Get Extra Incident Data

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incident_extra_data/

Get extra data fields for a specific incident, including its alerts and key artifacts. For alerts of the PAN NGFW type, the response indicates whether the alert contains a PCAP triggering packet; use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data. This API is rate-limited to 10 requests per minute. Required license: Cortex Xpanse Expander

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: {{api_key}}" \
  -H "x-xdr-auth-id: {{api_key_id}}" \
  "https://api-{fqdn}/public_api/v1/incidents/get_incident_extra_data/" \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'
Request headers
authorization
required
String
api-key
Example: {{api_key}}
x-xdr-auth-id
required
String
api-key-id
Example: {{api_key_id}}
Request
Body
required
request_data
required
Object
A dictionary containing the API request fields.
incident_id
required
String
The ID of the incident for which you want to retrieve extra data.
alerts_limit
optional
Integer
The maximum number of related alerts in the incident that you want to retrieve.
Default: 1000
Responses

OK

Body
reply
required
Object
incident
optional
Object
incident_id
optional
String
is_blocked
optional
Boolean
incident_name
optional
String
creation_time
optional
Integer
modification_time
optional
Integer
detection_time
optional
Integer
status
optional
String
severity
optional
String
description
optional
String
assigned_user_mail
optional
String
assigned_user_pretty_name
optional
String
alert_count
optional
Integer
low_severity_alert_count
optional
Integer
med_severity_alert_count
optional
Integer
high_severity_alert_count
optional
Integer
critical_severity_alert_count
optional
Integer
user_count
optional
Integer
host_count
optional
Integer
notes
optional
String
resolve_comment
optional
String
resolved_timestamp
optional
Integer
manual_severity
optional
String
manual_description
optional
String
xdr_url
optional
String
starred
optional
Boolean
starred_manually
optional
Boolean
hosts
optional
Array of strings
incident_sources
optional
Array of strings
rule_based_score
optional
Integer
manual_score
optional
Number
aggregated_score
optional
Integer
alerts_grouping_status
optional
String
alert_categories
optional
Array of strings
original_tags
optional
Array of strings
tags
optional
Array of strings
xpanse_risk_score
optional
Integer
xpanse_risk_explainer
optional
Object
cves
optional
Array of objects
cveId
optional
String
cvssScore
optional
Integer
epssScore
optional
Number
matchType
optional
String
exploitMaturity
optional
String
reportedExploitInTheWild
optional
Boolean
mostRecentReportedExploitDate
optional
String
confidence
optional
String
riskFactors
optional
Array of objects
attributeId
required
String
attributeName
required
String
issueTypes
required
Array of objects
displayName
required
String
issueTypeId
required
String
versionMatched
optional
Boolean
cloud_management_status
optional
String
integration_source
optional
String
ipv4_addresses
optional
Array of strings
ipv6_addresses
optional
Array of strings
domain_names
optional
Array of strings
port_number
optional
Integer
asset_ids
optional
Array of strings (UUID)
format: uuid
ip_range_ids
optional
Array of strings
website_ids
optional
Array of strings
service_ids
optional
Array of strings
last_observed
optional
Integer
cloud_providers
optional
Array of strings
country_codes
optional
Array of strings
certificate_common_names
optional
Array of strings
certificate_issuers
optional
Array of strings
alerts
optional
Object
total_count
required
Integer
data
optional
Array of objects
category
optional
String
project
optional
String
cloud_provider
optional
String
resource_sub_type
optional
String
resource_type
optional
String
action_country
optional
String
event_type
optional
String
is_whitelisted
optional
Boolean
mac
optional
String
image_name
optional
String
action_local_ip
optional
String
action_local_port
optional
String
action_external_hostname
optional
String
action_remote_ip
optional
Array of strings
action_remote_port
optional
Integer
matching_service_rule_id
optional
String
starred
optional
Boolean
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
String
local_insert_ts
optional
Integer
The UNIX timestamp that this record was written to the database
last_modified_ts
optional
Integer
The UNIX timestamp that this record was last modified
case_id
optional
Integer
deduplicate_tokens
optional
String
filter_rule_id
optional
String
event_id
optional
String
event_timestamp
optional
Integer
action_local_ip_v6
optional
String
action_remote_ip_v6
optional
String
alert_type
optional
String
resolution_status
optional
String
resolution_comment
optional
String
dynamic_fields
optional
String
tags
optional
String
malicious_urls
optional
String
asm_alert_categories
optional
String
last_observed
optional
Integer
country_codes
optional
String
cloud_providers
optional
String
ipv4_addresses
optional
String
ipv6_addresses
optional
String
domain_names
optional
String
service_ids
optional
String
website_ids
optional
String
asset_ids
optional
String
certificate
optional
Object
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
port_protocol
optional
String
port_number
optional
Integer
business_unit_hierarchies
optional
Array of objects
creation_time
optional
Integer
family
optional
String
family_alias
optional
String
id
optional
String
is_active
optional
Integer
name
optional
String
parent_id
optional
String
update_time
optional
Integer
attack_surface_rule_name
optional
String
remediation_guidance
optional
String
attack_surface_rule_id
optional
String
asset_identifiers
optional
Object
domain
optional
String
certificate
optional
Object
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
ipv4Address
optional
String
ipv6Address
optional
String
httpPath
optional
String
portNumber
optional
Integer
portProtocol
optional
String
firstObserved
optional
Integer
lastObserved
optional
Integer
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
endpoint_id
optional
String
description
optional
String
host_ip
optional
String
host_name
optional
String
source
optional
String
action
optional
String
action_pretty
optional
String
user_name
optional
String
events_length
optional
Integer
mitre_tactic_id_and_name
optional
String
mitre_technique_id_and_name
optional
String
cloud_management_status
optional
String
network_artifacts
optional
Object
total_count
required
Integer
data
optional
Array of strings
file_artifacts
optional
Object
total_count
required
Integer
data
optional
Array of strings

Bad Request. The request body is not valid JSON.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unprocessable Entity

Body
code
optional
Integer
Error code
status
optional
String
Error name
message
optional
String
Error message
errors
optional
Object
Errors

Internal server error. A unified status for API communication type errors.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.
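The following is an added example client for this endpoint; it is not code from the Cortex Xpanse documentation or from Palo Alto Networks. It builds the same request the curl above sends (`authorization` and `x-xdr-auth-id` headers, `request_data` with `incident_id` and optional `alerts_limit`), throttles a bulk enrichment loop to the documented 10 requests per minute on the client side, normalises both documented error body shapes (the `reply.err_code`/`err_msg`/`err_extra` form and the Unprocessable Entity `code`/`status`/`message`/`errors` form), and pulls triage fields out of a successful reply. Assumptions not stated on the page: the API host has the form `api-{fqdn}` as in the curl placeholder; `alerts.total_count` still reports the full alert count when `alerts_limit` truncates `alerts.data`; the `SAMPLE_REPLY` and its `CVE-0000-000x` identifiers are constructed placeholders shaped like the documented schema, not real data. Only `get_incident_extra_data()` touches the network; everything else runs offline.

```python
"""Added example, not from the Cortex Xpanse docs: build a get_incident_extra_data
call, stay under the documented 10 requests/minute, and pull triage fields out of the reply."""
import json
import time
from collections import deque
from urllib import error, request

ENDPOINT = "/public_api/v1/incidents/get_incident_extra_data/"
RATE_LIMIT, WINDOW_SECONDS = 10, 60.0   # from the API description

def build_request(fqdn, api_key, api_key_id, incident_id, alerts_limit=None):
    """Return (url, headers, body) matching the page's curl; host form api-{fqdn} is assumed."""
    if not incident_id:
        raise ValueError("incident_id is required")
    request_data = {"incident_id": str(incident_id)}
    if alerts_limit is not None:
        request_data["alerts_limit"] = int(alerts_limit)
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "authorization": api_key,           # secret: never log or echo it
               "x-xdr-auth-id": str(api_key_id)}
    return (f"https://api-{fqdn}{ENDPOINT}", headers,
            json.dumps({"request_data": request_data}).encode())

class RateLimiter:
    """Client-side sliding window so bulk enrichment never exceeds 10 calls/minute."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):   # injectable for testing
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.sent = deque()

    def wait(self):
        """Block until another request is allowed; return seconds slept."""
        slept = 0.0
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()              # drop timestamps outside the window
            if len(self.sent) < self.limit:
                self.sent.append(now)
                return slept
            pause = self.window - (now - self.sent[0])
            self.sleep(pause)
            slept += pause

def parse_error(body):
    """Normalise both documented error shapes to (code, message, extra): the
    reply.err_code/err_msg/err_extra form and the Unprocessable Entity form."""
    reply = body.get("reply")
    if isinstance(reply, dict) and "err_code" in reply:
        return str(reply["err_code"]), reply.get("err_msg", ""), reply.get("err_extra")
    if "code" in body or "message" in body:
        return str(body.get("code")), body.get("message", ""), body.get("errors")
    raise ValueError("unrecognised error body")

def summarise_reply(reply):
    """Extract what a triage loop acts on from a successful reply."""
    inc = reply["reply"]["incident"]
    alerts = reply["reply"].get("alerts") or {}
    rows = alerts.get("data") or []
    cves = (inc.get("xpanse_risk_explainer") or {}).get("cves") or []
    return {
        "incident_id": inc["incident_id"],
        "severity": inc.get("severity"),
        # assumption: total_count stays the full count when alerts_limit truncates data
        "alerts_truncated": alerts.get("total_count", 0) > len(rows),
        "exploited_cves": sorted(c["cveId"] for c in cves if c.get("reportedExploitInTheWild")),
        "attack_surface_rules": sorted({r["attack_surface_rule_name"] for r in rows
                                        if r.get("attack_surface_rule_name")}),
        "exposed_ports": sorted({(r["port_protocol"], r["port_number"]) for r in rows
                                 if r.get("port_number") is not None}),
    }

def get_incident_extra_data(fqdn, api_key, api_key_id, incident_id,
                            alerts_limit=None, limiter=None, timeout=30):
    """POST the request; return parsed JSON or raise with the documented error fields."""
    url, headers, body = build_request(fqdn, api_key, api_key_id, incident_id, alerts_limit)
    if limiter is not None:
        limiter.wait()
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except error.HTTPError as exc:
        code, msg, extra = parse_error(json.loads(exc.read() or b"{}"))
        raise RuntimeError(f"HTTP {exc.code}: {code} {msg} {extra or ''}".rstrip()) from None

SAMPLE_REPLY = {"reply": {   # constructed to match the documented schema; CVE ids are placeholders
    "incident": {"incident_id": "12345", "severity": "high", "xpanse_risk_explainer": {"cves": [
        {"cveId": "CVE-0000-0002", "cvssScore": 9, "reportedExploitInTheWild": True},
        {"cveId": "CVE-0000-0001", "cvssScore": 5, "reportedExploitInTheWild": False}]}},
    "alerts": {"total_count": 3, "data": [
        {"alert_id": "a1", "attack_surface_rule_name": "Insecure SSH Server", "port_protocol": "TCP", "port_number": 22},
        {"alert_id": "a2", "attack_surface_rule_name": "Insecure SSH Server", "port_protocol": "TCP", "port_number": 2222}]}}}
```

A real run is `get_incident_extra_data(fqdn, api_key, api_key_id, "incident_id", alerts_limit=100, limiter=RateLimiter())`, with the key and key ID loaded from a secret store rather than hard-coded. The limiter is purely client-side: the page states the 10 requests per minute limit but not how the service answers when it is exceeded, so the code does not assume a particular status code for that case and instead avoids reaching it.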