Get Incidents

post /public_api/v1/incidents/get_incidents

- The maximum result set size is >100.
- Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either **all** or **filtered** results.

Required license: **Cortex Xpanse Expander**

Get details for a single incident or a list of incidents filtered by a list of severity or creation time. - The response is concatenated using AND condition (OR is not supported).

CURL

  curl -X POST \

-H "Accept: application/json" \
 -H "Content-Type: application/json" -H "authorization: authorization_example" -H "x-xdr-auth-id: xXdrAuthId_example" \
"https://api-yourfqdn/public_api/v1/incidents/get_incidents" \
 -d '{
  "request_data" : {
    "search_from" : 0,
    "next_page_token" : "next_page_token",
    "filters" : [ {
      "field" : "incident_id_list",
      "value" : [ "value", "value" ],
      "operator" : "operator"
    }, {
      "field" : "incident_id_list",
      "value" : [ "value", "value" ],
      "operator" : "operator"
    } ],
    "sort" : {
      "field" : "severity",
      "keyword" : "ASC"
    },
    "search_to" : 6,
    "use_page_token" : true
  }
}'
  

Request headers

authorization

required

String

api-key

Example: authorization_example

x-xdr-auth-id

required

String

api-key-id

Example: xXdrAuthId_example

Request

Body

optional

If no parameters are included, all results will be returned.

Example: {"request_data":{}}

request_data

required

A dictionary containing the API request fields. An empty dictionary returns all results.

filters

optional

Array

Array of filter fields.

field

optional

String (Enum)

Identifies the incident field the filter is matching. Filters are based on the following keywords:

alert_sources
cloud_management_status
creation_time
description
incident_id_list
modification_time
status

Allowed values:

incident_id_list

operator

optional

String

Identifies the comparison operator you want to use for this filter. Valid keywords are:

in: incident_id_list, alert_sources, cloud_management_status, description
contains: description
gte / lte: modification_time, creation_time: Integer in timestamp epoch milliseconds
eq / nqe: status

value

optional

Array of strings

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

alert_sources: String
cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
creation_time: Integer in timestamp epoch milliseconds
description: String
incident_id_list: List of strings. Each item in the list must be an incident ID.
modification_time: Integer in timestamp epoch milliseconds
status: Valid values: new, under_investigation, resolved

search_from

optional

Integer

Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list. Any incident indexed less than this value is not returned in the final result set and defaults to zero.

search_to

optional

Integer

Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final results set. Defaults to >100, which returns all incidents to the end of the list.

sort

optional

Identifies the sort order for the result set. Default sort is defined as creation_time, DESC.

field

optional

String (Enum)

Can be creation_time or severity.

Allowed values:

severity

creation_time

keyword

optional

String (Enum)

Can either be ASC (ascending order) or DESC (descending order).

Allowed values:

ASC

DESC

use_page_token

optional

Boolean

Use "use_page_token":true in the initial request to paginate the response data. Sort is not supported when using the use_page_token/next_page_token fields.

next_page_token

optional

String

If "use_page_token":true was included in the initial request, the response for that request will include a page token. Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.

Responses

Successful response

Body

total_count

optional

Integer

result_count

optional

Integer

incidents

optional

Array

incident_id

optional

String

incident_name

optional

String

creation_time

optional

Integer

modification_time

optional

Integer

detection_time

optional

Integer

status

optional

String

severity

optional

String

description

optional

String

assigned_user_mail

optional

String

assigned_user_pretty_name

optional

String

alert_count

optional

Integer

low_severity_alert_count

optional

Integer

med_severity_alert_count

optional

Integer

high_severity_alert_count

optional

Integer

critical_severity_alert_count

optional

Integer

user_count

optional

Integer

host_count

optional

Integer

notes

optional

String

resolve_comment

optional

String

resolved_timestamp

optional

Integer

manual_severity

optional

String

manual_description

optional

String

xdr_url

optional

String

starred

optional

Boolean

hosts

optional

Array of objects

incident_sources

optional

Array of strings

alerts_grouping_status

optional

String

alert_categories

optional

String

original_tags

optional

Array of objects