POST /public_api/v1/incidents/get_incidents/

Get details for a single incident or a list of incidents filtered by a list of severity or creation time.
- The maximum result set size is >100.
- Offset is the zero-based number of incidents from the start of the result set.
- Multiple filters are combined with an AND condition (OR is not supported).

Note: You can send a request to retrieve either **all** or **filtered** results.
Required license: **Cortex Xpanse Expander**
cURL

```bash
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: {{api_key}}" \
  -H "x-xdr-auth-id: {{api_key_id}}" \
  "https://api-}/public_api/v1/incidents/get_incidents/" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [ {
        "field": "modification_time",
        "value": "IncidentFilter_value",
        "operator": "gte"
      }, {
        "field": "modification_time",
        "value": "IncidentFilter_value",
        "operator": "lte"
      } ],
      "sort": {
        "field": "modification_time",
        "keyword": "desc"
      },
      "search_to": 0
    }
  }'
```
Request headers
- **authorization** (required, String): api-key. Example: `{{api_key}}`
- **x-xdr-auth-id** (required, String): api-key-id. Example: `{{api_key_id}}`
Request body (required)
If no parameters are included, all results will be returned.
- **request_data** (required): A dictionary containing the API request fields. An empty dictionary returns all results.
  - **filters** (optional, Array): Array of filter fields.
    - **field** (optional, String, Enum): Identifies the incident field the filter is matching. Allowed values: `modification_time`, `description`, `creation_time`, `alert_sources`, `incident_id_list`, `status`, `cloud_management_status`, `starred`, `incident_id`, `integration_source`.
    - **operator** (optional, String, Enum): Identifies the comparison operator you want to use for this filter. Valid keywords are:
      - `in`: `incident_id_list`, `alert_sources`, `cloud_management_status`, `description`, `integration_source`
      - `contains`: `description`
      - `gte` / `lte`: `modification_time`, `creation_time` (Integer in timestamp epoch milliseconds)
      - `eq` / `neq`: `status`

      Allowed values: `in`, `contains`, `neq`, `eq`, `lte`, `gte`.
    - **value** (optional): Value that this filter must match. The contents of this field differ depending on the incident field you specified for this filter:
      - `alert_sources`: String
      - `cloud_management_status`: String. Values are `Managed Cloud`, `Unmanaged Cloud`, and `Not Applicable`.
      - `creation_time`: Integer in timestamp epoch milliseconds
      - `description`: String
      - `incident_id_list`: List of strings. Each item in the list must be an incident ID.
      - `integration_source`: List of strings. Valid values: `AWS`, `AZURE`, `GOOGLE`, `PRISMA_CLOUD`
      - `modification_time`: Integer in timestamp epoch milliseconds
      - `status`: Valid values: `new`, `under_investigation`, `resolved`
  - **search_from** (optional, Integer): Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list; any incident indexed lower than this value is not returned in the final result set. Defaults to zero.
  - **search_to** (optional, Integer): Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to >100, which returns all incidents to the end of the list.
  - **sort** (optional, Object): Identifies the sort order for the result set. Default sort is defined as `creation_time`, `DESC`.
    - **field** (optional, String, Enum): Can be `creation_time` or `severity`. Allowed values: `creation_time`, `modification_time`, `incident_id`.
    - **keyword** (optional, String, Enum): Can be either `ASC` (ascending order) or `DESC` (descending order). Allowed values: `ASC`, `asc`, `DESC`, `desc`.
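An added example (not Palo Alto Networks' code) of a client that enforces the field/operator pairs and value types listed above, assembles the `request_data` envelope, and pages through a result set with `search_from`/`search_to`. The base URL, credentials, and the `reply.incidents` response path are assumptions, since this page shows neither the tenant hostname nor the response schema.

```python
import json
from urllib import request
# Operators this page allows for each filter field.
ALLOWED_OPERATORS = {
    "incident_id_list": {"in"}, "alert_sources": {"in"},
    "cloud_management_status": {"in"}, "integration_source": {"in"},
    "description": {"in", "contains"},
    "modification_time": {"gte", "lte"}, "creation_time": {"gte", "lte"},
    "status": {"eq", "neq"},
}
TIME_FIELDS = {"modification_time", "creation_time"}  # epoch milliseconds

def build_filter(field, operator, value):
    """Return one filter dict, rejecting field/operator pairs the page does not allow."""
    if operator not in ALLOWED_OPERATORS.get(field, set()):
        raise ValueError(f"operator {operator!r} is not valid for field {field!r}")
    if field in TIME_FIELDS and not isinstance(value, int):
        raise ValueError(f"{field} expects an integer epoch-millisecond timestamp")
    return {"field": field, "operator": operator, "value": value}

def build_request(filters, search_from=0, search_to=100,
                  sort_field="creation_time", sort_keyword="desc"):
    """Assemble request_data; the API combines all filters with AND."""
    return {"request_data": {"filters": filters, "search_from": search_from,
                             "search_to": search_to,
                             "sort": {"field": sort_field, "keyword": sort_keyword}}}

def post_json(base_url, api_key, api_key_id, body):
    """Send one request. base_url is the tenant API host (placeholder, supplied by caller)."""
    req = request.Request(
        f"{base_url}/public_api/v1/incidents/get_incidents/",
        data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "authorization": api_key, "x-xdr-auth-id": api_key_id})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_incidents(post, filters, page_size=100,
                   extract=lambda r: r["reply"]["incidents"]):
    """Walk the result set in page_size windows using search_from/search_to.
    `post` takes a body and returns parsed JSON; `extract` pulls the incident
    list out of it (the default key path is an assumption: this page does not
    show the response schema). Stops when a page comes back short."""
    start = 0
    while True:
        page = extract(post(build_request(filters, start, start + page_size)))
        yield from page
        if len(page) < page_size:
            return
        start += page_size
```

To run against a tenant, pass `lambda body: post_json(base_url, api_key, api_key_id, body)` as `post`.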
Responses