getIncident

You can use this method to retrieve information regarding a specific incident, by referencing it's ID.

API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.2/jsonrpc/incidents

Parameters

Parameter	Description	Included in request	Type	Values
`id`	The ID of the incident you want to retrieve information for. This ID is included in the URL of the incident details page from GravityZone Control Center.	Mandatory	String	No additional requirements. Example "id": "67dd30dd4a842ebbbb0b6af3"

Parameter

Description

Included in request

Type

Values

id

The ID of the incident you want to retrieve information for.

This ID is included in the URL of the incident details page from GravityZone Control Center.

Mandatory

String

No additional requirements.

General parameters

These are common parameters, available across all public API methods:

Parameter	Description	Included in request	Type	Values
`id`	This parameter adds an identifier to the request, linking it to its corresponding response. The target replies with the same value in the response, allowing easy call tracking.	Mandatory	String	No additional requirements. Example "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
`method`	The name of the method you are using to send the request.	Mandatory	String	Must be a valid method name. Example "method": "methodName"
`jsonrpc`	The version of JSON-RPC used by the request and the response.	Mandatory	String	The only possible value is `2.0`. Example "jsonrpc": "2.0"
`params`	An object containing the configuration of the request.	Mandatory	Object	No additional requirements. Example "params": {...}

Return value

Attribute	Type	Description
`result`	Object	Details about the incident referenced in the request. For more information, refer to `result`.

Objects

`result`

Attribute	Type	Description
`incidentId`	String	The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.
`incidentNumber`	Integer	The incident ID displayed in GravityZone Control Center, in the Incidents page, without the `#` prefix.
`incidentType`	String	The type of the incident. Possible values: `incident`: Endpoint incident from GravityZone Control Center. `extendedIncident`: Organization incident from GravityZone Control Center. The value of this field determines what information is included in the `details` object.
`company`	Object	Details about the company where the incident was generated. The object contains the following settings: `id` (String): The company ID. `name` (String): The company name.
`status`	String	The status of the incident. Possible values: `open`: The incident has been recently generated and is yet to be investigated. `in_progress`: The incident is currently under investigation. `false_positive`: The incident was investigated and confirmed to be a false alarm. `closed`: The incident was confirmed as valid and is now closed following investigation.
`mainAction`	String	The incident type, determined by the main action that was taken automatically by the protection technologies when it was detected. Possible values: `reported`: Endpoint or Organization incident upon which no action was taken and requires further investigation. `partially_blocked`: Organization incident in which the automatic actions defined in the policies have been taken only on some entities. `blocked`: Endpoint incident that was detected and blocked by GravityZone prevention modules.
`created`	String	The date and time when the incident was detected in the network, in ISO-8601 format.
`lastUpdated`	String	The date and time when the incident was last updated by GravityZone, in ISO-8601 format.
`lastProcessed`	String	The date and time when the incident was last processed by GravityZone, in ISO-8601 format.
`severityScore`	Integer	The severity score assigned to the incident, as reported by the detection technologies. Possible values: `1` - `100`.
`incidentLink`	String	A URL linking to a web page where the incident details can be viewed in a browser.
`assignee`	Object	The GravityZone user that is assigned to this incident. The object contains the following settings: `userId` (String): The ID of the user. `userName` (String): The username. `companyId` (String): The ID of the company the user belongs to. `companyName` (String): The name of the company the user belongs to.
`priority`	String	The priority assigned to the incident. Possible values: `unknown` `low` `medium` `high` `critical`
`attackTypes`	Array of Strings	A list of attack types detected in the incident. Each String can be, for example: `Malware` `Ransomware` `Password Stealer`
`details`	Object	Additional information regarding the incident. The information depends on the value assigned to the `incidentType` attribute. When `incidentType` is `incident`, the `details` Object contains: `detectionName` (String): The name of the detection. `partOf` (Array of Objects): The Organization incidents in which this incident was used for correlating data. For information about each object in the array, refer to `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents). `computerId` (String): The ID of the endpoint that generated the incident. `computerName` (String): The name of the endpoint that generated the incident. `computerFqdn` (String): The FQDN of the endpoint that generated the incident. `computerIp` (String): The IP of the endpoint that generated the incident. If the endpoint has multiple IPs, the one used to communicate with GravityZone is reported here, not the one used in the attack. `computerMacAddresses` (Array of Strings): A list of the endpoints' MAC addresses. `counters` (Object): Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to `counters` (Endpoint incidents). `triggerNodeId` (String): The ID of the node that triggered the incident. This is the root node of the incident graph. `nodes` (Array of Objects): The list of nodes from the incident graph. For information about each object in the array, refer to `nodes` (Endpoint incidents). `alerts` (Array of Objects): The list of alerts from the incident events. For information about each object in the array, refer to `alerts` (Endpoint incidents). `transitions` (Array of Objects): These items should be used to build the incident graph. They indicate how nodes connect. For information about each object in the array, refer to `transitions` (Endpoint incidents). `mitreTags` (Array of Objects): MITRE techniques detected in the attack. For information about each object in the array, refer to `mitreTags` (Endpoint and Organization incidents). `incidentEvolution` (Array of Objects): The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow. In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain. For information about each object in the array, refer to `incidentEvolution` (Endpoint and Organization incidents). When `incidentType` is `extendedIncident`, the `details` Object contains: `partOf` (Array of Objects): The Organization incidents in which this incident was used for correlating data. For information about each object in the array, refer to `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents). `contains` (Array of Objects): The other incidents that were used for correlating data in this incident. For information about each object in the array, refer to `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents). `counters` (Object): Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to `counters` (Organization incidents). `mitreTags` (Array of Objects): MITRE techniques detected in the attack. For information about each object in the array, refer to `mitreTags` (Endpoint and Organization incidents). `killChainPhases` (Array of Strings): The stages of the cyberattack lifecycle, based on the MITRE ATT&CK framework. Each value represents a specific phase the threat actor may have reached during the incident. Possible values for each string: `initial_access` `execution` `persistence` `privilege_escalation` `defence_evasion` `credential_access` `discovery` `lateral_movement` `collection` `command_and_control` `exfiltration` `impact` `lastKillChainPhase` (String): Indicates the most recent stage reached in the cyberattack lifecycle during the incident, based on the MITRE ATT&CK framework. It reflects the furthest progression observed by the system. Possible values are identical to those of the `killChainPhases` strings. `cves` (Array of Objects): CVEs identified in the attack. For information about each object in the array, refer to `cves` (Organization incidents). `suspectedActors` (Array of Objects): Suspected actors that might have done the attack. For information about each object in the array, refer to `suspectedActors` (Organization incidents). `nodes` (Array of Objects): The nodes from the incident graph. For information about each object in the array, refer to `nodes` (Organization incidents). `alerts` (Array of Objects): The alerts from the incident events. For information about each object in the array, refer to `alerts` (Organization incidents). `incidentEvolution` (Array of Objects): The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow. In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain. For information about each object in the array, refer to `incidentEvolution` (Endpoint and Organization incidents). `narrative` (Array of String Arrays): A list of paragraphs summarizing the incident, available in the Overview tab of GravityZone Control Center. Each paragraph is represented as an array of phrase strings. If no data is available, the `narrative` is returned as an empty array. `reasoning` (Array of String Arrays): A list of paragraphs forming the root cause analysis of the incident: a textual explanation of the incident’s origin, summarizing the factors and alerts that led to its occurrence. Each paragraph is represented as an array of phrase strings. If no data is available, the `reasoning` is returned as an empty array.
`notes`	Array of Objects	A list of notes that were attached to the incident. Each note contains the following settings: `id` (String): The note ID. `userId` (String): The ID of the user that created the note. `text` (String): The text added to the note. `created` (String): The date and time when the note was created, in ISO-8601 format.

`partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents)

Attribute	Type	Description
`incidentId`	String	The ID of the incident.
`incidentLink`	String	A URL that can be used to open the incident in GravityZone Control Center after logging in.

`counters` (Endpoint incidents)

Attribute	Type	Description
`endpoints`	Integer	The number of endpoints involved in the incident.
`files`	Integer	The number of files involved in the incident.
`processes`	Integer	The number of processes involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`registries`	Integer	The number of registry keys involved in the incident. This applies only to endpoints that use Windows.
`events`	Integer	The number of system events involved in the incident.
`storages`	Integer	The number of storage devices involved in the incident.

`counters` (Organization incidents)

Attribute	Type	Description
`endpoints`	Integer	The number of endpoints involved in the incident.
`servers`	Integer	The number of servers involved in the incident.
`mobileDevices`	Integer	The number of mobile devices involved in the incident.
`printers`	Integer	The number of printers involved in the incident.
`routers`	Integer	The number of routers involved in the incident.
`IoTs`	Integer	The number of Internet-of-Things involved in the incident.
`identities`	Integer	The number of identities involved in the incident.
`emails`	Integer	The number of emails involved in the incident.
`IPs`	Integer	The number of IPs involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`DNSs`	Integer	The number of domain name servers involved in the incident.
`DGAs`	Integer	The number of domain generation algorithms (DGAs) involved in the incident.
`cloudStorages`	Integer	The number of cloud storages involved in the incident.
`torNodes`	Integer	The number of Tor nodes involved in the incident.
`externalDrives`	Integer	The number of external drives involved in the incident.
`externalSources`	Integer	The number of external sources involved in the incident.
`exfiltratedFiles`	Integer	The number of exfiltrated files involved in the incident.
`internalIPs`	Integer	The number of internal IPs involved in the incident.
`internalEmails`	Integer	The number of internal emails involved in the incident.
`users`	Integer	The number of users involved in the incident.
`virtualDesktops`	Integer	The number of virtual desktops involved in the incident.
`containers`	Integer	The number of containers (docker, k8s, etc.) involved in the incident.
`databases`	Integer	The number of databases involved in the incident.
`storages`	Integer	The number of storages involved in the incident.
`office365Instances`	Integer	The number of Microsoft 365 (Office 365) instances involved in the incident.
`ADInstances`	Integer	The number of Active Directory instances involved in the incident.
`azureADInstances`	Integer	The number of Azure Active Directory instances involved in the incident.
`GCPInstances`	Integer	The number of Google Cloud Platform instances involved in the incident.
`googleWorkspaceInstances`	Integer	The number of Google Workspace instances involved in the incident.
`atlassianInstances`	Integer	The number of Atlassian instances involved in the incident.
`atlassianBitbucketProducts`	Integer	The number of Atlassian Bitbucket products involved in the incident.
`atlassianJiraProducts`	Integer	The number of Atlassian Jira products involved in the incident.
`atlassianConfluenceProducts`	Integer	The number of Atlassian Confluence products involved in the incident.
`bitbucketProjects`	Integer	The number of Bitbucket projects involved in the incident.
`confluenceSpaces`	Integer	The number of Confluence spaces involved in the incident.
`AWSInstances`	Integer	The number of AWS instances involved in the incident.

