Get incident data, including the alerts related to the incident. Required license for running this action: Cortex Xpanse Expander. Note: this API is rate-limited to 10 requests per minute, so workflows that fetch many incidents in a loop should throttle their calls and handle rate-limit responses rather than retrying immediately. The response includes asset identifiers (IP addresses, domain names, certificate details, hosts), so treat the output as sensitive when forwarding it to other systems.

External Documentation

To learn more, visit the Cortex Xpanse documentation.

Parameters

Parameter — Description
Alerts Limit — Limits the number of alerts returned for the incident. Defaults to 1000. If the incident has more alerts than this limit, the returned alert list is truncated; compare the incident's alert_count with the number of alerts actually returned before treating the list as complete.
Incident ID — The ID of the incident. Can be obtained from the List Incidents action.

Example Output

{
	"reply": {
		"incident": {
			"incident_id": "string",
			"is_blocked": true,
			"incident_name": "string",
			"creation_time": 0,
			"modification_time": 0,
			"detection_time": 0,
			"status": "string",
			"severity": "string",
			"description": "string",
			"assigned_user_mail": "string",
			"assigned_user_pretty_name": "string",
			"alert_count": 0,
			"low_severity_alert_count": 0,
			"med_severity_alert_count": 0,
			"high_severity_alert_count": 0,
			"critical_severity_alert_count": 0,
			"user_count": 0,
			"host_count": 0,
			"notes": "string",
			"resolve_comment": "string",
			"resolved_timestamp": 0,
			"manual_severity": "string",
			"manual_description": "string",
			"xdr_url": "string",
			"starred": true,
			"starred_manually": true,
			"hosts": [
				"string"
			],
			"incident_sources": [
				"string"
			],
			"rule_based_score": 0,
			"manual_score": 0,
			"aggregated_score": 0,
			"alerts_grouping_status": "string",
			"alert_categories": [
				"string"
			],
			"original_tags": [
				"string"
			],
			"tags": [
				"string"
			],
			"xpanse_risk_score": 0,
			"xpanse_risk_explainer": {
				"cves": [
					{
						"cveId": "string",
						"cvssScore": 0,
						"epssScore": 0,
						"matchType": "string",
						"exploitMaturity": "string",
						"reportedExploitInTheWild": true,
						"mostRecentReportedExploitDate": "string",
						"confidence": "string",
						"additionalProp1": {}
					}
				],
				"riskFactors": [
					{
						"attributeId": "string",
						"attributeName": "string",
						"issueTypes": [
							{
								"displayName": "string",
								"issueTypeId": "string",
								"additionalProp1": {}
							}
						],
						"additionalProp1": {}
					}
				],
				"versionMatched": true,
				"additionalProp1": {}
			},
			"cloud_management_status": "string",
			"integration_source": "string",
			"ipv4_addresses": [
				"string"
			],
			"ipv6_addresses": [
				"string"
			],
			"domain_names": [
				"string"
			],
			"port_number": 0,
			"asset_ids": [
				"3fa85f64-5717-4562-b3fc-2c963f66afa6"
			],
			"ip_range_ids": [
				"string"
			],
			"website_ids": [
				"string"
			],
			"service_ids": [
				"string"
			],
			"last_observed": 0,
			"cloud_providers": [
				"string"
			],
			"country_codes": [
				"string"
			],
			"certificate_common_names": [
				"string"
			],
			"certificate_issuers": [
				"string"
			],
			"additionalProp1": {}
		},
		"alerts": {
			"total_count": 0,
			"data": [
				{
					"category": "string",
					"project": "string",
					"cloud_provider": "string",
					"resource_sub_type": "string",
					"resource_type": "string",
					"action_country": "string",
					"event_type": "string",
					"is_whitelisted": true,
					"mac": "string",
					"image_name": "string",
					"action_local_ip": "string",
					"action_local_port": "string",
					"action_external_hostname": "string",
					"action_remote_ip": [
						"string"
					],
					"action_remote_port": 0,
					"matching_service_rule_id": "string",
					"starred": true,
					"external_id": "string",
					"severity": "string",
					"matching_status": "string",
					"end_match_attempt_ts": "string",
					"local_insert_ts": 0,
					"last_modified_ts": 0,
					"case_id": 0,
					"deduplicate_tokens": "string",
					"filter_rule_id": "string",
					"event_id": "string",
					"event_timestamp": 0,
					"action_local_ip_v6": "string",
					"action_remote_ip_v6": "string",
					"alert_type": "string",
					"resolution_status": "string",
					"resolution_comment": "string",
					"dynamic_fields": "string",
					"tags": "string",
					"malicious_urls": "string",
					"asm_alert_categories": "string",
					"last_observed": 0,
					"country_codes": "string",
					"cloud_providers": "string",
					"ipv4_addresses": "string",
					"ipv6_addresses": "string",
					"domain_names": "string",
					"service_ids": "string",
					"website_ids": "string",
					"asset_ids": "string",
					"certificate": {
						"issuerName": "string",
						"subjectName": "string",
						"validNotBefore": 0,
						"validNotAfter": 0,
						"serialNumber": "string",
						"additionalProp1": {}
					},
					"port_protocol": "string",
					"port_number": 0,
					"business_unit_hierarchies": [
						{
							"creation_time": 0,
							"family": "string",
							"family_alias": "string",
							"id": "string",
							"is_active": 0,
							"name": "string",
							"parent_id": "string",
							"update_time": 0,
							"additionalProp1": {}
						}
					],
					"attack_surface_rule_name": "string",
					"remediation_guidance": "string",
					"attack_surface_rule_id": "string",
					"asset_identifiers": {
						"domain": "string",
						"certificate": {
							"issuerName": "string",
							"subjectName": "string",
							"validNotBefore": 0,
							"validNotAfter": 0,
							"serialNumber": "string",
							"additionalProp1": {}
						},
						"ipv4Address": "string",
						"ipv6Address": "string",
						"httpPath": "string",
						"portNumber": 0,
						"portProtocol": "string",
						"firstObserved": 0,
						"lastObserved": 0,
						"additionalProp1": {}
					},
					"alert_id": "string",
					"detection_timestamp": 0,
					"name": "string",
					"endpoint_id": "string",
					"description": "string",
					"host_ip": "string",
					"host_name": "string",
					"source": "string",
					"action": "string",
					"action_pretty": "string",
					"user_name": "string",
					"events_length": 0,
					"mitre_tactic_id_and_name": "string",
					"mitre_technique_id_and_name": "string",
					"cloud_management_status": "string",
					"additionalProp1": {}
				}
			],
			"additionalProp1": {}
		},
		"network_artifacts": {
			"total_count": 0,
			"data": [
				"string"
			],
			"additionalProp1": {}
		},
		"file_artifacts": {
			"total_count": 0,
			"data": [
				"string"
			],
			"additionalProp1": {}
		},
		"additionalProp1": {}
	},
	"additionalProp1": {}
}

Workflow Library Example

Get Incident with Cortex Xpanse and Send Results Via Email
