Get Extra Incident Data
Get extra data fields for a specific incident.
Synopsis
URI | /public_api/v1/incidents/get_incident_extra_data/ |
HTTP Method | POST |
Required License | Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or
Cortex XDR Pro per TB |
Description
Get extra data fields of a
specific incident including alerts and key artifacts.
This API is rate-limited to 10 requests per minute.
Request Fields
The body of this request
contains a JSON object with the following fields:
Field | Description |
---|---|
request_data | ( Required ) A dictionary containing
the API request fields. |
incident_id | ( Required ) The ID of the incident
for which you want to retrieve extra data. |
alerts_limit | Maximum number of related alerts in the incident that
you want to retrieve (default is 1000). |
Request Example
curl -X POST https://api-{fqdn}/public_api/v1/incidents/get_incident_extra_data/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{ "request_data":{ "incident_id":"<incident ID>", "alerts_limit":5 } }'
Success Response
Upon success, the HTTP
response code is 200. In addition, this API returns a JSON object
containing the additional incident information including the alerts,
network artifacts, and file artifacts.
Success Response Example
{ "reply":{ "incident":{ "incident_id":"<incident ID>", "incident_name":"test", "creation_time":1603184209710, "modification_time":1603184209710, "detection_time":null, "status":"new", "severity":"high", "description":"generated by PAN NGFW", "assigned_user_mail":null, "assigned_user_pretty_name":null, "alert_count":1, "low_severity_alert_count":0, "med_severity_alert_count":0, "high_severity_alert_count":1, "user_count":0, "host_count":0, "notes":null, "resolve_comment":null, "manual_severity":null, "manual_description":null, "xdr_url":"https://test.xdr.us.paloaltonetworks.com/incident-view/1", "starred":false, "hosts":null, "users":[ ], "incident_sources":[ "PAN NGFW" ], "rule_based_score":342, "manual_score":null }, "alerts":{ "total_count":1, "data":[ { "external_id":"<external ID>", "severity":"high", "matching_status":"UNMATCHABLE", "end_match_attempt_ts":null, "local_insert_ts":1603175431, "bioc_indicator":null, "matching_service_rule_id":null, "attempt_counter":null, "bioc_category_enum_key":null, "case_id":1, "is_whitelisted":false, "starred":false, "deduplicate_tokens":"<token value>", "filter_rule_id":null, "mitre_technique_id_and_name":null, "mitre_tactic_id_and_name":null, "agent_version":null, "agent_device_domain":null, "agent_fqdn":null, "agent_os_type":"NO_HOST", "agent_os_sub_type":null, "agent_data_collection_status":null, "mac":null, "agent_is_vdi":null, "agent_install_type":"NA", "agent_host_boot_time":null, "event_sub_type":null, "module_id":null, "association_strength":null, "dst_association_strength":null, "story_id":null, "event_id":null, "event_type":"Network Event", "event_timestamp":null, "actor_process_instance_id":null, "actor_process_image_path":null, "actor_process_image_name":null, "actor_process_command_line":null, "actor_process_signature_status":"N/A", "actor_process_signature_vendor":null, "actor_process_image_sha256":null, "actor_process_image_md5":null, "actor_process_causality_id":null, "actor_causality_id":null, 
"actor_process_os_pid":null, "actor_thread_thread_id":null, "causality_actor_process_image_name":null, "causality_actor_process_command_line":null, "causality_actor_process_image_path":null, "causality_actor_process_signature_vendor":null, "causality_actor_process_signature_status":"N/A", "causality_actor_causality_id":null, "causality_actor_process_execution_time":null, "causality_actor_process_image_md5":null, "causality_actor_process_image_sha256":null, "action_file_path":null, "action_file_name":null, "action_file_md5":null, "action_file_sha256":null, "action_file_macro_sha256":null, "action_registry_data":null, "action_registry_key_name":null, "action_registry_value_name":null, "action_registry_full_key":null, "action_local_ip":"<IP address>", "action_local_port":<port>, "action_remote_ip":"<IP address>", "action_remote_port":<port>, "action_external_hostname":"<hostname>", "action_country":"UNKNOWN", "action_process_instance_id":null, "action_process_causality_id":null, "action_process_image_name":null, "action_process_image_sha256":null, "action_process_image_command_line":null, "action_process_signature_status":"N/A", "action_process_signature_vendor":null, "os_actor_effective_username":null, "os_actor_process_instance_id":null, "os_actor_process_image_path":null, "os_actor_process_image_name":null, "os_actor_process_command_line":null, "os_actor_process_signature_status":"N/A", "os_actor_process_signature_vendor":null, "os_actor_process_image_sha256":null, "os_actor_process_causality_id":null, "os_actor_causality_id":null, "os_actor_process_os_pid":null, "os_actor_thread_thread_id":null, "fw_app_id":null, "fw_interface_from":null, "fw_interface_to":null, "fw_rule":null, "fw_rule_id":null, "fw_device_name":null, "fw_serial_number":"<serial number>", "fw_url_domain":null, "fw_email_subject":"", "fw_email_sender":null, "fw_email_recipient":null, "fw_app_subcategory":null, "fw_app_category":null, "fw_app_technology":null, "fw_vsys":null, "fw_xff":null, 
"fw_misc":null, "fw_is_phishing":"N/A", "dst_agent_id":null, "dst_causality_actor_process_execution_time":null, "dns_query_name":null, "dst_action_external_hostname":null, "dst_action_country":null, "dst_action_external_port":null, "alert_id":"1", "detection_timestamp":1603184109000, "name":"sagcalun", "category":"Spyware Detected via Anti-Spyware profile", "endpoint_id":null, "description":"Spyware Phone Home Detection", "host_ip":"<IP address>", "host_name":"<hostname>", "source":"PAN NGFW", "action":"DETECTED_4", "action_pretty":"Detected (Raised An Alert)", "user_name":null, "contains_featured_host": "Yes", "contains_featured_user": "Yes", "contains_featured_ip_address": "Yes" } ] }, "network_artifacts":{ "total_count":2, "data":[ { "type":"DOMAIN", "alert_count":1, "is_manual":false, "network_domain":"<domain name>", "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" }, { "type":"IP", "alert_count":1, "is_manual":false, "network_domain":"<domain name>", "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" } ] }, "file_artifacts":{ "total_count":0, "data":[ ] } } }
Error Response
Upon error,
the reply includes an HTTP response code, an error message, and
additional information describing the error. The HTTP response code
is one of the following:
Field | Description |
---|---|
400 | Bad Request. The request body is not valid JSON. |
401 | Unauthorized access. An issue occurred during authentication.
This can indicate an incorrect key, id, or other invalid authentication
parameters. |
402 | Unauthorized access. User does not have the
required license type to run this API. |
403 | Forbidden access. The provided API Key does
not have the required RBAC permissions to run this API. |
500 | Internal server error. A unified status for
API communication type errors. |
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}