To learn more, visit the Cortex Xpanse documentation.

Parameters

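| Parameter | Description |
| --- | --- |
| Alerts Limit | Limits the number of alerts returned for the incident. The default is 1000. If the incident has more alerts than this limit, the response does not include all of them; compare the incident's `alert_count` with the number of alerts returned before treating the list as complete. |
| Incident ID | The ID of the incident. It can be obtained with the List Incidents action. |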

Example Output

{    "reply": {        "incident": {            "incident_id": "string",            "is_blocked": true,            "incident_name": "string",            "creation_time": 0,            "modification_time": 0,            "detection_time": 0,            "status": "string",            "severity": "string",            "description": "string",            "assigned_user_mail": "string",            "assigned_user_pretty_name": "string",            "alert_count": 0,            "low_severity_alert_count": 0,            "med_severity_alert_count": 0,            "high_severity_alert_count": 0,            "critical_severity_alert_count": 0,            "user_count": 0,            "host_count": 0,            "notes": "string",            "resolve_comment": "string",            "resolved_timestamp": 0,            "manual_severity": "string",            "manual_description": "string",            "xdr_url": "string",            "starred": true,            "starred_manually": true,            "hosts": [                "string"            ],            "incident_sources": [                "string"            ],            "rule_based_score": 0,            "manual_score": 0,            "aggregated_score": 0,            "alerts_grouping_status": "string",            "alert_categories": [                "string"            ],            "original_tags": [                "string"            ],            "tags": [                "string"            ],            "xpanse_risk_score": 0,            "xpanse_risk_explainer": {                "cves": [                    {                        "cveId": "string",                        "cvssScore": 0,                        "epssScore": 0,                        "matchType": "string",                        "exploitMaturity": "string",                        "reportedExploitInTheWild": true,                        "mostRecentReportedExploitDate": "string",                        "confidence": "string",                        
"additionalProp1": {}                    }                ],                "riskFactors": [                    {                        "attributeId": "string",                        "attributeName": "string",                        "issueTypes": [                            {                                "displayName": "string",                                "issueTypeId": "string",                                "additionalProp1": {}                            }                        ],                        "additionalProp1": {}                    }                ],                "versionMatched": true,                "additionalProp1": {}            },            "cloud_management_status": "string",            "integration_source": "string",            "ipv4_addresses": [                "string"            ],            "ipv6_addresses": [                "string"            ],            "domain_names": [                "string"            ],            "port_number": 0,            "asset_ids": [                "3fa85f64-5717-4562-b3fc-2c963f66afa6"            ],            "ip_range_ids": [                "string"            ],            "website_ids": [                "string"            ],            "service_ids": [                "string"            ],            "last_observed": 0,            "cloud_providers": [                "string"            ],            "country_codes": [                "string"            ],            "certificate_common_names": [                "string"            ],            "certificate_issuers": [                "string"            ],            "additionalProp1": {}        },        "alerts": {            "total_count": 0,            "data": [                {                    "category": "string",                    "project": "string",                    "cloud_provider": "string",                    "resource_sub_type": "string",                    "resource_type": "string",                    
"action_country": "string",                    "event_type": "string",                    "is_whitelisted": true,                    "mac": "string",                    "image_name": "string",                    "action_local_ip": "string",                    "action_local_port": "string",                    "action_external_hostname": "string",                    "action_remote_ip": [                        "string"                    ],                    "action_remote_port": 0,                    "matching_service_rule_id": "string",                    "starred": true,                    "external_id": "string",                    "severity": "string",                    "matching_status": "string",                    "end_match_attempt_ts": "string",                    "local_insert_ts": 0,                    "last_modified_ts": 0,                    "case_id": 0,                    "deduplicate_tokens": "string",                    "filter_rule_id": "string",                    "event_id": "string",                    "event_timestamp": 0,                    "action_local_ip_v6": "string",                    "action_remote_ip_v6": "string",                    "alert_type": "string",                    "resolution_status": "string",                    "resolution_comment": "string",                    "dynamic_fields": "string",                    "tags": "string",                    "malicious_urls": "string",                    "asm_alert_categories": "string",                    "last_observed": 0,                    "country_codes": "string",                    "cloud_providers": "string",                    "ipv4_addresses": "string",                    "ipv6_addresses": "string",                    "domain_names": "string",                    "service_ids": "string",                    "website_ids": "string",                    "asset_ids": "string",                    "certificate": {                        "issuerName": "string",                       
 "subjectName": "string",                        "validNotBefore": 0,                        "validNotAfter": 0,                        "serialNumber": "string",                        "additionalProp1": {}                    },                    "port_protocol": "string",                    "port_number": 0,                    "business_unit_hierarchies": [                        {                            "creation_time": 0,                            "family": "string",                            "family_alias": "string",                            "id": "string",                            "is_active": 0,                            "name": "string",                            "parent_id": "string",                            "update_time": 0,                            "additionalProp1": {}                        }                    ],                    "attack_surface_rule_name": "string",                    "remediation_guidance": "string",                    "attack_surface_rule_id": "string",                    "asset_identifiers": {                        "domain": "string",                        "certificate": {                            "issuerName": "string",                            "subjectName": "string",                            "validNotBefore": 0,                            "validNotAfter": 0,                            "serialNumber": "string",                            "additionalProp1": {}                        },                        "ipv4Address": "string",                        "ipv6Address": "string",                        "httpPath": "string",                        "portNumber": 0,                        "portProtocol": "string",                        "firstObserved": 0,                        "lastObserved": 0,                        "additionalProp1": {}                    },                    "alert_id": "string",                    "detection_timestamp": 0,                    "name": "string",                    
"endpoint_id": "string",                    "description": "string",                    "host_ip": "string",                    "host_name": "string",                    "source": "string",                    "action": "string",                    "action_pretty": "string",                    "user_name": "string",                    "events_length": 0,                    "mitre_tactic_id_and_name": "string",                    "mitre_technique_id_and_name": "string",                    "cloud_management_status": "string",                    "additionalProp1": {}                }            ],            "additionalProp1": {}        },        "network_artifacts": {            "total_count": 0,            "data": [                "string"            ],            "additionalProp1": {}        },        "file_artifacts": {            "total_count": 0,            "data": [                "string"            ],            "additionalProp1": {}        },        "additionalProp1": {}    },    "additionalProp1": {}}

Workflow Library Example

Get Incident with Cortex Xpanse and Send Results Via Email