`nodes` (Endpoint incidents)

Attribute	Type	Description
`id`	String	The ID of the node.
`name`	String	The name of the node.
`type`	String	The type of the node. Possible values: `endpoint` `file` `process_execution` `virtual_group` `registry` `domain` `container_host`
`alertIds`	Array of Strings	A list of alert IDs. These correlate with the objects from `alerts` (Endpoint incidents).
`details`	Object	The details available for the node. The data contained by this object varies based on the value of the `type` attribute under the same `nodes` object. When `type` is `endpoint` or `container_host`, the `details` Object contains: `id` (String) `name` (String) `hardwareId` (String) `ip` (String) `isContainer` (Boolean) `isContainerHost` (Boolean) When `type` is `file`, the `details` Object contains: `name` (String) `path` (String) `md5` (String) `sha256` (String) `size` (Integer) `isExecutable` (Boolean) `fileProcess` (Object): For information on the fields included in this object, refer to `fileProcess` (`file` node) and `process` (`registry` or `domain` node). `sandbox` (Object): For information on the fields included in this object, refer to `sandbox` (`file` or `process_execution` node). `quarantine` (Object): For information on the fields included in this object, refer to `quarantine` (`file` or `process_execution` node). When `type` is `process_execution`, the `details` Object contains: `file` (Object): For information on the fields included in this object, refer to `file` (`process_execution` node). `process` (Object): For information on the fields included in this object, refer to `process` (`process_execution` node). `sandbox` (Object): For information on the fields included in this object, refer to `sandbox` (`file` or `process_execution` node). `quarantine` (Object): For information on the fields included in this object, refer to `quarantine` (`file` or `process_execution` node). `killProcess` (Object): For information on the fields included in this object, refer to `killProcess` (`process_execution` node). When `type` is `registry`, the `details` Object contains: `registry` (Object): For information on the fields included in this object, refer to `registry` (`registry` node). `process` (Object): For information on the fields included in this object, refer to `fileProcess` (`file` node) and `process` (`registry` or `domain` node). When `type` is `domain`, the `details` Object contains: `domain` (Object): For information on the fields included in this object, refer to `domain` (`domain` node). `process` (Object): For information on the fields included in this object, refer to `fileProcess` (`file` node) and `process` (`registry` or `domain` node). `file` (Object): For information on the fields included in this object, refer to `file` (`domain` node). For any other types, the `details` attribute is not included in the response.

`fileProcess` (`file` node) and `process` (`registry` or `domain` node)

Attribute	Type
`pid`	Integer
`name`	String
`path`	String

`sandbox` (`file` or `process_execution` node)

Attribute	Type
`status`	String

`quarantine` (`file` or `process_execution` node)

Attribute	Type
`fileId`	String

`file` (`process_execution` node)

Attribute	Type
`name`	String
`path`	String
`md5`	String
`sha256`	String
`size`	Integer
`isExecutable`	Boolean

`process` (`process_execution` node)

Attribute	Type	Description
`pid`	Integer
`name`	String
`commandLine`	String
`userId`	String
`userName`	String
`date`	String
`parent`	Object	The Object contains: `pid` (Integer) `name` (String) `path` (String)

`killProcess` (`process_execution` node)

Attribute	Type
`status`	String
`errorCode`	Integer

`registry` (`registry` node)

Attribute	Type
`key`	String
`value`	String
`data`	String

`domain` (`domain` node)

Attribute	Type
`requestedURL`	String
`remotePort`	Integer
`streamType`	String
`extractedFilename`	String
`sourceApplication`	String
`protocol`	String

`file` (`domain` node)

Attribute	Type
`size`	Integer
`md5`	String
`sha256`	String

`nodes` (Organization incidents)

Attribute	Type	Description
`id`	String	The ID of the node.
`name`	String	The name of the node.
`isExternal`	Boolean	Indicates if the node is a resource from the client’s network or not.
`type`	String	The type of the node. Possible values: `endpoint` `server` `mobile_device` `printer` `router` `iot` `user_generic` `user_aws` `user_gcp` `user_ad` `user_azure_ad` `user_atlassian` `aws` `azure` `gcp` `active_directory` `office_365` `azure_ad` `google_workspace` `atlassian` `virtual_server_aws` `container_aws` `service_aws` `database_aws` `storage_aws` `end_user_computing_aws` `virtual_server_azure` `container_azure` `service_azure` `database_azure` `storage_azure` `end_user_computing_azure` `virtual_server_gcp` `container_gcp` `service_gcp` `database_gcp` `storage_gcp` `end_user_computing_gcp` `product_atlassian_bitbucket` `product_atlassian_jira` `product_atlassian_confluence` `bitbucket_project` `confluence_space` `attacker` `email` `ip` `domain` `dns` `dga` `cloud_storage` `tor_node` `external_drive`
`details`	Object	The details available for this node. The data contained by this object varies based on the value of the `type` field under the same `nodes` object. For more information, refer to `details` (Organization incident node).

`details` (Organization incident node)

