POST /public_api/v1/incidents/get_incidents

Get details for a single incident or a list of incidents filtered by severity or creation time.
- Multiple filters are combined with an AND condition (OR is not supported).
- The maximum result set size is >100.
- Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either **all** or **filtered** results.

Required license: **Cortex Xpanse Expander**
cURL

```shell
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: authorization_example" \
  -H "x-xdr-auth-id: xXdrAuthId_example" \
  "https://api-yourfqdn/public_api/v1/incidents/get_incidents" \
  -d '{
    "request_data": {
      "search_from": 0,
      "next_page_token": "next_page_token",
      "filters": [
        {
          "field": "incident_id_list",
          "value": [ "value", "value" ],
          "operator": "operator"
        },
        {
          "field": "incident_id_list",
          "value": [ "value", "value" ],
          "operator": "operator"
        }
      ],
      "sort": {
        "field": "severity",
        "keyword": "ASC"
      },
      "search_to": 6,
      "use_page_token": true
    }
  }'
```
Request headers

| Header | Required | Type | Description | Example |
|---|---|---|---|---|
| authorization | required | String | api-key | authorization_example |
| x-xdr-auth-id | required | String | api-key-id | xXdrAuthId_example |
Request body (optional)

If no parameters are included, all results will be returned.

Example:
```json
{"request_data":{}}
```

**request_data** (required)
A dictionary containing the API request fields. An empty dictionary returns all results.

**filters** (optional, Array)
Array of filter fields. Each filter item has the sub-fields `field`, `operator` and `value` described next.
**filters[].field** (optional, String (Enum))
Identifies the incident field the filter is matching. Filters are based on the following keywords:
- alert_sources
- cloud_management_status
- creation_time
- description
- incident_id_list
- modification_time
- status

Allowed values: incident_id_list
**filters[].operator** (optional, String)
Identifies the comparison operator you want to use for this filter. Valid keywords, with the fields each applies to, are:
- in: incident_id_list, alert_sources, cloud_management_status, description
- contains: description
- gte / lte: modification_time, creation_time (Integer in timestamp epoch milliseconds)
- eq / neq: status
**filters[].value** (optional, Array of strings)
Value that this filter must match. The contents of this field differ depending on the incident field you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
**search_from** (optional, Integer)
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list; any incident indexed lower than this value is not returned in the final result set. Defaults to zero.

**search_to** (optional, Integer)
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents indexed higher than this value are not returned in the final result set. Defaults to >100, which returns all incidents to the end of the list.
**sort** (optional)
Identifies the sort order for the result set. Default sort is creation_time, DESC.

**sort.field** (optional, String (Enum))
Can be creation_time or severity. Allowed values: severity, creation_time

**sort.keyword** (optional, String (Enum))
Can be either ASC (ascending order) or DESC (descending order). Allowed values: ASC, DESC
**use_page_token** (optional, Boolean)
Use `"use_page_token":true` in the initial request to paginate the response data. Sort is not supported when using the use_page_token/next_page_token fields.

**next_page_token** (optional, String)
If `"use_page_token":true` was included in the initial request, the response for that request will include a page token. Use `"next_page_token":"string"` to pass that page token into the next request to paginate the next set of data.
Responses