Get Incidents

Cortex Xpanse REST API

post /public_api/v1/incidents/get_incidents/

- The maximum result set size is >100.
- Offset is the zero-based number of incidents from the start of the result set.

Note: You can send a request to retrieve either **all** or **filtered** results.

Required license: **Cortex Xpanse Expander**

Get details for a single incident or a list of incidents filtered by a list of severity or creation time. - The response is concatenated using AND condition (OR is not supported).

CURL
curl -X POST \ -H "Accept: application/json" \ -H "Content-Type: application/json" -H "authorization: {{api_key}}" -H "x-xdr-auth-id: {{api_key_id}}" \ "https://api-}/public_api/v1/incidents/get_incidents/" \ -d '{ "request_data" : { "search_from" : 0, "next_page_token" : "next_page_token", "filters" : [ { "field" : "modification_time", "value" : "IncidentFilter_value", "operator" : "in" }, { "field" : "modification_time", "value" : "IncidentFilter_value", "operator" : "in" } ], "sort" : { "field" : "modification_time", "keyword" : "desc" }, "search_to" : 0, "use_page_token" : true } }'
Request headers
authorization
required
String
api-key
Example: {{api_key}}
x-xdr-auth-id
required
String
api-key-id
Example: {{api_key_id}}
Request
Body
required
If no parameters are included, all results will be returned.
request_data
required
Object
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array of objects
Array of filter fields.
field
optional
String (Enum)

Identifies the incident field the filter is matching. Filters are based on the following keywords:

  • alert_sources
  • cloud_management_status
  • creation_time
  • description
  • incident_id_list
  • modification_time
  • status
Allowed values:
modification_time
description
creation_time
alert_sources
incident_id_list
status
cloud_management_status
starred
incident_id
integration_source
operator
optional
String (Enum)
Identifies the comparison operator you want to use for this filter. Valid keywords are:
- in: incident_id_list, alert_sources, cloud_management_status, description - contains: description - gte / lte: modification_time, creation_time: Integer in timestamp epoch milliseconds
- eq / nqe: status
Allowed values:
in
contains
neq
eq
lte
gte
value
optional

Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:

  • alert_sources: String
  • cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
  • creation_time: Integer in timestamp epoch milliseconds
  • description: String
  • incident_id_list: List of strings. Each item in the list must be an incident ID.
  • modification_time: Integer in timestamp epoch milliseconds
  • status: Valid values: new, under_investigation, resolved
search_from
optional
Integer
Integer representing the starting offset within the query result set from which you want incidents returned. Incidents are returned as a zero-based list. Any incident indexed less than this value is not returned in the final result set and defaults to zero.
search_to
optional
Integer
Integer representing the end offset within the result set after which you do not want incidents returned. Incidents in the incident list that are indexed higher than this value are not returned in the final results set. Defaults to >100, which returns all incidents to the end of the list.
sort
optional
Object
Identifies the sort order for the result set. Default sort is defined as creation_time, DESC.
field
optional
String (Enum)
Can be creation_time or severity.
Allowed values:
creation_time
modification_time
incident_id
keyword
optional
String (Enum)
Can either be ASC (ascending order) or DESC (descending order).
Allowed values:
ASC
asc
DESC
desc
use_page_token
optional
Boolean
Use "use_page_token":true in the initial request to paginate the response data. Sort is not supported when using the use_page_token/next_page_token fields.
next_page_token
optional
String
If "use_page_token":true was included in the initial request, the response for that request will include a page token. Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.
Responses

Successful response

Body
reply
required
Object
total_count
required
Integer
result_count
required
Integer
incidents
optional
Array of objects
incident_id
optional
String
is_blocked
optional
Boolean
incident_name
optional
String
creation_time
optional
Integer
modification_time
optional
Integer
detection_time
optional
Integer
status
optional
String
severity
optional
String
description
optional
String
assigned_user_mail
optional
String
assigned_user_pretty_name
optional
String
alert_count
optional
Integer
low_severity_alert_count
optional
Integer
med_severity_alert_count
optional
Integer
high_severity_alert_count
optional
Integer
critical_severity_alert_count
optional
Integer
user_count
optional
Integer
host_count
optional
Integer
notes
optional
String
resolve_comment
optional
String
resolved_timestamp
optional
Integer
manual_severity
optional
String
manual_description
optional
String
xdr_url
optional
String
starred
optional
Boolean
starred_manually
optional
Boolean
hosts
optional
Array of strings
incident_sources
optional
Array of strings
rule_based_score
optional
Integer
manual_score
optional
Number
aggregated_score
optional
Integer
alerts_grouping_status
optional
String
alert_categories
optional
Array of strings
original_tags
optional
Array of strings
tags
optional
Array of strings
xpanse_risk_score
optional
Integer
xpanse_risk_explainer
optional
Object
cves
optional
Array of objects
cveId
optional
String
cvssScore
optional
Integer
epssScore
optional
Number
matchType
optional
String
exploitMaturity
optional
String
reportedExploitInTheWild
optional
Boolean
mostRecentReportedExploitDate
optional
String
confidence
optional
String
riskFactors
optional
Array of objects
attributeId
required
String
attributeName
required
String
issueTypes
required
Array of objects
displayName
required
String
issueTypeId
required
String
versionMatched
optional
Boolean
cloud_management_status
optional
String
integration_source
optional
String
ipv4_addresses
optional
Array of strings
ipv6_addresses
optional
Array of strings
domain_names
optional
Array of strings
port_number
optional
Integer
asset_ids
optional
Array of strings (UUID)
format: uuid
ip_range_ids
optional
Array of strings
website_ids
optional
Array of strings
service_ids
optional
Array of strings
last_observed
optional
Integer
cloud_providers
optional
Array of strings
country_codes
optional
Array of strings
certificate_common_names
optional
Array of strings
certificate_issuers
optional
Array of strings
restricted_incident_ids
optional
Array of strings

Bad Request. Got an invalid JSON.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unprocessable Entity

Body
code
optional
Integer
Error code
status
optional
String
Error name
message
optional
String
Error message
errors
optional
Object
Errors

Internal server error. A unified status for API communication type errors.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.