Value of `type` field	Attribute	Type
`endpoint`	`hardwareId`	String
	`ips`	Array of Strings
	`macs`	Array of Strings
	`endpointId`	String
`server`	`hardwareId`	String
	`ips`	Array of Strings
	`macs`	Array of Strings
	`endpointId`	String
	`networkServices`	Array of Strings
`mobile_device`	`deviceId`	String
	`ip`	String
	`os`	String
	`deviceGroupName`	String
	`phoneNumber`	String
`router` `printer` `iot`	`ip`	String
`router` `printer` `iot`	`mac`	String
`attacker`	`threatGroup`	String
`email`	`sender`	String
	`recipients`	Array of Strings
	`subject`	String
	`attachments`	Array of Strings
`ip`	`ip`	String
	`domains`	Array of Strings
	`mac`	String
`domain`	`domainName`	String
`domain`	`ips`	Array of Strings
`dns` `tor_node`	`ip`	String
`dga`	`domainName`	String
`dga`	`ip`	String
`cloud_storage`	`provider`	String
`cloud_storage`	`ip`	String
`external_drive`	`name`	String
`external_drive`	`mountPath`	String
`user_generic`	`emails`	Array of Strings
	`ips`	Array of Strings
	`service`	String
`user_aws`	`emails`	Array of Strings
	`ips`	Array of Strings
	`accessKeyId`	String
`user_gcp`	`emails`	Array of Strings
	`ips`	Array of Strings
	`sensorIdentifier`	String
`user_ad`	`emails`	Array of Strings
	`ips`	Array of Strings
	`domain`	String
	`userSid`	String
	`domainGuid`	String
`user_azure_ad`	`emails`	Array of Strings
	`ips`	Array of Strings
	`tenantId`	String
	`riskDetail`	String
	`riskLevel`	String
	`riskState`	String
`user_atlassian`	`emails`	Array of Strings
	`ips`	Array of Strings
	`organizationId`	String
	`userId`	String
`aws` `azure` `gcp` `google_workspace` `office_365` `azure_ad` `atlassian`	`organizationId`	String
`virtual_server_aws` `container_aws` `service_aws` `databasse_aws` `storage_aws` `end_user_computing_aws` `virtual_server_azure` `container_azure` `storage_azure` `service_azure` `end_user_computing_azure` `virtual_server_gcp` `container_gcp` `service_gcp` `database_gcp` `storage_gcp` `end_user_computing_gcp`	`id`	String
	`ips`	Array of Strings
	`urls`	Array of Strings
`product_atlassian_bitbucket` `product_atlassian_jira` `product_atlassian_confluence`	`url`	String
`bitbucket_project`	`url`	String
`bitbucket_project`	`workspace`	String
`confluence_space`	`id`	String
	`key`	String
	`url`	String

`alerts` (Endpoint incidents)

Attribute	Type	Description
`id`	String	The ID of the alert.
`name`	String	The name of the alert.
`date`	String	The date and time when the alert was detected in the network.
`detectedBy`	Object	The object contains information about who detected the alert: `name` (String): The name of the technology that detected the threat. `class` (String): The type of the technology that detected the threat.
`resources`	Array of Objects	The objects contain information regarding the resources involved in the alert: `type` (String): The type of the resource. Possible values: `network` `registry` `file` `process` `details` (Object): The details available for the resource. The data contained by this object varies based on the value of the `type` field under the same `resources` object. For more information, refer to `details` (`alerts` > `resources`).
`extra`	Array of Objects	Extra information for the alert. Each object contains: `key` (String) `value` (Integer, Boolean, or String)

`details` (`alerts` > `resources`)

Value of `type` field	Attribute	Type
`file`	`filePath`	String
	`fileSize`	Integer
	`accessType`	String
	`attributeChangeType`	String
	`rawDiskAccessType`	String
	`internalName`	String
	`originalFileName`	String
	`companyName`	String
	`fileDescription`	String
	`productName`	String
	`md5`	String
	`sha256`	String
	`certificateIssuer`	String
	`certificateSigner`	String
	`fileType`	String
	`filePackerName`	String
	`newFilePath`	String
`network`	`uri`	String
	`protocol`	String
	`port`	Integer
	`streamType`	String
	`statusCode`	Integer
	`requestMethod`	String
	`requesterMac`	String
	`requesterIp`	String
	`requesterSystemName`	String
	`rawConnectionDestIp`	String
	`rawConnectionSourceIprawConnectionDestPort`	Integer
	`rawConnectionSourcePort`	Integer
	`rawConnectionTransferedIn`	Integer
	`rawConnectionTransferedOut`	Integer
	`rawConnectionDirection`	String
	`rawConnectionReferrer`	String
	`rawConnectionFailStatus`	Integer
	`rawConnectionGuestStatus`	Integer
	`rawConnectionUser`	String
	`rawConnectionLoginStatus`	Integer
	`rawConnectionFilePath`	String
	`domain`	String
	`smbFileName`	String
	`smbTreeName`	String
	`interface`	String
	`expectedProtocol`	String
	`rawConnectionProtocol`	String
	`rawConnectionTransferredFile`	String
	`rawConnectionTransferredFileType`	String
	`rawConnectionTransferredFileSize`	Integer
	`rawConnectionExpectedProtocol`	String
	`rawConnectionAccessType`	String
	`rawConnectionEncryptionType`	String
	`rawConnectionInterface`	String
	`rawConnectionServiceName`	String
	`rawConnectionServicePath`	String
	`httpConnectionMethod`	String
	`httpConnectionHost`	String
	`httpConnectionUri`	String
	`httpConnectionResponseCode`	Integer
	`httpConnectionReferrer`	String
	`winrmConnectionUserAgent`	String
	`winrmConnectionAuthorization`	String
	`smbUser`	String
	`smbHostName`	String
	`smbDomainName`	String
	`smbAccessType`	String
	`smbAuthMethod`	String
	`ldapDistinguishedName`	String
	`ldapGroupDistinguishedName`	String
	`ldapUserDistinguishedName`	String
	`mailAttachments`	String
`process`	`pid`	Integer
	`processPath`	String
	`processPathSize`	Integer
	`commandLine`	String
	`parentPid`	Integer
	`parentProcessPath`	String
	`parentProcessCmdLine`	String
	`parentProcessUser`	String
	`user`	String
	`loadedModule`	String
	`loadedModulePid`	Integer
	`processInjectionWriter`	String
	`processInjectionWriterPid`	Integer
	`processInjectionTarget`	String
	`processInjectionTargetPid`	Integer
	`processInjectionSizeofWrite`	Integer
	`processAccessPrivileges`	String
	`parentProcessAccessPrivileges`	String
	`processIntegrityLevel`	String
	`parentProcessIntegrityLevel`	String
	`processPackerName`	String
`registry`	`registryKey`	String
	`registryValue`	String
	`registryData`	String
	`registryType`	String
	`registryAccessType`	String

`alerts` (Organization incidents)

