Get Extra Incident Data
Get extra data fields for a specific incidents.
Synopsis
URI | /public_api/v1/incidents/get_incident_extra_data/ |
HTTP Method | POST |
Required License | Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or
Cortex XDR Pro per TB |
Description
Get extra data fields of a
specific incident including alerts and key artifacts.
The
API includes a limit rate of 10 API requests per minute.
Request Fields
The body of this request
contains a JSON object with the following fields:
Field | Description |
|---|---|
request_data | ( Required ) A dictionary containing
the API request fields. |
incident_id | ( Required ) The ID of the incident
for which you want to retrieve extra data. |
alerts_limit | Maximum number of related alerts in the incident that
you want to retrieve (default is 1000). |
Request Example
curl -X POST https://api-{fqdn}/public_api/v1/incidents/get_incident_extra_data/ \ -H "x-xdr-auth-id:{API_KEY_ID}" \ -H "Authorization:{API_KEY}" \ -H "Content-Type:application/json" \ -d '{ "request_data":{ "incident_id":"<incident ID>", "alerts_limit":5 } }'
Code copied to clipboard
Unable to copy due to lack of browser support.
Success Response
Upon success, the HTTP
response code is 200. In addition, this API returns a JSON object
containing the additional incident information including the alerts,
network artifacts, and file artifacts.
Success Response Example
{ "reply":{ "incident":{ "incident_id":"<incient ID>", "incident_name":test, "creation_time":1603184209710, "modification_time":1603184209710, "detection_time":null, "status":"new", "severity":"high", "description":"generated by PAN NGFW", "assigned_user_mail":null, "assigned_user_pretty_name":null, "alert_count":1, "low_severity_alert_count":0, "med_severity_alert_count":0, "high_severity_alert_count":1, "user_count":0, "host_count":0, "notes":null, "resolve_comment":null, "manual_severity":null, "manual_description":null, "xdr_url":"https://test.xdr.us.paloaltonetworks.com/incident-view/1", "starred":false, "hosts":null, "users":[ ], "incident_sources":[ "PAN NGFW" ], "rule_based_score":342, "manual_score":null, "wildfire_hits": 0, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": [ "TA0004 - Privilege Escalation", "TA0005 - Defense Evasion", "TA0006 - Credential Access" ], "mitre_tactics_ids_and_names": [ "T1001.001 - Data Obfuscation: Junk Data", "T1001.002 - Data Obfuscation: Steganography", "T1001.003 - Data Obfuscation: Protocol Impersonation" ], "alert_categories": [ "Collection", "Credential Access", "File Name" ] }, "alerts":{ "total_count":1, "data":[ { "external_id":"<external ID>", "severity":"high", "matching_status":"UNMATCHABLE", "end_match_attempt_ts":null, "local_insert_ts":1603175431, "bioc_indicator":null, "matching_service_rule_id":null, "attempt_counter":null, "bioc_category_enum_key":null, "case_id":1, "is_whitelisted":false, "starred":false, "deduplicate_tokens":"<token value>", "filter_rule_id":null, "mitre_technique_id_and_name":null, "mitre_tactic_id_and_name":null, "agent_version":null, "agent_device_domain":null, "agent_fqdn":null, "agent_os_type":"NO_HOST", "agent_os_sub_type":null, "agent_data_collection_status":null, "mac":null, "agent_is_vdi":null, "agent_install_type":"NA", "agent_host_boot_time":null, "event_sub_type":null, "module_id":null, "association_strength":null, "dst_association_strength":null, "story_id":null, "event_id":null, "event_type":"Network