Object properties for incidents
The following properties are included in the incident objects returned for the incidents parameter.
| Name | Supported | Comments |
|---|---|---|
| id | INCIDENTS, DISCOVERY | Unique incident ID. |
| severity | INCIDENTS, DISCOVERY | Incident severity. |
| action | INCIDENTS, DISCOVERY | AUDITED, QUARANTINED, BLOCKED, ENCRYPTED, RELEASED, ESG_ACTION, QUARANTINE_WITH_NOTE, UNSHARE_EXTERNAL, UNSHARE_ALL, UNSHARE_INTERNAL |
| tag | INCIDENTS | The incident tag. For example, my tag. |
| status | INCIDENTS | Incident status. |
| destination | INCIDENTS | Destination of the incident that was created; the email recipient for an email incident. |
| details | INCIDENTS | Summary/subject of the email for the email channel, or the website for the web channel. |
| released_incident | INCIDENTS | True/False field that identifies whether the incident was released. |
| event_id | INCIDENTS, DISCOVERY | Unique event ID. |
| maximum_matches | INCIDENTS, DISCOVERY | Threshold number of total matches. |
| transaction_size | INCIDENTS, DISCOVERY (by ID only) | Size of the incident forensics. |
| assigned_to | INCIDENTS, DISCOVERY (by ID only) | The administrator name assigned to the ticket. For example: admin. |
| analyzed_by | INCIDENTS, DISCOVERY (by ID only) | Policy engine that analyzed and created the incident. |
| ignored_incidents | INCIDENTS | TRUE means the incident is not shown in the UI report; FALSE means it is shown. |
| event_time | INCIDENTS | Time of the event. |
| incident_time | INCIDENTS, DISCOVERY | Time of the incident. |
| channel | INCIDENTS, DISCOVERY (by filter only) | Channel that created the incident. |
| policies | INCIDENTS, DISCOVERY | Which policy was triggered. |
| partition_index | INCIDENTS | Incidents table name. This parameter can be used to make update-incident API requests more efficient. |
| detected_by | INCIDENTS | Which machine/protector detected the incident. |
| endpoint_type | INCIDENTS | LAPTOP, DESKTOP, NA |
| violation_triggers | INCIDENTS, DISCOVERY (by ID only) | Violation-trigger objects. See Violation trigger object properties. |
| file_name | INCIDENTS | Network incident file name that triggered incident creation. |
| file_path | DISCOVERY | Discovery incident file path that triggered incident creation. |
| history | INCIDENTS, DISCOVERY (by ID only) | Historical trail of the incident. See History array object properties. |
| sources | INCIDENTS, DISCOVERY (by ID only) | Transaction source (where the transaction originated). |