Get details for a single incident, or for a list of incidents filtered by severity or creation time. - Multiple filters are combined with an AND condition (OR is not supported).
- The maximum result set size is 100; use search_from / search_to to page through larger result sets.
- Offset is the zero-based number of incidents from the start of the result set.
Note: You can send a request to retrieve either all or filtered results.
Required license: Cortex Xpanse Expander
authorization
String
required
{{api_key}}
x-xdr-auth-id
String
required
{{api_key_id}}
request_dataObject
A dictionary containing the API request fields. An empty dictionary returns all results.
filtersArray
Array of filter fields.
fieldString (Enum)
Identifies the incident field the filter is matching.
operatorString (Enum)
Identifies the comparison operator you want to use for this filter. Valid operator / field combinations are:
- in: incident_id_list, alert_sources, cloud_management_status, description, integration_source
- contains: description
- gte / lte: modification_time, creation_time (integer in timestamp epoch milliseconds)
- eq / neq: status
valueObject
Value that this filter must match. The contents of this field differ depending on the incident field you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
search_fromInteger
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list; any incident indexed lower than this value is not returned in the final result set. Defaults to zero.
search_toInteger
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to 100, the maximum result set size; to retrieve more incidents, page by advancing search_from.
sortObject
Identifies the sort order for the result set. The default sort is creation_time, DESC.
fieldString (Enum)
Can be creation_time or severity.
keywordString (Enum)
Can be either ASC (ascending order) or DESC (descending order).
{
"request_data": {
"search_from": 0,
"filters": [
{
"field": "modification_time",
"value": "IncidentFilter_value",
"operator": "in"
},
{
"field": "modification_time",
"value": "IncidentFilter_value",
"operator": "in"
}
],
"sort": {
"field": "modification_time",
"keyword": "desc"
},
"search_to": 0
}
}
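# Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
# The API key is a secret: prefer exporting it in the environment (e.g. -H "authorization: $XDR_API_KEY")
# over pasting it on the command line, where it lands in shell history and process listings.
# Filters are ANDed. modification_time / creation_time take gte or lte with an integer
# epoch-millisecond value; 0 matches every incident. search_to is capped at 100 (page with search_from).
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/' \
  -d '{
    "request_data": {
      "search_from": 0,
      "search_to": 100,
      "filters": [
        {
          "field": "modification_time",
          "operator": "gte",
          "value": 0
        }
      ],
      "sort": {
        "field": "creation_time",
        "keyword": "DESC"
      }
    }
  }'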
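import http.client
import json

# Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
# The API key is a secret: load it from the environment or a secret store in
# real code rather than committing it in source.
API_HOST = "api-{{fqdn}}"
API_PATH = "/public_api/v1/incidents/get_incidents/"

# Filters are ANDed. modification_time / creation_time take gte or lte with an
# integer epoch-millisecond value; 0 matches every incident.
request_body = {
    "request_data": {
        "filters": [
            {"field": "modification_time", "operator": "gte", "value": 0},
        ],
        "search_from": 0,
        "search_to": 100,  # maximum page size; advance search_from for more
        "sort": {"field": "creation_time", "keyword": "ASC"},
    }
}
headers = {
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate by default. Do not pass an
# unverified SSL context here: that would expose the API key to a man-in-the-middle.
conn = http.client.HTTPSConnection(API_HOST)
try:
    conn.request("POST", API_PATH, json.dumps(request_body), headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

# Fail loudly on a non-2xx status instead of printing an error body as if it were data.
if not 200 <= res.status < 300:
    raise RuntimeError(
        "get_incidents failed: HTTP %d %s: %s"
        % (res.status, res.reason, data.decode("utf-8", "replace"))
    )
print(data.decode("utf-8"))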
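require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
# The API key is a secret: load it from the environment or a secret store in
# real code rather than committing it in source.
url = URI("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")

# Filters are ANDed. modification_time / creation_time take gte or lte with an
# integer epoch-millisecond value; 0 matches every incident.
request_body = {
  request_data: {
    filters: [
      { field: 'modification_time', operator: 'gte', value: 0 }
    ],
    search_from: 0,
    search_to: 100, # maximum page size; advance search_from for more
    sort: { field: 'creation_time', keyword: 'ASC' }
  }
}

request = Net::HTTP::Post.new(url)
request['authorization'] = '{{api_key}}'
request['x-xdr-auth-id'] = '{{api_key_id}}'
request['content-type'] = 'application/json'
request.body = JSON.generate(request_body)

# Verify the server certificate (VERIFY_PEER is also Net::HTTP's default).
# Never use VERIFY_NONE here: it lets a man-in-the-middle read the API key
# from the request headers.
response = Net::HTTP.start(url.host, url.port,
                           use_ssl: true,
                           verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
  http.request(request)
end

# Fail loudly on a non-2xx status instead of printing an error body as if it were data.
unless response.is_a?(Net::HTTPSuccess)
  raise "get_incidents failed: HTTP #{response.code} #{response.message}: #{response.body}"
end
puts response.body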
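// Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
// NOTE: this is a server-to-server API. Do not ship the API key in browser code —
// anyone who can load the page can read it. Run this from a backend (Node 18+
// has global fetch) and load the key from the environment or a secret store.
// Cookies play no part in authentication (the two headers do), so no
// credentialed cross-origin request is needed.
const API_URL = "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/";

// Filters are ANDed. modification_time / creation_time take gte or lte with an
// integer epoch-millisecond value; 0 matches every incident.
const requestBody = {
  request_data: {
    filters: [
      { field: "modification_time", operator: "gte", value: 0 },
    ],
    search_from: 0,
    search_to: 100, // maximum page size; advance search_from for more
    sort: { field: "creation_time", keyword: "ASC" },
  },
};

/**
 * POST an incident query to get_incidents and return the decoded JSON reply.
 * @param {object} body - request payload in the shape of requestBody above
 * @returns {Promise<object>} parsed response body
 * @throws {Error} on a non-2xx status, carrying the status and response text
 */
async function getIncidents(body) {
  const response = await fetch(API_URL, {
    method: "POST",
    headers: {
      authorization: "{{api_key}}",
      "x-xdr-auth-id": "{{api_key_id}}",
      "content-type": "application/json",
    },
    body: JSON.stringify(body),
  });
  if (!response.ok) {
    // Surface the error body; an error reply must not be mistaken for incident data.
    throw new Error(`get_incidents failed: HTTP ${response.status} ${await response.text()}`);
  }
  return response.json();
}

getIncidents(requestBody)
  .then((incidents) => console.log(JSON.stringify(incidents, null, 2)))
  .catch((err) => console.error(err));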
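// Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
// The API key is a secret: load it from the environment or a secret store, not a string literal.
// Filters are ANDed. modification_time / creation_time take gte or lte with an integer
// epoch-millisecond value; 0 matches every incident. search_to is capped at 100.
HttpResponse<String> response = Unirest.post("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")
    .header("authorization", "{{api_key}}")
    .header("x-xdr-auth-id", "{{api_key_id}}")
    .header("content-type", "application/json")
    .body("{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"gte\",\"value\":0}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}")
    .asString();
// Unirest does not throw on HTTP errors; fail loudly instead of treating an error body as data.
if (response.getStatus() < 200 || response.getStatus() >= 300) {
    throw new IllegalStateException(
        "get_incidents failed: HTTP " + response.getStatus() + ": " + response.getBody());
}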
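import Foundation

// Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
// The API key is a secret: load it from the keychain or environment rather than
// a string literal in source.
let headers = [
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json"
]

// Filters are ANDed. modification_time / creation_time take gte or lte with an
// integer epoch-millisecond value; 0 matches every incident.
let parameters: [String: Any] = ["request_data": [
    "filters": [
        ["field": "modification_time", "operator": "gte", "value": 0]
    ],
    "search_from": 0,
    "search_to": 100, // maximum page size; advance search_from for more
    "sort": ["field": "creation_time", "keyword": "ASC"]
]]
// JSONSerialization.data(withJSONObject:options:) throws, so it needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared validates the server certificate by default; do not attach a
// delegate that accepts arbitrary server trust, or the API key can be intercepted.
let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print("get_incidents request failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("get_incidents: unexpected non-HTTP response")
        return
    }
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    // Fail loudly on a non-2xx status instead of printing an error body as if it were data.
    guard (200...299).contains(httpResponse.statusCode) else {
        print("get_incidents failed: HTTP \(httpResponse.statusCode) \(body)")
        return
    }
    print(body)
}
dataTask.resume()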
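<?php
// Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
// The API key is a secret: load it from the environment or a secret store, not a literal.
$url = "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/";

// Filters are ANDed. modification_time / creation_time take gte or lte with an
// integer epoch-millisecond value; 0 matches every incident.
$requestBody = [
    "request_data" => [
        "filters" => [
            ["field" => "modification_time", "operator" => "gte", "value" => 0],
        ],
        "search_from" => 0,
        "search_to" => 100, // maximum page size; advance search_from for more
        "sort" => ["field" => "creation_time", "keyword" => "ASC"],
    ],
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    // Certificate verification is curl's default; it is set explicitly so that
    // nobody "fixes" a TLS error by turning it off and exposing the API key.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => json_encode($requestBody),
    CURLOPT_HTTPHEADER => [
        "authorization: {{api_key}}",
        "content-type: application/json",
        "x-xdr-auth-id: {{api_key_id}}",
    ],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

if ($response === false || $err !== "") {
    echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
    // Fail loudly on a non-2xx status instead of printing an error body as if it were data.
    echo "get_incidents failed: HTTP " . $status . " " . $response;
} else {
    echo $response;
}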
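/* Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
 * The API key is a secret: read it from the environment or a secret store, not a literal. */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;
if (hnd != NULL) {
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
    /* Peer and host verification are libcurl's defaults; set explicitly so a TLS
     * error is never "fixed" by disabling them and exposing the API key. */
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 2L);
    headers = curl_slist_append(headers, "authorization: {{api_key}}");
    headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* Filters are ANDed. modification_time / creation_time take gte or lte with an
     * integer epoch-millisecond value; 0 matches every incident. search_to is capped at 100. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS,
                     "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"gte\",\"value\":0}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}");
    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "get_incidents request failed: %s\n", curl_easy_strerror(ret));
    } else {
        /* curl_easy_perform succeeds on any HTTP status; check it explicitly. */
        long status = 0;
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        if (status < 200 || status >= 300) {
            fprintf(stderr, "get_incidents failed: HTTP %ld\n", status);
        }
    }
    /* Release the header list and the handle whether or not the request succeeded. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
} else {
    fprintf(stderr, "curl_easy_init failed\n");
}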
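// Substitute {{fqdn}}, {{api_key}} and {{api_key_id}} with your tenant values.
// The API key is a secret: load it from the environment or a secret store, not a literal.
var client = new RestClient("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "{{api_key}}");
request.AddHeader("x-xdr-auth-id", "{{api_key_id}}");
request.AddHeader("content-type", "application/json");
// Filters are ANDed. modification_time / creation_time take gte or lte with an integer
// epoch-millisecond value; 0 matches every incident. search_to is capped at 100.
request.AddParameter("application/json",
    "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"gte\",\"value\":0}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}",
    ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// RestSharp does not throw on transport failures or HTTP error statuses; check both
// so an error body is never mistaken for incident data.
if (response.ErrorException != null)
{
    throw new InvalidOperationException("get_incidents request failed", response.ErrorException);
}
int statusCode = (int)response.StatusCode;
if (statusCode < 200 || statusCode >= 300)
{
    throw new InvalidOperationException("get_incidents failed: HTTP " + statusCode + ": " + response.Content);
}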