# New Incident

Triggers a workflow on every new incident that matches the filter.

**Endpoint**: `/public_api/v1/incidents/get_incidents`

<Note>
  Workflows with this trigger check for new events **every 5 minutes by default**. You can adjust this interval in the Trigger settings.
</Note>

## Parameters

<div className="integrations-table">
  | Parameter | Description |
  | --------- | ----------- |
  | Filters   | A comma-separated list of filter objects. For further information on `filter objects`, please refer to the [Cortex XDR Documentation](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/a61eadc13dd54-get-all-incidents).<br /><br />For example:<br /><pre><code>\{<br />  "field": "incident\_id\_list",<br />  "operator": "in",<br />  "value": \[<br />    "incident\_id",<br />    "incident\_id"<br />  ]<br />}<br />,<br />\{<br />  "field": "description",<br />  "operator": "contains",<br />  "value": "memory"<br />}</code></pre><br />**Note**: You don't need to wrap the list with `[]`. |
</div>
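
The following is an added example, not code from Blink or Palo Alto Networks. It checks a Filters value before it is saved in the trigger: it parses the comma-separated objects as one JSON list, rejects a value that was already wrapped in `[]`, and validates each filter object. The function names, the `request_data` envelope, and the rule that `in` takes a list value are assumptions based on the example above and the Cortex XDR API.

```python
import json

REQUIRED_KEYS = {"field", "operator", "value"}


class FilterError(ValueError):
    """Raised when the Filters value would not form a valid filter list."""


def parse_filters(text):
    """Parse the Filters value: comma-separated JSON objects, no outer []."""
    text = text.strip()
    if not text:
        return []  # no filters configured
    try:
        parsed = json.loads("[" + text + "]")
    except json.JSONDecodeError as exc:
        raise FilterError(f"not a comma-separated list of JSON objects: {exc.msg}") from exc
    filters = []
    for i, item in enumerate(parsed):
        if isinstance(item, list):
            # The user wrapped the list themselves, producing [[...]].
            raise FilterError("filters are already wrapped in []; remove the brackets")
        if not isinstance(item, dict):
            raise FilterError(f"filter {i} is not an object")
        if set(item) != REQUIRED_KEYS:
            raise FilterError(f"filter {i} must have exactly the keys {sorted(REQUIRED_KEYS)}")
        # Assumption: "in" takes a list, as in the example on this page.
        if item["operator"] == "in" and not isinstance(item["value"], list):
            raise FilterError(f"filter {i}: operator 'in' needs a list value")
        filters.append(item)
    return filters


def build_request(text):
    """Build a request body (assumed Cortex XDR 'request_data' envelope)."""
    return {"request_data": {"filters": parse_filters(text)}}


# Constructed input: the example from the Parameters table, unwrapped.
SAMPLE = """
{"field": "incident_id_list", "operator": "in",
 "value": ["incident_id", "incident_id"]},
{"field": "description", "operator": "contains", "value": "memory"}
"""

if __name__ == "__main__":
    print(json.dumps(build_request(SAMPLE), indent=2))
```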

## Sample Event

```json theme={"dark"}
{
	"incident_id": "<incident ID>",
	"incident_name": "test",
	"creation_time": 1577024425126,
	"modification_time": 1577024425126,
	"detection_time": null,
	"status": "resolved_known_issue",
	"severity": "medium",
	"description": "Memory Corruption Exploit generated by XDR Agent",
	"assigned_user_mail": null,
	"assigned_user_pretty_name": null,
	"alert_count": 1,
	"low_severity_alert_count": 0,
	"med_severity_alert_count": 1,
	"high_severity_alert_count": 0,
	"critical_severity_alert_count": 0,
	"user_count": 1,
	"host_count": 1,
	"notes": null,
	"resolve_comment": null,
	"resolved_timestamp": 1577024425126,
	"manual_severity": null,
	"manual_description": "Memory Corruption Exploit generated by XDR Agent",
	"xdr_url": "https://<link to incident>",
	"starred": false,
	"hosts": [
		"<host ID>"
	],
	"users": [
		"test_1",
		"test_2"
	],
	"incident_sources": [
		"XDR Agent",
		"XDR BIOC"
	],
	"rule_based_score": 342,
	"manual_score": null,
	"wildfire_hits": 0,
	"alerts_grouping_status": "Enabled",
	"mitre_tactics_ids_and_names": [
		"TA0004 - Privilege Escalation",
		"TA0005 - Defense Evasion",
		"TA0006 - Credential Access"
	],
	"mitre_techniques_ids_and_names": [
		"T1001.001 - Data Obfuscation: Junk Data",
		"T1001.002 - Data Obfuscation: Steganography",
		"T1001.003 - Data Obfuscation: Protocol Impersonation"
	],
	"alert_categories": [
		"Credential Access",
		"Exploit",
		"Spyware Detected via Anti-Spyware profile"
	],
	"original_tags": [
		"DS:PANW/NGFW",
		"EG:acme-2",
		"EG:Acme group",
		"DS:PANW/XDR Agent"
	],
	"tags": [
		"EG:Acme group",
		"DS:PANW/NGFW",
		"DS:PANW/XDR Agent",
		"EG:acme-2"
	],
	"starred_manually": true
}
```
