Get Extra Incident Data

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incident_extra_data/

Get extra data fields for a specific incident including alerts and key artifacts.

Note: The API has a rate limit of 10 API requests per minute.

Required license: Cortex Xpanse Expander

Request headers

authorization (String, required)
api-key
Example: {{api_key}}

x-xdr-auth-id (String, required)
api-key-id
Example: {{api_key_id}}

Body parameters (required)

request_data (Object, required)

A dictionary containing the API request fields.

incident_id (String)

The ID of the incident for which you want to retrieve extra data.

alerts_limit (Integer)

The maximum number of related alerts in the incident that you want to retrieve.
Default: 1000

REQUEST BODY
{ "request_data": { "alerts_limit": 0, "incident_id": "incident_id" } }
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-}/public_api/v1/incidents/get_incident_extra_data/' \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'
Responses

OK

Body
reply (Object)
  incident (Object)
  alerts (Object)
  network_artifacts (Object)
  file_artifacts (Object, required)
    total_count (Integer)
    data (Array[string])
RESPONSE
{ "reply": { "incident": {}, "alerts": {}, "network_artifacts": {}, "file_artifacts": { "total_count": 0, "data": [ "data_example" ] } } }

Bad Request. Got an invalid JSON.

Body
reply (Object)

The query results upon error.

RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
reply (Object)

The query results upon error.

RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body
reply (Object)

The query results upon error.

RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
reply (Object)

The query results upon error.

RESPONSE
{ "reply": {} }

Unprocessable Entity

Body
code (Integer)

Error code

status (String)

Error name

message (String)

Error message

errors (Object)

Errors

RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Exceeded 10 requests in a 60-second window. If you get this response, wait 60 seconds and retry your request.

Internal server error. A unified status for API communication type errors.

Body
reply (Object)

The query results upon error.

RESPONSE
{ "reply": {} }
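
A rate-limited client for this endpoint, added here as an example and not taken from the Cortex Xpanse documentation: it keeps calls under the documented 10 requests per 60-second window, builds the documented headers and request_data body, and treats a reply without the required file_artifacts object as an error. The names SlidingWindowLimiter, build_request, file_artifacts and fetch, the injectable send transport and the base_url argument are assumptions of this example.

```python
import json
import time
import urllib.request
from collections import deque

# Added example: function, class and argument names are hypothetical.
ENDPOINT = "/public_api/v1/incidents/get_incident_extra_data/"

class SlidingWindowLimiter:
    """Allow at most `limit` calls in any `window` seconds (page: 10 per 60 s)."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # start times of calls still inside the window

    def acquire(self):
        """Block until a call is allowed; return the seconds waited."""
        now, waited = self.clock(), 0.0
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            waited = self.window - (now - self.sent[0])
            self.sleep(waited)
            self.sent.popleft()
            now = self.clock()
        self.sent.append(now)
        return waited

def build_request(base_url, api_key, api_key_id, incident_id, alerts_limit=1000):
    """Build the POST with the two auth headers and the request_data wrapper."""
    body = {"request_data": {"incident_id": str(incident_id),
                             "alerts_limit": int(alerts_limit)}}
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "authorization": api_key, "x-xdr-auth-id": str(api_key_id)}
    return urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="POST",
                                  data=json.dumps(body).encode(), headers=headers)

def file_artifacts(raw):
    """Return reply.file_artifacts.data; an empty reply object is the error shape."""
    reply = json.loads(raw).get("reply") or {}
    if "file_artifacts" not in reply:
        raise ValueError("empty or error reply: no file_artifacts")
    return reply["file_artifacts"].get("data", [])

def fetch(limiter, send, **request_args):
    """Throttle, send through `send` (hypothetical transport), return artifacts."""
    limiter.acquire()
    return file_artifacts(send(build_request(**request_args)))
```

For live use, pass send=lambda req: urllib.request.urlopen(req, timeout=30).read() and load the API key and key ID from the environment or a secrets store rather than from source code.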