List Incidents
Retrieves all incidents. Note: only incidents created after 01-01-2023 are returned, regardless of the Date From value.
External Documentation
To learn more, visit the Check Point XDR-XPR documentation.
Basic Parameters
Parameter | Description |
---|---|
Date From | The start date of the time frame. Defaults to 7 days ago. |
Date Until | The end date of the time frame. Defaults to today. |
Filter By | The incident field to filter the results by. |
Advanced Parameters
Parameter | Description |
---|---|
Limit | The number of results to return per call. Maximum is 1000. |
Offset | The number of incidents to skip before returning results. Use together with Limit to page through more than 1000 incidents. |
Example Output
{
"summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
"assignee": "12345678-1234-1234-1234-987654321987",
"tenantId": "12345678-1234-1234-1234-123456789012",
"display_id": 1,
"created_at": "2023-01-01T00:00:00.000Z",
"updated_at": "2023-01-01T00:00:00.000Z",
"followUp": true,
"is_prevented": false,
"status": "new",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1111",
"T1112"
],
"sensors": [
"checkpoint_network_security"
],
"indicators": [
{
"type": "ip",
"value": "192.168.1.1"
}
],
"assets": [
{
"type": "host",
"value": "server1"
}
],
"insights": [
{
"detection_time": "2023-01-01T00:00:00.000Z",
"summary": "Server server1 was detected running a suspicious jal.exe command immediately after IPS detected a RCE attack from 194.200.154.221.",
"severity": "informational",
"confidence": "low",
"indicators": [
{
"type": "ip",
"value": "192.168.1.1"
}
],
"assets": [
{
"type": "host",
"value": "server1"
}
]
}
],
"severity": "informational",
"confidence": "low",
"priority": "informational",
"id": "123456789123456789123456",
"firstSeen": "2023-01-01T00:00:00.000Z",
"lastSeen": "2023-01-01T00:00:00.000Z"
}
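As an added example (not code from the Check Point XDR-XPR integration or its documentation), the Python below shows how a workflow would consume this action: it walks the Limit/Offset pagination until a short page comes back, applies the documented defaults (Date From 7 days ago, Date Until today) and the 01-01-2023 floor, and then triages the returned incidents using the fields from the example output above. `fetch_page()` is a hypothetical stand-in for the real action call, the incidents it serves are constructed sample data, and the severity ordering beyond "informational" is an assumption.

```python
"""Page through a List Incidents style action and triage the results.

Added example; it is not part of the Check Point XDR-XPR integration or
its documentation. fetch_page() is a hypothetical stand-in for the real
action call and serves constructed sample incidents shaped like the
documented example output.
"""
from datetime import datetime, timedelta, timezone

MAX_LIMIT = 1000                                     # documented cap on the Limit parameter
EARLIEST = datetime(2023, 1, 1, tzinfo=timezone.utc)  # action never returns incidents created before this

# Assumed ordering: the page only shows "informational"; the other levels are a guess.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_ts(value: str) -> datetime:
    """Parse the documented ISO-8601 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_incident(display_id, created, severity, status, prevented, tactics):
    """Build a constructed incident using the field names from the example output."""
    return {
        "id": f"{display_id:024d}",
        "display_id": display_id,
        "summary": f"constructed incident {display_id}",
        "created_at": created,
        "status": status,
        "is_prevented": prevented,
        "severity": severity,
        "mitre_tactics": tactics,
        "assets": [{"type": "host", "value": f"server{display_id}"}],
    }


# Constructed sample data (not real Check Point output).
SAMPLE_INCIDENTS = [
    make_incident(1, "2023-01-01T00:00:00.000Z", "informational", "new", False, ["TA0001", "TA0002"]),
    make_incident(2, "2023-01-02T12:00:00.000Z", "high", "new", False, ["TA0002"]),
    make_incident(3, "2023-01-03T08:30:00.000Z", "high", "closed", True, ["TA0008"]),
    make_incident(4, "2023-01-04T09:00:00.000Z", "medium", "new", True, ["TA0011"]),
    make_incident(5, "2023-01-05T10:00:00.000Z", "critical", "new", False, ["TA0040"]),
]


def fetch_page(date_from, date_until, limit, offset):
    """Hypothetical stand-in for the action: filter the sample by created_at, then slice by Offset/Limit."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    window = [i for i in SAMPLE_INCIDENTS if date_from <= parse_ts(i["created_at"]) <= date_until]
    return window[offset:offset + limit]


def list_all_incidents(date_from=None, date_until=None, page_size=MAX_LIMIT):
    """Collect every incident in the window by advancing Offset until a page comes back short.

    Dates may be given as ISO strings (as workflow parameters arrive) or as aware datetimes.
    """
    now = datetime.now(timezone.utc)
    if isinstance(date_from, str):
        date_from = parse_ts(date_from)
    if isinstance(date_until, str):
        date_until = parse_ts(date_until)
    date_until = date_until or now                     # documented default: today
    date_from = date_from or now - timedelta(days=7)   # documented default: 7 days ago
    date_from = max(date_from, EARLIEST)               # nothing older is ever returned
    results, offset = [], 0
    while True:
        page = fetch_page(date_from, date_until, page_size, offset)
        results.extend(page)
        if len(page) < page_size:  # short page means we have reached the end
            return results
        offset += page_size


def triage(incidents):
    """Keep incidents that were not prevented and are still 'new', highest severity first."""
    open_ones = [i for i in incidents if i["status"] == "new" and not i["is_prevented"]]
    return sorted(open_ones, key=lambda i: (-SEVERITY_RANK.get(i["severity"], 0), i["display_id"]))


def tactic_counts(incidents):
    """Count how often each MITRE ATT&CK tactic ID appears across the incidents."""
    counts = {}
    for inc in incidents:
        for tactic in inc.get("mitre_tactics", []):
            counts[tactic] = counts.get(tactic, 0) + 1
    return counts


if __name__ == "__main__":
    # A small page size forces several Offset steps over the five sample incidents.
    window = list_all_incidents("2022-12-01T00:00:00.000Z", "2023-01-31T00:00:00.000Z", page_size=2)
    for inc in triage(window):
        print(inc["display_id"], inc["severity"], inc["summary"])
    print(tactic_counts(window))
```

The loop stops on the first page shorter than `page_size`; when the total is an exact multiple of the page size this costs one extra empty request, which is cheaper than trusting a count field the page does not document. Clamping Date From to 2023-01-01 mirrors the note at the top of this page, so a workflow asking for an older window does not silently assume it received older incidents.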
Workflow Library Example
List Incidents with Check Point Xdr Xpr and Send Results Via Email