Root parameters
The following parameters are shown in the request. For examples of requests, see Request examples for the Get Incidents API.
| Name | Required/ Optional | Supported | Valid values |
|---|---|---|---|
| type | Required | INCIDENTS, DISCOVERY | INCIDENTS DISCOVERY |
| ids |
Required (for by IDs filter) |
INCIDENTS, DISCOVERY |
Comma separated array of incident IDs. Example: [123, 345] The number of provided IDs is limited to 1,000. Error code 400 is returned if this limit is violated. Note: If this parameter is provided, it is used where any provided filters are ignored. |
| sort_by | Optional | INCIDENTS, DISCOVERY | INSERT_DATE |
| from_date |
Required (for not by IDs filter) |
INCIDENTS, DISCOVERY | Date in format “dd/MM/yyyy HH:mm:ss” Example: 12/08/2021 16:00:00 |
| to_date |
Required (for not by IDs filter) |
INCIDENTS, DISCOVERY | Date in format “dd/MM/yyyy HH:mm:ss” Example: 13/08/2021 18:55:00 |
| detected_by | Optional | INCIDENTS, DISCOVERY |
Agent detected the violation. Example: Endpoint Agent, Crawler 100190120a |
| analyzed_by | Optional | INCIDENTS, DISCOVERY |
Policy Engine ID. Example: Policy Engine 100190120a |
| event_id | Optional | INCIDENTS, DISCOVERY |
Event ID number. Example: 5121411628328991975 |
| destination | Optional | INCIDENTS |
Destination. Example: Windows Portable Device (WPD) |
| policies | Optional | INCIDENTS | Policy that triggered the incident. Example: PCI |
| action | Optional | INCIDENTS |
AUDITED QUARANTINED BLOCKED ENCRYPTED RELEASED ESG_ACTION QUARANTINE_WITH_NOTE UNSHARE_EXTERNAL UNSHARE_ALL UNSHARE_INTERNAL |
| source | Optional | INCIDENTS |
Source. Example: DESKTOP-3NG4NN6\\Lenovo |
| status | Optional | INCIDENTS, DISCOVERY |
NEW IN_PROCESS CLOSE FALSE_POSITIVE ESCALATED Note: Also supports a custom status. |
| severity | Optional | INCIDENTS, DISCOVERY | HIGH MEDIUM LOW |
| endpoint_type | Optional | INCIDENTS | LAPTOP DESKTOP NA |
| channel | Optional | INCIDENTS | EMAIL ENDPOINT_EMAIL FTP HTTP HTTPS ENDPOINT_HTTP ENDPOINT_HTTPS ENDPOINT_PRINTING ENDPOINT_APPLICATION ENDPOINT_REMOVABLE_MEDIA ENDPOINT_LAN ENDPOINT_DISCOVERY CASB_REAL_TIME CASB_NEAR_REAL_TIME CASB_DISCOVERY |
| assigned_to | Optional | INCIDENTS, DISCOVERY | The administrator name assigned to a ticket Example: admin |
| tag | Optional | INCIDENTS, DISCOVERY | The Incident tag. Example: my tag |
|
remove_ignored _incidents |
Optional (default is false) |
INCIDENTS, DISCOVERY |
Filter out ignored incidents from the results. TRUE FALSE |