Get all Incidents

Cortex XDR REST API

post /public_api/v1/incidents/get_incidents

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

  • Multiple filters are combined with an AND condition (OR is not supported).
  • The maximum result set size is >100.
  • Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/incidents/get_incidents" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "modification_time", "value": [ "", "" ], "operator": "in" },
        { "field": "modification_time", "value": [ "", "" ], "operator": "in" }
      ],
      "sort": { "field": "creation_time", "keyword": "asc" },
      "search_to": 6
    }
  }'
Request
Body
optional
If no parameters are included, all results will be returned.
Example: {"request_data":{}}
request_data
optional
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
An array of filter fields.
field
required
String (Enum)

Identifies the incident field the filter is matching. Filters are based on the following keywords:

  • modification_time: Time the incident has been modified.
  • creation_time: Incident's creation time.
  • incident_id: Incident ID.
  • incident_id_list: List of incident IDs.
  • description: Incident description.
  • alert_sources: Source that detected the alert.
  • status: The status of the incident.
  • starred: Whether the incident is starred.
Allowed values:
modification_time
creation_time
incident_id_list
description
alert_sources
status
incident_id
starred
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords, with the fields each one applies to, are:

  • in: incident_id_list, alert_sources, description (list of strings)
  • contains: description (string)
  • gte / lte: modification_time, creation_time (integer, timestamp in epoch milliseconds)
  • eq / neq: status (string), starred (boolean)
Allowed values:
in
contains
gte
lte
eq
neq
value
required
Array of objects

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

  • modification_time, creation_time: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • description: List of strings.
  • incident_id: String.
  • incident_id_list: List of strings. Each item in the list must be an incident ID.
  • alert_sources: List of strings.
  • status: Single value, can be one of the following: resolved_duplicate, resolved_other, new, resolved_security_testing, resolved_known_issue, resolved_auto, resolved_threat_handled, resolved_true_positive, under_investigation, or resolved_false_positive.
  • starred: Boolean value: true or false.
search_from
optional
Integer
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list; any incident indexed below this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents indexed higher than this value are not returned in the final result set. Defaults to >100, which returns all incidents to the end of the list.
sort
optional
Identifies the sort order for the result set.
field
required
String (Enum)

Sort according to this field. Valid options are:

  • creation_time
  • incident_id
  • modification_time
Allowed values:
creation_time
incident_id
modification_time
keyword
required
String (Enum)
Sort in ascending or descending order.
Allowed values:
asc
desc
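As an added example (not Palo Alto Networks code), the following Python builds get_incidents request bodies that respect the field/operator rules above and pages through the result set with search_from/search_to. The `post` argument stands in for the HTTPS call: the stub here serves constructed data, while a real transport would send the body to your tenant FQDN with the API key headers.

```python
# Field -> operators the page lists for it (added example; not Palo Alto Networks code).
OPERATORS_BY_FIELD = {
    "incident_id_list": {"in"}, "alert_sources": {"in"}, "description": {"in", "contains"},
    "modification_time": {"gte", "lte"}, "creation_time": {"gte", "lte"},
    "status": {"eq", "neq"}, "starred": {"eq", "neq"},
}
STATUSES = {"new", "under_investigation", "resolved_threat_handled", "resolved_known_issue",
            "resolved_duplicate", "resolved_false_positive", "resolved_true_positive",
            "resolved_security_testing", "resolved_other", "resolved_auto"}

def make_filter(field, operator, value):
    """Return one filters[] entry, rejecting combinations the endpoint does not accept."""
    if operator not in OPERATORS_BY_FIELD.get(field, set()):
        raise ValueError(f"operator {operator!r} is not valid for field {field!r}")
    if field in ("modification_time", "creation_time") and not isinstance(value, int):
        raise ValueError("time filters take epoch milliseconds as an integer")
    if field == "status" and value not in STATUSES:
        raise ValueError(f"unknown status {value!r}")
    return {"field": field, "operator": operator, "value": value}

def build_request(filters, search_from=0, search_to=100, sort_field="creation_time", keyword="asc"):
    """Assemble the body; an empty filters list means 'all incidents', like the page's {"request_data":{}}."""
    body = {"search_from": search_from, "search_to": search_to,
            "sort": {"field": sort_field, "keyword": keyword}}
    if filters:
        body["filters"] = filters  # filters are ANDed by the API; OR is not supported
    return {"request_data": body}

def fetch_all_incidents(post, filters, page_size=100):
    """Page through the result set with search_from/search_to until total_count is reached.
    `post` is any callable taking the JSON body and returning the parsed reply (HTTP client or stub)."""
    incidents, offset = [], 0
    while True:
        reply = post(build_request(filters, search_from=offset, search_to=offset + page_size))["reply"]
        page = reply.get("incidents", [])
        incidents.extend(page)
        offset += reply.get("result_count", len(page))
        if not page or offset >= reply.get("total_count", 0):
            return incidents

def stub_post(body):
    """Constructed stand-in for the HTTPS call: seven fake incidents, honouring only the offsets."""
    fake = [{"incident_id": str(i), "status": "new"} for i in range(7)]
    rd = body["request_data"]
    page = fake[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(fake), "result_count": len(page), "incidents": page}}
```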
Responses

Successful response

Body
reply
optional
total_count
optional
Integer
The total number of possible results.
result_count
optional
Integer
The number of incidents actually returned as result.
incidents
optional
Array
A list of incidents. Note: If a manual_description was set, the description field will display the manual description and the system description is not returned. Depending on the defined user permissions, with full permissions, the response displays the original_tags and tags fields.
incident_id
optional
String
incident_name
optional
String
creation_time
optional
Integer
modification_time
optional
Integer
detection_time
optional
Object
status
optional
String
severity
optional
String
description
optional
String
assigned_user_mail
optional
Object
assigned_user_pretty_name
optional
Object
alert_count
optional
Integer
low_severity_alert_count
optional
Integer
med_severity_alert_count
optional
Integer
high_severity_alert_count
optional
Integer
critical_severity_alert_count
optional
Integer
user_count
optional
Integer
host_count
optional
Integer
notes
optional
Object
resolve_comment
optional
Object
resolved_timestamp
optional
Integer
manual_severity
optional
Object
manual_description
optional
String
xdr_url
optional
String
starred
optional
Boolean
starred_manually
optional
Boolean
True = this incident was manually starred. False = This incident was starred by starring rules.
hosts
optional
Array of strings
users
optional
Array of strings
incident_sources
optional
Array of strings
rule_based_score
optional
Integer
manual_score
optional
Object
wildfire_hits
optional
Integer
alerts_grouping_status
optional
String
mitre_tactics_ids_and_names
optional
Array of strings
mitre_techniques_ids_and_names
optional
Array of strings
alert_categories
optional
Array of strings
original_tags
optional
Array of strings
tags
optional
Array of strings
restricted_incident_ids
optional
Array of objects
Depending on the defined user permissions, in restrictive or partial permission mode, the response displays only the incident ID. For example: "restricted_incident_ids": [ "1491" ]

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.