Get Incident
Retrieve a single incident by its incident ID or its display ID.
External Documentation
To learn more, visit the Check Point XDR-XPR documentation.
Parameters
| Parameter | Description |
| --- | --- |
| Incident ID | The incident ID or display ID of the incident to retrieve. |
Example Output
{
  "summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
  "assignee": "12345678-1234-1234-1234-987654321987",
  "tenantId": "12345678-1234-1234-1234-123456789012",
  "display_id": 1,
  "created_at": "2023-01-01T00:00:00.000Z",
  "updated_at": "2023-01-01T00:00:00.000Z",
  "followUp": true,
  "is_prevented": false,
  "status": "new",
  "mitre_tactics": [
    "TA0001",
    "TA0002"
  ],
  "mitre_techniques": [
    "T1111",
    "T1112"
  ],
  "sensors": [
    "checkpoint_network_security"
  ],
  "indicators": [
    {
      "type": "ip",
      "value": "192.168.1.1"
    }
  ],
  "assets": [
    {
      "type": "host",
      "value": "server1"
    }
  ],
  "insights": [
    {
      "detection_time": "2023-01-01T00:00:00.000Z",
      "summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
      "severity": "informational",
      "confidence": "low",
      "indicators": [
        {
          "type": "ip",
          "value": "192.168.1.1"
        }
      ],
      "assets": [
        {
          "type": "host",
          "value": "server1"
        }
      ]
    }
  ],
  "severity": "informational",
  "confidence": "low",
  "priority": "informational",
  "id": "123456789123456789123456",
  "firstSeen": "2023-01-01T00:00:00.000Z",
  "lastSeen": "2023-01-01T00:00:00.000Z"
}
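The response above carries the same observables twice (once at the top level and once inside each insight) and spreads the fields a responder cares about across several keys. The following Python is an added example, not part of the Check Point XDR-XPR documentation or its integration code: it normalizes an incident record like the one shown into a compact triage summary suitable for a downstream step such as an email notification. The severity ordering (`SEVERITY_ORDER`) is an assumption, since the page only shows the value `informational`; the function names are illustrative, and the sample record is constructed from the example output above.

```python
"""Normalize a Check Point XDR-XPR "Get Incident" response into a triage summary.

Added example; not the vendor's code. Field names follow the example output on
the page; the severity ranking below is an assumption, not a documented scale.
"""
from datetime import datetime

# Assumed ranking from least to most severe (only "informational" appears on the page).
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample mirroring the page's example output (trimmed to the fields used here).
SAMPLE_INCIDENT = {
    "summary": "Server server1 was detected running a suspicious jal.exe command "
               "immediately after IPS detected a RCE attack from 194.200.154.221.",
    "display_id": 1,
    "id": "123456789123456789123456",
    "status": "new",
    "followUp": True,
    "is_prevented": False,
    "severity": "informational",
    "confidence": "low",
    "priority": "informational",
    "mitre_tactics": ["TA0001", "TA0002"],
    "mitre_techniques": ["T1111", "T1112"],
    "sensors": ["checkpoint_network_security"],
    "indicators": [{"type": "ip", "value": "192.168.1.1"}],
    "assets": [{"type": "host", "value": "server1"}],
    "insights": [
        {
            "detection_time": "2023-01-01T00:00:00.000Z",
            "severity": "informational",
            "confidence": "low",
            "indicators": [{"type": "ip", "value": "192.168.1.1"}],
            "assets": [{"type": "host", "value": "server1"}],
        }
    ],
    "firstSeen": "2023-01-01T00:00:00.000Z",
    "lastSeen": "2023-01-01T00:00:00.000Z",
}


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the response into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def collect_observables(incident: dict, key: str) -> list:
    """Merge top-level and per-insight 'indicators' or 'assets', deduplicated, order kept."""
    groups = [incident.get(key, [])]
    groups += [insight.get(key, []) for insight in incident.get("insights", [])]
    merged = []
    for group in groups:
        for item in group:
            pair = (item["type"], item["value"])
            if pair not in merged:
                merged.append(pair)
    return merged


def max_severity(incident: dict) -> str:
    """Highest severity seen across the incident and all of its insights."""
    levels = [incident.get("severity", "informational")]
    levels += [i.get("severity", "informational") for i in incident.get("insights", [])]
    # Unknown labels rank below everything known rather than raising.
    return max(levels, key=lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else -1)


def triage_summary(incident: dict) -> dict:
    """Flatten the record into the handful of fields a responder triages on."""
    first = parse_timestamp(incident["firstSeen"])
    last = parse_timestamp(incident["lastSeen"])
    return {
        "display_id": incident["display_id"],
        "id": incident["id"],
        "status": incident["status"],
        "prevented": bool(incident.get("is_prevented", False)),
        # Open follow-up only matters while nothing has blocked the activity.
        "needs_follow_up": bool(incident.get("followUp")) and not incident.get("is_prevented"),
        "max_severity": max_severity(incident),
        "mitre": incident.get("mitre_tactics", []) + incident.get("mitre_techniques", []),
        "indicators": collect_observables(incident, "indicators"),
        "assets": collect_observables(incident, "assets"),
        "insight_count": len(incident.get("insights", [])),
        "span_seconds": (last - first).total_seconds(),
        "summary": incident.get("summary", ""),
    }


def render_email_body(summary: dict) -> str:
    """Plain-text body for a notification step, one line per triage field."""
    lines = [
        f"Incident #{summary['display_id']} ({summary['id']}) status={summary['status']}",
        f"Max severity: {summary['max_severity']}  prevented={summary['prevented']}",
        f"Needs follow-up: {summary['needs_follow_up']}",
        "MITRE: " + ", ".join(summary["mitre"]),
        "Indicators: " + ", ".join(f"{t}={v}" for t, v in summary["indicators"]),
        "Assets: " + ", ".join(f"{t}={v}" for t, v in summary["assets"]),
        f"Insights: {summary['insight_count']}  activity span: {summary['span_seconds']:.0f}s",
        summary["summary"],
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_email_body(triage_summary(SAMPLE_INCIDENT)))
```

Because `max_severity` looks at every insight rather than only the top-level `severity`, a single high-severity insight attached to an otherwise informational incident still surfaces in the summary; the deduplication in `collect_observables` keeps the notification from listing the same host or IP once per insight.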
Workflow Library Example
Get Incident with Check Point Xdr Xpr and Send Results Via Email