1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ API Reference
    5. Cortex XDR APIs
    6. Incident Management APIs
    7. Get Incidents

    Get Incidents

    Get a list of incidents.

    Synopsis

    URI
    /public_api/v1/incidents/get_incidents/
    HTTP Method
    POST
    Required License
    Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB

    Description

    Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.
    • Response is concatenated using AND condition (OR is not supported).
    • Maximum result set size is 100.
    • Offset is the zero-based number of incidents from the start of the result set.

    Request Fields

    The body of this request contains a JSON object with the following fields:
    You can send a request to retrieve either
    all
     or
    filtered
     results.
    Field
    Description
    request_data
    (
    Required
    ) A dictionary containing the API request fields.
    An empty dictionary returns all results.
    filters
    Provides an array of filtered fields. Each JSON object must contain the following keywords:
    • field
      String that identifies the incident field the filter is matching. Filters are based on the following keywords:
      • modification_time
        —Time the incident has been modified.
      • creation_time
        —Incident's creation time.
      • incident_id_list
        —List of incident IDs.
      • description
        —Incident description.
      • alert_sources
        —Source which detected the alert.
      • status
        —Represents the status of the incident.
    • operator
      String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
      in
      • incident_id_list
        ,
        alert_sources
        ,
        description
        —List of strings
      contains
      • description
        —String
      gte
       /
      lte
      • modification_time
        ,
        creation_time
        —Integer in timestamp epoch milliseconds
      eq
       /
      neq
      • status
    • value
      Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter:
      • description
         - List of strings.
      • incident_sources
         - list of strings.
      • modification_time
        ,
        creation_time
         - Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
      • incident_id_list
        - List of strings. Each item in the list must be an incident ID.
      • starred
         - Boolean value:
        true
         or
        false
        .
      • status
        - Single value, can be one of the following:
        new
        ,
        under_investigation
        ,
        resolved_threat_handled
        ,
        resolved_known_issue
        ,
        resolved_duplicate_incident
        ,
        resolved_false_positive
        ,
        resolved_auto_resolve
    search_from
    Integer representing the starting offset within the query result set from which you want incidents returned.
    Incidents are returned as a zero-based list. Any incident indexed less than this value is not returned in the final result set and defaults to zero.
    search_to
    Integer representing the end offset within the result set after which you do not want incidents returned.
    Incidents in the incident list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all incidents to the end of the list.
    sort
    Identifies the sort order for the result set.
    • field
       - Can be either
      modification_time
       or
      creation_time
      . By default, sort is defined as
      modification_time
      .
      modification_time
       may change during incident iterations, i.e. new alert grouped to the incident or change of assignee, and therefore may return duplicate incidents. Sort by
      creation_time
       to avoid duplications.
    • keyword
       - Can be either
      asc
       (ascending order) or
      desc
       (descending order).
    Request Example
    Request all results:
    curl -X POST https://api-{fqdn}/public_api/v1/incidents/get_incidents/ \
-H "x-xdr-auth-id:{API_KEY_ID}" \
-H "Authorization:{API_KEY}" \
-H "Content-Type:application/json" \
-d '{ 
   "request_data":{}
   }'
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    Request filtered results:
    curl -X POST https://api-{fqdn}/public_api/v1/incidents/get_incidents/ \
    -H "x-xdr-auth-id:{API_KEY_ID}" \
    -H "Authorization:{API_KEY}" \
    -H "Content-Type:application/json" \
    -d '{
           "request_data": {
               "filters": [
                   {
                       "field": "incident_id_list",
                       "operator": "in",
                       "value": ["<incident ID>", "<incident ID>"]
                   }
               ],
               "search_from": 0,
               "search_to": 100,
               "sort": {
                   "field": "creation_time",
                   "keyword": "desc"
               }
           }
    }'
    Code copied to clipboard
    Unable to copy due to lack of browser support.

    Success Response

    Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing the query status, as well as an array of JSON objects, each of which represents a single incident.
    Field
    Description
    total_count
    Total number of possible results, value is limited to 10,000 (integer).
    result_count
    Number of incidents actually returned as result (integer).
    incidents
    A list of incidents (list).
    Success Response Example
    
{ 
   "reply":{ 
      "total_count":1,
      "result_count":1,
      "incidents":[ 
         { 
            "incident_id":"<incident ID>",
            "incident_name": "test",
            "creation_time":1577024425126,
            "modification_time":1577024425126,
            "detection_time":null,
            "status":"resolved_known_issue",
            "severity":"medium",
            "description":"'Memory Corruption Exploit' generated by XDR Agent",
            "assigned_user_mail":null,
            "assigned_user_pretty_name":null,
            "alert_count":1,
            "low_severity_alert_count":0,
            "med_severity_alert_count":1,
            "high_severity_alert_count":0,
            "user_count":1,
            "host_count":1,
            "notes":null,
            "resolve_comment":null,
            "resolved_timestamp":1577024425126,
            "manual_severity":null,
            "manual_description":null,
            "xdr_url":"https://<link to incident>",
            "starred":false,
            "hosts":[ 
               "<host ID>"
            ],
            "users":[
            "test_1",
            "test_2" 
            ],
            "incident_sources":[ 
               "XDR Agent",
               "XDR BIOC"
            ],
            "rule_based_score":342,
            "manual_score":null,
            "wildfire_hits": 0,
                "alerts_grouping_status": "Enabled",
                "mitre_techniques_ids_and_names": [
                    "TA0004 - Privilege Escalation",
                    "TA0005 - Defense Evasion",
                    "TA0006 - Credential Access"
                ],
                "mitre_tactics_ids_and_names": [
                    "T1001.001 - Data Obfuscation: Junk Data",
                    "T1001.002 - Data Obfuscation: Steganography",
                    "T1001.003 - Data Obfuscation: Protocol Impersonation"
                ],
                "alert_categories": [
                    "Collection",
                    "Credential Access",
                    "File Name"
                ]
			}
      ]
   }
}
    Code copied to clipboard
    Unable to copy due to lack of browser support.

    Error Response

    Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
    Field
    Description
    400
    Bad Request. Got an invalid JSON.
    401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
    402
    Unauthorized access. User does not have the required license type to run this API.
    403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
    500
    Internal server error. A unified status for API communication type errors.
    Error Response Format
    {"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
    Code copied to clipboard
    Unable to copy due to lack of browser support.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo