Get all Incidents

Cortex XDR REST API

post /public_api/v1/incidents/get_incidents

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time. This includes all incident types and severities, including correlation-generated incidents.

  • Filters are combined using an AND condition (OR is not supported).
  • The maximum result set size is >100.
  • Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding String

For retrieving a compressed gzipped response

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example' -H 'Accept-Encoding: acceptEncoding_example'
'https://api-yourfqdn/public_api/v1/incidents/get_incidents'
-d ''
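import http.client
import json

# Build the request body with json.dumps instead of a hand-escaped string so
# it stays valid JSON when the filter is edited.
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "modification_time", "operator": "in", "value": [None]}
        ],
        "search_from": 0,
        "search_to": 0,
        "sort": {"field": "creation_time", "keyword": "asc"},
    }
})

# Authorization carries the API key ({api_key}) and x-xdr-auth-id its key ID
# ({api_key_id}); both are bearer secrets, so keep real values out of source.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified ssl context here.
conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/incidents/get_incidents", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 return an error
    # document; raise instead of printing it as if it were an incident list.
    if res.status != 200:
        raise RuntimeError("get_incidents failed: HTTP {} {}: {}".format(
            res.status, res.reason, data.decode("utf-8", "replace")))
    print(data.decode("utf-8"))
finally:
    # The original never closed the connection.
    conn.close()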
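require 'uri'
require 'net/http'
require 'openssl'
require 'json'

url = URI("https://api-yourfqdn/public_api/v1/incidents/get_incidents")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate. The original sample used VERIFY_NONE, which
# lets anyone able to intercept the connection read the API key sent below.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'   # {api_key}
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'   # {api_key_id}
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# Build the body from a Hash so the JSON stays valid when the filter is edited.
request.body = JSON.generate(
  "request_data" => {
    "filters" => [
      { "field" => "modification_time", "operator" => "in", "value" => [nil] }
    ],
    "search_from" => 0,
    "search_to" => 0,
    "sort" => { "field" => "creation_time", "keyword" => "asc" }
  }
)

response = http.request(request)
# 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 return an error
# document; do not print it as if it were an incident list.
unless response.is_a?(Net::HTTPSuccess)
  raise "get_incidents failed: HTTP #{response.code} #{response.message}: #{response.body}"
end
puts response.body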
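const data = JSON.stringify({
  "request_data": {
    "filters": [
      { "field": "modification_time", "operator": "in", "value": [null] }
    ],
    "search_from": 0,
    "search_to": 0,
    "sort": { "field": "creation_time", "keyword": "asc" }
  }
});

const xhr = new XMLHttpRequest();
// Authentication is carried in the headers below, not in cookies, so
// withCredentials is not needed; leaving it on would attach the browser's
// cookies to this cross-origin request for no benefit.

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    // 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 carry an
    // error document, not an incident list.
    if (this.status !== 200) {
      console.error("get_incidents failed: HTTP " + this.status + ": " + this.responseText);
      return;
    }
    console.log(this.responseText);
  }
});
xhr.addEventListener("error", function () {
  console.error("get_incidents: network error");
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/incidents/get_incidents");
// The API key ({api_key}) and key ID ({api_key_id}) are bearer secrets:
// anything that can read this script can read them. Keep real values
// server-side rather than in browser code.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);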
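// Authorization carries the API key ({api_key}) and x-xdr-auth-id its key ID
// ({api_key_id}); keep real values out of source control.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/incidents/get_incidents")
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("Accept-Encoding", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body("{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":[null]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"asc\"}}}")
        .asString();

// Unirest does not throw on HTTP errors: 400 (invalid JSON), 401/403 (key,
// license, RBAC) and 500 return an error document, not an incident list.
if (response.getStatus() != 200) {
    throw new IllegalStateException(
            "get_incidents failed: HTTP " + response.getStatus() + ": " + response.getBody());
}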
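import Foundation

// Authorization carries the API key ({api_key}) and x-xdr-auth-id its key ID
// ({api_key_id}); keep real values out of source control.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "Accept-Encoding": "SOME_STRING_VALUE",
    "content-type": "application/json"
]
let parameters = ["request_data": [
    "filters": [
        ["field": "modification_time", "operator": "in", "value": []]
    ],
    "search_from": 0,
    "search_to": 0,
    "sort": ["field": "creation_time", "keyword": "asc"]
]] as [String : Any]

// JSONSerialization.data(withJSONObject:) is a throwing call; the original
// sample omitted `try`, which does not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

guard let url = URL(string: "https://api-yourfqdn/public_api/v1/incidents/get_incidents") else {
    fatalError("invalid endpoint URL")
}
var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print("get_incidents request failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        return
    }
    // 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 carry an error
    // document, not an incident list.
    if httpResponse.statusCode != 200 {
        print("get_incidents failed: HTTP \(httpResponse.statusCode)")
    }
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
dataTask.resume()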
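<?php
$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://api-yourfqdn/public_api/v1/incidents/get_incidents",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  // Build the body from an array so it stays valid JSON when the filter is edited.
  CURLOPT_POSTFIELDS => json_encode([
    "request_data" => [
      "filters" => [
        ["field" => "modification_time", "operator" => "in", "value" => [null]]
      ],
      "search_from" => 0,
      "search_to" => 0,
      "sort" => ["field" => "creation_time", "keyword" => "asc"]
    ]
  ]),
  // Authorization carries the API key ({api_key}) and x-xdr-auth-id its key
  // ID ({api_key_id}); keep real values out of source control.
  CURLOPT_HTTPHEADER => [
    "Accept-Encoding: SOME_STRING_VALUE",
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} elseif ($httpCode !== 200) {
  // 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 carry an error
  // document, not an incident list.
  echo "get_incidents failed: HTTP " . $httpCode . ": " . $response;
} else {
  echo $response;
}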
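struct curl_slist *headers = NULL;
CURL *hnd = curl_easy_init();
if (hnd == NULL) {
    fprintf(stderr, "curl_easy_init failed\n");
} else {
    long http_code = 0;
    CURLcode ret;

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/incidents/get_incidents");
    /* Leave CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST at their defaults
     * (enabled): the Authorization header below carries the API key. */

    /* Authorization carries the API key ({api_key}) and x-xdr-auth-id its key
     * ID ({api_key_id}); keep real values out of source control. */
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":[null]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"asc\"}}}");

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "get_incidents failed: %s\n", curl_easy_strerror(ret));
    } else {
        /* 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 return an
         * error document, not an incident list. */
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &http_code);
        if (http_code != 200) {
            fprintf(stderr, "get_incidents failed: HTTP %ld\n", http_code);
        }
    }

    /* The original sample leaked both the header list and the easy handle. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}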
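var client = new RestClient("https://api-yourfqdn/public_api/v1/incidents/get_incidents");
var request = new RestRequest(Method.POST);
// Authorization carries the API key ({api_key}) and x-xdr-auth-id its key ID
// ({api_key_id}); keep real values out of source control.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":[null]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"asc\"}}}", ParameterType.RequestBody);

IRestResponse response = client.Execute(request);

// RestSharp does not throw: transport failures surface in ErrorException, and
// 400 (invalid JSON), 401/403 (key, license, RBAC) and 500 return an error
// document rather than an incident list.
if (response.ErrorException != null)
{
    throw new InvalidOperationException("get_incidents request failed", response.ErrorException);
}
if ((int)response.StatusCode != 200)
{
    throw new InvalidOperationException(
        "get_incidents failed: HTTP " + (int)response.StatusCode + ": " + response.Content);
}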
Body parameters
application/json
request_dataobject

A dictionary containing the API request fields. An empty dictionary returns all results.

filtersarray

An array of filter fields.

[
fieldstring (Enum)

Identifies the incident field the filter is matching. Filters are based on the following keywords:

  • modification_time: Time the incident has been modified.
  • creation_time: Incident's creation time.
  • incident_id: Incident ID.
  • incident_id_list: List of incident IDs.
  • description: Incident description.
  • alert_sources: Source that detected the alert.
  • status: The status of the incident.
  • starred: Whether the incident is starred.
Allowed values:"modification_time""creation_time""incident_id_list""description""alert_sources""status""incident_id""starred"
operatorstring (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords, and the fields each applies to, are:

  • in: incident_id_list, alert_sources, description: List of Strings
  • contains: description: String
  • gte / lte: modification_time, creation_time: Integer in timestamp epoch milliseconds
  • eq / neq: status: String; starred: Boolean
Allowed values:"in""contains""gte""lte""eq""neq"
valuearray or integer or string or boolean

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

  • modification_time, creation_time: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • description: List of strings.
  • incident_id: String.
  • incident_id_list: List of strings. Each item in the list must be an incident ID.
  • alert_sources: List of strings.
  • status: Single value, can be one of the following: resolved_duplicate, resolved_other, new, resolved_security_testing, resolved_known_issue, resolved_auto, resolved_threat_handled, resolved_true_positive, under_investigation, or resolved_false_positive.
  • starred: Boolean value: true or false.
]
search_frominteger

Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list; any incident indexed lower than this value is not returned in the final result set. Defaults to zero.

search_tointeger

Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to >100, which returns all incidents to the end of the list.

sortobjectrequired

Identifies the sort order for the result set.

fieldobject (Enum)

Sort according to this field. Valid options are:

  • creation_time
  • incident_id
  • modification_time
Allowed values:"creation_time""incident_id""modification_time"
keywordstring (Enum)

Sort in ascending or descending order.

Allowed values:"asc""desc"
REQUEST
{ "request_data": {} }
{ "request_data": { "filters": [ { "field": "incident_id_list", "operator": "in", "value": [ "<incident ID>", "<incident ID>" ] } ], "search_from": 0, "search_to": 100, "sort": { "field": "creation_time", "keyword": "desc" } } }
Responses

Successful response

Body
application/json
replyobject
total_countinteger

The total number of possible results.

result_countinteger

The number of incidents actually returned as result.

incidentsarray

A list of incidents. Note: If a manual_description was set, the description field will display the manual description and the system description is not returned. Depending on the defined user permissions, with full permissions, the response displays the original_tags and tags fields.

[
incident_idstring
incident_namestring
creation_timeinteger
modification_timeinteger
detection_timeobject
statusstring
severitystring
descriptionstring
assigned_user_mailobject
assigned_user_pretty_nameobject
alert_countinteger
low_severity_alert_countinteger
med_severity_alert_countinteger
high_severity_alert_countinteger
critical_severity_alert_countinteger
user_countinteger
host_countinteger
notesobject
resolve_commentobject
resolved_timestampinteger
manual_severityobject
manual_descriptionstring
xdr_urlstring
starredboolean
starred_manuallyboolean

True = this incident was manually starred. False = This incident was starred by starring rules.

hostsarray[string]
usersarray[string]
incident_sourcesarray[string]
rule_based_scoreinteger
manual_scoreobject
wildfire_hitsinteger
alerts_grouping_statusstring
mitre_tactics_ids_and_namesarray[string]
mitre_techniques_ids_and_namesarray[string]
alert_categoriesarray[string]
original_tagsarray[string]
tagsarray[string]
]
restricted_incident_idsarray

Depending on the defined user permissions, in restrictive or partial permission mode, the response displays only the incident ID. For example: "restricted_incident_ids": [ "1491"]

[
]
RESPONSE
{ "reply": { "total_count": 1, "result_count": 1, "incidents": [ { "incident_id": "<incident ID>", "incident_name": "test", "creation_time": 1577024425126, "modification_time": 1577024425126, "detection_time": null, "status": "resolved_known_issue", "severity": "medium", "description": "Memory Corruption Exploit generated by XDR Agent", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 1, "low_severity_alert_count": 0, "med_severity_alert_count": 1, "high_severity_alert_count": 0, "critical_severity_alert_count": 0, "user_count": 1, "host_count": 1, "notes": null, "resolve_comment": null, "resolved_timestamp": 1577024425126, "manual_severity": null, "manual_description": "Memory Corruption Exploit generated by XDR Agent", "xdr_url": "https://<link to incident>", "starred": false, "hosts": [ "<host ID>" ], "users": [ "test_1", "test_2" ], "incident_sources": [ "XDR Agent", "XDR BIOC" ], "rule_based_score": 342, "manual_score": null, "wildfire_hits": 0, "alerts_grouping_status": "Enabled", "mitre_tactics_ids_and_names": [ "TA0004 - Privilege Escalation", "TA0005 - Defense Evasion", "TA0006 - Credential Access" ], "mitre_techniques_ids_and_names": [ "T1001.001 - Data Obfuscation: Junk Data", "T1001.002 - Data Obfuscation: Steganography", "T1001.003 - Data Obfuscation: Protocol Impersonation" ], "alert_categories": [ "Credential Access", "Exploit", "Spyware Detected via Anti-Spyware profile" ], "original_tags": [ "DS:PANW/NGFW", "EG:acme-2", "EG:Acme group", "DS:PANW/XDR Agent" ], "tags": [ "EG:Acme group", "DS:PANW/NGFW", "DS:PANW/XDR Agent", "EG:acme-2" ], "starred_manually": true } ], "restricted_incident_ids": [] } }

Bad Request. Got an invalid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication type errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }