Search incidents with optional filtering.
Important Note:
  • This action is not supported in multi-tenant environments.
External Documentation: To learn more, visit the Palo Alto Cortex XSOAR documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Categories | A comma-separated list of incident categories to filter by. |
| Details | A string to search and match in incident details. |
| File Names | A comma-separated list of file names to filter by. |
| Filter | Select whether to filter by query or by filtering criteria. |
| Filtering Operation | Select the filtering operation to use with the filtering criteria. |
| From | The start of the timeframe to search incidents from. |
| IDs | A comma-separated list of specific incident IDs to include in the response. |
| Investigations | A comma-separated list of investigation IDs to filter by. |
| Investigations To Exclude | A comma-separated list of investigation IDs to exclude from the response. |
| Levels | A comma-separated list of severity levels to filter by. |
| Name | A comma-separated list of names to filter by. |
| Page | The page number to return results from. Valid range is >=0. |
| Period | A JSON object that represents the period query. For more information about Period, refer to the Cortex XSOAR documentation. |
| Query | Free-text query to search incident fields with. |
| Reasons | A comma-separated list of reasons to filter by. |
| Size | The maximum number of incidents to return per page. Defaults to 25. Maximum value is 10000. |
| Sort | An array of sorting criteria. Note: each sorting object must include `field` and `asc` (true/false), and may include an optional `fieldType`. Illustrative example (constructed): `[{"field": "created", "asc": false}]`. |
| Statuses Numbers | A comma-separated list of incident statuses to filter by. |
| Timeframe | The time elapsed between two instants, expressed as a number of nanoseconds. |
| To | The end of the timeframe to search incidents until. |
| Types | A comma-separated list of incident types to filter by. |
| URLs | A comma-separated list of URL values to filter by. |

Example Output

{
	"data": [
		{
			"account": "example",
			"activated": "2020-01-01T12:00:00Z",
			"activatingingUserId": "example",
			"allRead": false,
			"allReadWrite": false,
			"attachment": [
				{
					"description": "example",
					"isTempPath": false,
					"name": "example",
					"path": "example",
					"showMediaFile": false,
					"type": "example"
				}
			],
			"autime": 1682865388000000000,
			"cacheVersn": 0,
			"canvases": [
				"example"
			],
			"category": "example",
			"closeNotes": "example",
			"closeReason": "example",
			"closed": "2020-01-01T12:00:00Z",
			"closingUserId": "example",
			"created": "2020-01-01T12:00:00Z",
			"dbotCreatedBy": "example",
			"dbotCurrentDirtyFields": [
				"example"
			],
			"dbotDirtyFields": [
				"example"
			],
			"dbotMirrorDirection": "example",
			"dbotMirrorId": "example",
			"dbotMirrorInstance": "example",
			"dbotMirrorLastSync": "2020-01-01T12:00:00Z",
			"dbotMirrorTags": [
				"example"
			],
			"details": "example",
			"droppedCount": 0,
			"dueDate": "2020-01-01T12:00:00Z",
			"feedBased": false,
			"hasRole": false,
			"highlight": {
				"additionalProperties": [
					"example"
				]
			},
			"id": "example",
			"investigationId": "example",
			"isDebug": false,
			"isPlayground": false,
			"labels": [
				{
					"type": "example",
					"value": "example"
				}
			],
			"lastJobRunTime": "2020-01-01T12:00:00Z",
			"lastOpen": "2020-01-01T12:00:00Z",
			"linkedCount": 0,
			"linkedIncidents": [
				"example"
			],
			"modified": "2020-01-01T12:00:00Z",
			"name": "example",
			"notifyTime": "2020-01-01T12:00:00Z",
			"numericId": 0,
			"occurred": "2020-01-01T12:00:00Z",
			"openDuration": 0,
			"owner": "example",
			"parent": "example",
			"phase": "example",
			"playbookId": "example",
			"previousAllRead": false,
			"previousAllReadWrite": false,
			"previousRoles": [
				"example"
			],
			"primaryTerm": 0,
			"rawCategory": "example",
			"rawCloseReason": "example",
			"rawJSON": "example",
			"rawName": "example",
			"rawPhase": "example",
			"rawType": "example",
			"reason": "example",
			"reminder": "2020-01-01T12:00:00Z",
			"roles": [
				"example"
			],
			"runStatus": "example",
			"sequenceNumber": 0,
			"severity": 2,
			"sla": 0.1,
			"sortValues": [
				"example"
			],
			"sourceBrand": "example",
			"sourceInstance": "example",
			"status": 2,
			"syncHash": "example",
			"todoTaskIds": [
				"example"
			],
			"type": "example",
			"version": 0,
			"xsoarHasReadOnlyRole": false,
			"xsoarPreviousReadOnlyRoles": [
				"example"
			],
			"xsoarReadOnlyRoles": [
				"example"
			]
		}
	],
	"total": 0
}

Workflow Library Example

Search Incidents with Palo Alto Cortex Xsoar and Send Results Via Email