
List Incidents

Lists and queries incidents. Running this action requires the Cortex Xpanse Expander license.

External Documentation

To learn more, visit the Cortex Xpanse documentation.

Basic Parameters

Parameter | Description
Filters — A list of filters that are applied to the results. For example:
[{  "field" : "ip_address",  "value" : "127.0.0.1",  "operator" : "in"},{"field" : "modification_time","value" : "IncidentFilter_value","operator" : "in"}]
For more information, see the Cortex Xpanse documentation.
Sort Field — The field by which the results are sorted.
Sort Type — The type of sort applied to the results.

Advanced Parameters

Parameter | Description
End Offset — The pagination end offset of the results.
Next Page Token — The next-page token that was returned by the previous call.
Return Next Page Token — Whether the response should include a Next Page Token field for pagination.
Starting Offset — The pagination starting offset of the results.

Example Output

{
"reply": {
"total_count": 0,
"result_count": 0,
"incidents": [
{
"incident_id": "string",
"is_blocked": true,
"incident_name": "string",
"creation_time": 0,
"modification_time": 0,
"detection_time": 0,
"status": "string",
"severity": "string",
"description": "string",
"assigned_user_mail": "string",
"assigned_user_pretty_name": "string",
"alert_count": 0,
"low_severity_alert_count": 0,
"med_severity_alert_count": 0,
"high_severity_alert_count": 0,
"critical_severity_alert_count": 0,
"user_count": 0,
"host_count": 0,
"notes": "string",
"resolve_comment": "string",
"resolved_timestamp": 0,
"manual_severity": "string",
"manual_description": "string",
"xdr_url": "string",
"starred": true,
"starred_manually": true,
"hosts": [
"string"
],
"incident_sources": [
"string"
],
"rule_based_score": 0,
"manual_score": 0,
"aggregated_score": 0,
"alerts_grouping_status": "string",
"alert_categories": [
"string"
],
"original_tags": [
"string"
],
"tags": [
"string"
],
"xpanse_risk_score": 0,
"xpanse_risk_explainer": {
"cves": [
{
"cveId": "string",
"cvssScore": 0,
"epssScore": 0,
"matchType": "string",
"exploitMaturity": "string",
"reportedExploitInTheWild": true,
"mostRecentReportedExploitDate": "string",
"confidence": "string",
"additionalProp1": {}
}
],
"riskFactors": [
{
"attributeId": "string",
"attributeName": "string",
"issueTypes": [
{
"displayName": "string",
"issueTypeId": "string",
"additionalProp1": {}
}
],
"additionalProp1": {}
}
],
"versionMatched": true,
"additionalProp1": {}
},
"cloud_management_status": "string",
"integration_source": "string",
"ipv4_addresses": [
"string"
],
"ipv6_addresses": [
"string"
],
"domain_names": [
"string"
],
"port_number": 0,
"asset_ids": [
"3fa85f64-5717-4562-b3fc-2c963f66afa6"
],
"ip_range_ids": [
"string"
],
"website_ids": [
"string"
],
"service_ids": [
"string"
],
"last_observed": 0,
"cloud_providers": [
"string"
],
"country_codes": [
"string"
],
"certificate_common_names": [
"string"
],
"certificate_issuers": [
"string"
],
"additionalProp1": {}
}
],
"restricted_incident_ids": [
"string"
],
"additionalProp1": {}
},
"additionalProp1": {}
}

Workflow Library Example

List Incidents with Cortex Xpanse and Send Results Via Email
