Object properties for incidents
The following objects are included in the response for the incidents parameter.
Name | Supported | Description |
---|---|---|
id | INCIDENTS, DISCOVERY | Unique incident ID. |
severity | INCIDENTS, DISCOVERY | Incident severity. |
action | INCIDENTS, DISCOVERY | Action taken on the incident: AUDITED, QUARANTINED, BLOCKED, ENCRYPTED, RELEASED, ESG_ACTION, QUARANTINE_WITH_NOTE, UNSHARE_EXTERNAL, UNSHARE_ALL, UNSHARE_INTERNAL. |
tag | INCIDENTS | The incident tag. For example, my tag. |
status | INCIDENTS | Incident status. |
destination | INCIDENTS | Destination of the transaction that created the incident; the email recipient if it is an email incident. |
details | INCIDENTS | Summary of the incident: the email subject if it is on the email channel, the web site if it is on the web channel. |
released_incident | INCIDENTS | True/False field that identifies whether the incident was released. |
event_id | INCIDENTS, DISCOVERY | Unique event ID. |
maximum_matches | INCIDENTS, DISCOVERY | Threshold number of total matches. |
transaction_size | INCIDENTS, DISCOVERY (by ID only) | Size of the incident forensics. |
assigned_to | INCIDENTS, DISCOVERY (by ID only) | Name of the administrator assigned to the ticket. For example: admin. |
analyzed_by | INCIDENTS, DISCOVERY (by ID only) | Policy engine that analyzed the transaction and created the incident. |
ignored_incidents | INCIDENTS | TRUE: the incident is not shown in the UI report. FALSE: the incident is shown in the UI report. |
event_time | INCIDENTS | Time of the event. |
incident_time | INCIDENTS, DISCOVERY | Time of the incident. |
channel | INCIDENTS, DISCOVERY (by filter only) | Channel on which the incident was created. |
policies | INCIDENTS, DISCOVERY | Which policy was triggered. |
partition_index | INCIDENTS | Name of the incidents table. Passing this parameter makes update-incident API requests more efficient. |
detected_by | INCIDENTS | Which machine/protector detected the incident. |
endpoint_type | INCIDENTS | LAPTOP, DESKTOP, NA |
violation_triggers | INCIDENTS, DISCOVERY (by ID only) | Violation trigger objects. See Violation trigger object properties. |
file_name | INCIDENTS | Network incident file name that triggered incident creation. |
file_path | DISCOVERY | Discovery incident file path that triggered incident creation. |
history | INCIDENTS, DISCOVERY (by ID only) | Historical trail of the incident. See History array object properties. |
sources | INCIDENTS, DISCOVERY (by ID only) | Transaction source (where the transaction originated). |
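The following is an added example of consuming a response built from the properties in this table; it is not code from the API vendor. It assumes the response body is a JSON object whose `incidents` member is a list of incident objects with the property names above, and the sample response is constructed with invented values. The triage function separates incidents hidden from the UI report (`ignored_incidents`), records which stopped transactions were later released (`released_incident`), counts visible incidents per `action`, and flags any `action` value outside the documented set so a new value is noticed instead of being silently mis-bucketed. Because the table spells the ignored flag as TRUE/FALSE, the helper accepts both JSON booleans and those strings.

```python
import json
from collections import Counter

# Action values the table documents for the "action" property.
DOCUMENTED_ACTIONS = frozenset({
    "AUDITED", "QUARANTINED", "BLOCKED", "ENCRYPTED", "RELEASED", "ESG_ACTION",
    "QUARANTINE_WITH_NOTE", "UNSHARE_EXTERNAL", "UNSHARE_ALL", "UNSHARE_INTERNAL",
})

# Constructed sample response, not real API output. It assumes the body is a
# JSON object whose "incidents" member lists incident objects using the
# property names from the table; every value below is invented.
SAMPLE_RESPONSE = json.dumps({
    "incidents": [
        {"id": 1001, "severity": "HIGH", "action": "BLOCKED", "status": "New",
         "channel": "EMAIL", "destination": "partner@example.com",
         "details": "Q3 customer list", "released_incident": False,
         "ignored_incidents": False, "policies": ["PCI"]},
        {"id": 1002, "severity": "MEDIUM", "action": "QUARANTINED", "status": "Closed",
         "channel": "EMAIL", "destination": "vendor@example.org",
         "details": "Contract draft", "released_incident": True,
         "ignored_incidents": "FALSE", "policies": ["Confidential"]},
        {"id": 1003, "severity": "LOW", "action": "AUDITED", "status": "New",
         "channel": "WEB", "destination": "files.example.net",
         "details": "files.example.net", "released_incident": False,
         "ignored_incidents": "TRUE", "policies": ["PII"]},
        {"id": 1004, "severity": "HIGH", "action": "SOMETHING_NEW", "status": "New",
         "channel": "ENDPOINT", "destination": "USB", "details": "export.csv",
         "released_incident": False, "ignored_incidents": False, "policies": ["PCI"]},
    ]
})


def as_flag(value) -> bool:
    """Read a True/False property whether it arrives as a JSON boolean or as
    the TRUE/FALSE strings the table uses for ignored_incidents."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().upper() == "TRUE"
    return False


def triage_incidents(raw_json: str) -> dict:
    """Walk the incident objects and return a review summary: incidents hidden
    from the UI report, incidents that were released, a count of visible
    incidents per action, and any action value outside the documented set."""
    incidents = json.loads(raw_json).get("incidents", [])
    summary = {
        "visible": [],
        "ignored": [],
        "released": [],
        "by_action": Counter(),
        "unknown_actions": [],
    }
    for inc in incidents:
        inc_id = inc.get("id")
        action = inc.get("action")
        # Flag undocumented action values before any filtering, so they are
        # reported even on incidents that the UI report would hide.
        if action not in DOCUMENTED_ACTIONS:
            summary["unknown_actions"].append((inc_id, action))
        if as_flag(inc.get("ignored_incidents")):
            summary["ignored"].append(inc_id)
            continue
        summary["visible"].append(inc_id)
        summary["by_action"][action] += 1
        if as_flag(inc.get("released_incident")):
            summary["released"].append(inc_id)
    return summary


if __name__ == "__main__":
    for key, value in triage_incidents(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Released and ignored incidents are worth surfacing separately in a review: a released incident means a transaction that a policy stopped was allowed through afterwards, and an ignored one is absent from the UI report even though the API still returns it.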