Incident

Incident

These are the API endpoints for managing incidents, including listing, creating, updating, and deleting incidents.

Get Incident

This API is used to fetch the details of a specific incident.
OAuth Scope : incident.READ

Path Parameters

incident_id
integer
(Required)
Unique ID of the incident. It can be taken from the List Incidents API.

Query Parameters

response_type
string
Determines whether the response values are based on the client or the server value. Accepted values are `client` and `server`; the default is `server`.

Request Example

// Fetches one incident by ID over the v2 REST API using a bearer token.
// The token is a credential: substitute it from a secure store, not a literal kept in the script.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
// <connection_name> is a placeholder for the configured connection. The example targets a local
// http:// endpoint; a non-local deployment should be reached over https:// so the token is not sent in cleartext.
response = invokeUrl
[
	url: "http://localhost:8400/api/v2/incident/3000000438278"
	type: GET
	headers: headers_data
	connection: <connection_name>
];
// info writes the response to the script log (error responses are JSON too, see Response Example).
info response;
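// Fetches one incident by ID over the v2 REST API using a bearer token.
// The token is a credential: inject it from configuration rather than hard-coding it, and use
// https:// for any endpoint that is not local so the token is not sent in cleartext.
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/incident/3000000438278")
    .get()
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .build();
// A Response holds its connection and body until closed; try-with-resources releases it even
// when reading the body throws (the original left the response open).
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx responses (see the Unauthorized / Bad Request examples) are not successful.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    String responseText = response.body().string();
    System.out.println(responseText);
}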
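// Fetches one incident by ID over the v2 REST API using a bearer token.
// The token is a credential: inject it from configuration rather than hard-coding it.
// The example targets a local http:// endpoint; use https:// for any non-local deployment
// so the token is not sent in cleartext.
const options = { method: 'GET', headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN' } };
fetch('http://localhost:8400/api/v2/incident/3000000438278', options)
  .then((response) =>
    // Parse the body first: error responses (401/400) also carry JSON (see Response Example),
    // then reject on a non-2xx status instead of logging the error body as a success.
    response.json().then((body) => {
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`, { cause: body });
      }
      return body;
    }),
  )
  .then((body) => console.log(body))
  .catch((err) => console.error(err));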
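import http.client

# Fetches one incident by ID over the v2 REST API using a bearer token.
# The token is a credential: read it from the environment or a secret store rather than
# embedding it in the script. The example targets a local http:// endpoint; use
# http.client.HTTPSConnection for any non-local deployment so the token is not sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400")
headers = {'Authorization': "Bearer REPLACE_BEARER_TOKEN"}
try:
    conn.request("GET", "/api/v2/incident/3000000438278", headers=headers)
    res = conn.getresponse()
    # Non-2xx responses carry a JSON error body (see Response Example); res.status holds the code.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even if the request or the read fails (the original never closed it).
    conn.close()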
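// Fetches one incident by ID over the v2 REST API using a bearer token.
// The token is a credential: load it from process.env or a secret store rather than
// hard-coding it. The example targets a local http:// endpoint; use the https module for
// any non-local deployment so the token is not sent in cleartext.
const http = require("http");
const options = {
  method: "GET",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/incident/3000000438278",
  headers: { Authorization: "Bearer REPLACE_BEARER_TOKEN" },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks);
    // Non-2xx responses carry a JSON error body (see Response Example); report the status with it.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error(`HTTP ${res.statusCode}`, body.toString());
      return;
    }
    console.log(body.toString());
  });
  // A stream error while reading the body must not go unhandled.
  res.on("error", (err) => console.error(err));
});
// Without this handler a refused connection or reset crashes the process with an unhandled 'error' event.
req.on("error", (err) => console.error(err));
req.end();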
# Fetches one incident by ID over the v2 REST API using a bearer token.
# The token is a credential: pass it from an environment variable or secret store rather than
# typing it into shell history. The example targets a local http:// endpoint; use https:// elsewhere.
curl -X GET \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  'http://localhost:8400/api/v2/incident/3000000438278'

Response Example

{ "data": { "actors": [ { "entity": [ "dev-agent" ] }, { "suspect": [ "dev-agent\\n/a" ] } ], "notes": [ { "note": "Incident occurred during server upgrade.", "added_by": "gokul.sn+test", "time": "2025-03-31 16:12:17" } ], "evidence": [ { "severity": "information", "eventid": 40960, "incident_tab": "evidence", "formatted_message": "Downgrade Attacks. Subject: Security ID: S-1-5-21-2477490969-972611893-3386141825-500 Account Name: administrator Domain Name: ELANEW2017 Logon ID: 0x8D71B\t9077 ", "type_of_evidence": "LOG", "_zl_timestamp": "2025-03-31 16:12:17", "hosttype": "windows", "incident_added_by": "gokul.sn+test", "img_class": "fw-icon fw-icn-login-user", "log_org_time": "2025-03-31 15:30:00", "source": "lsasrv", "message": "Downgrade Attacks. Subject: Security ID: S-1-5-21-2477490969-972611893-3386141825-500 Account Name: administrator Domain Name: ELANEW2017 Logon ID: 0x8D71B\t9077 ", "type": "security", "incident_uuid": "5a98433b-ebde-4920-825e-3c00ca5f7ecc_objectidcustom_logs", "source_ip": "1.4.0.0", "hostname": "dev-agent", "is_threshold_incident": false, "log_obtained_from": "REPORT", "category": "downgrade attacks", "username": "n/a", "incident_time": "2025-03-31 16:12:17" } ], "activity": [ { "activity": "Incident Notes Added", "description": "Notes added to DOS Attack Incident by gokul.sn+test.", "time": "2025-03-31 16:12:17" }, { "activity": "Incident Updated", "description": "New evidence added to DOS Attack Incident by gokul.sn+test.", "time": "2025-03-31 16:12:17" }, { "activity": "Incident Created", "description": "DOS Attack Incident incident has been created successfully by gokul.sn+test.", "time": "2025-03-31 16:12:17" } ] } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

Create Incident

This API is used to create a new incident.
OAuth Scope : incident.CREATE

Arguments

name
string
(Required)
Unique name of the incident.
description
string
Description of the incident.
severity
string
Severity of the incident. Allowed values - critical, trouble, attention
status
string
Status of the incident. Allowed values - open, in_progress, closed
assignee
integer
Assignee of the incident. It can be taken from the Users metadata API.
due_date
string
Due date of the incident, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
notes
array
Notes for the incident.
evidence
array
Evidence for the incident. UUIDs can be taken from the search, report, and alert fetch APIs.
source
string
Source of the evidence. Allowed values - search, report, alert

Request Example

// Creates an incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
parameters_data='{"field1":"value1","field2":"value2"}';
// The token is a credential: substitute it from a secure store, not a literal kept in the script.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
// <connection_name> is a placeholder for the configured connection. The example targets a local
// http:// endpoint; a non-local deployment should be reached over https:// so the token is not sent in cleartext.
response = invokeUrl
[
	url: "http://localhost:8400/api/v2/incident"
	type: POST
	headers: headers_data
	content-type: application/json
	parameters: parameters_data
	connection: <connection_name>
];
// info writes the response to the script log (error responses are JSON too, see Response Example).
info response;
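// Creates an incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
// The token is a credential: inject it from configuration rather than hard-coding it, and use
// https:// for any endpoint that is not local so the token is not sent in cleartext.
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/incident")
    .post(body)
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .addHeader("content-type", "application/json")
    .build();
// A Response holds its connection and body until closed; try-with-resources releases it even
// when reading the body throws (the original left the response open).
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx responses (see the Unauthorized / Bad Request examples) are not successful.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    String responseText = response.body().string();
    System.out.println(responseText);
}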
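// Creates an incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
// The token is a credential: inject it from configuration rather than hard-coding it.
// The example targets a local http:// endpoint; use https:// for any non-local deployment
// so the token is not sent in cleartext.
const options = {
  method: 'POST',
  headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN', 'content-type': 'application/json' },
  body: '{"field1":"value1","field2":"value2"}',
};
fetch('http://localhost:8400/api/v2/incident', options)
  .then((response) =>
    // Parse the body first: error responses (401/400) also carry JSON (see Response Example),
    // then reject on a non-2xx status instead of logging the error body as a success.
    response.json().then((body) => {
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`, { cause: body });
      }
      return body;
    }),
  )
  .then((body) => console.log(body))
  .catch((err) => console.error(err));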
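import http.client

# Creates an incident over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
# The token is a credential: read it from the environment or a secret store rather than
# embedding it in the script. The example targets a local http:// endpoint; use
# http.client.HTTPSConnection for any non-local deployment so the token is not sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400")
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
    'content-type': "application/json",
}
try:
    conn.request("POST", "/api/v2/incident", payload, headers)
    res = conn.getresponse()
    # Non-2xx responses carry a JSON error body (see Response Example); res.status holds the code.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even if the request or the read fails (the original never closed it).
    conn.close()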
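// Creates an incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
// The token is a credential: load it from process.env or a secret store rather than
// hard-coding it. The example targets a local http:// endpoint; use the https module for
// any non-local deployment so the token is not sent in cleartext.
const http = require("http");
const options = {
  method: "POST",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/incident",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
    "content-type": "application/json",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks);
    // Non-2xx responses carry a JSON error body (see Response Example); report the status with it.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error(`HTTP ${res.statusCode}`, body.toString());
      return;
    }
    console.log(body.toString());
  });
  // A stream error while reading the body must not go unhandled.
  res.on("error", (err) => console.error(err));
});
// Without this handler a refused connection or reset crashes the process with an unhandled 'error' event.
req.on("error", (err) => console.error(err));
req.write(JSON.stringify({ field1: "value1", field2: "value2" }));
req.end();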
# Creates an incident over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real fields are listed under Arguments / Body Parameters.
# The token is a credential: pass it from an environment variable or secret store rather than
# typing it into shell history. The example targets a local http:// endpoint; use https:// elsewhere.
curl -X POST \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  -H 'content-type: application/json' \
  -d '{"field1":"value1","field2":"value2"}' \
  'http://localhost:8400/api/v2/incident'

Body Parameters

{ "name": "test", "description": "test description", "severity": "trouble", "status": "open", "assignee": -1, "due_date": "2027-10-03 10:30:00", "notes": [ "adding a test note" ], "evidence": [ "dd34449f-47ae-433b-94b9-7bfddba1ab0c_objectidcustom_logs" ], "source": "report" }

Response Example

{ "data": { "incident_id": 3000000438284, "message": "Incident has been created successfully." } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

Update Incident

This API is used to update an existing incident.
OAuth Scope : incidents.update

Arguments

incident_id
integer
(Required)
Unique ID of the incident. It can be taken from the List Incidents API.
name
string
(Required)
Unique name of the incident.
description
string
Description of the incident.
severity
string
Severity of the incident. Allowed values - critical, trouble, attention
status
string
Status of the incident. Allowed values - open, in_progress, closed
assignee
integer
Assignee of the incident. It can be taken from the Users metadata API.
due_date
string
Due date of the incident, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
notes
array
Notes for the incident.
evidence
array
Evidence for the incident. UUIDs can be taken from the search, report, and alert fetch APIs.
source
string
Source of the evidence. Allowed values - search, report, alert

Request Example

// Updates an existing incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
parameters_data='{"field1":"value1","field2":"value2"}';
// The token is a credential: substitute it from a secure store, not a literal kept in the script.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
// <connection_name> is a placeholder for the configured connection. The example targets a local
// http:// endpoint; a non-local deployment should be reached over https:// so the token is not sent in cleartext.
response = invokeUrl
[
	url: "http://localhost:8400/api/v2/incident"
	type: PUT
	headers: headers_data
	content-type: application/json
	parameters: parameters_data
	connection: <connection_name>
];
// info writes the response to the script log (error responses are JSON too, see Response Example).
info response;
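// Updates an existing incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
// The token is a credential: inject it from configuration rather than hard-coding it, and use
// https:// for any endpoint that is not local so the token is not sent in cleartext.
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/incident")
    .put(body)
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .addHeader("content-type", "application/json")
    .build();
// A Response holds its connection and body until closed; try-with-resources releases it even
// when reading the body throws (the original left the response open).
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx responses (see the Unauthorized / Bad Request examples) are not successful.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    String responseText = response.body().string();
    System.out.println(responseText);
}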
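// Updates an existing incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
// The token is a credential: inject it from configuration rather than hard-coding it.
// The example targets a local http:// endpoint; use https:// for any non-local deployment
// so the token is not sent in cleartext.
const options = {
  method: 'PUT',
  headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN', 'content-type': 'application/json' },
  body: '{"field1":"value1","field2":"value2"}',
};
fetch('http://localhost:8400/api/v2/incident', options)
  .then((response) =>
    // Parse the body first: error responses (401/400) also carry JSON (see Response Example),
    // then reject on a non-2xx status instead of logging the error body as a success.
    response.json().then((body) => {
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`, { cause: body });
      }
      return body;
    }),
  )
  .then((body) => console.log(body))
  .catch((err) => console.error(err));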
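import http.client

# Updates an existing incident over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
# The token is a credential: read it from the environment or a secret store rather than
# embedding it in the script. The example targets a local http:// endpoint; use
# http.client.HTTPSConnection for any non-local deployment so the token is not sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400")
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
    'content-type': "application/json",
}
try:
    conn.request("PUT", "/api/v2/incident", payload, headers)
    res = conn.getresponse()
    # Non-2xx responses carry a JSON error body (see Response Example); res.status holds the code.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even if the request or the read fails (the original never closed it).
    conn.close()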
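// Updates an existing incident over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
// The token is a credential: load it from process.env or a secret store rather than
// hard-coding it. The example targets a local http:// endpoint; use the https module for
// any non-local deployment so the token is not sent in cleartext.
const http = require("http");
const options = {
  method: "PUT",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/incident",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
    "content-type": "application/json",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks);
    // Non-2xx responses carry a JSON error body (see Response Example); report the status with it.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error(`HTTP ${res.statusCode}`, body.toString());
      return;
    }
    console.log(body.toString());
  });
  // A stream error while reading the body must not go unhandled.
  res.on("error", (err) => console.error(err));
});
// Without this handler a refused connection or reset crashes the process with an unhandled 'error' event.
req.on("error", (err) => console.error(err));
req.write(JSON.stringify({ field1: "value1", field2: "value2" }));
req.end();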
# Updates an existing incident over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real fields (including incident_id) are listed under Arguments / Body Parameters.
# The token is a credential: pass it from an environment variable or secret store rather than
# typing it into shell history. The example targets a local http:// endpoint; use https:// elsewhere.
curl -X PUT \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  -H 'content-type: application/json' \
  -d '{"field1":"value1","field2":"value2"}' \
  'http://localhost:8400/api/v2/incident'

Body Parameters

{ "incident_id": 3000000438278, "name": "test", "description": "test description", "severity": "trouble", "status": "open", "assignee": -1, "due_date": "2027-10-03 10:30:00", "notes": [ "adding a test note" ], "evidence": [], "source": "" }

Response Example

{ "data": { "message": "Incident has been updated successfully." } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

List Incidents

This API is used to retrieve a list of incidents.
OAuth Scope : incident.READ

Query Parameters

severity
string
Filters incidents based on severity levels. Allowed values - critical, trouble, attention.
status
string
Filters incidents based on their status. Allowed values - open, in_progress, closed.
created_by
string
Filters incidents based on created users. It can be taken from the Users metadata API.
assignee
integer
Filters incidents based on assignee. It can be taken from the Users metadata API.
from
integer
The starting index of the response range.
limit
integer
The number of incidents to return in the response. The maximum value is 100.
response_type
string
Determines whether the response values are based on the client or the server value. Accepted values are `client` and `server`; the default is `server`.

Request Example

// Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
// The token is a credential: substitute it from a secure store, not a literal kept in the script.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
// <connection_name> is a placeholder for the configured connection. The example targets a local
// http:// endpoint; a non-local deployment should be reached over https:// so the token is not sent in cleartext.
response = invokeUrl
[
	url: "http://localhost:8400/api/v2/incident"
	type: GET
	headers: headers_data
	connection: <connection_name>
];
// info writes the response to the script log (error responses are JSON too, see Response Example).
info response;
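// Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
// The token is a credential: inject it from configuration rather than hard-coding it, and use
// https:// for any endpoint that is not local so the token is not sent in cleartext.
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/incident")
    .get()
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .build();
// A Response holds its connection and body until closed; try-with-resources releases it even
// when reading the body throws (the original left the response open).
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx responses (see the Unauthorized / Bad Request examples) are not successful.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    String responseText = response.body().string();
    System.out.println(responseText);
}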
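// Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
// The token is a credential: inject it from configuration rather than hard-coding it.
// The example targets a local http:// endpoint; use https:// for any non-local deployment
// so the token is not sent in cleartext.
const options = { method: 'GET', headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN' } };
fetch('http://localhost:8400/api/v2/incident', options)
  .then((response) =>
    // Parse the body first: error responses (401/400) also carry JSON (see Response Example),
    // then reject on a non-2xx status instead of logging the error body as a success.
    response.json().then((body) => {
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`, { cause: body });
      }
      return body;
    }),
  )
  .then((body) => console.log(body))
  .catch((err) => console.error(err));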
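import http.client

# Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
# The token is a credential: read it from the environment or a secret store rather than
# embedding it in the script. The example targets a local http:// endpoint; use
# http.client.HTTPSConnection for any non-local deployment so the token is not sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400")
headers = {'Authorization': "Bearer REPLACE_BEARER_TOKEN"}
try:
    conn.request("GET", "/api/v2/incident", headers=headers)
    res = conn.getresponse()
    # Non-2xx responses carry a JSON error body (see Response Example); res.status holds the code.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even if the request or the read fails (the original never closed it).
    conn.close()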
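// Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
// The token is a credential: load it from process.env or a secret store rather than
// hard-coding it. The example targets a local http:// endpoint; use the https module for
// any non-local deployment so the token is not sent in cleartext.
const http = require("http");
const options = {
  method: "GET",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/incident",
  headers: { Authorization: "Bearer REPLACE_BEARER_TOKEN" },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks);
    // Non-2xx responses carry a JSON error body (see Response Example); report the status with it.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error(`HTTP ${res.statusCode}`, body.toString());
      return;
    }
    console.log(body.toString());
  });
  // A stream error while reading the body must not go unhandled.
  res.on("error", (err) => console.error(err));
});
// Without this handler a refused connection or reset crashes the process with an unhandled 'error' event.
req.on("error", (err) => console.error(err));
req.end();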
# Lists incidents over the v2 REST API using a bearer token (filters go in the query string, see Query Parameters).
# The token is a credential: pass it from an environment variable or secret store rather than
# typing it into shell history. The example targets a local http:// endpoint; use https:// elsewhere.
curl -X GET \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  'http://localhost:8400/api/v2/incident'

Response Example

{ "data": [ { "severity": "Critical", "created_time": "2025-03-31 16:12:10", "incident_id": 3000000455681, "assign_to": -1, "due_date": "2025-04-02 00:00:00", "incident_description": "The collection of reports with Downgrade Attacks.", "incident_name": "DOS Attack Incident", "created_by": "user001", "status": "Open" }, "..." ], "meta": { "per_page": 100, "total_pages": 2, "total_items": 152 } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

Delete Incidents

This API is used to delete one or more existing incidents.
OAuth Scope : incident.DELETE

Arguments

incident_ids
array
(Required)
List of incident IDs to delete. They can be taken from the List Incidents API.
Maximum: 100 incident IDs

Request Example

// Deletes incidents over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
parameters_data='{"field1":"value1","field2":"value2"}';
// The token is a credential: substitute it from a secure store, not a literal kept in the script.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
// <connection_name> is a placeholder for the configured connection. The example targets a local
// http:// endpoint; a non-local deployment should be reached over https:// so the token is not sent in cleartext.
response = invokeUrl
[
	url: "http://localhost:8400/api/v2/incident"
	type: DELETE
	headers: headers_data
	content-type: application/json
	parameters: parameters_data
	connection: <connection_name>
];
// info writes the response to the script log (error responses are JSON too, see Response Example).
info response;
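// Deletes incidents over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
// The token is a credential: inject it from configuration rather than hard-coding it, and use
// https:// for any endpoint that is not local so the token is not sent in cleartext.
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/incident")
    .delete(body)
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .addHeader("content-type", "application/json")
    .build();
// A Response holds its connection and body until closed; try-with-resources releases it even
// when reading the body throws (the original left the response open).
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx responses (see the Unauthorized / Bad Request examples) are not successful.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    String responseText = response.body().string();
    System.out.println(responseText);
}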
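// Deletes incidents over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
// The token is a credential: inject it from configuration rather than hard-coding it.
// The example targets a local http:// endpoint; use https:// for any non-local deployment
// so the token is not sent in cleartext.
const options = {
  method: 'DELETE',
  headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN', 'content-type': 'application/json' },
  body: '{"field1":"value1","field2":"value2"}',
};
fetch('http://localhost:8400/api/v2/incident', options)
  .then((response) =>
    // Parse the body first: error responses (401/400) also carry JSON (see Response Example),
    // then reject on a non-2xx status instead of logging the error body as a success.
    response.json().then((body) => {
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`, { cause: body });
      }
      return body;
    }),
  )
  .then((body) => console.log(body))
  .catch((err) => console.error(err));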
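import http.client

# Deletes incidents over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
# The token is a credential: read it from the environment or a secret store rather than
# embedding it in the script. The example targets a local http:// endpoint; use
# http.client.HTTPSConnection for any non-local deployment so the token is not sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400")
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
    'content-type': "application/json",
}
try:
    conn.request("DELETE", "/api/v2/incident", payload, headers)
    res = conn.getresponse()
    # Non-2xx responses carry a JSON error body (see Response Example); res.status holds the code.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket even if the request or the read fails (the original never closed it).
    conn.close()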
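// Deletes incidents over the v2 REST API using a bearer token.
// field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
// The token is a credential: load it from process.env or a secret store rather than
// hard-coding it. The example targets a local http:// endpoint; use the https module for
// any non-local deployment so the token is not sent in cleartext.
const http = require("http");
const options = {
  method: "DELETE",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/incident",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
    "content-type": "application/json",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks);
    // Non-2xx responses carry a JSON error body (see Response Example); report the status with it.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error(`HTTP ${res.statusCode}`, body.toString());
      return;
    }
    console.log(body.toString());
  });
  // A stream error while reading the body must not go unhandled.
  res.on("error", (err) => console.error(err));
});
// Without this handler a refused connection or reset crashes the process with an unhandled 'error' event.
req.on("error", (err) => console.error(err));
req.write(JSON.stringify({ field1: "value1", field2: "value2" }));
req.end();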
# Deletes incidents over the v2 REST API using a bearer token.
# field1/field2 are placeholders; the real body is {"incident_ids": [...]} (see Arguments / Body Parameters).
# The token is a credential: pass it from an environment variable or secret store rather than
# typing it into shell history. The example targets a local http:// endpoint; use https:// elsewhere.
curl -X DELETE \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  -H 'content-type: application/json' \
  -d '{"field1":"value1","field2":"value2"}' \
  'http://localhost:8400/api/v2/incident'

Body Parameters

{ "incident_ids": [ 3000000438278 ] }

Response Example

{ "data": { "message": "Incident has been deleted successfully." } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }