Retrieve an incident by its incident ID or display ID.

External Documentation

To learn more, visit the Check Point XDR-XPR documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Incident ID | The incident ID or display ID of the incident to retrieve. |

Example Output

{
	"summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
	"assignee": "12345678-1234-1234-1234-987654321987",
	"tenantId": "12345678-1234-1234-1234-123456789012",
	"display_id": 1,
	"created_at": "2023-01-01T00:00:00.000Z",
	"updated_at": "2023-01-01T00:00:00.000Z",
	"followUp": true,
	"is_prevented": false,
	"status": "new",
	"mitre_tactics": [
		"TA0001",
		"TA0002"
	],
	"mitre_techniques": [
		"T1111",
		"T1112"
	],
	"sensors": [
		"checkpoint_network_security"
	],
	"indicators": [
		{
			"type": "ip",
			"value": "192.168.1.1"
		}
	],
	"assets": [
		{
			"type": "host",
			"value": "server1"
		}
	],
	"insights": [
		{
			"detection_time": "2023-01-01T00:00:00.000Z",
			"summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
			"severity": "informational",
			"confidence": "low",
			"indicators": [
				{
					"type": "ip",
					"value": "192.168.1.1"
				}
			],
			"assets": [
				{
					"type": "host",
					"value": "server1"
				}
			]
		}
	],
	"severity": "informational",
	"confidence": "low",
	"priority": "informational",
	"id": "123456789123456789123456",
	"firstSeen": "2023-01-01T00:00:00.000Z",
	"lastSeen": "2023-01-01T00:00:00.000Z"
}
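The following is an added example, not part of the Check Point or workflow documentation: it reduces an incident shaped like the output above to a triage record, merging the indicators and assets that are repeated at the top level and inside each insight. The severity ordering and the `needs_review` rule are assumptions made for illustration, and the sample input is a constructed, trimmed copy of the example output.

```python
import json
from datetime import datetime

# Constructed sample: a trimmed copy of the example output shown above.
SAMPLE = json.loads("""{
  "display_id": 1, "status": "new", "is_prevented": false, "severity": "informational",
  "mitre_techniques": ["T1111", "T1112"],
  "indicators": [{"type": "ip", "value": "192.168.1.1"}],
  "assets": [{"type": "host", "value": "server1"}],
  "insights": [{"severity": "informational",
                "indicators": [{"type": "ip", "value": "192.168.1.1"}],
                "assets": [{"type": "host", "value": "server1"}]}],
  "firstSeen": "2023-01-01T00:00:00.000Z", "lastSeen": "2023-01-01T00:00:00.000Z"
}""")

# Assumed ordering; the example output only shows the value "informational".
SEVERITY_RANK = ["informational", "low", "medium", "high", "critical"]

def parse_ts(value):
    # Timestamps in the example are ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def collect(incident, key):
    """Merge `key` entries from the incident and every insight, de-duplicated."""
    seen, merged = set(), []
    for source in [incident, *incident.get("insights", [])]:
        for item in source.get(key, []):
            pair = (item.get("type"), item.get("value"))
            if pair not in seen:
                seen.add(pair)
                merged.append(pair)
    return merged

def triage(incident):
    """Build a flat triage record; missing fields yield None or empty lists."""
    insights = incident.get("insights", [])
    severities = [incident.get("severity")] + [i.get("severity") for i in insights]
    known = [s for s in severities if s in SEVERITY_RANK]
    span = None
    if incident.get("firstSeen") and incident.get("lastSeen"):
        span = (parse_ts(incident["lastSeen"]) - parse_ts(incident["firstSeen"])).total_seconds()
    return {
        "display_id": incident.get("display_id"),
        "max_severity": max(known, key=SEVERITY_RANK.index) if known else None,
        # Hypothetical rule: untouched incidents that were not prevented need review.
        "needs_review": incident.get("status") == "new" and not incident.get("is_prevented", False),
        "indicators": collect(incident, "indicators"),
        "assets": collect(incident, "assets"),
        "techniques": sorted(set(incident.get("mitre_techniques", []))),
        "activity_seconds": span,
    }
```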

Workflow Library Example

Get Incident with Check Point Xdr Xpr and Send Results Via Email
