Get Extra Incident Data

Get extra data fields for a specific incident.

Synopsis

URI: /public_api/v1/incidents/get_incident_extra_data/
HTTP Method: POST
Required License: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB

Description

Get extra data fields of a specific incident, including its alerts and key artifacts.
The API enforces a rate limit of 10 API requests per minute.

Request Fields

The body of this request contains a JSON object with the following fields:

Field           Description
request_data    (Required) A dictionary containing the API request fields.
incident_id     (Required) The ID of the incident for which you want to retrieve extra data.
alerts_limit    Maximum number of related alerts in the incident that you want to retrieve (default is 1000).
Request Example
curl -X POST https://api-{fqdn}/public_api/v1/incidents/get_incident_extra_data/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{ "request_data":{ "incident_id":"<incident ID>", "alerts_limit":5 } }'

Success Response

Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing the additional incident information including the alerts, network artifacts, and file artifacts.
Success Response Example
{ "reply":{
"incident":{ "incident_id":"<incident ID>", "incident_name":"test", "creation_time":1603184209710, "modification_time":1603184209710, "detection_time":null, "status":"new", "severity":"high", "description":"generated by PAN NGFW", "assigned_user_mail":null, "assigned_user_pretty_name":null, "alert_count":1, "low_severity_alert_count":0, "med_severity_alert_count":0, "high_severity_alert_count":1, "user_count":0, "host_count":0, "notes":null, "resolve_comment":null, "manual_severity":null, "manual_description":null, "xdr_url":"https://test.xdr.us.paloaltonetworks.com/incident-view/1", "starred":false, "hosts":null, "users":[ ], "incident_sources":[ "PAN NGFW" ], "rule_based_score":342, "manual_score":null, "wildfire_hits": 0, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": [ "TA0004 - Privilege Escalation", "TA0005 - Defense Evasion", "TA0006 - Credential Access" ], "mitre_tactics_ids_and_names": [ "T1001.001 - Data Obfuscation: Junk Data", "T1001.002 - Data Obfuscation: Steganography", "T1001.003 - Data Obfuscation: Protocol Impersonation" ], "alert_categories": [ "Collection", "Credential Access", "File Name" ] },
"alerts":{ "total_count":1, "data":[ { "external_id":"<external ID>", "severity":"high", "matching_status":"UNMATCHABLE", "end_match_attempt_ts":null, "local_insert_ts":1603175431, "bioc_indicator":null, "matching_service_rule_id":null, "attempt_counter":null, "bioc_category_enum_key":null, "case_id":1, "is_whitelisted":false, "starred":false, "deduplicate_tokens":"<token value>", "filter_rule_id":null, "mitre_technique_id_and_name":null, "mitre_tactic_id_and_name":null, "agent_version":null, "agent_device_domain":null, "agent_fqdn":null, "agent_os_type":"NO_HOST", "agent_os_sub_type":null, "agent_data_collection_status":null, "mac":null, "agent_is_vdi":null, "agent_install_type":"NA", "agent_host_boot_time":null, "event_sub_type":null, "module_id":null, "association_strength":null, "dst_association_strength":null, "story_id":null, "event_id":null, "event_type":"Network Event", "event_timestamp":null, "actor_process_instance_id":null, "actor_process_image_path":null, "actor_process_image_name":null, "actor_process_command_line":null, "actor_process_signature_status":"N/A", "actor_process_signature_vendor":null, "actor_process_image_sha256":null, "actor_process_image_md5":null, "actor_process_causality_id":null, "actor_causality_id":null, "actor_process_os_pid":null, "actor_thread_thread_id":null, "causality_actor_process_image_name":null, "causality_actor_process_command_line":null, "causality_actor_process_image_path":null, "causality_actor_process_signature_vendor":null, "causality_actor_process_signature_status":"N/A", "causality_actor_causality_id":null, "causality_actor_process_execution_time":null, "causality_actor_process_image_md5":null, "causality_actor_process_image_sha256":null, "action_file_path":null, "action_file_name":null, "action_file_md5":null, "action_file_sha256":null, "action_file_macro_sha256":null, "action_registry_data":null, "action_registry_key_name":null, "action_registry_value_name":null, "action_registry_full_key":null, "action_local_ip":"<IP address>", "action_local_port":<port>, "action_remote_ip":"<IP address>", "action_remote_port":<port>, "action_external_hostname":"<hostname>", "action_country":"UNKNOWN", "action_process_instance_id":null, "action_process_causality_id":null, "action_process_image_name":null, "action_process_image_sha256":null, "action_process_image_command_line":null, "action_process_signature_status":"N/A", "action_process_signature_vendor":null, "os_actor_effective_username":null, "os_actor_process_instance_id":null, "os_actor_process_image_path":null, "os_actor_process_image_name":null, "os_actor_process_command_line":null, "os_actor_process_signature_status":"N/A", "os_actor_process_signature_vendor":null, "os_actor_process_image_sha256":null, "os_actor_process_causality_id":null, "os_actor_causality_id":null, "os_actor_process_os_pid":null, "os_actor_thread_thread_id":null, "fw_app_id":null, "fw_interface_from":null, "fw_interface_to":null, "fw_rule":null, "fw_rule_id":null, "fw_device_name":null, "fw_serial_number":"<serial number>", "fw_url_domain":null, "fw_email_subject":"", "fw_email_sender":null, "fw_email_recipient":null, "fw_app_subcategory":null, "fw_app_category":null, "fw_app_technology":null, "fw_vsys":null, "fw_xff":null, "fw_misc":null, "fw_is_phishing":"N/A", "dst_agent_id":null, "dst_causality_actor_process_execution_time":null, "dns_query_name":null, "dst_action_external_hostname":null, "dst_action_country":null, "dst_action_external_port":null, "alert_id":"1", "detection_timestamp":1603184109000, "name":"sagcalun", "category":"Spyware Detected via Anti-Spyware profile", "endpoint_id":null, "description":"Spyware Phone Home Detection", "host_ip":"<IP address>", "host_name":"<hostname>", "source":"PAN NGFW", "action":"DETECTED_4", "action_pretty":"Detected (Raised An Alert)", "user_name":null, "contains_featured_host": "Yes", "contains_featured_user": "Yes", "contains_featured_ip_address": "Yes" } ] },
"network_artifacts":{ "total_count":2, "data":[ { "type":"DOMAIN", "alert_count":1, "is_manual":false, "network_domain":"<domain name>", "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" }, { "type":"IP", "alert_count":1, "is_manual":false, "network_domain":"<domain name>", "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" } ] },
"file_artifacts":{ "total_count":0, "data":[ ] }
} }

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

HTTP Code    Description
400          Bad Request. Got an invalid JSON.
401          Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402          Unauthorized access. User does not have the required license type to run this API.
403          Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500          Internal server error. A unified status for API communication type errors.
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
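A small client for this endpoint, added here as an example and not part of the Cortex XDR documentation or SDK. It builds the documented POST request, reduces the success reply to a triage summary, surfaces the documented err_code/err_msg/err_extra error shape, and flags when alerts.total_count exceeds the alerts actually returned (i.e. alerts_limit truncated the list). The sample replies are constructed and trimmed to the fields the code reads; fqdn and credentials are placeholders.

```python
import json
import urllib.request
from urllib.error import HTTPError

URL_PATH = "/public_api/v1/incidents/get_incident_extra_data/"

def build_request(fqdn, api_key_id, api_key, incident_id, alerts_limit=1000):
    """Return (url, headers, body) as the documented curl call sends them."""
    headers = {"x-xdr-auth-id": api_key_id, "Authorization": api_key,
               "Content-Type": "application/json"}
    body = {"request_data": {"incident_id": incident_id, "alerts_limit": alerts_limit}}
    return f"https://api-{fqdn}{URL_PATH}", headers, json.dumps(body).encode()

def parse_reply(status, body_bytes):
    """Summarise a 200 reply; on any other status return the documented error
    fields (err_code, err_msg, err_extra) instead of raising."""
    reply = json.loads(body_bytes)["reply"]
    if status != 200 or "err_code" in reply:
        return {"ok": False, "err_code": reply.get("err_code", status),
                "err_msg": reply.get("err_msg"), "err_extra": reply.get("err_extra")}
    inc, alerts = reply["incident"], reply["alerts"]
    return {"ok": True, "incident_id": inc["incident_id"], "severity": inc["severity"],
            "alerts_returned": len(alerts["data"]),
            # total_count > returned means alerts_limit cut the list: re-query higher.
            "alerts_truncated": alerts["total_count"] > len(alerts["data"]),
            "domains": sorted({a["network_domain"] for a in reply["network_artifacts"]["data"]
                               if a["type"] == "DOMAIN"})}

def get_incident_extra_data(fqdn, api_key_id, api_key, incident_id, alerts_limit=1000):
    """POST the request; 400/401/402/403/500 replies still carry the error JSON body."""
    url, headers, body = build_request(fqdn, api_key_id, api_key, incident_id, alerts_limit)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_reply(resp.status, resp.read())
    except HTTPError as err:
        return parse_reply(err.code, err.read())

# Constructed sample replies (not real tenant data), trimmed to the fields read above.
SAMPLE_OK = json.dumps({"reply": {
    "incident": {"incident_id": "1", "severity": "high", "alert_count": 3},
    "alerts": {"total_count": 3, "data": [{"alert_id": "1"}, {"alert_id": "2"}]},
    "network_artifacts": {"total_count": 2, "data": [
        {"type": "DOMAIN", "network_domain": "example.test"},
        {"type": "IP", "network_domain": "example.test"}]},
    "file_artifacts": {"total_count": 0, "data": []}}}).encode()
SAMPLE_ERR = json.dumps({"reply": {"err_code": 401, "err_msg": "Unauthorized access",
                                   "err_extra": None}}).encode()
```

Because the endpoint is limited to 10 requests per minute, callers that loop over many incidents should pace requests and treat a truncated alert list as a signal to raise alerts_limit rather than to re-poll.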