Event", "event_timestamp":null, "actor_process_instance_id":null, "actor_process_image_path":null, "actor_process_image_name":null, "actor_process_command_line":null, "actor_process_signature_status":"N/A", "actor_process_signature_vendor":null, "actor_process_image_sha256":null, "actor_process_image_md5":null, "actor_process_causality_id":null, "actor_causality_id":null, "actor_process_os_pid":null, "actor_thread_thread_id":null, "causality_actor_process_image_name":null, "causality_actor_process_command_line":null, "causality_actor_process_image_path":null, "causality_actor_process_signature_vendor":null, "causality_actor_process_signature_status":"N/A", "causality_actor_causality_id":null, "causality_actor_process_execution_time":null, "causality_actor_process_image_md5":null, "causality_actor_process_image_sha256":null, "action_file_path":null, "action_file_name":null, "action_file_md5":null, "action_file_sha256":null, "action_file_macro_sha256":null, "action_registry_data":null, "action_registry_key_name":null, "action_registry_value_name":null, "action_registry_full_key":null, "action_local_ip":"<IP address>", "action_local_port":<port>, "action_remote_ip":"<IP address>", "action_remote_port":<port>, "action_external_hostname":"<hostname>", "action_country":"UNKNOWN", "action_process_instance_id":null, "action_process_causality_id":null, "action_process_image_name":null, "action_process_image_sha256":null, "action_process_image_command_line":null, "action_process_signature_status":"N/A", "action_process_signature_vendor":null, "os_actor_effective_username":null, "os_actor_process_instance_id":null, "os_actor_process_image_path":null, "os_actor_process_image_name":null, "os_actor_process_command_line":null, "os_actor_process_signature_status":"N/A", "os_actor_process_signature_vendor":null, "os_actor_process_image_sha256":null, "os_actor_process_causality_id":null, "os_actor_causality_id":null, "os_actor_process_os_pid":null, "os_actor_thread_thread_id":null, "fw_app_id":null, "fw_interface_from":null, "fw_interface_to":null, "fw_rule":null, "fw_rule_id":null, "fw_device_name":null, "fw_serial_number":"<serial number>", "fw_url_domain":null, "fw_email_subject":"", "fw_email_sender":null, "fw_email_recipient":null, "fw_app_subcategory":null, "fw_app_category":null, "fw_app_technology":null, "fw_vsys":null, "fw_xff":null, "fw_misc":null, "fw_is_phishing":"N/A", "dst_agent_id":null, "dst_causality_actor_process_execution_time":null, "dns_query_name":null, "dst_action_external_hostname":null, "dst_action_country":null, "dst_action_external_port":null, "alert_id":"1", "detection_timestamp":1603184109000, "name":"sagcalun", "category":"Spyware Detected via Anti-Spyware profile", "endpoint_id":null, "description":"Spyware Phone Home Detection", "host_ip":"<IP address>", "host_name":"<hostname>", "source":"PAN NGFW", "action":"DETECTED_4", "action_pretty":"Detected (Raised An Alert)", "user_name":null, "contains_featured_host": "Yes", "contains_featured_user" "Yes", "contains_featured_ip_address": "Yes" } ] }, "network_artifacts":{ "total_count":2, "data":[ { "type":"DOMAIN", "alert_count":1, "is_manual":false, "network_domain":"<domain name>, "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" }, { "type":"IP", "alert_count":1, "is_manual":false, "network_domain":"<domain name>", "network_remote_ip":"<IP address>", "network_remote_port":<port>, "network_country":"UNKNOWN" } ] }, "file_artifacts":{ "total_count":0, "data":[ ] } } }
Code copied to clipboard
Unable to copy due to lack of browser support.
Error Response
Upon error,
the reply includes an HTTP response code, an error message, and
additional information describing the error. The HTTP response code
is one of the following:
Field | Description |
|---|---|
400 | Bad Request. Got an invalid JSON. |
401 | Unauthorized access. An issue occurred during authentication.
This can indicate an incorrect key, id, or other invalid authentication
parameters. |
402 | Unauthorized access. User does not have the
required license type to run this API. |
403 | Forbidden access. The provided API Key does
not have the required RBAC permissions to run this API. |
500 | Internal server error. A unified status for
API communication type errors. |
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
Code copied to clipboard
Unable to copy due to lack of browser support.
Recommended For You
Recommended Videos
Recommended videos not found.
