Viewing a list of incidents

May 15, 2024

ID 269340

GET /xdr/api/v1/incidents

Returns a list of incidents for the specified tenants.

Query parameters

page
    Data type: number
    Mandatory: No
    Description: The page number. Starts with 1. The page size is 100 entries. If the value is not specified or set to a value below 1, the 1 value is used.
    Value example: 1

id
    Data type: string
    Mandatory: No
    Description: The incident id. If multiple values are specified, a list is formed to which the OR logical operator is applied. If no incident with a specified id is found, this id value is ignored. If no id value is specified, all incidents for the specified tenants are returned.
    Value example: 00000000-0000-0000-0000-000000000000

tenantID
    Data type: string
    Mandatory: Yes
    Description: The tenant id. If multiple values are specified, a list is formed to which the OR logical operator is applied. If the user does not have the Read right for any of the specified tenants, the query fails.
    Value example: 00000000-0000-0000-0000-000000000000

name
    Data type: string
    Mandatory: No
    Description: The incident name, in the Perl Compatible Regular Expression (PCRE) format. If no name value is specified, all incidents for the specified tenants are returned.
    Value example: incident, ^My incident$

timestampField
    Data type: string
    Mandatory: No
    Description: The incident data field used to filter the list of incidents. Use the from and to values to specify the time interval.
    Value example: createdAt, updatedAt, statusChangedAt

from
    Data type: string
    Mandatory: No
    Description: The start of the time interval used to filter the list of incidents, in RFC3339 format. Use the timestampField value to specify the incident data field.
    Value example: 2021-09-06T00:00:00Z, 2021-09-06T00:00:00.000Z, 2021-09-06T00:00:00Z+00:00

to
    Data type: string
    Mandatory: No
    Description: The end of the time interval used to filter the list of incidents, in RFC3339 format. Use the timestampField value to specify the incident data field.
    Value example: 2021-09-06T00:00:00Z, 2021-09-06T00:00:00.000Z, 2021-09-06T00:00:00Z+00:00

status
    Data type: string
    Mandatory: No
    Description: The incident status. If multiple values are specified, a list is formed to which the OR logical operator is applied.
    Value example: new, inProgress, hold, closed

withAffected
    Data type: bool
    Mandatory: No
    Description: Specifies whether to include detailed data about assets and accounts related to the alerts.
    Value example: /xdr/api/v1/incidents?withAffected, /xdr/api/v1/incidents?withAffected=123

withHistory
    Data type: bool
    Mandatory: No
    Description: Specifies whether to include data about changes made to the incidents.
    Value example: /xdr/api/v1/incidents?withHistory, /xdr/api/v1/incidents?withHistory=123

Response

HTTP code: 200

Format: JSON

Example:

{
  "Total": 0,
  "Incidents": [
    {
      "ID": 0,
      "InternalID": "881dee1f-380d-4366-a2d8-094e0af4c3f6",
      "TenantID": "string",
      "Name": "string",
      "Assets": [
        {
          "Data": {},
          "ID": "string",
          "IsAttacker": true,
          "IsVictim": true,
          "KSCServer": "string",
          "Name": "string",
          "Type": "host",
          "HostInfo": {
            "ID": "string",
            "TenantID": "string",
            "DisplayName": "string",
            "AssetSource": "string",
            "CreatedAt": 0,
            "IsDeleted": true,
            "IpAddress": [
              "string"
            ],
            "Fqdn": [
              "string"
            ],
            "MacAddress": [
              "string"
            ],
            "DirectCategories": [
              "string"
            ],
            "Weight": "low",
            "CiiCategory": "notCII",
            "OS": "string",
            "OSVersion": "string",
            "Sources": [
              "ksc"
            ],
            "LastVisible": 0,
            "Products": [
              {
                "ProductVersion": "string",
                "ProductName": "string"
              }
            ],
            "KSC": {
              "GroupID": 0,
              "GroupName": "string",
              "StatusMask": [
                0
              ],
              "StatusID": 0,
              "RtProtectionState": 0,
              "EncryptionState": 0,
              "AntiSpamStatus": 0,
              "EmailAvStatus": 0,
              "DlpStatus": 0,
              "EdrStatus": 0,
              "LastAvBasesUpdate": 0,
              "LastInfoUpdate": 0,
              "LastUpdate": 0,
              "LastSystemStart": 0,
              "VirtualServerID": 0
            },
            "KICS": {
              "status": "string",
              "risks": [
                {
                  "ID": 0,
                  "Name": "string",
                  "Category": "string",
                  "Description": "string",
                  "DescriptionURL": "string",
                  "Severity": 0,
                  "Cvss": 0
                }
              ],
              "serverIP": "string",
              "connectorID": 0,
              "deviceID": 0,
              "hardware": {
                "Model": "string",
                "Version": "string",
                "Vendor": "string"
              },
              "software": {
                "Model": "string",
                "Version": "string",
                "Vendor": "string"
              }
            }
          },
          "UserInfo": {
            "osmpId": "string",
            "tenantID": "string",
            "tenantName": "string",
            "domain": "string",
            "cn": "string",
            "displayName": "string",
            "distinguishedName": "string",
            "mail": "string",
            "mailNickname": "string",
            "mobile": "string",
            "objectSID": "string",
            "samAccountName": "string",
            "samAccountType": "string",
            "telephoneNumber": "string",
            "userPrincipalName": "string",
            "isArchived": true,
            "memberOf": [
              "string"
            ],
            "title": "string",
            "division": "string",
            "department": "string",
            "manager": "string",
            "location": "string",
            "company": "string",
            "streetAddress": "string",
            "physicalDeliveryOfficeName": "string",
            "managedObjects": [
              "string"
            ],
            "userAccountControl": "string",
            "whenCreated": 0,
            "whenChanged": 0,
            "accountExpires": 0,
            "badPasswordTime": 0
          }
        }
      ],
      "AlertIDs": [
        "string"
      ],
      "Assignee": {
        "ID": "string",
        "Name": "string"
      },
      "CreatedAt": "2024-01-16T09:56:29.939Z",
      "DetectionTechnologies": [
        "string"
      ],
      "FirstEventTime": "2024-01-16T09:56:29.939Z",
      "LastEventTime": "2024-01-16T09:56:29.939Z",
      "MITRETactics": [
        {
          "ID": "string"
        }
      ],
      "MITRETechniques": [
        {
          "ID": "string"
        }
      ],
      "Observables": [
        {
          "Details": "string",
          "Type": "ip",
          "Value": "string"
        }
      ],
      "Rules": [
        {
          "Confidence": "high",
          "Custom": true,
          "ID": "string",
          "Name": "string",
          "Severity": "critical",
          "Type": "string"
        }
      ],
      "Severity": "critical",
      "ExternalRef": "string",
      "Status": "open",
      "StatusChangedAt": "2024-01-16T09:56:29.939Z",
      "StatusResolution": "truePositive",
      "UpdatedAt": "2024-01-16T09:56:29.939Z",
      "Description": "string",
      "SignOfCreation": "auto",
      "Priority": "low",
      "HistoryRecords": [
        {
          "entityID": "string",
          "entityKind": "Alert",
          "tenantID": "string",
          "type": "alertAssigned",
          "createdAt": "2024-03-12T11:11:58.864Z",
          "params": {}
        }
      ]
    }
  ]
}

Possible errors

HTTP code 400
    Description: The timestampField value is invalid.
    message field value: invalid timestamp field
    details field value: (empty)

HTTP code 400
    Description: The from value is invalid.
    message field value: cannot parse from
    details field value: variable

HTTP code 400
    Description: The to value is invalid.
    message field value: cannot parse to
    details field value: variable

HTTP code 400
    Description: The id value is not in the UUID format.
    message field value: (empty)
    details field value: (empty)

HTTP code 403
    Description: The user does not have the required right in the Alerts and incidents functional area in any of the specified tenants.
    message field value: access denied
    details field value: (empty)

HTTP code 500
    Description: Any other internal errors.
    message field value: variable
    details field value: variable
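As an added example that is not part of the Kaspersky documentation or product: a small Python client that builds the query from the parameters above, walks the 100-entry pages until Total is reached, and surfaces the message and details fields of the error responses. The base URL, the repeated-key encoding of multi-valued filters, and the fake_fetch stand-in for the HTTP call are assumptions.

```python
import urllib.parse as up
PAGE_SIZE = 100  # documented: each page holds 100 entries
TIMESTAMP_FIELDS = ("createdAt", "updatedAt", "statusChangedAt")

class IncidentApiError(Exception):
    def __init__(self, code, message, details=""):
        super().__init__(f"{code}: {message} {details}".strip())
        self.code, self.message, self.details = code, message, details

def build_incidents_url(base, tenant_ids, page=1, statuses=(), timestamp_field=None,
                        time_from=None, time_to=None, with_affected=False):
    # Multi-valued filters are sent as repeated keys (assumption; the page only says they are OR-ed).
    if not tenant_ids:
        raise ValueError("tenantID is mandatory")
    if (time_from or time_to) and timestamp_field not in TIMESTAMP_FIELDS:
        raise ValueError("from/to require timestampField to be one of %s" % (TIMESTAMP_FIELDS,))
    params = [("page", max(int(page), 1))]  # the server treats values below 1 as 1
    params += [("tenantID", t) for t in tenant_ids] + [("status", s) for s in statuses]
    if timestamp_field:
        params.append(("timestampField", timestamp_field))
    params += [(k, v) for k, v in (("from", time_from), ("to", time_to)) if v]  # RFC3339 strings
    if with_affected:
        params.append(("withAffected", "1"))  # any value (even none) enables the flag
    return base + "/xdr/api/v1/incidents?" + up.urlencode(params)

def iter_incidents(fetch, base, tenant_ids, **filters):
    # Walks every page; fetch(url) returns (http_code, parsed JSON body).
    page, seen = 1, 0
    while True:
        code, body = fetch(build_incidents_url(base, tenant_ids, page=page, **filters))
        if code != 200:  # e.g. 403 "access denied" when a tenant lacks the Read right
            raise IncidentApiError(code, body.get("message", ""), body.get("details", ""))
        batch = body.get("Incidents") or []
        yield from batch
        seen += len(batch)
        if not batch or seen >= body.get("Total", 0):
            return
        page += 1

def fake_fetch(url):
    # Constructed offline stand-in for the HTTP call: 150 incidents over two pages, plus the documented 403.
    q = up.parse_qs(up.urlsplit(url).query)
    if "t-denied" in q.get("tenantID", []):
        return 403, {"message": "access denied", "details": ""}
    page = int(q["page"][0])
    lo, hi = (page - 1) * PAGE_SIZE, min(page * PAGE_SIZE, 150)
    return 200, {"Total": 150, "Incidents": [{"ID": i, "Status": "new"} for i in range(lo, hi)]}

def count_incidents(tenant_ids):
    # Example use: count the 'new' incidents for the tenants across all pages.
    return sum(1 for _ in iter_incidents(fake_fetch, "https://xdr.example", tenant_ids, statuses=["new"]))
```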