Attribute	Type	Description
`id`	String	The ID of the alert.
`name`	String	The name of the alert.
`date`	String	The date and time when the alert was detected in the network, in ISO-8601 format.
`sensors`	Array of Strings	Sensors that detected the alert. Possible values: `EDR` `NTSA` `XDR` `office_365` `active_directory` `azure_active_directory` `azure` `aws` `gcp` `google_workspace` `email_security` `atlassian`
`tactic`	String	The MITRE tactic detected for this alert. Possible values: `initial_access` `execution` `persistence` `privilege_escalation` `defence_evasion` `credential_access` `discovery` `lateral_movement` `collection` `command_and_control` `exfiltration` `impact`
`transitions`	Array of Objects	This array contains data used to build the incident graph. It indicates how nodes connect. Each Object contains: `from` (String): Node ID. `to` (String): Node ID. `resources` (Array of Objects): Resources associated with this transition. For information on the fields included in each of these objects, refer to `resources` (Organization incident transition)

`resources` (Organization incident transition)

Attribute	Type	Description
`name`	String	The name of the resource.
`type`	String	The type of the resource. Possible values: `generic` `application` `key_vault` `role` `policy` `sharing_link` `file` `email` `flow` `url` `ssh_key` `launch_template` `service_principal` `user_group` `automatic_account` `automatic_account_hook` `api` `certificate_authority` `bucket` `bitbucket_repository` `jira_project` `confluence_page`
`details`	Object	Details for the resource. Schema depends on the `type` field. For more information on the fields included in this object, refer to `details` (Organization incident resource).

Attribute

Type

Description

name

String

The name of the resource.

type

String

The type of the resource.

Possible values:

generic
application
key_vault
role
policy
sharing_link
file
email
flow
url
ssh_key
launch_template
service_principal
user_group
automatic_account
automatic_account_hook
api
certificate_authority
bucket
bitbucket_repository
jira_project
confluence_page

details

Object

Details for the resource. Schema depends on the type field.

For more information on the fields included in this object, refer to details (Organization incident resource).

details (Organization incident resource)

Value of `type` field	Attribute	Type (and description)
`generic`	`data`	String
`application`	`appAddress`	String
`application`	`ip`	String
`url` `sharing_link`	`url`	String
`file`	`url`	String
	`path`	String
	`size`	Integer
	`md5`	String
	`sha256`	String
	`sensorIdentifier`	String
`email`	`id`	String
	`subject`	String
	`userId`	String
	`userTenantId`	String
	`sensorIdentifier`	String
	`receivedOn`	String (ISO-8601)
	`similarityHash`	String
	`sender`	Object Contains the following attributes: `name` (String) `address` (String)
	`toRecipients`	Array of Objects Each Object contains the following attributes: `name` (String) `address` (String)
	`ccRecipients`	Array of Objects Each Object contains the following attributes: `name` (String) `address` (String)
	`bccRecipients`	Array of Objects Each Object contains the following attributes: `name` (String) `address` (String)
	`urls`	Array of Strings
	`attachments`	Array of Objects Each Object contains the following attributes: `name` (String) `fileMd5` (String) `fileSha256` (String) `size` (Integer)
`role` `service_principal` `user_group` `automation_account` `automation_account_hook` `api`	`id`	String
`policy`	`id`	String
	`name`	String
	`resourcePolicyType`	String
`flow` `bitbucket_repository` `jira_project` `confluence_page`	`id`	String
	`url`	String
`ssh_key`	`sshPublicKey`	String
`launch_template`	`id`	String
`launch_template`	`name`	String
`certificate_authority`	`id`	String
`certificate_authority`	`ceritficate`	String

`transitions` (Endpoint incidents)

Attribute	Type	Description
`from`	String	The ID of the origin node.
`to`	String	The ID of the destination node.
`date`	String	The date and time of the transition, in ISO-8601 format.

`mitreTags` (Endpoint and Organization incidents)

Attribute	Type	Description
`category`	String	The category the MITRE technique belongs to.
`techniques`	Array of Objects	The MITRE techniques detected for this category. Each object contains: `id` (String): The ID of the MITRE technique (for example, `T0800`). `name` (String): The name of the MITRE technique (for example, `Program Download`). `subtechniques` (Array of Objects): The MITRE sub-techniques detected for this technique. For information on the fields included in each of these objects, refer to `subtechniques` (`mitreTags` > `techniques`).

Attribute

Type

Description

category

String

The category the MITRE technique belongs to.

techniques

Array of Objects

The MITRE techniques detected for this category.

Each object contains:

id (String): The ID of the MITRE technique (for example, T0800).
name (String): The name of the MITRE technique (for example, Program Download).
subtechniques (Array of Objects): The MITRE sub-techniques detected for this technique.
For information on the fields included in each of these objects, refer to subtechniques (mitreTags > techniques).

`subtechniques` (`mitreTags` > `techniques`)

Attribute	Type	Description
`id`	String	The ID of the MITRE sub-technique (for example, `S0603`).
`name`	String	The name of the MITRE sub-technique (for example, `Stuxnet`).

`cves` (Organization incidents)

Attribute	Type	Description
`id`	String	The ID of a CVE (for example, `CVE-2024-12345`).

`suspectedActors` (Organization incidents)

Attribute	Type	Description
`name`	String	The name of the suspected actor.
`confidenceScore`	Integer	Confidence score for correlating the attack with this actor.
`reasons`	Array of Objects	Reasons why this attack was correlated with this actor. Each Object contains: `type` (String): The type of the reason. Possible values: `sample` `url` `registry` `mutex` `wallet` `value` (String): The value for the reason. The string format depends on the `type` field.

Attribute

Type

Description

name

String

The name of the suspected actor.

confidenceScore

Integer

Confidence score for correlating the attack with this actor.

reasons

Array of Objects

Reasons why this attack was correlated with this actor.

