Get Extra Incident Data

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incident_extra_data/

Get extra data fields for a specific incident including alerts and key artifacts.

Note: The API is rate limited to 10 API requests per minute.

Required license: Cortex Xpanse Expander

Request headers
authorization
String
required

api-key

Example: {{api_key}}
x-xdr-auth-id
String
required

api-key-id

Example: {{api_key_id}}
Body parameters
required
request_data (Object, required)

A dictionary containing the API request fields.

incident_id (String)

The ID of the incident for which you want to retrieve extra data.

alerts_limit (Integer)

The maximum number of related alerts in the incident that you want to retrieve.
Default: 1000

Free-Form object
Free-Form object
REQUEST BODY
{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }
CLIENT REQUEST
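# Get Extra Incident Data: POST an incident_id (and an alerts_limit) to the
# Cortex Xpanse REST API and print the JSON reply.
# {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's
# API FQDN, API key and API key ID. The two auth headers carry a credential
# with the key's full RBAC scope; prefer supplying them from a curl config
# file (-K) so they do not end up in shell history or process listings.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/' \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'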
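import http.client
import json

# Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
# Xpanse REST API and print the JSON reply.
# {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
# FQDN, API key and API key ID. In real code load the two credentials from the
# environment or a secret store rather than embedding them in source.
API_HOST = "api-{{fqdn}}"
API_PATH = "/public_api/v1/incidents/get_incident_extra_data/"

payload = json.dumps({"request_data": {"incident_id": "string", "alerts_limit": 0}})
headers = {
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate with the default SSL context,
# which is what we want for a request that carries an API key.
conn = http.client.HTTPSConnection(API_HOST)
try:
    conn.request("POST", API_PATH, payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

# Non-2xx replies carry an error body (see Responses below); surface the
# status instead of printing the error body as if it were incident data.
if res.status != 200:
    raise SystemExit("HTTP %d %s: %s" % (res.status, res.reason, data.decode("utf-8", "replace")))
print(data.decode("utf-8"))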
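require 'uri'
require 'net/http'
require 'openssl'

# Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
# Xpanse REST API and print the JSON reply.
# {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
# FQDN, API key and API key ID; substitute them before running.
url = URI("https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The generated sample used VERIFY_NONE, which
# lets any on-path host terminate the TLS session and read the API key sent in
# the headers below.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request['authorization'] = '{{api_key}}'
request['x-xdr-auth-id'] = '{{api_key_id}}'
request['content-type'] = 'application/json'
request.body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}"

response = http.request(request)
# Non-2xx replies carry an error body (see Responses below); report the status
# rather than printing the error body as if it were incident data.
unless response.is_a?(Net::HTTPSuccess)
  abort "HTTP #{response.code} #{response.message}: #{response.body}"
end
puts response.body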
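// Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
// Xpanse REST API from a browser XMLHttpRequest and log the JSON reply.
// {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
// FQDN, API key and API key ID. An API key embedded in browser-delivered
// JavaScript is readable by every user of the page; in production call this
// endpoint from a backend that holds the key.
const data = JSON.stringify({
  request_data: { incident_id: "string", alerts_limit: 0 },
});

const xhr = new XMLHttpRequest();
// withCredentials is deliberately not set: authentication is carried entirely
// by the two headers below, so the browser's cookies for the API host do not
// need to be attached to the request.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  // Non-2xx replies carry an error body (see Responses below); report the
  // status rather than logging the error body as if it were incident data.
  if (this.status !== 200) {
    console.error("HTTP " + this.status + ": " + this.responseText);
    return;
  }
  console.log(this.responseText);
});
xhr.open("POST", "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");
xhr.setRequestHeader("authorization", "{{api_key}}");
xhr.setRequestHeader("x-xdr-auth-id", "{{api_key_id}}");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);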
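// Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
// Xpanse REST API with Unirest.
// {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
// FQDN, API key and API key ID; substitute them before running.
String url = "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/";
String body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}";

HttpResponse<String> response = Unirest.post(url)
    .header("authorization", "{{api_key}}")
    .header("x-xdr-auth-id", "{{api_key_id}}")
    .header("content-type", "application/json")
    .body(body)
    .asString();

// Unirest does not throw on HTTP error statuses. Non-2xx replies carry an
// error body (see Responses below), so check the status before treating
// response.getBody() as incident data.
if (response.getStatus() != 200) {
    throw new IllegalStateException("HTTP " + response.getStatus() + ": " + response.getBody());
}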
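import Foundation

// Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
// Xpanse REST API with URLSession and print the JSON reply.
// {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
// FQDN, API key and API key ID; substitute them before running.
let headers = [
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json",
]
let parameters = ["request_data": ["incident_id": "string", "alerts_limit": 0]] as [String: Any]
// JSONSerialization.data(withJSONObject:) throws; the generated sample omitted
// `try`. The literal above is always serialisable, so a failure here would be a
// programming error rather than a runtime condition to recover from.
let postData = try! JSONSerialization.data(withJSONObject: parameters, options: [])

let url = URL(string: "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/")!
var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print(error)
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("no HTTP response")
        return
    }
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    // Non-2xx replies carry an error body (see Responses below); report the
    // status rather than printing the error body as if it were incident data.
    if httpResponse.statusCode != 200 {
        print("HTTP \(httpResponse.statusCode): \(body)")
        return
    }
    print(body)
}
dataTask.resume()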
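<?php
// Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
// Xpanse REST API with cURL and echo the JSON reply.
// {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
// FQDN, API key and API key ID; substitute them before running.
$url = "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/";
$body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}";

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    // A real POST rather than CUSTOMREQUEST, so libcurl handles the method itself.
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        "authorization: {{api_key}}",
        "content-type: application/json",
        "x-xdr-auth-id: {{api_key_id}}",
    ],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status !== 200) {
    // Non-2xx replies carry an error body (see Responses below); report the
    // status rather than echoing the error body as if it were incident data.
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}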
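/* Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
 * Xpanse REST API with libcurl. The reply body goes to stdout via libcurl's
 * default write callback.
 * {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
 * FQDN, API key and API key ID; substitute them before building. */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;
long status = 0;

if (hnd != NULL) {
    headers = curl_slist_append(headers, "authorization: {{api_key}}");
    headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* CURLOPT_POSTFIELDS already makes this a POST; CURLOPT_CUSTOMREQUEST is not needed. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}");

    ret = curl_easy_perform(hnd);
    if (ret == CURLE_OK) {
        /* Non-2xx replies carry an error body (see Responses below); make the
         * status visible instead of treating the error body as incident data. */
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        if (status != 200) {
            fprintf(stderr, "HTTP %ld\n", status);
        }
    } else {
        fprintf(stderr, "curl_easy_perform: %s\n", curl_easy_strerror(ret));
    }

    /* The generated sample leaked both the header list and the easy handle. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}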
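// Get Extra Incident Data: POST an incident_id (and alerts_limit) to the Cortex
// Xpanse REST API with RestSharp.
// {{fqdn}}, {{api_key}} and {{api_key_id}} are placeholders for the tenant's API
// FQDN, API key and API key ID; substitute them before running.
var client = new RestClient("https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "{{api_key}}");
request.AddHeader("x-xdr-auth-id", "{{api_key_id}}");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

// RestSharp does not throw on HTTP error statuses. Non-2xx replies carry an
// error body (see Responses below), so check before treating response.Content
// as incident data.
if (!response.IsSuccessful)
{
    throw new InvalidOperationException("HTTP " + (int)response.StatusCode + ": " + response.Content);
}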
Responses

OK

Body
replyObject
incidentObject
incident_idString
is_blockedBoolean
incident_nameString
creation_timeInteger
modification_timeInteger
detection_timeInteger
statusString
severityString
descriptionString
assigned_user_mailString
assigned_user_pretty_nameString
alert_countInteger
low_severity_alert_countInteger
med_severity_alert_countInteger
high_severity_alert_countInteger
critical_severity_alert_countInteger
user_countInteger
host_countInteger
notesString
resolve_commentString
resolved_timestampInteger
manual_severityString
manual_descriptionString
xdr_urlString
starredBoolean
starred_manuallyBoolean
hostsArray[string]
incident_sourcesArray[string]
rule_based_scoreInteger
manual_scoreNumber
aggregated_scoreInteger
alerts_grouping_statusString
alert_categoriesArray[string]
original_tagsArray[string]
tagsArray[string]
xpanse_risk_scoreInteger
xpanse_risk_explainerObject
cvesArray
[
cveIdString
cvssScoreInteger
epssScoreNumber
matchTypeString
exploitMaturityString
reportedExploitInTheWildBoolean
mostRecentReportedExploitDateString
confidenceString
Free-Form object
]
riskFactorsArray
[
attributeIdString
attributeNameString
issueTypesArray
[
displayNameString
issueTypeIdString
Free-Form object
]
Free-Form object
]
versionMatchedBoolean
Free-Form object
cloud_management_statusString
integration_sourceString
ipv4_addressesArray[string]
ipv6_addressesArray[string]
domain_namesArray[string]
port_numberInteger
asset_idsArray[string]
ip_range_idsArray[string]
website_idsArray[string]
service_idsArray[string]
last_observedInteger
cloud_providersArray[string]
country_codesArray[string]
certificate_common_namesArray[string]
certificate_issuersArray[string]
Free-Form object
alerts (Object, required)
total_countInteger
dataArray
[
categoryString
projectString
cloud_providerString
resource_sub_typeString
resource_typeString
action_countryString
event_typeString
is_whitelistedBoolean
macString
image_nameString
action_local_ipString
action_local_portString
action_external_hostnameString
action_remote_ipArray[string]
action_remote_portInteger
matching_service_rule_idString
starredBoolean
external_idString
severityString
matching_statusString
end_match_attempt_tsString
local_insert_tsInteger

The UNIX timestamp that this record was written to the database

last_modified_tsInteger

The UNIX timestamp that this record was last modified

case_idInteger
deduplicate_tokensString
filter_rule_idString
event_idString
event_timestampInteger
action_local_ip_v6String
action_remote_ip_v6String
alert_typeString
resolution_statusString
resolution_commentString
dynamic_fieldsString
tagsString
malicious_urlsString
asm_alert_categoriesString
last_observedInteger
country_codesString
cloud_providersString
ipv4_addressesString
ipv6_addressesString
domain_namesString
service_idsString
website_idsString
asset_idsString
certificateObject
issuerNameString
subjectNameString
validNotBeforeInteger
validNotAfterInteger
serialNumberString
Free-Form object
port_protocolString
port_numberInteger
business_unit_hierarchiesArray
[
creation_timeInteger
familyString
family_aliasString
idString
is_activeInteger
nameString
parent_idString
update_timeInteger
Free-Form object
]
attack_surface_rule_nameString
remediation_guidanceString
attack_surface_rule_idString
asset_identifiersObject
domainString
certificateObject
issuerNameString
subjectNameString
validNotBeforeInteger
validNotAfterInteger
serialNumberString
Free-Form object
ipv4AddressString
ipv6AddressString
httpPathString
portNumberInteger
portProtocolString
firstObservedInteger
lastObservedInteger
Free-Form object
alert_idString
detection_timestampInteger
nameString
endpoint_idString
descriptionString
host_ipString
host_nameString
sourceString
actionString
action_prettyString
user_nameString
events_lengthInteger
mitre_tactic_id_and_nameString
mitre_technique_id_and_nameString
cloud_management_statusString
Free-Form object
]
Free-Form object
network_artifacts (Object, required)
total_countInteger
dataArray[string]
Free-Form object
file_artifacts (Object, required)
total_countInteger
dataArray[string]
Free-Form object
Free-Form object
Free-Form object
RESPONSE
{ "reply": { "incident": { "incident_id": "incident_id_example", "is_blocked": false, "incident_name": "incident_name_example", "creation_time": 0, "modification_time": 0, "detection_time": 0, "status": "status_example", "severity": "severity_example", "description": "description_example", "assigned_user_mail": "assigned_user_mail_example", "assigned_user_pretty_name": "assigned_user_pretty_name_example", "alert_count": 0, "low_severity_alert_count": 0, "med_severity_alert_count": 0, "high_severity_alert_count": 0, "critical_severity_alert_count": 0, "user_count": 0, "host_count": 0, "notes": "notes_example", "resolve_comment": "resolve_comment_example", "resolved_timestamp": 0, "manual_severity": "manual_severity_example", "manual_description": "manual_description_example", "xdr_url": "xdr_url_example", "starred": false, "starred_manually": false, "hosts": [ "hosts_example" ], "incident_sources": [ "incident_sources_example" ], "rule_based_score": 0, "manual_score": 0.0, "aggregated_score": 0, "alerts_grouping_status": "alerts_grouping_status_example", "alert_categories": [ "alert_categories_example" ], "original_tags": [ "original_tags_example" ], "tags": [ "tags_example" ], "xpanse_risk_score": 0, "xpanse_risk_explainer": { "cves": [ { "cveId": "cveId_example", "cvssScore": 0, "epssScore": 0.0, "matchType": "matchType_example", "exploitMaturity": "exploitMaturity_example", "reportedExploitInTheWild": false, "mostRecentReportedExploitDate": "mostRecentReportedExploitDate_example", "confidence": "confidence_example" } ], "riskFactors": [ { "attributeId": "attributeId_example", "attributeName": "attributeName_example", "issueTypes": [ { "displayName": "displayName_example", "issueTypeId": "issueTypeId_example" } ] } ], "versionMatched": false }, "cloud_management_status": "cloud_management_status_example", "integration_source": "integration_source_example", "ipv4_addresses": [ "ipv4_addresses_example" ], "ipv6_addresses": [ "ipv6_addresses_example" ], 
"domain_names": [ "domain_names_example" ], "port_number": 0, "asset_ids": [ "asset_ids_example" ], "ip_range_ids": [ "ip_range_ids_example" ], "website_ids": [ "website_ids_example" ], "service_ids": [ "service_ids_example" ], "last_observed": 0, "cloud_providers": [ "cloud_providers_example" ], "country_codes": [ "country_codes_example" ], "certificate_common_names": [ "certificate_common_names_example" ], "certificate_issuers": [ "certificate_issuers_example" ] }, "alerts": { "total_count": 0, "data": [ { "category": "category_example", "project": "project_example", "cloud_provider": "cloud_provider_example", "resource_sub_type": "resource_sub_type_example", "resource_type": "resource_type_example", "action_country": "action_country_example", "event_type": "event_type_example", "is_whitelisted": false, "mac": "mac_example", "image_name": "image_name_example", "action_local_ip": "action_local_ip_example", "action_local_port": "action_local_port_example", "action_external_hostname": "action_external_hostname_example", "action_remote_ip": [ "action_remote_ip_example" ], "action_remote_port": 0, "matching_service_rule_id": "matching_service_rule_id_example", "starred": false, "external_id": "external_id_example", "severity": "severity_example", "matching_status": "matching_status_example", "end_match_attempt_ts": "end_match_attempt_ts_example", "local_insert_ts": 0, "last_modified_ts": 0, "case_id": 0, "deduplicate_tokens": "deduplicate_tokens_example", "filter_rule_id": "filter_rule_id_example", "event_id": "event_id_example", "event_timestamp": 0, "action_local_ip_v6": "action_local_ip_v6_example", "action_remote_ip_v6": "action_remote_ip_v6_example", "alert_type": "alert_type_example", "resolution_status": "resolution_status_example", "resolution_comment": "resolution_comment_example", "dynamic_fields": "dynamic_fields_example", "tags": "tags_example", "malicious_urls": "malicious_urls_example", "asm_alert_categories": "asm_alert_categories_example", 
"last_observed": 0, "country_codes": "country_codes_example", "cloud_providers": "cloud_providers_example", "ipv4_addresses": "ipv4_addresses_example", "ipv6_addresses": "ipv6_addresses_example", "domain_names": "domain_names_example", "service_ids": "service_ids_example", "website_ids": "website_ids_example", "asset_ids": "asset_ids_example", "certificate": { "issuerName": "issuerName_example", "subjectName": "subjectName_example", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "serialNumber_example" }, "port_protocol": "port_protocol_example", "port_number": 0, "business_unit_hierarchies": [ { "creation_time": 0, "family": "family_example", "family_alias": "family_alias_example", "id": "id_example", "is_active": 0, "name": "name_example", "parent_id": "parent_id_example", "update_time": 0 } ], "attack_surface_rule_name": "attack_surface_rule_name_example", "remediation_guidance": "remediation_guidance_example", "attack_surface_rule_id": "attack_surface_rule_id_example", "asset_identifiers": { "domain": "domain_example", "certificate": { "issuerName": "issuerName_example", "subjectName": "subjectName_example", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "serialNumber_example" }, "ipv4Address": "ipv4Address_example", "ipv6Address": "ipv6Address_example", "httpPath": "httpPath_example", "portNumber": 0, "portProtocol": "portProtocol_example", "firstObserved": 0, "lastObserved": 0 }, "alert_id": "alert_id_example", "detection_timestamp": 0, "name": "name_example", "endpoint_id": "endpoint_id_example", "description": "description_example", "host_ip": "host_ip_example", "host_name": "host_name_example", "source": "source_example", "action": "action_example", "action_pretty": "action_pretty_example", "user_name": "user_name_example", "events_length": 0, "mitre_tactic_id_and_name": "mitre_tactic_id_and_name_example", "mitre_technique_id_and_name": "mitre_technique_id_and_name_example", "cloud_management_status": "cloud_management_status_example" } 
] }, "network_artifacts": { "total_count": 0, "data": [ "data_example" ] }, "file_artifacts": { "total_count": 0, "data": [ "data_example" ] } } }

Bad Request. Got an invalid JSON.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unprocessable Entity

Body
codeInteger

Error code

statusString

Error name

messageString

Error message

errorsObject

Errors

RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Exceeded 10 requests in a 60-second window. If you get this response, wait 60 seconds and retry your request.

Internal server error. A unified status for API communication type errors.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }