Get Extra Incident Data

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incident_extra_data/

Get extra data fields for a specific incident including alerts and key artifacts.

Note: This API is rate-limited to 10 requests per minute per tenant; exceeding it returns the "Exceeded 10 requests in a 60-second window" response described below.

Required license: Cortex Xpanse Expander

Request headers
authorization String required

API key. It is sent as the raw value of the `authorization` header (no `Bearer` prefix, as the examples show). Treat it as a secret: keep it out of source control, browser-side code and logs.

Example: {{api_key}}
x-xdr-auth-id String required

API key ID identifying which API key the `authorization` header carries.

Example: {{api_key_id}}
CLIENT REQUEST
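# Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} before running. Prefer passing the key
# via an environment variable or a header file rather than on the command line, so it does
# not land in shell history or process listings.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/' \
  -d '{ "request_data" : { "alerts_limit" : 0, "incident_id" : "incident_id" } }'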
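import http.client
import json

# Tenant hostname and credentials; substitute the {{...}} placeholders.
# Load the API key from the environment or a secret store, never from source control.
host = "api-{{fqdn}}"
api_key = "{{api_key}}"
api_key_id = "{{api_key_id}}"

payload = json.dumps({"request_data": {"incident_id": "string", "alerts_limit": 0}})
headers = {
    "authorization": api_key,
    "x-xdr-auth-id": api_key_id,
    "content-type": "application/json",
}

# HTTPSConnection uses the default SSL context, which verifies the server certificate
# against the system trust store; do not pass an unverified context here.
conn = http.client.HTTPSConnection(host, timeout=30)
try:
    # The path must be absolute; the original embedded a URL-encoded template here.
    conn.request("POST", "/public_api/v1/incidents/get_incident_extra_data/", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

# Non-200 replies carry an error object (see the Responses section).
if res.status != 200:
    print("HTTP", res.status, res.reason)
print(data.decode("utf-8"))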
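require 'uri'
require 'net/http'
require 'openssl'

# Substitute the {{...}} placeholders; load the API key from the environment or a
# secret store, never from source control.
url = URI("https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original used VERIFY_NONE, which accepts any
# certificate and would hand the API key to an on-path attacker.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.open_timeout = 10
http.read_timeout = 30

request = Net::HTTP::Post.new(url)
request["authorization"] = '{{api_key}}'
request["x-xdr-auth-id"] = '{{api_key_id}}'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}"

response = http.request(request)
# Non-200 replies carry an error object (see the Responses section).
warn "HTTP #{response.code}" unless response.code == "200"
puts response.read_body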
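// NOTE: an API key embedded in browser-side JavaScript is visible to every user of the page.
// Run this from a server-side component (or a proxy that holds the key) rather than shipping
// the key to the browser. Substitute the {{...}} placeholders before use.
const data = JSON.stringify({
  "request_data": { "incident_id": "string", "alerts_limit": 0 }
});

const xhr = new XMLHttpRequest();
// Authentication is carried by the headers below, so browser cookies are not needed;
// withCredentials is left at its default (false) rather than sending cookies cross-origin.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    if (this.status === 200) {
      console.log(this.responseText);
    } else {
      // Non-200 replies carry an error object (see the Responses section).
      console.error("get_incident_extra_data failed: HTTP " + this.status, this.responseText);
    }
  }
});
xhr.open("POST", "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");
xhr.setRequestHeader("authorization", "{{api_key}}");
xhr.setRequestHeader("x-xdr-auth-id", "{{api_key_id}}");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);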
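// Substitute the {{...}} placeholders; read the API key from configuration or a secret store,
// never from source control.
HttpResponse<String> response = Unirest.post("https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/")
    .header("authorization", "{{api_key}}")
    .header("x-xdr-auth-id", "{{api_key_id}}")
    .header("content-type", "application/json")
    .body("{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}")
    .asString();
// Non-200 replies carry an error object (see the Responses section); do not parse the
// body as incident data in that case.
if (response.getStatus() != 200) {
    throw new IllegalStateException("get_incident_extra_data failed: HTTP " + response.getStatus());
}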
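import Foundation

// Substitute the {{...}} placeholders; load the API key from the Keychain or a secret
// store, never from source control.
let headers = [
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json"
]
let parameters = ["request_data": ["incident_id": "string", "alerts_limit": 0]] as [String : Any]

// JSONSerialization.data(withJSONObject:) is a throwing call; the original omitted `try`,
// which does not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(
    url: URL(string: "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/")!,
    cachePolicy: .useProtocolCachePolicy,
    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) in
    if let error = error {
        print("request failed:", error)
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else { return }
    // Non-200 replies carry an error object (see the Responses section).
    print("HTTP", httpResponse.statusCode)
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
dataTask.resume()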
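<?php
// Substitute the {{...}} placeholders; read the API key from the environment or a secret
// store, never from source control.
$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}",
    CURLOPT_HTTPHEADER => [
        "authorization: {{api_key}}",
        "content-type: application/json",
        "x-xdr-auth-id: {{api_key_id}}"
    ],
    // Certificate verification is libcurl's default; it is spelled out here so nobody
    // "fixes" a TLS error by switching it off and exposing the API key on-path.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status !== 200) {
    // Non-200 replies carry an error object (see the Responses section).
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}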
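/* Substitute the {{...}} placeholders; read the API key from the environment or a secret
 * store, never from source control. */
CURL *hnd = curl_easy_init();
if (hnd != NULL) {
    struct curl_slist *headers = NULL;
    CURLcode ret;

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");

    headers = curl_slist_append(headers, "authorization: {{api_key}}");
    headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}");
    /* Certificate verification is on by default; never set CURLOPT_SSL_VERIFYPEER or
     * CURLOPT_SSL_VERIFYHOST to 0 for this call. */

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
    } else {
        long status = 0;
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        /* Non-200 replies carry an error object (see the Responses section). */
        if (status != 200)
            fprintf(stderr, "get_incident_extra_data returned HTTP %ld\n", status);
    }

    /* Release the header list and the handle; the original leaked both. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}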
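// Substitute the {{...}} placeholders; read the API key from configuration or a secret
// store, never from source control.
var client = new RestClient("https://api-{{fqdn}}/public_api/v1/incidents/get_incident_extra_data/");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "{{api_key}}");
request.AddHeader("x-xdr-auth-id", "{{api_key_id}}");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"incident_id\":\"string\",\"alerts_limit\":0}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// RestSharp does not throw on transport or HTTP errors; non-200 replies carry an error
// object (see the Responses section), so check before using response.Content.
if (!response.IsSuccessful)
{
    throw new InvalidOperationException(
        $"get_incident_extra_data failed: HTTP {(int)response.StatusCode} {response.ErrorMessage}");
}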
Body parameters
required
application/json
request_dataobjectrequired

A dictionary containing the API request fields.

incident_idstring

The ID of the incident for which you want to retrieve extra data.

alerts_limitinteger

The maximum number of related alerts to return in `reply.alerts.data` for the incident.
Default: 1000 (applies when the field is omitted)

Free-Form object
Free-Form object
REQUEST
{ "request_data": { "incident_id": "example", "alerts_limit": 0 } }
Responses

OK

Body
application/json
replyobject
incidentobject
incident_idstring
is_blockedboolean
incident_namestring
creation_timeinteger
modification_timeinteger
detection_timeinteger
statusstring
severitystring
descriptionstring
assigned_user_mailstring
assigned_user_pretty_namestring
alert_countinteger
low_severity_alert_countinteger
med_severity_alert_countinteger
high_severity_alert_countinteger
critical_severity_alert_countinteger
user_countinteger
host_countinteger
notesstring
resolve_commentstring
resolved_timestampinteger
manual_severitystring
manual_descriptionstring
xdr_urlstring
starredboolean
starred_manuallyboolean
hostsarray[string]
incident_sourcesarray[string]
rule_based_scoreinteger
manual_scorenumber
aggregated_scoreinteger
alerts_grouping_statusstring
alert_categoriesarray[string]
original_tagsarray[string]
tagsarray[string]
xpanse_risk_scoreinteger
xpanse_risk_explainerobject
cvesarray
[
cveIdstring
cvssScoreinteger
epssScorenumber
matchTypestring
exploitMaturitystring
reportedExploitInTheWildboolean
mostRecentReportedExploitDatestring
confidencestring
Free-Form object
]
riskFactorsarray
[
attributeIdstring
attributeNamestring
issueTypesarray
[
displayNamestring
issueTypeIdstring
Free-Form object
]
Free-Form object
]
versionMatchedboolean
Free-Form object
cloud_management_statusstring
integration_sourcestring
ipv4_addressesarray[string]
ipv6_addressesarray[string]
domain_namesarray[string]
port_numberinteger
asset_idsarray[string]
ip_range_idsarray[string]
website_idsarray[string]
service_idsarray[string]
last_observedinteger
cloud_providersarray[string]
country_codesarray[string]
certificate_common_namesarray[string]
certificate_issuersarray[string]
Free-Form object
alertsobjectrequired
total_countinteger
dataarray
[
categorystring
projectstring
cloud_providerstring
resource_sub_typestring
resource_typestring
action_countrystring
event_typestring
is_whitelistedboolean
macstring
image_namestring
action_local_ipstring
action_local_portstring
action_external_hostnamestring
action_remote_iparray[string]
action_remote_portinteger
matching_service_rule_idstring
starredboolean
external_idstring
severitystring
matching_statusstring
end_match_attempt_tsstring
local_insert_tsinteger

The UNIX timestamp that this record was written to the database

last_modified_tsinteger

The UNIX timestamp that this record was last modified

case_idinteger
deduplicate_tokensstring
filter_rule_idstring
event_idstring
event_timestampinteger
action_local_ip_v6string
action_remote_ip_v6string
alert_typestring
resolution_statusstring
resolution_commentstring
dynamic_fieldsstring
tagsstring
malicious_urlsstring
asm_alert_categoriesstring
last_observedinteger
country_codesstring
cloud_providersstring
ipv4_addressesstring
ipv6_addressesstring
domain_namesstring
service_idsstring
website_idsstring
asset_idsstring
certificateobject
issuerNamestring
subjectNamestring
validNotBeforeinteger
validNotAfterinteger
serialNumberstring
Free-Form object
port_protocolstring
port_numberinteger
business_unit_hierarchiesarray
[
creation_timeinteger
familystring
family_aliasstring
idstring
is_activeinteger
namestring
parent_idstring
update_timeinteger
Free-Form object
]
attack_surface_rule_namestring
remediation_guidancestring
attack_surface_rule_idstring
asset_identifiersobject
domainstring
certificateobject
issuerNamestring
subjectNamestring
validNotBeforeinteger
validNotAfterinteger
serialNumberstring
Free-Form object
ipv4Addressstring
ipv6Addressstring
httpPathstring
portNumberinteger
portProtocolstring
firstObservedinteger
lastObservedinteger
Free-Form object
alert_idstring
detection_timestampinteger
namestring
endpoint_idstring
descriptionstring
host_ipstring
host_namestring
sourcestring
actionstring
action_prettystring
user_namestring
events_lengthinteger
mitre_tactic_id_and_namestring
mitre_technique_id_and_namestring
cloud_management_statusstring
Free-Form object
]
Free-Form object
network_artifactsobjectrequired
total_countinteger
dataarray[string]
Free-Form object
file_artifactsobjectrequired
total_countinteger
dataarray[string]
Free-Form object
Free-Form object
Free-Form object
RESPONSE
{ "reply": { "incident": { "incident_id": "example", "is_blocked": false, "incident_name": "example", "creation_time": 0, "modification_time": 0, "detection_time": 0, "status": "example", "severity": "example", "description": "example", "assigned_user_mail": "example", "assigned_user_pretty_name": "example", "alert_count": 0, "low_severity_alert_count": 0, "med_severity_alert_count": 0, "high_severity_alert_count": 0, "critical_severity_alert_count": 0, "user_count": 0, "host_count": 0, "notes": "example", "resolve_comment": "example", "resolved_timestamp": 0, "manual_severity": "example", "manual_description": "example", "xdr_url": "example", "starred": false, "starred_manually": false, "hosts": [ "example" ], "incident_sources": [ "example" ], "rule_based_score": 0, "manual_score": 0.1, "aggregated_score": 0, "alerts_grouping_status": "example", "alert_categories": [ "example" ], "original_tags": [ "example" ], "tags": [ "example" ], "xpanse_risk_score": 0, "xpanse_risk_explainer": { "cves": [ { "cveId": "example", "cvssScore": 0, "epssScore": 0.1, "matchType": "example", "exploitMaturity": "example", "reportedExploitInTheWild": false, "mostRecentReportedExploitDate": "example", "confidence": "example" } ], "riskFactors": [ { "attributeId": "example", "attributeName": "example", "issueTypes": [ { "displayName": "example", "issueTypeId": "example" } ] } ], "versionMatched": false }, "cloud_management_status": "example", "integration_source": "example", "ipv4_addresses": [ "example" ], "ipv6_addresses": [ "example" ], "domain_names": [ "example" ], "port_number": 0, "asset_ids": [ "uuid string" ], "ip_range_ids": [ "example" ], "website_ids": [ "example" ], "service_ids": [ "example" ], "last_observed": 0, "cloud_providers": [ "example" ], "country_codes": [ "example" ], "certificate_common_names": [ "example" ], "certificate_issuers": [ "example" ] }, "alerts": { "total_count": 0, "data": [ { "category": "example", "project": "example", "cloud_provider": 
"example", "resource_sub_type": "example", "resource_type": "example", "action_country": "example", "event_type": "example", "is_whitelisted": false, "mac": "example", "image_name": "example", "action_local_ip": "example", "action_local_port": "example", "action_external_hostname": "example", "action_remote_ip": [ "example" ], "action_remote_port": 0, "matching_service_rule_id": "example", "starred": false, "external_id": "example", "severity": "example", "matching_status": "example", "end_match_attempt_ts": "example", "local_insert_ts": 0, "last_modified_ts": 0, "case_id": 0, "deduplicate_tokens": "example", "filter_rule_id": "example", "event_id": "example", "event_timestamp": 0, "action_local_ip_v6": "example", "action_remote_ip_v6": "example", "alert_type": "example", "resolution_status": "example", "resolution_comment": "example", "dynamic_fields": "example", "tags": "example", "malicious_urls": "example", "asm_alert_categories": "example", "last_observed": 0, "country_codes": "example", "cloud_providers": "example", "ipv4_addresses": "example", "ipv6_addresses": "example", "domain_names": "example", "service_ids": "example", "website_ids": "example", "asset_ids": "example", "certificate": { "issuerName": "example", "subjectName": "example", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "example" }, "port_protocol": "example", "port_number": 0, "business_unit_hierarchies": [ { "creation_time": 0, "family": "example", "family_alias": "example", "id": "example", "is_active": 0, "name": "example", "parent_id": "example", "update_time": 0 } ], "attack_surface_rule_name": "example", "remediation_guidance": "example", "attack_surface_rule_id": "example", "asset_identifiers": { "domain": "example", "certificate": { "issuerName": "example", "subjectName": "example", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "example" }, "ipv4Address": "example", "ipv6Address": "example", "httpPath": "example", "portNumber": 0, "portProtocol": "example", 
"firstObserved": 0, "lastObserved": 0 }, "alert_id": "example", "detection_timestamp": 0, "name": "example", "endpoint_id": "example", "description": "example", "host_ip": "example", "host_name": "example", "source": "example", "action": "example", "action_pretty": "example", "user_name": "example", "events_length": 0, "mitre_tactic_id_and_name": "example", "mitre_technique_id_and_name": "example", "cloud_management_status": "example" } ] }, "network_artifacts": { "total_count": 0, "data": [ "example" ] }, "file_artifacts": { "total_count": 0, "data": [ "example" ] } } }

Bad Request (HTTP 400). The request body is not valid JSON.

Body
application/json
replyobject

The query results upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

err_extrastring

Additional information describing the error.

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Unauthorized (HTTP 401). Authentication failed: the API key, the key ID, or another authentication parameter is missing or incorrect. When handling this error, do not write the key value to logs.

Body
application/json
replyobject

The query results upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

err_extrastring

Additional information describing the error.

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Unauthorized access. The tenant does not hold the license type required for this API (Cortex Xpanse Expander).

Body
application/json
replyobject

The query results upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

err_extrastring

Additional information describing the error.

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Forbidden (HTTP 403). The role assigned to the provided API key does not include the RBAC permission required for this API.

Body
application/json
replyobject

The query results upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

err_extrastring

Additional information describing the error.

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }

Unprocessable Entity (HTTP 422). The request body is well-formed JSON but failed validation; see `message` and `errors` in the response body.

Body
application/json
codeinteger

Error code

statusstring

Error name

messagestring

Error message

errorsobject

Errors

RESPONSE
{ "code": 0, "status": "example", "message": "example", "errors": {} }

Rate limit exceeded: more than 10 requests were sent within a 60-second window.

If you get this response, wait at least 60 seconds before retrying, and back off rather than retrying in a tight loop.

Internal server error (HTTP 500). A unified status for API communication-type errors; the body carries the error object described below.

Body
application/json
replyobject

The query results upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

err_extrastring

Additional information describing the error.

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "err_code": "example", "err_msg": "example", "err_extra": "example" } }