Each Object contains:

type (String): The type of the reason.
Possible values:
- sample
- url
- registry
- mutex
- wallet
value (String): The value for the reason.
The string format depends on the type field.

`incidentEvolution` (Endpoint and Organization incidents)

Attribute	Type	Description
`incidentId`	String	The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.
`incidentNumber`	Integer	The incident ID displayed in GravityZone Control Center, in the Incidents page, without the `#` prefix.
`status`	String	The status of the incident. Possible values: `open`: The incident has been recently generated and is yet to be investigated. `in_progress`: The incident is currently under investigation. `false_positive`: The incident was investigated and confirmed to be a false alarm. `closed`: The incident was confirmed as valid and is now closed following investigation.
`incidentLink`	String	A URL linking to a web page where the incident details can be viewed in a browser.

Examples

Request:

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "jsonrpc": "2.0",
  "method": "getIncident",
  "params": {
    "id": "6a1b2c3d4e5f67890abcdef0"
  }
}

Response:

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "jsonrpc": "2.0",
  "result": {
    "incidentId": "6a1b2c3d4e5f67890abcdef0",
    "incidentNumber": 42,
    "status": "open",
    "mainAction": "reported",
    "created": "2026-04-16T07:41:37+00:00",
    "lastUpdated": "2026-04-16T07:41:42+00:00",
    "lastProcessed": "2026-04-16T07:41:54+00:00",
    "severityScore": 29,
    "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcdef0",
    "assignee": {
      "userId": "5f4e3d2c1b0a987654321fed",
      "userName": "john.smith@example.com",
      "companyId": "5e4d3c2b1a0987654321fedc",
      "companyName": "Acme Corporation"
    },
    "priority": "unknown",
    "attackTypes": [
      "Defined by user"
    ],
    "company": {
      "id": "5e4d3c2b1a0987654321fedc",
      "name": "Acme Corporation"
    },
    "incidentType": "incident",
    "details": {
      "detectionName": "Suspicious PowerShell Execution",
      "counters": {
        "endpoints": 1,
        "files": 1,
        "processes": 3,
        "domains": 0,
        "registries": 0,
        "events": 7,
        "storages": 0
      },
      "incidentEvolution": [],
      "computerId": "5d4c3b2a190876543210fedc",
      "computerName": "DESKTOP-WORK01",
      "computerFqdn": "desktop-work01.acme.local",
      "computerIp": "192.168.1.100",
      "computerMacAddresses": [
        "00AABB112233"
      ],
      "partOf": [],
      "alerts": [
        {
          "id": "6b2c3d4e5f6a78901bcdef01",
          "name": "File Access Anomaly",
          "date": "2026-04-16T07:41:27+00:00",
          "detectedBy": {
            "name": "File Access Anomaly",
            "class": "user_detection"
          },
          "resources": [
            {
              "type": "process",
              "details": {
                "pid": 2080,
                "processPath": "c:\\windows\\explorer.exe",
                "processPathSize": 6089584,
                "commandLine": "",
                "parentPid": 5380,
                "parentProcessPath": "c:\\windows\\system32\\userinit.exe",
                "parentProcessCmdline": "c:\\windows\\system32\\userinit.exe",
                "parentProcessUser": "DESKTOP-WORK01\\jsmith",
                "user": "DESKTOP-WORK01\\jsmith",
                "loadedModule": null,
                "loadedModulePid": null,
                "processInjectionWriter": null,
                "processInjectionWriterPid": null,
                "processInjectionTarget": null,
                "processInjectionTargetPid": null,
                "processInjectionSizeofWrite": null,
                "processAccessPrivileges": "restricted",
                "parentProcessAccessPrivileges": "restricted",
                "processIntegrityLevel": "medium",
                "parentProcessIntegrityLevel": "medium",
                "processPackerName": null
              }
            },
            {
              "type": "file",
              "details": {
                "filePath": "c:\\users\\jsmith\\appdata\\roaming\\microsoft\\windows\\recent\\quarterly-report.docx.lnk",
                "fileSize": 625,
                "accessType": "DELETE",
                "attributeChangeType": null,
                "rawDiskAccessType": null,
                "internalName": "quarterly-report.docx.lnk",
                "originalFileName": "quarterly-report.docx.lnk",
                "companyName": null,
                "fileDescription": "Shortcut",
                "productName": null,
                "md5": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
