Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.
- Multiple filters are combined with an AND condition (OR is not supported).
- The maximum result set size is 100 incidents per request; use search_from and search_to to page through larger sets.
- Offset (search_from) is the zero-based number of incidents from the start of the result set.
Note: You can send a request to retrieve either all or filtered results.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
Example request. The API key ID and API key are sent in the x-xdr-auth-id and Authorization headers (never in the URL, where they would land in proxy and access logs); each filter uses an operator that is valid for its field (gte on a timestamp, eq on status), and the window from search_from to search_to is at most 100 wide:
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "x-xdr-auth-id: <api-key-id>" \
-H "Authorization: <api-key>" \
"https://api-yourfqdn/public_api/v1/incidents/get_incidents" \
-d '{
"request_data" : {
"search_from" : 0,
"filters" : [ {
"field" : "modification_time",
"operator" : "gte",
"value" : 1704067200000
}, {
"field" : "status",
"operator" : "eq",
"value" : "new"
} ],
"sort" : {
"field" : "creation_time",
"keyword" : "asc"
},
"search_to" : 6
}
}'
Minimal request body that returns all incidents (no filters, default paging and sort):
{"request_data":{}}
field
Identifies the incident field the filter is matching. Filters are based on the following keywords:
modification_time: Time the incident was last modified.
creation_time: The incident's creation time.
incident_id: Incident ID.
incident_id_list: List of incident IDs.
description: Incident description.
alert_sources: Source that detected the alert.
status: The status of the incident.
starred: Whether the incident is starred.
operator
Identifies the comparison operator you want to use for this filter. Valid keywords, with the fields each applies to and the value type it expects:
in: incident_id_list, alert_sources, description (list of strings).
contains: description (string).
gte / lte: modification_time, creation_time (integer timestamp in epoch milliseconds).
eq / neq: status (string), starred (boolean).
value
Value that this filter must match. The contents of this field depend on the incident field you specified for this filter:
modification_time, creation_time: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
description: List of strings (with in) or a single string (with contains).
incident_id: String.
incident_id_list: List of strings. Each item in the list must be an incident ID.
alert_sources: List of strings.
status: Single value, one of the following: new, under_investigation, resolved_threat_handled, resolved_known_issue, resolved_duplicate, resolved_false_positive, resolved_true_positive, resolved_security_testing, resolved_other, or resolved_auto.
starred: Boolean value: true or false.
sort
field: Sort according to this field. Valid options are:
creation_time
incident_id
modification_time
keyword: Sort order, asc (as in the example above) or desc.
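The request shape above (ANDed filters, a field/operator/value type matrix, and a result window capped at 100) is easy to get wrong by hand: the page's own template puts the in operator on modification_time, which is not a valid pairing. The following Python is an added example, not code from this page or from Palo Alto Networks. It validates each filter against the table above, builds request_data, and pages through the whole result set. It assumes two things the page does not state: that desc is the other valid sort keyword, and that the reply is shaped {"reply": {"incidents": [...], "total_count": N}}. The HTTP transport is injected, so the constructed fake_post lets it run offline against sample data that is not real incident data.

```python
"""Added example, not code from this page or from Palo Alto Networks: build,
validate and paginate get_incidents requests under the filter rules above.
Assumed because the page does not state them: the desc sort keyword and a
reply shaped {"reply": {"incidents": [...], "total_count": N}}."""
from datetime import datetime, timezone

# field -> operator -> expected value type, transcribed from the page.
VALID_FILTERS = {
    "modification_time": {"gte": int, "lte": int},
    "creation_time": {"gte": int, "lte": int},
    "incident_id_list": {"in": list},
    "alert_sources": {"in": list},
    "description": {"in": list, "contains": str},
    "status": {"eq": str, "neq": str},
    "starred": {"eq": bool, "neq": bool},
}
STATUSES = {"new", "under_investigation", "resolved_threat_handled", "resolved_known_issue",
            "resolved_duplicate", "resolved_false_positive", "resolved_true_positive",
            "resolved_security_testing", "resolved_other", "resolved_auto"}
SORT_FIELDS = {"creation_time", "incident_id", "modification_time"}
MAX_PAGE = 100  # the server caps one result set at 100 incidents

def epoch_ms(dt):
    """Timezone-aware datetime -> integer milliseconds since the Unix epoch."""
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)

def make_filter(field, operator, value):
    """One filter object; rejects combinations the API does not accept,
    such as 'in' on modification_time or a string for starred."""
    ops = VALID_FILTERS.get(field)
    if ops is None or operator not in ops:
        raise ValueError(f"operator {operator!r} is not valid for field {field!r}")
    expected = ops[operator]
    # bool is a subclass of int, so True must not pass as a timestamp.
    if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
        raise TypeError(f"{field}/{operator} expects a {expected.__name__}")
    if field == "status" and value not in STATUSES:
        raise ValueError(f"unknown status {value!r}")
    return {"field": field, "operator": operator, "value": value}

def build_body(filters=(), search_from=0, page_size=MAX_PAGE,
               sort_field="creation_time", ascending=True):
    """request_data for one window; the server ANDs all filters together."""
    if not 1 <= page_size <= MAX_PAGE:
        raise ValueError(f"page_size must be 1..{MAX_PAGE}")
    if sort_field not in SORT_FIELDS:
        raise ValueError(f"cannot sort on {sort_field!r}")
    return {"request_data": {
        "filters": list(filters), "search_from": search_from,
        "search_to": search_from + page_size,
        "sort": {"field": sort_field, "keyword": "asc" if ascending else "desc"}}}

def iter_incidents(post, filters=(), page_size=MAX_PAGE):
    """Yield every matching incident by sliding the [search_from, search_to)
    window forward; post(body) must return the decoded JSON reply (assumed shape)."""
    offset = 0
    while True:
        reply = post(build_body(filters, offset, page_size))["reply"]
        page = reply.get("incidents") or []
        yield from page
        offset += len(page)
        total = reply.get("total_count")
        if len(page) < page_size or (total is not None and offset >= total):
            return

# Constructed sample data, not real incidents: seven incidents, odd IDs "new".
BASE_MS = epoch_ms(datetime(2024, 1, 1, tzinfo=timezone.utc))
SAMPLE_INCIDENTS = [
    {"incident_id": str(i), "status": "new" if i % 2 else "under_investigation",
     "creation_time": BASE_MS + i * 60_000, "starred": i == 5}
    for i in range(1, 8)]

def matches_filter(incident, flt):
    """Evaluate one filter as the server would (incident_id_list matches on incident_id)."""
    key = "incident_id" if flt["field"] == "incident_id_list" else flt["field"]
    have, op, want = incident.get(key), flt["operator"], flt["value"]
    if op == "eq":
        return have == want
    if op == "neq":
        return have != want
    if op == "in":
        return have in want
    if op == "contains":
        return want in (have or "")
    return have is not None and (have >= want if op == "gte" else have <= want)

def fake_post(body):
    """Offline stand-in for the HTTP POST: ANDs the filters, then returns the requested window."""
    rd = body["request_data"]
    hits = [i for i in SAMPLE_INCIDENTS if all(matches_filter(i, f) for f in rd["filters"])]
    return {"reply": {"total_count": len(hits), "incidents": hits[rd["search_from"]:rd["search_to"]]}}

def new_incidents_since(post, since_ms, page_size=MAX_PAGE):
    """IDs of every 'new' incident created at or after since_ms, across all pages."""
    filters = [make_filter("status", "eq", "new"), make_filter("creation_time", "gte", since_ms)]
    return [inc["incident_id"] for inc in iter_incidents(post, filters, page_size)]

if __name__ == "__main__":
    print(new_incidents_since(fake_post, epoch_ms(datetime(2024, 1, 1, 0, 4, tzinfo=timezone.utc)), page_size=3))
```

To run it against a live tenant, replace fake_post with a function that POSTs the body to https://api-yourfqdn/public_api/v1/incidents/get_incidents with the Accept, Content-Type and API-key headers from the curl example and returns response.json(); keep the key in a header or environment variable, not on the command line. The pagination loop stops on a short page or once the offset reaches total_count, so a result set that is an exact multiple of the page size does not cost an extra empty request.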