To learn more, visit the Cortex Xpanse documentation.
Parameters
| Parameter | Description |
|---|---|
| Alerts Limit | The maximum number of alerts related to the incident to return. The default is 1000. If the incident has more alerts than this limit, the returned alert list is incomplete. |
| Incident ID | The ID of the incident. It can be obtained from the List Incidents action. |
Example Output
{ "reply": { "incident": { "incident_id": "string", "is_blocked": true, "incident_name": "string", "creation_time": 0, "modification_time": 0, "detection_time": 0, "status": "string", "severity": "string", "description": "string", "assigned_user_mail": "string", "assigned_user_pretty_name": "string", "alert_count": 0, "low_severity_alert_count": 0, "med_severity_alert_count": 0, "high_severity_alert_count": 0, "critical_severity_alert_count": 0, "user_count": 0, "host_count": 0, "notes": "string", "resolve_comment": "string", "resolved_timestamp": 0, "manual_severity": "string", "manual_description": "string", "xdr_url": "string", "starred": true, "starred_manually": true, "hosts": [ "string" ], "incident_sources": [ "string" ], "rule_based_score": 0, "manual_score": 0, "aggregated_score": 0, "alerts_grouping_status": "string", "alert_categories": [ "string" ], "original_tags": [ "string" ], "tags": [ "string" ], "xpanse_risk_score": 0, "xpanse_risk_explainer": { "cves": [ { "cveId": "string", "cvssScore": 0, "epssScore": 0, "matchType": "string", "exploitMaturity": "string", "reportedExploitInTheWild": true, "mostRecentReportedExploitDate": "string", "confidence": "string", "additionalProp1": {} } ], "riskFactors": [ { "attributeId": "string", "attributeName": "string", "issueTypes": [ { "displayName": "string", "issueTypeId": "string", "additionalProp1": {} } ], "additionalProp1": {} } ], "versionMatched": true, "additionalProp1": {} }, "cloud_management_status": "string", "integration_source": "string", "ipv4_addresses": [ "string" ], "ipv6_addresses": [ "string" ], "domain_names": [ "string" ], "port_number": 0, "asset_ids": [ "3fa85f64-5717-4562-b3fc-2c963f66afa6" ], "ip_range_ids": [ "string" ], "website_ids": [ "string" ], "service_ids": [ "string" ], "last_observed": 0, "cloud_providers": [ "string" ], "country_codes": [ "string" ], "certificate_common_names": [ "string" ], "certificate_issuers": [ "string" ], "additionalProp1": {} }, "alerts": { 
"total_count": 0, "data": [ { "category": "string", "project": "string", "cloud_provider": "string", "resource_sub_type": "string", "resource_type": "string", "action_country": "string", "event_type": "string", "is_whitelisted": true, "mac": "string", "image_name": "string", "action_local_ip": "string", "action_local_port": "string", "action_external_hostname": "string", "action_remote_ip": [ "string" ], "action_remote_port": 0, "matching_service_rule_id": "string", "starred": true, "external_id": "string", "severity": "string", "matching_status": "string", "end_match_attempt_ts": "string", "local_insert_ts": 0, "last_modified_ts": 0, "case_id": 0, "deduplicate_tokens": "string", "filter_rule_id": "string", "event_id": "string", "event_timestamp": 0, "action_local_ip_v6": "string", "action_remote_ip_v6": "string", "alert_type": "string", "resolution_status": "string", "resolution_comment": "string", "dynamic_fields": "string", "tags": "string", "malicious_urls": "string", "asm_alert_categories": "string", "last_observed": 0, "country_codes": "string", "cloud_providers": "string", "ipv4_addresses": "string", "ipv6_addresses": "string", "domain_names": "string", "service_ids": "string", "website_ids": "string", "asset_ids": "string", "certificate": { "issuerName": "string", "subjectName": "string", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "string", "additionalProp1": {} }, "port_protocol": "string", "port_number": 0, "business_unit_hierarchies": [ { "creation_time": 0, "family": "string", "family_alias": "string", "id": "string", "is_active": 0, "name": "string", "parent_id": "string", "update_time": 0, "additionalProp1": {} } ], "attack_surface_rule_name": "string", "remediation_guidance": "string", "attack_surface_rule_id": "string", "asset_identifiers": { "domain": "string", "certificate": { "issuerName": "string", "subjectName": "string", "validNotBefore": 0, "validNotAfter": 0, "serialNumber": "string", "additionalProp1": {} }, "ipv4Address": 
"string", "ipv6Address": "string", "httpPath": "string", "portNumber": 0, "portProtocol": "string", "firstObserved": 0, "lastObserved": 0, "additionalProp1": {} }, "alert_id": "string", "detection_timestamp": 0, "name": "string", "endpoint_id": "string", "description": "string", "host_ip": "string", "host_name": "string", "source": "string", "action": "string", "action_pretty": "string", "user_name": "string", "events_length": 0, "mitre_tactic_id_and_name": "string", "mitre_technique_id_and_name": "string", "cloud_management_status": "string", "additionalProp1": {} } ], "additionalProp1": {} }, "network_artifacts": { "total_count": 0, "data": [ "string" ], "additionalProp1": {} }, "file_artifacts": { "total_count": 0, "data": [ "string" ], "additionalProp1": {} }, "additionalProp1": {} }, "additionalProp1": {}}