event_sub_typeobject
module_idobject
association_strengthobject
dst_association_strengthobject
story_idobject
event_idobject
event_typestring
events_lengthinteger
event_timestampobject
actor_process_instance_idobject
actor_process_image_pathobject
actor_process_image_nameobject
actor_process_command_lineobject
actor_process_signature_statusstring
actor_process_signature_vendorobject
actor_process_image_sha256object
actor_process_image_md5object
actor_process_causality_idobject
actor_causality_idobject
actor_process_os_pidobject
actor_thread_thread_idobject
causality_actor_process_image_nameobject
causality_actor_process_command_lineobject
causality_actor_process_image_pathobject
causality_actor_process_signature_vendorobject
causality_actor_process_signature_statusstring
causality_actor_causality_idobject
causality_actor_process_execution_timeobject
causality_actor_process_image_md5object
causality_actor_process_image_sha256object
action_file_pathobject
action_file_nameobject
action_file_md5object
action_file_sha256object
action_file_macro_sha256object
action_registry_dataobject
action_registry_key_nameobject
action_registry_value_nameobject
action_registry_full_keyobject
action_local_ipstring
action_local_portstring
action_remote_ipstring
action_remote_portstring
action_external_hostnamestring
action_countrystring
action_process_instance_idobject
action_process_causality_idobject
action_process_image_nameobject
action_process_image_sha256object
action_process_image_command_lineobject
action_process_signature_statusstring
action_process_signature_vendorobject
os_actor_effective_usernameobject
os_actor_process_instance_idobject
os_actor_process_image_pathobject
os_actor_process_image_nameobject
os_actor_process_command_lineobject
os_actor_process_signature_statusstring
os_actor_process_signature_vendorobject
os_actor_process_image_sha256object
os_actor_process_causality_idobject
os_actor_causality_idobject
os_actor_process_os_pidobject
os_actor_thread_thread_idobject
fw_app_idobject
fw_interface_fromobject
fw_interface_toobject
fw_ruleobject
fw_rule_idobject
fw_device_nameobject
fw_serial_numberstring
fw_url_domainobject
fw_email_subjectstring
fw_email_senderobject
fw_email_recipientobject
fw_app_subcategoryobject
fw_app_categoryobject
fw_app_technologyobject
fw_vsysobject
fw_xffobject
fw_miscobject
fw_is_phishingstring
dst_agent_idobject
dst_causality_actor_process_execution_timeobject
dns_query_nameobject
dst_action_external_hostnameobject
dst_action_countryobject
dst_action_external_portobject
alert_idstring
detection_timestampinteger
namestring
categorystring
endpoint_idobject
descriptionstring
host_ipstring
host_namestring
sourcestring
actionstring
action_prettystring
user_nameobject
contains_featured_hoststring
contains_featured_userstring
contains_featured_ip_addressstring
tagsarray[string]
original_tagsstring
]
network_artifactsobject
total_countinteger
dataarray
[
typestring
alert_countinteger
is_manualboolean
network_domainstring
network_remote_ipstring
network_remote_portstring
network_countrystring
]
file_artifactsobject
total_countinteger
dataarray
[
alert_countinteger
file_namestring
File_sha256string
file_signature_statusstring
file_wildfire_verdictstring
is_malicousboolean
is_manualboolean
is_processboolean
low_confidenceboolean
typestring
]
RESPONSE
{ "reply": { "incident": { "incident_id": "<incident ID>", "incident_name": "test", "creation_time": 1603184209710, "modification_time": 1603184209710, "detection_time": null, "status": "new", "severity": "high", "description": "generated by PAN NGFW", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 1, "low_severity_alert_count": 0, "med_severity_alert_count": 0, "high_severity_alert_count": 1, "critical_severity_alert_count": 0, "user_count": 0, "host_count": 0, "notes": null, "resolve_comment": null, "manual_severity": null, "manual_description": null, "xdr_url": "https://test.xdr.us.paloaltonetworks.com/incident-view/1", "starred": false, "hosts": [ "<host1>:<agent_id1>", "<host2>:<agent_id2>" ], "users": [], "incident_sources": [ "PAN NGFW" ], "rule_based_score": 342, "manual_score": null, "wildfire_hits": 0, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": [ "T1001.001 - Data Obfuscation: Junk Data", "T1001.002 - Data Obfuscation: Steganography", "T1001.003 - Data Obfuscation: Protocol Impersonation" ], "mitre_tactics_ids_and_names": [ "TA0004 - Privilege Escalation", "TA0005 - Defense Evasion", "TA0006 - Credential Access" ], "alert_categories": [ "Collection", "Credential Access", "File Name" ] }, "alerts": { "total_count": 1, "data": [ { "external_id": "<external ID>", "severity": "high", "matching_status": "UNMATCHABLE", "end_match_attempt_ts": null, "local_insert_ts": 1603175431, "bioc_indicator": null, "matching_service_rule_id": null, "attempt_counter": null, "bioc_category_enum_key": null, "case_id": 1, "is_whitelisted": false, "starred": false, "deduplicate_tokens": "<token value>", "filter_rule_id": null, "mitre_technique_id_and_name": null, "mitre_tactic_id_and_name": null, "agent_version": null, "agent_device_domain": null, "agent_fqdn": null, "agent_os_type": "NO_HOST", "agent_os_sub_type": null, "agent_data_collection_status": null, "mac": null, "agent_is_vdi": null, "agent_install_type": "NA", 
