Get Extra Incident Data

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incident_extra_data

Get extra data fields for a specific incident, including its alerts and key artifacts.

The API response indicates whether a PAN NGFW-type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

This API is rate limited to 10 requests per minute.

Required license: Cortex Xpanse Expander

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: authorization_example" \
  -H "x-xdr-auth-id: xXdrAuthId_example" \
  "https://api-yourfqdn/public_api/v1/incidents/get_incident_extra_data" \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'
Authentication: API key (api_key)
Request headers
authorization
required
String
api-key
Example: authorization_example
x-xdr-auth-id
required
String
api-key-id
Example: xXdrAuthId_example
Request
Body
optional
Example: {"request_data":{"incident_id":"string","alerts_limit":0}}
request_data
required
A dictionary containing the API request fields.
incident_id
required
String
The ID of the incident for which you want to retrieve extra data.
alerts_limit
optional
Integer
The maximum number of related alerts in the incident that you want to retrieve. Default: 1000
Responses

OK

Body
reply
optional
incident
optional
incident_id
optional
String
is_blocked
optional
Boolean
incident_name
optional
Object
creation_time
optional
Integer
modification_time
optional
Integer
detection_time
optional
Object
status
optional
String
severity
optional
String
description
optional
String
assigned_user_mail
optional
Object
assigned_user_pretty_name
optional
Object
alert_count
optional
Integer
low_severity_alert_count
optional
Integer
med_severity_alert_count
optional
Integer
high_severity_alert_count
optional
Integer
critical_severity_alert_count
optional
Integer
user_count
optional
Integer
host_count
optional
Integer
notes
optional
Object
resolve_comment
optional
String
resolved_timestamp
optional
Integer
manual_severity
optional
Object
manual_description
optional
Object
xdr_url
optional
String
starred
optional
Boolean
hosts
optional
Array of strings
incident_sources
optional
Array of strings
rule_based_score
optional
Integer
manual_score
optional
Object
aggregated_score
optional
Integer
alerts_grouping_status
optional
String
alert_categories
optional
Object
original_tags
optional
Array of strings
tags
optional
Array of strings
xpanse_risk_score
optional
Integer
xpanse_risk_explainer
optional
cves
optional
Array
cveId
optional
String
cvssScore
optional
Object
epssScore
optional
Number
matchType
optional
String
exploitMaturity
optional
String
reportedExploitInTheWild
optional
Boolean
mostRecentReportedExploitDate
optional
Object
riskFactors
optional
Array of objects
versionMatched
optional
Boolean
alerts
optional
total_count
optional
Integer
data
optional
Array
category
optional
Object
project
optional
Object
cloud_provider
optional
Object
resource_sub_type
optional
Object
resource_type
optional
Object
action_country
optional
String
event_type
optional
Object
is_whitelisted
optional
Boolean
mac
optional
Object
image_name
optional
Object
action_local_ip
optional
Object
action_local_port
optional
Object
action_external_hostname
optional
Object
action_remote_ip
optional
String
action_remote_port
optional
Object
matching_service_rule_id
optional
Object
starred
optional
Boolean
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
Object
local_insert_ts
optional
Integer
last_modified_ts
optional
Integer
case_id
optional
Integer
deduplicate_tokens
optional
Object
filter_rule_id
optional
Object
event_id
optional
Object
event_timestamp
optional
Integer
action_local_ip_v6
optional
Object
action_remote_ip_v6
optional
Object
alert_type
optional
String
resolution_status
optional
String
resolution_comment
optional
String
dynamic_fields
optional
Object
tags
optional
String
malicious_urls
optional
Object
asm_alert_categories
optional
String
last_observed
optional
Integer
country_codes
optional
String
cloud_providers
optional
String
ipv4_addresses
optional
String
ipv6_addresses
optional
Object
domain_names
optional
String
service_ids
optional
String
website_ids
optional
Object
asset_ids
optional
String
certificate
optional
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
port_protocol
optional
String
business_unit_hierarchies
optional
Array
creation_time
optional
Integer
family
optional
String
family_alias
optional
String
id
optional
String
name
optional
String
parent_id
optional
Object
update_time
optional
Integer
attack_surface_rule_name
optional
Object
remediation_guidance
optional
Object
attack_surface_rule_id
optional
Object
asset_identifiers
optional
domain
optional
Object
certificate
optional
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
ipv4Address
optional
String
ipv6Address
optional
Object
httpPath
optional
String
portNumber
optional
Object
portProtocol
optional
String
firstObserved
optional
Integer
lastObserved
optional
Integer
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
endpoint_id
optional
Object
description
optional
String
host_ip
optional
Object
host_name
optional
String
source
optional
String
action
optional
String
action_pretty
optional
String
user_name
optional
Object
events_length
optional
Integer
network_artifacts
optional
total_count
optional
Integer
data
optional
Array of objects
file_artifacts
optional
total_count
optional
Integer
data
optional
Array of objects
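An added example (not Palo Alto Networks' code) of how a client would use this endpoint end to end: it assembles the headers and request_data body described under Request, paces calls to stay under the stated 10-per-minute limit, and reduces a reply to a triage view using only field names from the response schema above (severity, whether alerts_limit truncated the alert list against total_count, CVEs flagged reportedExploitInTheWild, and exposed port_protocol values). The sample reply is constructed, not real data, and its CVE IDs are placeholders.

```python
"""Added example (not Palo Alto Networks' code): build a get_incident_extra_data
request, pace calls under the page's 10/minute limit, and summarize the reply."""
import json
from collections import deque
ENDPOINT = "/public_api/v1/incidents/get_incident_extra_data"

def build_request(fqdn, api_key, api_key_id, incident_id, alerts_limit=None):
    """Return (url, headers, json_body); omitting alerts_limit keeps the server default of 1000."""
    request_data = {"incident_id": str(incident_id)}
    if alerts_limit is not None:
        request_data["alerts_limit"] = int(alerts_limit)
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "authorization": api_key,          # api-key
               "x-xdr-auth-id": str(api_key_id)}  # api-key-id
    return f"https://{fqdn}{ENDPOINT}", headers, json.dumps({"request_data": request_data})

class RateLimiter:
    """Sliding window: at most `limit` calls in any `window` seconds (page states 10/min)."""
    def __init__(self, limit=10, window=60.0):
        self.limit, self.window, self.calls = limit, window, deque()

    def delay_for(self, now):
        """Seconds to wait before calling at `now`; 0.0 means the call is recorded and may go."""
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        if len(self.calls) < self.limit:
            self.calls.append(now)
            return 0.0
        return self.window - (now - self.calls[0])

def summarize(reply):
    """Triage view: severity, truncation by alerts_limit, exploited CVEs, exposed port/protocols."""
    r = reply["reply"]
    inc, alerts = r["incident"], r.get("alerts", {})
    data = alerts.get("data", [])
    cves = inc.get("xpanse_risk_explainer", {}).get("cves", [])
    return {
        "incident_id": inc["incident_id"],
        "severity": inc.get("severity"),
        "truncated": len(data) < alerts.get("total_count", len(data)),
        "exploited_cves": sorted(c["cveId"] for c in cves if c.get("reportedExploitInTheWild")),
        "port_protocols": sorted({a["port_protocol"] for a in data if a.get("port_protocol")}),
    }

# Constructed sample reply (not real data; placeholder CVE IDs), shaped like the schema above.
SAMPLE_REPLY = {"reply": {
    "incident": {"incident_id": "12", "severity": "high", "alert_count": 3,
                 "xpanse_risk_explainer": {"cves": [
                     {"cveId": "CVE-0000-0001", "reportedExploitInTheWild": True},
                     {"cveId": "CVE-0000-0002", "reportedExploitInTheWild": False}]}},
    "alerts": {"total_count": 3, "data": [{"alert_id": "a1", "port_protocol": "TCP/443"},
                                          {"alert_id": "a2", "port_protocol": "TCP/22"}]}}}
```

Because alerts_limit caps the returned alerts while total_count reports all of them, the truncated flag tells a responder when a second call with a larger limit is needed before closing an incident.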