Get Incidents

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incidents

- The maximum result set size is >100.
- Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either **all** or **filtered** results.

Required license: **Cortex Xpanse Expander**

Get details for a single incident or a list of incidents filtered by a list of severities or by creation time. Multiple filters are combined with an AND condition (OR is not supported).

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: authorization_example" \
  -H "x-xdr-auth-id: xXdrAuthId_example" \
  "https://api-yourfqdn/public_api/v1/incidents/get_incidents" \
  -d '{
    "request_data": {
      "search_from": 0,
      "next_page_token": "next_page_token",
      "filters": [
        { "field": "incident_id_list", "value": [ "value", "value" ], "operator": "operator" },
        { "field": "incident_id_list", "value": [ "value", "value" ], "operator": "operator" }
      ],
      "sort": { "field": "severity", "keyword": "ASC" },
      "search_to": 6,
      "use_page_token": true
    }
  }'
Request headers
authorization
required
String
api-key
Example: authorization_example
x-xdr-auth-id
required
String
api-key-id
Example: xXdrAuthId_example
Request
Body
optional
If no parameters are included, all results will be returned.
Example: {"request_data":{}}
request_data
required
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
Array of filter fields.
field
optional
String (Enum)

Identifies the incident field the filter is matching. Filters are based on the following keywords:

  • alert_sources
  • cloud_management_status
  • creation_time
  • description
  • incident_id_list
  • modification_time
  • status
Allowed values:
incident_id_list
operator
optional
String

Identifies the comparison operator you want to use for this filter. Valid keywords are:

  • in: incident_id_list, alert_sources, cloud_management_status, description
  • contains: description
  • gte / lte: modification_time, creation_time (the value is an integer timestamp in epoch milliseconds)
  • eq / neq: status
value
optional
Array of strings

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

  • alert_sources: String
  • cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
  • creation_time: Integer in timestamp epoch milliseconds
  • description: String
  • incident_id_list: List of strings. Each item in the list must be an incident ID.
  • modification_time: Integer in timestamp epoch milliseconds
  • status: Valid values: new, under_investigation, resolved
search_from
optional
Integer
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list. Any incident indexed lower than this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to >100, which returns all incidents to the end of the list.
sort
optional
Identifies the sort order for the result set. Default sort is defined as creation_time, DESC.
field
optional
String (Enum)
Can be creation_time or severity.
Allowed values:
severity
creation_time
keyword
optional
String (Enum)
Can either be ASC (ascending order) or DESC (descending order).
Allowed values:
ASC
DESC
use_page_token
optional
Boolean
Use "use_page_token":true in the initial request to paginate the response data. Sort is not supported when using the use_page_token/next_page_token fields.
next_page_token
optional
String
If "use_page_token":true was included in the initial request, the response for that request will include a page token. Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.
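As an added example that is not part of the Cortex Xpanse documentation or its client libraries, the following Python builds the request_data body described above, checks each filter against the documented field/operator pairs, and walks a paginated result set with use_page_token / next_page_token. It assumes the reply carries the page token under a key named next_page_token (the page does not name the response field) and uses a constructed fake transport in place of the real endpoint so it runs offline.

```python
from typing import Callable, Dict, List

# Added example, not Cortex Xpanse client code: builds the request_data body
# documented above and pages with use_page_token / next_page_token. Assumed:
# the reply carries the token under "next_page_token" (the page does not name
# that field); "post" is any callable that sends the body and returns the JSON.
ALLOWED_OPERATORS = {  # operators the page allows per field; filters are ANDed
    "incident_id_list": {"in"}, "alert_sources": {"in"}, "status": {"eq", "neq"},
    "cloud_management_status": {"in"}, "description": {"in", "contains"},
    "creation_time": {"gte", "lte"}, "modification_time": {"gte", "lte"},
}

def make_filter(field: str, operator: str, value) -> Dict:
    """Reject field/operator pairs and time values the page documents as invalid."""
    if operator not in ALLOWED_OPERATORS.get(field, set()):
        raise ValueError(f"{operator!r} is not valid for {field!r}")
    if field.endswith("_time") and not isinstance(value, int):
        raise ValueError(f"{field} expects epoch milliseconds as an integer")
    return {"field": field, "operator": operator, "value": value}

def build_request(filters, search_from=0, search_to=100, sort=None, page_token=None, use_page_token=False):
    """Assemble request_data; sort cannot be combined with page tokens."""
    if sort and (use_page_token or page_token):
        raise ValueError("sort is not supported with use_page_token/next_page_token")
    data = {"filters": filters, "search_from": search_from, "search_to": search_to,
            "use_page_token": use_page_token}
    if sort:
        data["sort"] = sort
    if page_token:
        data["next_page_token"] = page_token
    return {"request_data": data}

def fetch_all(post: Callable[[Dict], Dict], filters: List[Dict]) -> List[Dict]:
    """First call sets use_page_token; each later call passes the returned token."""
    incidents, token = [], None
    while True:
        reply = post(build_request(filters, use_page_token=True, page_token=token))
        incidents.extend(reply.get("incidents", []))
        token = reply.get("next_page_token")  # assumed reply key
        if not token:
            return incidents

def fake_post(all_incidents: List[Dict], page_size: int) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the endpoint so the example runs offline."""
    def post(body: Dict) -> Dict:
        start = int(body["request_data"].get("next_page_token") or 0)
        page = all_incidents[start:start + page_size]
        reply = {"total_count": len(all_incidents), "result_count": len(page), "incidents": page}
        if start + page_size < len(all_incidents):
            reply["next_page_token"] = str(start + page_size)
        return reply
    return post
```

To call the real endpoint, pass a function that POSTs the body with the authorization and x-xdr-auth-id headers shown in the CURL sample and returns the decoded JSON reply.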
Responses

Successful response

Body
total_count
optional
Integer
result_count
optional
Integer
incidents
optional
Array
incident_id
optional
String
incident_name
optional
String
creation_time
optional
Integer
modification_time
optional
Integer
detection_time
optional
Integer
status
optional
String
severity
optional
String
description
optional
String
assigned_user_mail
optional
String
assigned_user_pretty_name
optional
String
alert_count
optional
Integer
low_severity_alert_count
optional
Integer
med_severity_alert_count
optional
Integer
high_severity_alert_count
optional
Integer
critical_severity_alert_count
optional
Integer
user_count
optional
Integer
host_count
optional
Integer
notes
optional
String
resolve_comment
optional
String
resolved_timestamp
optional
Integer
manual_severity
optional
String
manual_description
optional
String
xdr_url
optional
String
starred
optional
Boolean
hosts
optional
Array of objects
incident_sources
optional
Array of strings
alerts_grouping_status
optional
String
alert_categories
optional
String
original_tags
optional
Array of objects
tags
optional
Array of objects
xpanse_risk_score
optional
String
xpanse_risk_explainer
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.