                "sha256": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
                "certificateIssuer": null,
                "certificateSigner": null,
                "fileType": "lnk",
                "filePackerName": null,
                "newFilePath": null
              }
            }
          ],
          "extra": [
            {
              "key": "extraInfo1",
              "value": "Operation Channel: normal\nProcess PE VersionInfo and Certification Information: \n\nOriginal File Name: EXPLORER.EXE\nInternal Name: explorer\nFile Description: Windows Explorer\nCompany Name: Microsoft Corporation\nFile Version: 10.0.19041.6456 (WinBuild.160101.0800)\nProduct Name: Microsoft Windows Operating System\nProduct Version: 10.0.19041.6456\nLegal Copyright: Microsoft Corporation. All rights reserved.\nCertificate Serial: 3300000aabbccddee0000000000001\nCertificate Signer: Microsoft Corporation\nCertificate Issuer: Microsoft Corporation\n"
            }
          ]
        }
      ],
      "nodes": [
        {
          "id": "6c3d4e5f6a7b89012cdef002",
          "name": "cmd.exe",
          "type": "process_execution",
          "details": {
            "file": {
              "name": "cmd.exe",
              "path": "c:\\windows\\system32\\cmd.exe",
              "md5": "b2c3d4e5f60718293a4b5c6d7e8f90a1",
              "sha256": "b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1",
              "size": 289792,
              "isExecutable": true
            },
            "process": {
              "pid": 4856,
              "parent": {
                "pid": 2080,
                "name": "explorer.exe",
                "path": "c:\\windows\\explorer.exe"
              },
              "commandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c dir C:\\Users\\jsmith\\Documents",
              "userId": "S-1-5-21-1234567890-123456789-1234567890-1001",
              "userName": "DESKTOP-WORK01\\jsmith",
              "date": "2026-04-16T07:41:26+00:00",
              "name": "cmd.exe"
            },
            "sandbox": null,
            "quarantine": null,
            "killProcess": null
          },
          "alertIds": [
            "6b2c3d4e5f6a78901bcdef02",
            "6b2c3d4e5f6a78901bcdef03"
          ]
        },
        {
          "id": "6c3d4e5f6a7b89012cdef004",
          "name": "DESKTOP-WORK01",
          "type": "endpoint",
          "details": {
            "id": "5d4c3b2a190876543210fedc",
            "name": "DESKTOP-WORK01",
            "hardwareId": "12345678-abcd-ef01-2345-6789abcdef01-00AABB112233",
            "ip": "192.168.1.100",
            "isContainer": false,
            "isContainerHost": false
          },
          "alertIds": []
        },
        {
          "id": "6c3d4e5f6a7b89012cdef005",
          "name": "quarterly-report.docx.lnk",
          "type": "file",
          "details": {
            "name": "quarterly-report.docx.lnk",
            "path": "c:\\users\\jsmith\\appdata\\roaming\\microsoft\\windows\\recent\\quarterly-report.docx.lnk",
            "md5": "d4e5f60718293a4b5c6d7e8f90a1b2c3",
            "sha256": "d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3",
            "size": 625,
            "isExecutable": false,
            "fileProcess": {
              "pid": 2080,
              "name": "explorer.exe",
              "path": "c:\\windows\\explorer.exe"
            },
            "sandbox": null,
            "quarantine": null
          },
          "alertIds": [
            "6b2c3d4e5f6a78901bcdef01"
          ]
        }
      ],
      "triggerNodeId": "6c3d4e5f6a7b89012cdef002",
      "transitions": [
        {
          "from": "6c3d4e5f6a7b89012cdef001",
          "to": "6c3d4e5f6a7b89012cdef002",
          "date": "2026-03-26T13:31:23+00:00"
        },
        {
          "from": "6c3d4e5f6a7b89012cdef001",
          "to": "6c3d4e5f6a7b89012cdef005",
          "date": "2026-03-26T13:31:23+00:00"
        }
      ],
      "mitreTags": [
        {
          "category": "Execution",
          "techniques": [
            {
              "name": "Command and Scripting Interpreter",
              "id": "T1059",
              "subtechniques": []
            },
            {
              "name": "User Execution",
              "id": "T1204",
              "subtechniques": []
            },
            {
              "name": "Native API",
              "id": "T1106",
              "subtechniques": []
            }
          ]
        },
        {
          "category": "Discovery",
          "techniques": [
            {
              "name": "File and Directory Discovery",
              "id": "T1083",
              "subtechniques": []
            }
          ]
        }
      ]
    },
    "notes": []
  }
}

