Get Incidents

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incidents/

Get details for a single incident or a list of incidents filtered by creation time, status, or the other fields listed under filters below.
- Multiple filters are combined with an AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex Xpanse Expander

Request headers
authorization  String, required
  The API key. Example: {{api_key}}
x-xdr-auth-id  String, required
  The API key ID. Example: {{api_key_id}}
Body parameters
request_data  Object, required

A dictionary containing the API request fields. An empty dictionary returns all results.

  filters  Array

  Array of filter fields. Each filter is an object with:

    field  String (Enum)

    Identifies the incident field the filter is matching.

    Allowed values: "modification_time", "description", "creation_time", "alert_sources", "incident_id_list", "status", "cloud_management_status", "starred", "incident_id", "integration_source"

    operator  String (Enum)

    Identifies the comparison operator you want to use for this filter. Valid keywords per field are:
    - in: incident_id_list, alert_sources, cloud_management_status, description, integration_source
    - contains: description
    - gte / lte: modification_time, creation_time (Integer, timestamp in epoch milliseconds)
    - eq / neq: status

    Allowed values: "in", "contains", "neq", "eq", "lte", "gte"

    value  Object

    Value that this filter must match. The contents of this field differ depending on the incident field you specified for this filter:
    - alert_sources: String
    - cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
    - creation_time: Integer, timestamp in epoch milliseconds
    - description: String
    - incident_id_list: List of strings. Each item in the list must be an incident ID.
    - integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
    - modification_time: Integer, timestamp in epoch milliseconds
    - status: Valid values: new, under_investigation, resolved

  search_from  Integer

  Zero-based starting offset within the query result set from which incidents are returned. Incidents indexed lower than this value are not returned. Defaults to 0.

  search_to  Integer

  End offset within the result set after which incidents are not returned. Incidents indexed higher than this value are not returned. Defaults to 100, which returns incidents up to the end of the list or up to the 100-result cap, whichever comes first; to retrieve more than 100 incidents, advance search_from and search_to in windows of at most 100.

  sort  Object

  Identifies the sort order for the result set. Default sort is creation_time, DESC.

    field  String (Enum)

    Allowed values: "creation_time", "modification_time", "incident_id"

    keyword  String (Enum)

    Either ASC (ascending order) or DESC (descending order).

    Allowed values: "ASC", "asc", "DESC", "desc"
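The parameter rules above are easy to get wrong in practice (the wrong operator for a time field, a status value the API does not know, or a loop that stops at the 100-result cap). The following is an added example, not Palo Alto Networks' code: a small client that builds only documented field/operator/value combinations, walks the full result set in windows of 100 (the documented maximum), and raises on any non-200 status. It assumes, since the page does not say so, that search_to is an exclusive end offset and that error responses carry a JSON body; the fake transport and its incidents are constructed so the example runs offline.

```python
"""Added example (not Palo Alto Networks' code): a minimal client for
POST /public_api/v1/incidents/get_incidents/ that validates filters against the
field/operator/value rules in the parameter table and pages through the whole
result set 100 incidents at a time (the documented maximum). Assumed, not stated
on the page: search_to is an exclusive end offset, and error responses are JSON."""
import json
import os
import urllib.error
import urllib.request

PAGE_SIZE = 100  # maximum result set size per request

# field -> (operators the docs allow for it, predicate on the value's shape)
_STR_LIST = lambda v: isinstance(v, list) and all(isinstance(i, str) for i in v)
_EPOCH_MS = lambda v: isinstance(v, int) and not isinstance(v, bool)
FILTER_RULES = {
    "modification_time": ({"gte", "lte"}, _EPOCH_MS),
    "creation_time": ({"gte", "lte"}, _EPOCH_MS),
    "description": ({"in", "contains"}, lambda v: isinstance(v, str)),
    "alert_sources": ({"in"}, lambda v: isinstance(v, str)),
    "cloud_management_status": ({"in"}, lambda v: isinstance(v, str)
                                and v in {"Managed Cloud", "Unmanaged Cloud", "Not Applicable"}),
    "incident_id_list": ({"in"}, _STR_LIST),
    "integration_source": ({"in"}, lambda v: _STR_LIST(v)
                           and set(v) <= {"AWS", "AZURE", "GOOGLE", "PRISMA_CLOUD"}),
    "status": ({"eq", "neq"}, lambda v: isinstance(v, str)
               and v in {"new", "under_investigation", "resolved"}),
}


def make_filter(field, operator, value):
    """Return a filter dict, or raise ValueError if the combination is not one the API documents."""
    if field not in FILTER_RULES:
        raise ValueError(f"no documented operator/value rule for field {field!r}")
    operators, value_ok = FILTER_RULES[field]
    if operator not in operators:
        raise ValueError(f"operator {operator!r} is not valid for {field!r}; use one of {sorted(operators)}")
    if not value_ok(value):
        raise ValueError(f"value {value!r} has the wrong shape for {field!r}")
    return {"field": field, "operator": operator, "value": value}


def is_valid_filter(field, operator, value):
    try:
        make_filter(field, operator, value)
        return True
    except ValueError:
        return False


def build_request(filters, search_from=0, search_to=PAGE_SIZE, sort_field="creation_time", keyword="DESC"):
    """Body for one page. Filters are ANDed by the API; OR is not supported."""
    return {"request_data": {"filters": list(filters), "search_from": search_from,
                             "search_to": search_to, "sort": {"field": sort_field, "keyword": keyword}}}


class ApiError(Exception):
    def __init__(self, status, body):
        super().__init__(f"get_incidents returned HTTP {status}: {body}")
        self.status, self.body = status, body


class XpanseIncidents:
    def __init__(self, fqdn, api_key, api_key_id, transport=None):
        self.url = f"https://api-{fqdn}/public_api/v1/incidents/get_incidents/"
        self.headers = {"authorization": api_key, "x-xdr-auth-id": api_key_id, "content-type": "application/json"}
        self._post = transport or self._http_post  # transport(body) -> (http status, parsed JSON)

    def _http_post(self, body):
        req = urllib.request.Request(self.url, data=json.dumps(body).encode(), headers=self.headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:  # the documented error responses carry a JSON body
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})

    def iter_incidents(self, filters=()):
        offset = 0
        while True:
            status, body = self._post(build_request(filters, offset, offset + PAGE_SIZE))
            if status != 200:
                raise ApiError(status, body)
            reply = body["reply"]
            page = reply.get("incidents") or []
            yield from page
            offset += len(page)  # advance by what was actually returned so a short page never skips incidents
            if not page or offset >= reply.get("total_count", 0):
                return


def make_fake_transport(total):
    """Constructed stand-in for the API (offline): serves `total` synthetic incidents and records each window asked for."""
    incidents = [{"incident_id": str(i), "status": "new"} for i in range(total)]
    calls = []

    def transport(body):
        rd = body["request_data"]
        calls.append((rd["search_from"], rd["search_to"]))
        page = incidents[rd["search_from"]:rd["search_to"]]
        return 200, {"reply": {"total_count": total, "result_count": len(page), "incidents": page}}
    transport.calls = calls
    return transport


if __name__ == "__main__":
    # Real use: the key and key ID come from the environment, never from source control.
    client = XpanseIncidents(os.environ["XPANSE_FQDN"], os.environ["XPANSE_API_KEY"], os.environ["XPANSE_API_KEY_ID"])
    for inc in client.iter_incidents([make_filter("status", "neq", "resolved")]):
        print(inc["incident_id"], inc.get("incident_name"))
```

The loop advances by the number of incidents actually returned rather than by a fixed 100, so it behaves the same whether the server treats search_to as inclusive or exclusive, and it stops on an empty page as well as on total_count, which protects against an endless loop if total_count changes while you page.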
REQUEST BODY
{
  "request_data": {
    "search_from": 0,
    "filters": [
      { "field": "modification_time", "value": "IncidentFilter_value", "operator": "in" },
      { "field": "modification_time", "value": "IncidentFilter_value", "operator": "in" }
    ],
    "sort": { "field": "modification_time", "keyword": "desc" },
    "search_to": 0
  }
}
CLIENT REQUEST
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/' \
  -d '{ "request_data" : { "search_from" : 0, "filters" : [ { "field" : "modification_time", "value" : "IncidentFilter_value", "operator" : "in" }, { "field" : "modification_time", "value" : "IncidentFilter_value", "operator" : "in" } ], "sort" : { "field" : "modification_time", "keyword" : "desc" }, "search_to" : 0 } }'
Python
import http.client
import json

# {{fqdn}} is the tenant API FQDN; {{api_key}} and {{api_key_id}} come from the key created in the console
conn = http.client.HTTPSConnection("api-{{fqdn}}")
payload = json.dumps({
    "request_data": {
        "filters": [{"field": "modification_time", "operator": "in", "value": "string"}],
        "search_from": 0,
        "search_to": 100,
        "sort": {"field": "creation_time", "keyword": "ASC"},
    }
})
headers = {
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json",
}
conn.request("POST", "/public_api/v1/incidents/get_incidents/", payload, headers)
res = conn.getresponse()
data = res.read()
print(res.status, data.decode("utf-8"))
Ruby
require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; VERIFY_NONE would let anyone on the path read the API key and the incident data
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["authorization"] = '{{api_key}}'
request["x-xdr-auth-id"] = '{{api_key_id}}'
request["content-type"] = 'application/json'
request.body = '{"request_data":{"filters":[{"field":"modification_time","operator":"in","value":"string"}],"search_from":0,"search_to":100,"sort":{"field":"creation_time","keyword":"ASC"}}}'

response = http.request(request)
puts response.code
puts response.read_body
JavaScript
const data = JSON.stringify({
  "request_data": {
    "filters": [{ "field": "modification_time", "operator": "in", "value": "string" }],
    "search_from": 0,
    "search_to": 100,
    "sort": { "field": "creation_time", "keyword": "ASC" }
  }
});

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    console.log(this.status, this.responseText);
  }
});
xhr.open("POST", "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
xhr.setRequestHeader("authorization", "{{api_key}}");
xhr.setRequestHeader("x-xdr-auth-id", "{{api_key_id}}");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);
Java
// Imports assume unirest-java 3.x (package kong.unirest)
import kong.unirest.HttpResponse;
import kong.unirest.Unirest;

HttpResponse<String> response = Unirest.post("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")
    .header("authorization", "{{api_key}}")
    .header("x-xdr-auth-id", "{{api_key_id}}")
    .header("content-type", "application/json")
    .body("{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}")
    .asString();
System.out.println(response.getStatus() + " " + response.getBody());
Swift
import Foundation

let headers = [
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json"
]
let parameters = ["request_data": [
    "filters": [[ "field": "modification_time", "operator": "in", "value": "string" ]],
    "search_from": 0,
    "search_to": 100,
    "sort": [ "field": "creation_time", "keyword": "ASC" ]
]] as [String : Any]

// JSONSerialization.data(withJSONObject:) throws, so the call needs try
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")! as URL,
                                  cachePolicy: .useProtocolCachePolicy,
                                  timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    if let error = error {
        print(error)
    } else if let httpResponse = response as? HTTPURLResponse {
        print(httpResponse.statusCode)
        if let data = data, let body = String(data: data, encoding: .utf8) { print(body) }
    }
})
dataTask.resume()
PHP
<?php
$curl = curl_init();
curl_setopt_array($curl, [
  CURLOPT_URL => "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}",
  CURLOPT_HTTPHEADER => [
    "authorization: {{api_key}}",
    "content-type: application/json",
    "x-xdr-auth-id: {{api_key_id}}"
  ],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
C
#include <stdio.h>
#include <curl/curl.h>

int main(void) {
    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL *hnd = curl_easy_init();
    if (!hnd) return 1;
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "authorization: {{api_key}}");
    headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS,
        "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],"
        "\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}");
    CURLcode ret = curl_easy_perform(hnd);  /* response body goes to stdout by default */
    if (ret != CURLE_OK)
        fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(ret));
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
    curl_global_cleanup();
    return ret == CURLE_OK ? 0 : 1;
}
C#
using RestSharp;

// RestSharp pre-107 API (Method.POST, IRestResponse), as in the original sample
var client = new RestClient("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "{{api_key}}");
request.AddHeader("x-xdr-auth-id", "{{api_key_id}}");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json",
    "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}",
    ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
Responses

Successful response

Body
reply  Object, required
  total_count  Integer
  result_count  Integer
  incidents  Array of objects, each with:
    incident_id  String
    is_blocked  Boolean
    incident_name  String
    creation_time  Integer
    modification_time  Integer
    detection_time  Integer
    status  String
    severity  String
    description  String
    assigned_user_mail  String
    assigned_user_pretty_name  String
    alert_count  Integer
    low_severity_alert_count  Integer
    med_severity_alert_count  Integer
    high_severity_alert_count  Integer
    critical_severity_alert_count  Integer
    user_count  Integer
    host_count  Integer
    notes  String
    resolve_comment  String
    resolved_timestamp  Integer
    manual_severity  String
    manual_description  String
    xdr_url  String
    starred  Boolean
    starred_manually  Boolean
    hosts  Array[string]
    incident_sources  Array[string]
    rule_based_score  Integer
    manual_score  Number
    aggregated_score  Integer
    alerts_grouping_status  String
    alert_categories  Array[string]
    original_tags  Array[string]
    tags  Array[string]
    xpanse_risk_score  Integer
    xpanse_risk_explainer  Object
      cves  Array of objects, each with:
        cveId  String
        cvssScore  Integer
        epssScore  Number
        matchType  String
        exploitMaturity  String
        reportedExploitInTheWild  Boolean
        mostRecentReportedExploitDate  String
        confidence  String
      riskFactors  Array of objects, each with:
        attributeId  String
        attributeName  String
        issueTypes  Array of objects, each with:
          displayName  String
          issueTypeId  String
      versionMatched  Boolean
    cloud_management_status  String
    integration_source  String
    ipv4_addresses  Array[string]
    ipv6_addresses  Array[string]
    domain_names  Array[string]
    port_number  Integer
    asset_ids  Array[string]
    ip_range_ids  Array[string]
    website_ids  Array[string]
    service_ids  Array[string]
    last_observed  Integer
    cloud_providers  Array[string]
    country_codes  Array[string]
    certificate_common_names  Array[string]
    certificate_issuers  Array[string]
  restricted_incident_ids  Array[string]
RESPONSE
{
  "reply": {
    "total_count": 0,
    "result_count": 0,
    "incidents": [
      {
        "incident_id": "incident_id_example",
        "is_blocked": false,
        "incident_name": "incident_name_example",
        "creation_time": 0,
        "modification_time": 0,
        "detection_time": 0,
        "status": "status_example",
        "severity": "severity_example",
        "description": "description_example",
        "assigned_user_mail": "assigned_user_mail_example",
        "assigned_user_pretty_name": "assigned_user_pretty_name_example",
        "alert_count": 0,
        "low_severity_alert_count": 0,
        "med_severity_alert_count": 0,
        "high_severity_alert_count": 0,
        "critical_severity_alert_count": 0,
        "user_count": 0,
        "host_count": 0,
        "notes": "notes_example",
        "resolve_comment": "resolve_comment_example",
        "resolved_timestamp": 0,
        "manual_severity": "manual_severity_example",
        "manual_description": "manual_description_example",
        "xdr_url": "xdr_url_example",
        "starred": false,
        "starred_manually": false,
        "hosts": ["hosts_example"],
        "incident_sources": ["incident_sources_example"],
        "rule_based_score": 0,
        "manual_score": 0.0,
        "aggregated_score": 0,
        "alerts_grouping_status": "alerts_grouping_status_example",
        "alert_categories": ["alert_categories_example"],
        "original_tags": ["original_tags_example"],
        "tags": ["tags_example"],
        "xpanse_risk_score": 0,
        "xpanse_risk_explainer": {
          "cves": [
            {
              "cveId": "cveId_example",
              "cvssScore": 0,
              "epssScore": 0.0,
              "matchType": "matchType_example",
              "exploitMaturity": "exploitMaturity_example",
              "reportedExploitInTheWild": false,
              "mostRecentReportedExploitDate": "mostRecentReportedExploitDate_example",
              "confidence": "confidence_example"
            }
          ],
          "riskFactors": [
            {
              "attributeId": "attributeId_example",
              "attributeName": "attributeName_example",
              "issueTypes": [
                { "displayName": "displayName_example", "issueTypeId": "issueTypeId_example" }
              ]
            }
          ],
          "versionMatched": false
        },
        "cloud_management_status": "cloud_management_status_example",
        "integration_source": "integration_source_example",
        "ipv4_addresses": ["ipv4_addresses_example"],
        "ipv6_addresses": ["ipv6_addresses_example"],
        "domain_names": ["domain_names_example"],
        "port_number": 0,
        "asset_ids": ["asset_ids_example"],
        "ip_range_ids": ["ip_range_ids_example"],
        "website_ids": ["website_ids_example"],
        "service_ids": ["service_ids_example"],
        "last_observed": 0,
        "cloud_providers": ["cloud_providers_example"],
        "country_codes": ["country_codes_example"],
        "certificate_common_names": ["certificate_common_names_example"],
        "certificate_issuers": ["certificate_issuers_example"]
      }
    ],
    "restricted_incident_ids": ["restricted_incident_ids_example"]
  }
}
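The xpanse_risk_explainer block is the part of the response most worth reading programmatically: it tells you whether an exposed service matches a CVE that is reported exploited in the wild and how likely exploitation is (EPSS). The following is an added example, not Palo Alto Networks' code, that ranks a page of incidents using only fields the response schema lists (reportedExploitInTheWild, epssScore, cvssScore, xpanse_risk_score, status). The incidents are constructed sample data, and the ordering (in-the-wild exploitation first, then EPSS, then the Xpanse risk score, then CVSS) is this example's choice rather than an Xpanse rule. It tolerates a null explainer and missing CVE fields, which the schema allows.

```python
"""Added example (not Palo Alto Networks' code): triage ordering for incidents
returned by get_incidents, driven by xpanse_risk_explainer. The weighting is
this example's choice, not an Xpanse rule; SAMPLE_INCIDENTS is constructed."""


def cve_evidence(incident):
    """Summarise the CVE list as (any reported in-the-wild exploitation, highest EPSS, highest CVSS).
    The schema lists cvssScore as Integer, but CVSS base scores are decimals; both compare fine here."""
    explainer = incident.get("xpanse_risk_explainer") or {}  # explainer may be null
    cves = explainer.get("cves") or []
    in_the_wild = any(c.get("reportedExploitInTheWild") for c in cves)
    max_epss = max((c.get("epssScore") or 0.0 for c in cves), default=0.0)
    max_cvss = max((c.get("cvssScore") or 0 for c in cves), default=0)
    return in_the_wild, max_epss, max_cvss


def triage_key(incident):
    """Sort key: exploited-in-the-wild beats everything, then EPSS, then Xpanse risk score, then CVSS."""
    in_the_wild, epss, cvss = cve_evidence(incident)
    return (in_the_wild, epss, incident.get("xpanse_risk_score") or 0, cvss)


def prioritize(incidents, skip_resolved=True):
    """Return incident_ids ordered most urgent first; resolved incidents are dropped unless asked for."""
    pool = [i for i in incidents if not (skip_resolved and i.get("status") == "resolved")]
    return [i["incident_id"] for i in sorted(pool, key=triage_key, reverse=True)]


# Constructed sample data shaped like the response above (placeholder CVE ids, not real advisories)
SAMPLE_INCIDENTS = [
    {"incident_id": "A", "status": "new", "xpanse_risk_score": 90,
     "xpanse_risk_explainer": {"cves": [{"cveId": "CVE-0000-0001", "cvssScore": 9.8,
                                         "epssScore": 0.20, "reportedExploitInTheWild": False}]}},
    {"incident_id": "B", "status": "under_investigation", "xpanse_risk_score": 40,
     "xpanse_risk_explainer": {"cves": [{"cveId": "CVE-0000-0002", "cvssScore": 7.5,
                                         "epssScore": 0.90, "reportedExploitInTheWild": True}]}},
    {"incident_id": "C", "status": "new", "xpanse_risk_score": 95, "xpanse_risk_explainer": None},
    {"incident_id": "D", "status": "resolved", "xpanse_risk_score": 99,
     "xpanse_risk_explainer": {"cves": [{"cveId": "CVE-0000-0003", "cvssScore": 10,
                                         "epssScore": 0.97, "reportedExploitInTheWild": True}]}},
]

if __name__ == "__main__":
    for incident_id in prioritize(SAMPLE_INCIDENTS):
        print(incident_id)
```

Note that incident B, with the lowest xpanse_risk_score in the sample, sorts first because its CVE is reported exploited in the wild; a ranking on xpanse_risk_score alone would have buried it.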

Bad Request. Got an invalid JSON.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unprocessable Entity

Body
codeInteger

Error code

statusString

Error name

messageString

Error message

errorsObject

Errors

RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Internal server error. A unified status for API communication type errors.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }