Root parameters
The following parameters are shown in the request. For examples of requests, see Request examples for the Get Incidents API.
| Name | Required/Optional | Supported | Valid values |
|---|---|---|---|
| type | Required | INCIDENTS, DISCOVERY | INCIDENTS, DISCOVERY | 
| ids | Required (for by IDs filter) | INCIDENTS, DISCOVERY | Comma-separated array of incident IDs. Example: [123, 345]. The number of provided IDs is limited to 1,000. Error code 400 is returned if this limit is violated. Note: If this parameter is provided, it is used and any provided filters are ignored. |
| sort_by | Optional | INCIDENTS, DISCOVERY | INSERT_DATE | 
| from_date | Required (for not by IDs filter) | INCIDENTS, DISCOVERY | Date in format “dd/MM/yyyy HH:mm:ss”. Example: 12/08/2021 16:00:00 |
| to_date | Required (for not by IDs filter) | INCIDENTS, DISCOVERY | Date in format “dd/MM/yyyy HH:mm:ss”. Example: 13/08/2021 18:55:00 |
| detected_by | Optional | INCIDENTS, DISCOVERY | Agent that detected the violation. Example: Endpoint Agent, Crawler 100190120a |
| analyzed_by | Optional | INCIDENTS, DISCOVERY | Policy Engine ID. Example: Policy Engine 100190120a |
| event_id | Optional | INCIDENTS, DISCOVERY | Event ID number. Example: 5121411628328991975 |
| destination | Optional | INCIDENTS | Destination. Example: Windows Portable Device (WPD) |
| policies | Optional | INCIDENTS | Policy that triggered the incident. Example: PCI | 
| action | Optional | INCIDENTS | AUDITED, QUARANTINED, BLOCKED, ENCRYPTED, RELEASED, ESG_ACTION, QUARANTINE_WITH_NOTE, UNSHARE_EXTERNAL, UNSHARE_ALL, UNSHARE_INTERNAL |
| source | Optional | INCIDENTS | Source. Example: DESKTOP-3NG4NN6\\Lenovo |
| status | Optional | INCIDENTS, DISCOVERY | NEW, IN_PROCESS, CLOSE, FALSE_POSITIVE, ESCALATED. Note: Also supports a custom status. |
| severity | Optional | INCIDENTS, DISCOVERY | HIGH, MEDIUM, LOW | 
| endpoint_type | Optional | INCIDENTS | LAPTOP, DESKTOP, NA | 
| channel | Optional | INCIDENTS | EMAIL, ENDPOINT_EMAIL, FTP, HTTP, HTTPS, ENDPOINT_HTTP, ENDPOINT_HTTPS, ENDPOINT_PRINTING, ENDPOINT_APPLICATION, ENDPOINT_REMOVABLE_MEDIA, ENDPOINT_LAN, ENDPOINT_DISCOVERY, CASB_REAL_TIME, CASB_NEAR_REAL_TIME, CASB_DISCOVERY |
| assigned_to | Optional | INCIDENTS, DISCOVERY | The administrator name assigned to a ticket. Example: admin |
| tag | Optional | INCIDENTS, DISCOVERY | The Incident tag. Example: my tag | 
| remove_ignored_incidents | Optional (default is false) | INCIDENTS, DISCOVERY | Filter out ignored incidents from the results. TRUE, FALSE |
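
The rules in the table above, applied as a client-side check before a request is sent. This is an added example, not code from the product or its documentation; `build_request`, its argument names, and the assumption that the parameters are root-level keys of a JSON body are this example's own.

```python
import json
from datetime import datetime

DATE_FMT = "%d/%m/%Y %H:%M:%S"   # the table's dd/MM/yyyy HH:mm:ss
MAX_IDS = 1000                   # above this the API answers with error code 400
INCIDENTS_ONLY = {"destination", "policies", "action", "source",
                  "endpoint_type", "channel"}
OPTIONAL = INCIDENTS_ONLY | {"sort_by", "detected_by", "analyzed_by", "event_id",
                             "status", "severity", "assigned_to", "tag",
                             "remove_ignored_incidents"}
# status is left out of ENUMS because the table says custom statuses are accepted.
ENUMS = {"type": {"INCIDENTS", "DISCOVERY"}, "sort_by": {"INSERT_DATE"},
         "severity": {"HIGH", "MEDIUM", "LOW"},
         "endpoint_type": {"LAPTOP", "DESKTOP", "NA"}}

def build_request(query_type, ids=None, from_date=None, to_date=None, **filters):
    """Return a validated request body as a dict, or raise ValueError."""
    unknown = set(filters) - OPTIONAL
    if unknown:
        raise ValueError(f"not in the parameter table: {sorted(unknown)}")
    body = {"type": query_type}
    if ids is not None:
        # The table says filters are ignored when ids is present; this example
        # chooses to reject the mix rather than send a query that misleads.
        if from_date or to_date or filters:
            raise ValueError("ids given: other filters would be ignored")
        if not 1 <= len(ids) <= MAX_IDS:
            raise ValueError(f"ids must hold 1 to {MAX_IDS} entries")
        if any(isinstance(i, bool) or not isinstance(i, int) for i in ids):
            raise ValueError("ids must be integers")
        body["ids"] = list(ids)
    else:
        if not (from_date and to_date):
            raise ValueError("from_date and to_date are required without ids")
        # strptime raises ValueError itself when the format does not match.
        start = datetime.strptime(from_date, DATE_FMT)
        if start > datetime.strptime(to_date, DATE_FMT):  # example's own sanity check
            raise ValueError("from_date is later than to_date")
        body.update(from_date=from_date, to_date=to_date, **filters)
    for key, value in body.items():
        if key in ENUMS and value not in ENUMS[key]:
            raise ValueError(f"{key}: {value!r} is not a listed value")
        if key in INCIDENTS_ONLY and query_type != "INCIDENTS":
            raise ValueError(f"{key} is supported for INCIDENTS only")
    return body

if __name__ == "__main__":
    # Constructed sample values, taken from the examples in the table.
    print(json.dumps(build_request("INCIDENTS", from_date="12/08/2021 16:00:00",
                                   to_date="13/08/2021 18:55:00", severity="HIGH")))
```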