Root parameters

The following parameters are shown in the request. For examples of requests, see Request examples for the Get Incidents API.

| Name | Required/Optional | Supported | Valid values |
|---|---|---|---|
| type | Required | INCIDENTS, DISCOVERY | INCIDENTS, DISCOVERY |
| ids | Required (for by-IDs filter) | INCIDENTS, DISCOVERY | Comma-separated array of incident IDs. Example: [123, 345]. The number of provided IDs is limited to 1,000; error code 400 is returned if this limit is exceeded. Note: if this parameter is provided, it is used and any other provided filters are ignored. |
| sort_by | Optional | INCIDENTS, DISCOVERY | INSERT_DATE |
| from_date | Required (for not-by-IDs filter) | INCIDENTS, DISCOVERY | Date in format "dd/MM/yyyy HH:mm:ss". Example: 12/08/2021 16:00:00 |
| to_date | Required (for not-by-IDs filter) | INCIDENTS, DISCOVERY | Date in format "dd/MM/yyyy HH:mm:ss". Example: 13/08/2021 18:55:00 |
| detected_by | Optional | INCIDENTS, DISCOVERY | Agent that detected the violation. Example: Endpoint Agent, Crawler 100190120a |
| analyzed_by | Optional | INCIDENTS, DISCOVERY | Policy Engine ID. Example: Policy Engine 100190120a |
| event_id | Optional | INCIDENTS, DISCOVERY | Event ID number. Example: 5121411628328991975 |
| destination | Optional | INCIDENTS | Destination. Example: Windows Portable Device (WPD) |
| policies | Optional | INCIDENTS | Policy that triggered the incident. Example: PCI |
| action | Optional | INCIDENTS | AUDITED, QUARANTINED, BLOCKED, ENCRYPTED, RELEASED, ESG_ACTION, QUARANTINE_WITH_NOTE, UNSHARE_EXTERNAL, UNSHARE_ALL, UNSHARE_INTERNAL |
| source | Optional | INCIDENTS | Source. Example: DESKTOP-3NG4NN6\\Lenovo |
| status | Optional | INCIDENTS, DISCOVERY | NEW, IN_PROCESS, CLOSE, FALSE_POSITIVE, ESCALATED. Note: a custom status is also supported. |
| severity | Optional | INCIDENTS, DISCOVERY | HIGH, MEDIUM, LOW |
| endpoint_type | Optional | INCIDENTS | LAPTOP, DESKTOP, NA |
| channel | Optional | INCIDENTS | EMAIL, ENDPOINT_EMAIL, FTP, HTTP, HTTPS, ENDPOINT_HTTP, ENDPOINT_HTTPS, ENDPOINT_PRINTING, ENDPOINT_APPLICATION, ENDPOINT_REMOVABLE_MEDIA, ENDPOINT_LAN, ENDPOINT_DISCOVERY, CASB_REAL_TIME, CASB_NEAR_REAL_TIME, CASB_DISCOVERY |
| assigned_to | Optional | INCIDENTS, DISCOVERY | The administrator name assigned to a ticket. Example: admin |
| tag | Optional | INCIDENTS, DISCOVERY | The incident tag. Example: my tag |
| remove_ignored_incidents | Optional (default is false) | INCIDENTS, DISCOVERY | Filter out ignored incidents from the results. TRUE, FALSE |
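The parameter table carries several constraints that are easy to get wrong on the client side: the 1,000-ID limit, the strict "dd/MM/yyyy HH:mm:ss" date format, the two mutually exclusive modes (by IDs versus by date window), and the fields that are only valid for `type=INCIDENTS`. The following Python request builder is an added example, not vendor SDK code; it validates a filter dictionary against exactly the rules in the table before anything is sent, so a malformed query is rejected locally rather than producing an HTTP 400. The function names (`build_get_incidents_request`, `validation_error`) and the sample inputs are constructed for this illustration; the endpoint URL and authentication are outside the scope of the table and are not modelled.

```python
"""Client-side validation for Get Incidents API filter parameters (added example)."""
import re
from datetime import datetime

DATE_FORMAT = "%d/%m/%Y %H:%M:%S"                     # table: "dd/MM/yyyy HH:mm:ss"
DATE_SHAPE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")  # reject 1-digit day/month
MAX_IDS = 1000                                        # table: limit is 1,000, else HTTP 400

VALID_TYPES = {"INCIDENTS", "DISCOVERY"}
CONTROL_FIELDS = {"type", "ids", "remove_ignored_incidents"}
# Filters whose "Supported" column lists INCIDENTS only.
INCIDENTS_ONLY = {"destination", "policies", "action", "source", "endpoint_type", "channel"}
# Closed enumerations from the "Valid values" column. "status" is deliberately
# absent because the table says a custom status is also accepted.
ENUMS = {
    "sort_by": {"INSERT_DATE"},
    "action": {"AUDITED", "QUARANTINED", "BLOCKED", "ENCRYPTED", "RELEASED", "ESG_ACTION",
               "QUARANTINE_WITH_NOTE", "UNSHARE_EXTERNAL", "UNSHARE_ALL", "UNSHARE_INTERNAL"},
    "severity": {"HIGH", "MEDIUM", "LOW"},
    "endpoint_type": {"LAPTOP", "DESKTOP", "NA"},
    "channel": {"EMAIL", "ENDPOINT_EMAIL", "FTP", "HTTP", "HTTPS", "ENDPOINT_HTTP",
                "ENDPOINT_HTTPS", "ENDPOINT_PRINTING", "ENDPOINT_APPLICATION",
                "ENDPOINT_REMOVABLE_MEDIA", "ENDPOINT_LAN", "ENDPOINT_DISCOVERY",
                "CASB_REAL_TIME", "CASB_NEAR_REAL_TIME", "CASB_DISCOVERY"},
}
FILTER_FIELDS = {"sort_by", "from_date", "to_date", "detected_by", "analyzed_by", "event_id",
                 "destination", "policies", "action", "source", "status", "severity",
                 "endpoint_type", "channel", "assigned_to", "tag"}


def _check_date(name, value):
    """Enforce the documented date shape, then confirm it is a real calendar date."""
    if not isinstance(value, str) or not DATE_SHAPE.match(value):
        raise ValueError(f"{name} must be 'dd/MM/yyyy HH:mm:ss', got {value!r}")
    try:
        datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        raise ValueError(f"{name} is not a valid date/time: {value!r}")


def build_get_incidents_request(params):
    """Return a request body (dict) built from params, or raise ValueError.

    params is a plain dict keyed by the parameter names in the table.
    """
    unknown = set(params) - FILTER_FIELDS - CONTROL_FIELDS
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")

    req_type = params.get("type")
    if req_type not in VALID_TYPES:
        raise ValueError(f"type is required and must be one of {sorted(VALID_TYPES)}")
    body = {"type": req_type}

    ids = params.get("ids")
    if ids is not None:
        # By-IDs mode: the server ignores every other filter, so drop them here
        # instead of sending filters that silently do nothing.
        if not isinstance(ids, list) or not all(isinstance(i, int) for i in ids):
            raise ValueError("ids must be a list of integer incident IDs")
        if len(ids) > MAX_IDS:
            raise ValueError(f"ids is limited to {MAX_IDS} entries (got {len(ids)})")
        body["ids"] = ids
    else:
        # Not-by-IDs mode: from_date and to_date are mandatory.
        for name in ("from_date", "to_date"):
            if name not in params:
                raise ValueError(f"{name} is required when ids is not provided")
            _check_date(name, params[name])
        for name in sorted(set(params) & FILTER_FIELDS):
            value = params[name]
            if name in INCIDENTS_ONLY and req_type != "INCIDENTS":
                raise ValueError(f"{name} is only supported for type INCIDENTS")
            if name in ENUMS and value not in ENUMS[name]:
                raise ValueError(f"{name}={value!r} not in {sorted(ENUMS[name])}")
            body[name] = value

    remove_ignored = params.get("remove_ignored_incidents", False)   # default is false
    if not isinstance(remove_ignored, bool):
        raise ValueError("remove_ignored_incidents must be a boolean")
    body["remove_ignored_incidents"] = remove_ignored
    return body


def validation_error(params):
    """Return the validation message for params, or None if the request is valid."""
    try:
        build_get_incidents_request(params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample input: a DISCOVERY query over the table's example date window.
    print(build_get_incidents_request({
        "type": "DISCOVERY", "from_date": "12/08/2021 16:00:00",
        "to_date": "13/08/2021 18:55:00", "severity": "HIGH", "status": "my-custom-status",
    }))
```

Two design choices are worth noting. In by-IDs mode the builder drops any other filters rather than forwarding them, because the table states they are ignored server-side; forwarding them would give an operator the false impression that a narrowed query was run. The date check first matches the documented two-digit shape and only then parses, because `strptime` on its own accepts single-digit days and months that the API format does not describe.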