Update one or more fields of a specific incident. Missing fields are ignored. Note the following:
- The assigned_user_mail field is validated by Cortex XDR to confirm that the provided assignee email address belongs to a user that exists in the same Cortex XDR tenant.
- To unassign an incident, pass none or "assigned_user_mail": "".
- To remove a manually set severity, pass none or "manual_severity": "".
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
Accept-Encoding
String
For retrieving a compressed gzipped response
For retrieving a compressed gzipped response
acceptEncoding_example
gzip
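# Update an incident through the public API.
# Replace authorization_example with the API key and xXdrAuthId_example with the API key ID.
# Header values typed on the command line end up in shell history and are visible in the
# process list, so read real credentials from the environment or a protected file instead.
# The request body is a JSON object with "request_data"; an empty -d '' would update nothing.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  -H 'Accept-Encoding: acceptEncoding_example' \
  'https://api-yourfqdn/public_api/v1/incidents/update_incident' \
  -d '{"request_data":{"incident_id":"<incident ID>","update_data":{"assigned_user_mail":"username@test.com","manual_severity":"low","status":"resolved_other","resolve_comment":"This incident is resolved"}}}'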
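import http.client
import json

# HTTPSConnection validates the server certificate with the default SSL context.
conn = http.client.HTTPSConnection("api-yourfqdn")

# Serialise a dict so the body is a JSON object. The request schema expects an object with
# "request_data"; the previous literal was a quoted string that wrapped (unbalanced) JSON.
payload = json.dumps({
    "request_data": {
        "incident_id": "<incident ID>",
        "update_data": {
            "assigned_user_mail": "username@test.com",
            "manual_severity": "low",
            "status": "resolved_other",
            "resolve_comment": "This incident is resolved",
        },
    }
})

# Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
# API key ID. Load them from the environment or a secrets store rather than committing them.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json"
}

try:
    conn.request("POST", "/public_api/v1/incidents/update_incident", payload, headers)
    res = conn.getresponse()
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Always release the socket, including when the request raises.
    conn.close()
require 'uri'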
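require 'json'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/incidents/update_incident")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The request carries the API key, so the peer must be
# authenticated; VERIFY_NONE would accept any certificate presented on the path.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
# API key ID. Read them from the environment or a secrets store rather than hard-coding them.
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'

# Generate the body from a hash so it is a JSON object; the request schema expects an
# object with "request_data", not a quoted string that contains JSON.
request.body = JSON.generate(
  "request_data" => {
    "incident_id" => "<incident ID>",
    "update_data" => {
      "assigned_user_mail" => "username@test.com",
      "manual_severity" => "low",
      "status" => "resolved_other",
      "resolve_comment" => "This incident is resolved"
    }
  }
)

response = http.request(request)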
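puts response.read_body
// Serialise an object once. Passing an already-quoted string to JSON.stringify sends a
// JSON string, while the request schema expects an object with "request_data".
const data = JSON.stringify({
  request_data: {
    incident_id: "<incident ID>",
    update_data: {
      assigned_user_mail: "username@test.com",
      manual_severity: "low",
      status: "resolved_other",
      resolve_comment: "This incident is resolved"
    }
  }
});

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;

// Log the response body once the request has completed.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/incidents/update_incident");
// Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
// API key ID. A key placed in page script is readable by anyone who can load the page, so
// keep real keys on a server-side component.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
// Browsers treat Accept-Encoding as a forbidden header name and refuse to set it from script.
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");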
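xhr.send(data);
// Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
// API key ID; load them from configuration or a secrets store rather than source code.
// The body is a JSON object with "request_data", as the request schema expects; the
// previous literal was a quoted string that wrapped (unbalanced) JSON.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/incidents/update_incident")
  .header("Authorization", "SOME_STRING_VALUE")
  .header("x-xdr-auth-id", "SOME_STRING_VALUE")
  .header("Accept-Encoding", "SOME_STRING_VALUE")
  .header("content-type", "application/json")
  .body("{\"request_data\":{\"incident_id\":\"<incident ID>\",\"update_data\":{\"assigned_user_mail\":\"username@test.com\",\"manual_severity\":\"low\",\"status\":\"resolved_other\",\"resolve_comment\":\"This incident is resolved\"}}}")
  .asString();
import Foundation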
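// Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
// API key ID. Load them from the Keychain or configuration rather than source code.
let headers = [
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "Accept-Encoding": "SOME_STRING_VALUE",
  "content-type": "application/json"
]

// A dictionary literal, so JSONSerialization emits a JSON object with "request_data".
// The previous version cast a string to [String: Any], which does not compile.
let parameters: [String: Any] = [
  "request_data": [
    "incident_id": "<incident ID>",
    "update_data": [
      "assigned_user_mail": "username@test.com",
      "manual_severity": "low",
      "status": "resolved_other",
      "resolve_comment": "This incident is resolved"
    ]
  ]
]

// data(withJSONObject:options:) throws, so the call has to be marked with try.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

guard let url = URL(string: "https://api-yourfqdn/public_api/v1/incidents/update_incident") else {
  fatalError("The endpoint URL literal is malformed")
}

var request = URLRequest(url: url,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
  // Report the transport error if there is one, otherwise the HTTP response metadata.
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}
dataTask.resume()
<?php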
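$curl = curl_init();

// Encode an array so the body is a JSON object. The request schema expects an object with
// "request_data"; the previous literal was a quoted string that wrapped (unbalanced) JSON.
$payload = json_encode([
  "request_data" => [
    "incident_id" => "<incident ID>",
    "update_data" => [
      "assigned_user_mail" => "username@test.com",
      "manual_severity" => "low",
      "status" => "resolved_other",
      "resolve_comment" => "This incident is resolved",
    ],
  ],
]);

// Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
// API key ID. Read them from the environment or a secrets store rather than hard-coding them.
curl_setopt_array($curl, [
  CURLOPT_URL => "https://api-yourfqdn/public_api/v1/incidents/update_incident",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $payload,
  CURLOPT_HTTPHEADER => [
    "Accept-Encoding: SOME_STRING_VALUE",
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

// Print the transport error if there was one, otherwise the response body.
if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
CURL *hnd = curl_easy_init();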
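curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/incidents/update_incident");

/* Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
 * API key ID. Load them at run time rather than compiling them into the binary. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

/* The body is a JSON object with "request_data", as the request schema expects; the
 * previous literal was a quoted string that wrapped (unbalanced) JSON. */
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"incident_id\":\"<incident ID>\",\"update_data\":{\"assigned_user_mail\":\"username@test.com\",\"manual_severity\":\"low\",\"status\":\"resolved_other\",\"resolve_comment\":\"This incident is resolved\"}}}");

/* ret is CURLE_OK when the transfer succeeded; compare it before trusting the result. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle once the transfer is finished. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/incidents/update_incident");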
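// Replace each SOME_STRING_VALUE: Authorization carries the API key and x-xdr-auth-id the
// API key ID. Load them from configuration or a secrets store rather than source code.
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
// The body is a JSON object with "request_data", as the request schema expects; the
// previous literal was a quoted string that wrapped (unbalanced) JSON.
request.AddParameter("application/json", "{\"request_data\":{\"incident_id\":\"<incident ID>\",\"update_data\":{\"assigned_user_mail\":\"username@test.com\",\"manual_severity\":\"low\",\"status\":\"resolved_other\",\"resolve_comment\":\"This incident is resolved\"}}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
request_dataobject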
incident_idstringrequiredA string representing the incident ID you want to update.
A string representing the incident ID you want to update.
update_dataobjectrequiredThe data to update the incident with.
The data to update the incident with.
assigned_user_mailstringUpdated email address of the incident assignee.
Updated email address of the incident assignee.
manual_severitystringAdministrator-defined severity. Updated incident status.
Administrator-defined severity. Updated incident status.
statusstringUpdated incident status.
Updated incident status.
resolve_commentstringDescriptive comment explaining the incident change. This can be set only for resolved incidents.
Descriptive comment explaining the incident change. This can be set only for resolved incidents.
commentobjectAdd a comment to the incident.
Add a comment to the incident.
comment_actionstringrequiredThe comment action must be 'add'.
The comment action must be 'add'.
valuestringrequiredThe comment text.
The comment text.
<custom_fields>stringYou can include custom incident fields in the request. The names of the custom fields are standardized into lowercase with no white spaces.
For example, Single Select would be included as singleselect.
You can include custom incident fields in the request. The names of the custom fields are standardized into lowercase with no white spaces.
For example, Single Select would be included as singleselect.
notesstringNotes for the incident. If there are already notes, these notes will replace existing notes.
Notes for the incident. If there are already notes, these notes will replace existing notes.
{
"request_data": {
"incident_id": "2927",
"update_data": {
"assigned_user_mail": "username@test.com",
"manual_severity": "low",
"status": "resolved_other",
"resolve_comment": "This incident is resolved"
}
}
}