Get All Incidents

Get a list of all incidents.

External Documentation

To learn more, visit the Cortex XDR documentation.

Parameters

Parameter: Filters
    An array of filter objects. Each object has a field, an operator and a value; for the supported fields and operators, refer to the Cortex XDR documentation. For example, to restrict the query to specific incidents:

    [
      {
        "field": "incident_id_list",
        "operator": "in",
        "value": [
          "<incident ID>",
          "<incident ID>"
        ]
      }
    ]

Parameter: Sort Field
    Sort the results by this field. Note: this parameter MUST be used together with the Sort Order parameter.

Parameter: Sort Order
    Sort the results by the field given in Sort Field, in this order. Note: this parameter MUST be used together with the Sort Field parameter.

Example Output

{
  "reply": {
    "total_count": 1,
    "result_count": 1,
    "incidents": [
      {
        "incident_id": "<incident ID>",
        "incident_name": "test",
        "creation_time": 1577024425126,
        "modification_time": 1577024425126,
        "detection_time": null,
        "status": "resolved_known_issue",
        "severity": "medium",
        "description": "Memory Corruption Exploit generated by XDR Agent",
        "assigned_user_mail": null,
        "assigned_user_pretty_name": null,
        "alert_count": 1,
        "low_severity_alert_count": 0,
        "med_severity_alert_count": 1,
        "high_severity_alert_count": 0,
        "critical_severity_alert_count": 0,
        "user_count": 1,
        "host_count": 1,
        "notes": null,
        "resolve_comment": null,
        "resolved_timestamp": 1577024425126,
        "manual_severity": null,
        "manual_description": "Memory Corruption Exploit generated by XDR Agent",
        "xdr_url": "https://<link to incident>",
        "starred": false,
        "hosts": [
          "<host ID>"
        ],
        "users": [
          "test_1",
          "test_2"
        ],
        "incident_sources": [
          "XDR Agent",
          "XDR BIOC"
        ],
        "rule_based_score": 342,
        "manual_score": null,
        "wildfire_hits": 0,
        "alerts_grouping_status": "Enabled",
        "mitre_tactics_ids_and_names": [
          "TA0004 - Privilege Escalation",
          "TA0005 - Defense Evasion",
          "TA0006 - Credential Access"
        ],
        "mitre_techniques_ids_and_names": [
          "T1001.001 - Data Obfuscation: Junk Data",
          "T1001.002 - Data Obfuscation: Steganography",
          "T1001.003 - Data Obfuscation: Protocol Impersonation"
        ],
        "alert_categories": [
          "Credential Access",
          "Exploit",
          "Spyware Detected via Anti-Spyware profile"
        ],
        "original_tags": [
          "DS:PANW/NGFW",
          "EG:acme-2",
          "EG:Acme group",
          "DS:PANW/XDR Agent"
        ],
        "tags": [
          "EG:Acme group",
          "DS:PANW/NGFW",
          "DS:PANW/XDR Agent",
          "EG:acme-2"
        ],
        "starred_manually": true
      }
    ],
    "restricted_incident_ids": []
  }
}
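
The following Python is an added example covering both the Parameters section and the Example Output above; it is not Blink's or Palo Alto Networks' code. It builds the filter and sort part of a Get All Incidents request, rejecting a Sort Field without a Sort Order (and vice versa) before anything is sent, and reduces a reply shaped like the example output to the fields an analyst acts on. The request envelope ("request_data", the search_from/search_to paging keys and the {"field", "keyword"} sort object) is assumed from the public Cortex XDR API and is not shown on this page; the only filter field used, incident_id_list, comes from the page's own example; SAMPLE_REPLY is constructed from the example output, trimmed to the keys the code reads.

```python
"""Build a Cortex XDR "Get All Incidents" request body and triage the reply.

Added example for this page, not Blink's or Palo Alto Networks' code.
Assumptions not stated on the page: the {"request_data": {...}} envelope,
the search_from/search_to paging keys and the {"field", "keyword"} sort
object follow the public Cortex XDR API. SAMPLE_REPLY is constructed from
the page's example output.
"""
import json

VALID_SORT_ORDERS = {"asc", "desc"}
FILTER_KEYS = {"field", "operator", "value"}


def build_request(filters=None, sort_field=None, sort_order=None,
                  search_from=0, search_to=100):
    """Return the request body, enforcing the page's rule that Sort Field
    and Sort Order are only valid together, and that every filter object
    has exactly the field/operator/value keys."""
    if (sort_field is None) != (sort_order is None):
        raise ValueError("sort_field and sort_order must be supplied together")
    filters = list(filters or [])
    for f in filters:
        if set(f) != FILTER_KEYS:
            raise ValueError(f"malformed filter object: {f!r}")
    body = {"filters": filters, "search_from": search_from, "search_to": search_to}
    if sort_field is not None:
        if sort_order not in VALID_SORT_ORDERS:
            raise ValueError(f"sort_order must be one of {sorted(VALID_SORT_ORDERS)}")
        body["sort"] = {"field": sort_field, "keyword": sort_order}  # assumed shape
    return {"request_data": body}  # assumed envelope


def incident_id_filter(incident_ids):
    """Filter object restricting the query to explicit incident IDs (page example)."""
    return {"field": "incident_id_list", "operator": "in",
            "value": [str(i) for i in incident_ids]}


def triage(reply):
    """Reduce a Get All Incidents reply to what an analyst acts on.

    Assumptions: an analyst-set manual_severity overrides severity, and a
    closed incident has a status starting with "resolved" (the page's
    example shows "resolved_known_issue")."""
    r = reply["reply"]
    rows = []
    for inc in r["incidents"]:
        rows.append({
            "incident_id": inc["incident_id"],
            "severity": inc.get("manual_severity") or inc["severity"],
            "open": not inc["status"].startswith("resolved"),
            "unassigned": inc.get("assigned_user_mail") is None,
            "alerts": inc["alert_count"],
            "hosts": len(inc.get("hosts") or []),
            # keep only the tactic IDs ("TA0004 - Privilege Escalation" -> "TA0004")
            "tactics": [t.split(" - ", 1)[0]
                        for t in inc.get("mitre_tactics_ids_and_names") or []],
        })
    return {
        "total_count": r["total_count"],
        "returned": r["result_count"],
        # incidents the calling key's role may not view: a non-zero count means
        # any summary built from this reply is incomplete
        "restricted": len(r.get("restricted_incident_ids") or []),
        "incidents": rows,
    }


# Constructed from the page's example output, trimmed to the keys triage reads.
SAMPLE_REPLY = {"reply": {"total_count": 1, "result_count": 1, "incidents": [{
    "incident_id": "<incident ID>", "status": "resolved_known_issue",
    "severity": "medium", "manual_severity": None, "assigned_user_mail": None,
    "alert_count": 1, "hosts": ["<host ID>"],
    "mitre_tactics_ids_and_names": ["TA0004 - Privilege Escalation",
                                    "TA0005 - Defense Evasion",
                                    "TA0006 - Credential Access"],
}], "restricted_incident_ids": []}}


if __name__ == "__main__":
    req = build_request([incident_id_filter(["<incident ID>", "<incident ID>"])],
                        "creation_time", "desc")
    print(json.dumps(req, indent=2))
    print(json.dumps(triage(SAMPLE_REPLY), indent=2))
```

Validating the sort pair locally saves a round trip and a confusing API error inside a workflow; the restricted count is worth surfacing because a reply can look complete (total_count equals result_count) while incidents outside the key's role scope are silently withheld.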

Workflow Library Example

Get All Incidents with Cortex Xdr and Send Results Via Email