Update an Incident

Update one or more fields of a specific incident.

Synopsis

URI
/public_api/v1/incidents/update_incident/
HTTP Method
POST
Required License
Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB

Description

Update one or more fields of a specific incident. Fields omitted from update_data are left unchanged.
Note the following:
  • assigned_user_mail is validated by Cortex XDR to confirm that the supplied assignee email address belongs to a user who exists in the same Cortex XDR tenant. An address that does not belong to a tenant user is rejected (see the 500 example under Error Response).
  • To unassign an incident, pass "assigned_user_mail": null or "assigned_user_mail": "".
  • To remove a manually set severity, pass "manual_severity": null or "manual_severity": "".

Request Fields

The body of this request contains a JSON object with the following fields:

request_data (Required)
    A dictionary containing the API request fields, namely incident_id and update_data.
incident_id
    The ID of the incident you want to update. The description calls it an integer; the request example below passes it as a JSON string.
update_data
    A JSON object holding the fields to change. Only the keys you include are updated; it may contain any of the following:
  • assigned_user_mail
    —Updated email address of the incident assignee. Must belong to a user in the same tenant; null or "" unassigns the incident.
  • assigned_user_pretty_name
    —Updated full name of the incident assignee. To supply a new value in this field, you must also supply a value for assigned_user_mail in the same request.
  • manual_severity
    —Administrator-defined severity, one of the following (null or "" removes a manually set severity):
    • high
    • medium
    • low
  • status
    —Updated incident status, one of the following:
    • NEW
    • UNDER_INVESTIGATION
    • RESOLVED_THREAT_HANDLED
    • RESOLVED_KNOWN_ISSUE
    • RESOLVED_DUPLICATE
    • RESOLVED_FALSE_POSITIVE
    • RESOLVED_OTHER
  • resolve_comment
    —Descriptive comment explaining the incident change.
Request Example

curl -X POST https://api-{fqdn}/public_api/v1/incidents/update_incident/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "incident_id": "<incident ID>",
      "update_data": {
        "assigned_user_mail": "username@test.com",
        "assigned_user_pretty_name": "Hello World",
        "manual_severity": "low",
        "status": "resolved_other",
        "resolve_comment": "This incident is resolved"
      }
    }
  }'

Success Response

Upon success, the HTTP response code is 200 and the body is {"reply": true}.

reply
    true. The incident update was successful.

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

400
    Bad Request. The request body is not valid JSON.
401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, key ID, or other invalid authentication parameter.
402
    Unauthorized access. The user does not have the required license type to run this API.
403
    Forbidden access. The provided API key does not have the required RBAC permissions to run this API.
500
    Internal server error. A unified status for API communication type errors, including validation failures on the submitted fields. For example: "test@test.com is not a valid Cortex XDR email address."

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
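The following Python client is an added example for this page and is not Palo Alto Networks code. It enforces the rules stated above client-side (allowed keys, the severity and status enumerations, the pretty-name/mail pairing, and null or "" for unassigning and clearing severity), sends the request with the documented headers, and maps both the {"reply": true} success body and the error format to one result shape. The helper names and the transport hook that lets it run offline are assumptions, not part of the API.

```python
"""Client helper for the update_incident endpoint on this page.

Added example, not Palo Alto Networks code. Assumed (not on the page): the
helper names and the `transport` hook that lets the example run offline.
"""
import json
import urllib.error
import urllib.request

ALLOWED_SEVERITY = {"high", "medium", "low"}
ALLOWED_STATUS = {"NEW", "UNDER_INVESTIGATION", "RESOLVED_THREAT_HANDLED",
                  "RESOLVED_KNOWN_ISSUE", "RESOLVED_DUPLICATE",
                  "RESOLVED_FALSE_POSITIVE", "RESOLVED_OTHER"}
ALLOWED_FIELDS = {"assigned_user_mail", "assigned_user_pretty_name",
                  "manual_severity", "status", "resolve_comment"}
# Meanings of the codes under Error Response, used when the body carries no reply object.
HTTP_MEANINGS = {400: "Bad Request: invalid JSON",
                 401: "Unauthorized: bad API key, key ID or other auth parameter",
                 402: "Unauthorized: license does not permit this API",
                 403: "Forbidden: API key lacks the required RBAC permission",
                 500: "Internal server error"}


def build_update_payload(incident_id, update_data):
    """Check update_data against the documented rules and wrap it in request_data.
    Rejecting bad input here keeps malformed requests from ever reaching the tenant."""
    unknown = set(update_data) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown update_data fields: {sorted(unknown)}")
    if not update_data:
        raise ValueError("update_data must contain at least one field")
    if "manual_severity" in update_data:
        sev = update_data["manual_severity"]
        # null or "" clears a manually set severity; anything else must be an enum value
        if sev not in (None, "") and sev not in ALLOWED_SEVERITY:
            raise ValueError(f"manual_severity must be one of {sorted(ALLOWED_SEVERITY)}")
    if "status" in update_data:
        status = update_data["status"]
        # the page lists the values in upper case and its sample request sends lower case
        if not isinstance(status, str) or status.upper() not in ALLOWED_STATUS:
            raise ValueError(f"status must be one of {sorted(ALLOWED_STATUS)}")
    if "assigned_user_pretty_name" in update_data and "assigned_user_mail" not in update_data:
        raise ValueError("assigned_user_pretty_name requires assigned_user_mail in the same request")
    if "assigned_user_mail" in update_data:
        mail = update_data["assigned_user_mail"]
        # null or "" unassigns; otherwise only a shape check, tenant membership is checked server-side
        if mail not in (None, "") and (not isinstance(mail, str) or "@" not in mail):
            raise ValueError(f"assigned_user_mail is not an email address: {mail!r}")
    return {"request_data": {"incident_id": incident_id, "update_data": dict(update_data)}}


def parse_reply(status_code, body_text):
    """Map HTTP status and body to one result shape for both success and error replies."""
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {}
    reply = body.get("reply") if isinstance(body, dict) else None
    if status_code == 200 and reply is True:
        return {"ok": True}
    err = reply if isinstance(reply, dict) else {}
    return {"ok": False, "http_status": status_code,
            "err_code": err.get("err_code", status_code),
            "err_msg": err.get("err_msg", HTTP_MEANINGS.get(status_code, "unexpected response")),
            "err_extra": err.get("err_extra")}


def _urllib_transport(url, headers, body):
    # Returns (status_code, body_text) for 2xx and for 4xx/5xx alike.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", errors="replace")


def update_incident(fqdn, api_key_id, api_key, incident_id, update_data,
                    transport=_urllib_transport):
    """POST the update and return parse_reply()'s result dict."""
    url = f"https://api-{fqdn}/public_api/v1/incidents/update_incident/"
    headers = {"x-xdr-auth-id": str(api_key_id),
               "Authorization": api_key,  # key goes in the header only; keep it out of URLs and logs
               "Content-Type": "application/json"}
    body = json.dumps(build_update_payload(incident_id, update_data)).encode("utf-8")
    status_code, text = transport(url, headers, body)
    return parse_reply(status_code, text)
```

Call update_incident(fqdn, api_key_id, api_key, incident_id, {"assigned_user_mail": None}) to unassign, or pass any subset of the documented fields. The client-side checks only catch what the page documents; the tenant-membership check on assigned_user_mail is still done by Cortex XDR and surfaces as a 500 reply with the error format above.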
