Get details for a single incident or a list of incidents, filtered by a list of severity values or by creation time. - Multiple filters are combined using an AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of incidents from the start of the result set.
Note: You can send a request to retrieve either all or filtered results.
Required license: Cortex Xpanse Expander
authorization
String
required
api-key
api-key
{{api_key}}
x-xdr-auth-id
String
required
api-key-id
api-key-id
{{api_key_id}}
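# {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders. The API key is a
# secret: supply it from an environment variable or a file rather than typing it into a
# command line that is kept in shell history.
# Both example filters use the IncidentFilter_value placeholder; multiple filters are
# combined with AND, so replace them with the real values you want to match.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/' \
  -d '{
    "request_data" : {
      "search_from" : 0,
      "filters" : [ {
        "field" : "modification_time",
        "value" : "IncidentFilter_value",
        "operator" : "in"
      }, {
        "field" : "modification_time",
        "value" : "IncidentFilter_value",
        "operator" : "in"
      } ],
      "sort" : {
        "field" : "modification_time",
        "keyword" : "desc"
      },
      "search_to" : 0
    }
  }'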
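import http.client
import json

# {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders. The API key is a
# credential: load it from the environment or a secret store rather than a literal.
# The tenant fqdn is part of the host name; the request path starts at /public_api.
# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context here.
conn = http.client.HTTPSConnection("api-{{fqdn}}")
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "modification_time", "operator": "in", "value": "string"}
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": {"field": "creation_time", "keyword": "ASC"},
    }
})
headers = {
    'authorization': "{{api_key}}",
    'x-xdr-auth-id': "{{api_key_id}}",
    'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/incidents/get_incidents/", payload, headers)
res = conn.getresponse()
# res.status carries the HTTP status; a non-2xx reply still has a readable body.
data = res.read()
# Release the socket once the body has been read.
conn.close()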
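print(data.decode("utf-8"))
require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders; substitute {{fqdn}}
# before running (the placeholder is not a valid host name) and load the key from the
# environment or a secret store rather than a literal.
url = URI("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. VERIFY_NONE would accept any certificate, so a
# man-in-the-middle could read the API key sent in the authorization header.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Post.new(url)
request["authorization"] = '{{api_key}}'
request["x-xdr-auth-id"] = '{{api_key_id}}'
request["content-type"] = 'application/json'
request.body = JSON.generate({
  "request_data" => {
    "filters" => [
      { "field" => "modification_time", "operator" => "in", "value" => "string" }
    ],
    "search_from" => 0,
    "search_to" => 100,
    "sort" => { "field" => "creation_time", "keyword" => "ASC" }
  }
})
# response.code holds the HTTP status; response.read_body the reply body.
response = http.request(request)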
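puts response.read_body
// {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders. An API key embedded
// in browser-delivered script is readable by every user of the page; call this endpoint
// from a backend that holds the key instead.
const data = JSON.stringify({
  request_data: {
    filters: [
      { field: "modification_time", operator: "in", value: "string" }
    ],
    search_from: 0,
    search_to: 100,
    sort: { field: "creation_time", keyword: "ASC" }
  }
});
const xhr = new XMLHttpRequest();
// NOTE(review): withCredentials also attaches cookies to this cross-origin request; the
// API is authenticated by the headers below, so confirm the flag is actually needed.
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
  // DONE fires for error replies as well; this.status carries the HTTP status.
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
});
xhr.open("POST", "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
xhr.setRequestHeader("authorization", "{{api_key}}");
xhr.setRequestHeader("x-xdr-auth-id", "{{api_key_id}}");
xhr.setRequestHeader("content-type", "application/json");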
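xhr.send(data);
// {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders; read the key from
// configuration or a secret store rather than a string literal. The tenant fqdn is part
// of the host name, not the path.
HttpResponse<String> response = Unirest.post("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/")
    .header("authorization", "{{api_key}}")
    .header("x-xdr-auth-id", "{{api_key_id}}")
    .header("content-type", "application/json")
    .body("{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}")
    // response.getStatus() carries the HTTP status; check it before parsing the body.
    .asString();
import Foundation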
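// {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders. The API key is a
// credential: load it from the Keychain or configuration rather than a string literal.
let headers = [
    "authorization": "{{api_key}}",
    "x-xdr-auth-id": "{{api_key_id}}",
    "content-type": "application/json"
]
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            [
                "field": "modification_time",
                "operator": "in",
                "value": "string"
            ]
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": [
            "field": "creation_time",
            "keyword": "ASC"
        ]
    ]
]
// JSONSerialization.data(withJSONObject:) throws, so the call needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
// Substitute {{fqdn}} before running: the placeholder is not a valid host name and
// URL(string:) returns nil for it. Failing loudly here beats a force-unwrap crash.
guard let url = URL(string: "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/") else {
    fatalError("invalid incidents endpoint URL")
}
var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData
let session = URLSession.shared
// NOTE(review): in a command-line tool nothing here keeps the process alive until the
// completion handler runs (e.g. a DispatchSemaphore); confirm for your host program.
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print(error)
    } else {
        // statusCode on the HTTPURLResponse tells success from an HTTP error reply.
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse as Any)
    }
}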
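dataTask.resume()
<?php
$curl = curl_init();
// {{fqdn}}, {{api_key}} and {{api_key_id}} are tenant placeholders; load the key from
// the environment or a secret store rather than a string literal. The tenant fqdn is
// part of the host name, not the path.
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    // Redirects are not followed (CURLOPT_FOLLOWLOCATION is unset), so this limit is
    // inert. Before enabling redirects, check your libcurl version's documentation for
    // whether the custom authorization header is re-sent to a different host.
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}",
    CURLOPT_HTTPHEADER => [
        "authorization: {{api_key}}",
        "content-type: application/json",
        "x-xdr-auth-id: {{api_key_id}}"
    ],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
// Read the HTTP status before closing the handle so an error reply is not echoed as data.
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status >= 400) {
    echo "HTTP error " . $status . ": " . $response;
} else {
    echo $response;
}
CURL *hnd = curl_easy_init();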
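/* hnd is the easy handle created on the line above. {{fqdn}}, {{api_key}} and
 * {{api_key_id}} are tenant placeholders; load the key from the environment rather
 * than a literal. The tenant fqdn is part of the host name, not the path. */
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "authorization: {{api_key}}");
headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}");
/* ret != CURLE_OK means the transfer itself failed (curl_easy_strerror(ret) explains);
 * a completed transfer can still carry an HTTP error status (CURLINFO_RESPONSE_CODE). */
CURLcode ret = curl_easy_perform(hnd);
/* The header list must stay valid for the transfer; free it and the handle afterwards. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);
var client = new RestClient("https://api-{{fqdn}}/public_api/v1/incidents/get_incidents/");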
// {{api_key}} and {{api_key_id}} are tenant placeholders; read the key from configuration
// or a secret store rather than a string literal.
const string payload =
    "{\"request_data\":{\"filters\":[{\"field\":\"modification_time\",\"operator\":\"in\",\"value\":\"string\"}],"
    + "\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"creation_time\",\"keyword\":\"ASC\"}}}";
RestRequest request = new RestRequest(Method.POST);
request.AddHeader("authorization", "{{api_key}}");
request.AddHeader("x-xdr-auth-id", "{{api_key_id}}");
request.AddHeader("content-type", "application/json");
// The body is sent as the raw JSON string above (ParameterType.RequestBody), not serialized from an object.
request.AddParameter("application/json", payload, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
request_data (object): A dictionary containing the API request fields. An empty dictionary returns all results.
A dictionary containing the API request fields. An empty dictionary returns all results.
filters (array): Array of filter fields.
Array of filter fields.
field (string, Enum): Identifies the incident field the filter is matching.
Identifies the incident field the filter is matching.
operator (string, Enum): Identifies the comparison operator you want to use for this filter. Valid keywords are:
- in:
incident_id_list, alert_sources, cloud_management_status, description, integration_source
- contains:
description
- gte / lte:
modification_time, creation_time: Integer in timestamp epoch milliseconds
- eq / neq:
status
Identifies the comparison operator you want to use for this filter. Valid keywords are:
- in:
incident_id_list, alert_sources, cloud_management_status, description, integration_source
- contains:
description
- gte / lte:
modification_time, creation_time: Integer in timestamp epoch milliseconds
- eq / neq:
status
value (object): Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
value (string): Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
value (integer): Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
- alert_sources: String
- cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: Integer in timestamp epoch milliseconds
- description: String
- incident_id_list: List of strings. Each item in the list must be an incident ID.
- integration_source: List of strings. Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
- modification_time: Integer in timestamp epoch milliseconds
- status: Valid values: new, under_investigation, resolved
search_from (integer): Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list. Any incident indexed less than this value is not returned in the final result set. Defaults to zero.
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list. Any incident indexed less than this value is not returned in the final result set and defaults to zero.
search_to (integer): Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all incidents to the end of the list.
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all incidents to the end of the list.
100
sort (object): Identifies the sort order for the result set. Default sort is defined as creation_time, DESC.
Identifies the sort order for the result set. Default sort is defined as creation_time, DESC.
field (string, Enum): Can be creation_time or severity.
Can be creation_time or severity.
"modification_time"keywordstring (Enum)Can either be ASC (ascending order) or DESC (descending order).
Can either be ASC (ascending order) or DESC (descending order).
"desc"{
"request_data": {
"filters": [
{
"field": "modification_time",
"operator": "in",
"value": "example"
}
],
"search_from": 0,
"search_to": 0,
"sort": {
"field": "creation_time",
"keyword": "ASC"
}
}
}