"agent_host_boot_time": null, "event_sub_type": null, "module_id": null, "association_strength": null, "dst_association_strength": null, "story_id": null, "event_id": null, "event_type": "Network Event", "events_length": 1, "event_timestamp": null, "actor_process_instance_id": null, "actor_process_image_path": null, "actor_process_image_name": null, "actor_process_command_line": null, "actor_process_signature_status": "N/A", "actor_process_signature_vendor": null, "actor_process_image_sha256": null, "actor_process_image_md5": null, "actor_process_causality_id": null, "actor_causality_id": null, "actor_process_os_pid": null, "actor_thread_thread_id": null, "causality_actor_process_image_name": null, "causality_actor_process_command_line": null, "causality_actor_process_image_path": null, "causality_actor_process_signature_vendor": null, "causality_actor_process_signature_status": "N/A", "causality_actor_causality_id": null, "causality_actor_process_execution_time": null, "causality_actor_process_image_md5": null, "causality_actor_process_image_sha256": null, "action_file_path": null, "action_file_name": null, "action_file_md5": null, "action_file_sha256": null, "action_file_macro_sha256": null, "action_registry_data": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_registry_full_key": null, "action_local_ip": "<IP address>", "action_local_port": "<port>", "action_remote_ip": "<IP address>", "action_remote_port": "<port>", "action_external_hostname": "<hostname>", "action_country": "UNKNOWN", "action_process_instance_id": null, "action_process_causality_id": null, "action_process_image_name": null, "action_process_image_sha256": null, "action_process_image_command_line": null, "action_process_signature_status": "N/A", "action_process_signature_vendor": null, "os_actor_effective_username": null, "os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_image_name": null, 
"os_actor_process_command_line": null, "os_actor_process_signature_status": "N/A", "os_actor_process_signature_vendor": null, "os_actor_process_image_sha256": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "os_actor_process_os_pid": null, "os_actor_thread_thread_id": null, "fw_app_id": null, "fw_interface_from": null, "fw_interface_to": null, "fw_rule": null, "fw_rule_id": null, "fw_device_name": null, "fw_serial_number": "<serial number>", "fw_url_domain": null, "fw_email_subject": "", "fw_email_sender": null, "fw_email_recipient": null, "fw_app_subcategory": null, "fw_app_category": null, "fw_app_technology": null, "fw_vsys": null, "fw_xff": null, "fw_misc": null, "fw_is_phishing": "N/A", "dst_agent_id": null, "dst_causality_actor_process_execution_time": null, "dns_query_name": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "alert_id": "1", "detection_timestamp": 1603184109000, "name": "sagcalun", "category": "Spyware Detected via Anti-Spyware profile", "endpoint_id": null, "description": "Spyware Phone Home Detection", "host_ip": "<IP address>", "host_name": "<hostname>", "source": "PAN NGFW", "action": "DETECTED_4", "action_pretty": "Detected (Raised An Alert)", "user_name": null, "contains_featured_host": "Yes", "contains_featured_user": "Yes", "contains_featured_ip_address": "Yes", "tags": [ "XDR Agent", "EG:Windows" ], "original_tags": "None" } ] }, "network_artifacts": { "total_count": 2, "data": [ { "type": "DOMAIN", "alert_count": 1, "is_manual": false, "network_domain": "<domain name>", "network_remote_ip": "<IP address>", "network_remote_port": "<port>", "network_country": "UNKNOWN" }, { "type": "IP", "alert_count": 1, "is_manual": false, "network_domain": "<domain name>", "network_remote_ip": "<IP address>", "network_remote_port": "<port>", "network_country": "UNKNOWN" } ] }, "file_artifacts": { "total_count": 2, "data": [ { "alert_count": 2, "file_name": "Test", 
"File_sha256": "1111", "file_signature_status": "SIGNATURE_UNAVAILABLE", "file_wildfire_verdict": "BENIGN", "is_malicous": false, "is_manual": false, "is_process": false, "low_confidence": true, "type": "HASH" }, { "alert_count": 43, "file_name": "Test1", "File_sha256": "2222", "file_signature_status": "SIGNATURE_UNAVAILABLE", "file_wildfire_verdict": "MALWARE", "is_malicous": true, "is_manual": false, "is_process": false, "low_confidence": true, "type": "HASH" } ] } } }

Bad Request. The request body could not be parsed as JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect API key, an incorrect API key ID (x-xdr-auth-id), or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

An error occurred while processing XDR public API - incident management - get_incident_extra_data

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal Server Error