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "jsonrpc": "2.0",
  "result": {
    "incidentId": "6a1b2c3d4e5f67890abcde01",
    "incidentNumber": 101,
    "status": "closed",
    "mainAction": "reported",
    "created": "2026-03-15T15:03:03+00:00",
    "lastUpdated": "2026-03-15T15:03:03+00:00",
    "lastProcessed": "2026-04-10T11:17:51+00:00",
    "severityScore": 48,
    "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde01",
    "assignee": {
      "userId": "5f4e3d2c1b0a987654321fed",
      "userName": "john.smith@example.com",
      "companyId": "5e4d3c2b1a0987654321fedc",
      "companyName": "Acme Corporation"
    },
    "priority": "unknown",
    "attackTypes": [
      "Exfiltration",
      "SpearPhishing",
      "Exploit"
    ],
    "company": {
      "id": "5e4d3c2b1a0987654321fedc",
      "name": "Acme Corporation"
    },
    "incidentType": "extendedIncident",
    "details": {
      "counters": {
        "endpoints": 1,
        "servers": 0,
        "mobileDevices": 0,
        "printers": 0,
        "routers": 0,
        "IoTs": 0,
        "identities": 3,
        "emails": 0,
        "IPs": 2,
        "domains": 0,
        "DNSs": 0,
        "DGAs": 0,
        "cloudStorages": 0,
        "torNodes": 0,
        "externalDrives": 0,
        "externalSources": 3,
        "exfiltratedFiles": 4,
        "internalIPs": 0,
        "internalEmails": 3,
        "users": 3,
        "virtualDesktops": 0,
        "containers": 0,
        "databases": 0,
        "storages": 0,
        "office365Instances": 0,
        "ADInstances": 0,
        "azureADInstances": 1,
        "AWSInstances": 0,
        "GCPInstances": 0,
        "googleWorkspaceInstances": 0,
        "atlassianInstances": 0,
        "atlassianBitbucketProducts": 0,
        "atlassianJiraProducts": 0,
        "atlassianConfluenceProducts": 0,
        "bitbucketProjects": 0,
        "confluenceSpaces": 0
      },
      "incidentEvolution": [
        {
          "incidentId": "6a1b2c3d4e5f67890abcde05",
          "incidentNumber": 105,
          "status": "false_positive",
          "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde05"
        },
        {
          "incidentId": "6a1b2c3d4e5f67890abcde13",
          "incidentNumber": 113,
          "status": "false_positive",
          "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde13"
        }
      ],
      "contains": [],
      "partOf": [],
      "cves": [],
      "suspectedActors": [],
      "killChainPhases": [
        "initial_access",
        "execution",
        "credential_access",
        "lateral_movement",
        "collection",
        "command_and_control",
        "exfiltration"
      ],
      "lastKillChainPhase": "exfiltration",
      "alerts": [
        {
          "id": "7a1b2c3d4e5f67890abcde01",
          "name": "SuspiciousEmailReceived",
          "date": "2026-03-15T14:57:03+00:00",
          "sensors": [
            "office_365",
            "EDR"
          ],
          "tactic": "initial_access",
          "transitions": [
            {
              "from": "8a1b2c3d4e5f67890abcde01",
              "to": "8a1b2c3d4e5f67890abcde02",
              "resources": [
                {
                  "name": "Important Update",
                  "type": "email",
                  "details": {
                    "id": "AAMkADNiNWU0YTljLTRiYmEtNGFlMi1iNzRhLWI5NDk4Y2QwOWM1NQBGAAAAAAD3LHfFVxR-TIchBqXPMdrxBwAlFp_8PvdsSKRtFCjiDPaqAAAAAAEMAAAlFp_8PvdsSKRtFCjiDPaqAAAQexample=",
                    "subject": "Important Update",
                    "userId": "alice.johnson@acmecorp.onmicrosoft.com",
                    "userTenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                    "sensorIdentifier": "sensor-o365-001",
                    "similarityHash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
                    "receivedOn": "2026-03-15T14:57:01+00:00",
                    "sender": {
                      "name": "threat-actor@malicious-domain.com",
                      "address": "threat-actor@malicious-domain.com"
                    },
                    "toRecipients": [
                      {
                        "name": "Alice Johnson",
                        "address": "alice.johnson@acmecorp.onmicrosoft.com"
                      }
                    ],
                    "ccRecipients": [],
                    "bccRecipients": [],
                    "urls": [],
                    "attachments": [
                      {
                        "name": "notice.zip",
                        "fileMd5": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
                        "fileSha256": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
                        "size": 33879
                      }
                    ]
                  }
                }
              ]
            }
          ]
        },
        {
          "id": "7a1b2c3d4e5f67890abcde26",
          "name": "SuspiciousLinkCreated",
          "date": "2026-03-15T14:59:13+00:00",
          "sensors": [
            "office_365"
          ],
          "tactic": "collection",
          "transitions": [
            {
              "from": "8a1b2c3d4e5f67890abcde02",
              "to": "8a1b2c3d4e5f67890abcde01",
              "resources": [
                {
                  "name": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                  "type": "file",
                  "details": {
                    "url": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                    "path": null,
                    "size": null,
                    "md5": null,
                    "sha256": null,
                    "sensorIdentifier": "sensor-o365-001"
                  }
                },
                {
                  "name": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                  "type": "sharing_link",
                  "details": {
                    "url": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential"
                  }
                }
              ]
            }
          ]
        },
        {
          "id": "7a1b2c3d4e5f67890abcde27",
          "name": "SuspiciousAppCreated",
          "date": "2026-03-15T15:01:17+00:00",
          "sensors": [
            "active_directory"
          ],
          "tactic": "credential_access",
          "transitions": [
            {
              "from": "8a1b2c3d4e5f67890abcde02",
              "to": "8a1b2c3d4e5f67890abcde05",
              "resources": [
                {
                  "name": "Malicious OAuth App",
                  "type": "application",
                  "details": {
                    "appAddress": "https://198.51.100.42/callback",
                    "ip": "198.51.100.42"
                  }
                }
              ]
            }
          ]
        }
      ],
      "nodes": [
        {
          "id": "8a1b2c3d4e5f67890abcde01",
          "name": "threat-actor@malicious-domain.com",
          "isExternal": false,
          "type": "user_generic",
          "details": {
            "emails": [
              "threat-actor@malicious-domain.com"
            ],
            "ips": [],
            "service": "malicious-domain.com"
          }
        },
        {
          "id": "8a1b2c3d4e5f67890abcde02",
          "name": "alice.johnson@acmecorp.onmicrosoft.com",
          "isExternal": false,
          "type": "user_azure_ad",
          "details": {
            "emails": [
              "alice.johnson@acmecorp.onmicrosoft.com"
            ],
            "ips": [],
            "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "riskDetail": "userPerformedSecuredPasswordChange",
            "riskLevel": "high",
            "riskState": "atRisk"
          }
        },
        {
          "id": "8a1b2c3d4e5f67890abcde03",
          "name": "desktop-corp01.acmecorp.local",
          "isExternal": false,
          "type": "endpoint",
          "details": {
            "hardwareId": "12345678-abcd-ef01-2345-6789abcdef01-00AABB112233",
            "ips": [
              "192.168.1.100"
            ],
            "macs": [
              "00AABB112233"
            ],
            "endpointId": "5d4c3b2a190876543210fedc"
          }
        },
        {
          "id": "8a1b2c3d4e5f67890abcde04",
          "name": "198.51.100.42",
          "isExternal": false,
          "type": "ip",
          "details": {
            "ip": "198.51.100.42",
            "domains": [
              "c2-server.malicious-domain.com"
            ],
            "mac": null
          }
        },
        {
          "id": "8a1b2c3d4e5f67890abcde05",
          "name": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "isExternal": false,
          "type": "azure_ad",
          "details": {
            "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
          }
        }
      ],
      "mitreTags": [
        {
          "category": "Initial Access",
          "techniques": [
            {
              "name": "Phishing",
              "id": "T1566",
              "subtechniques": [
                {
                  "name": "Spearphishing Attachment",
                  "id": "T1566.001"
                }
              ]
            }
          ]
        }
      ],
      "narrative": [
        [
          "A potential network breach originating from user: threat-actor@malicious-domain.com, has been detected as part of 2 alerts, affecting the following: managed asset: desktop-corp01.acmecorp.local, and user: alice.johnson@acmecorp.onmicrosoft.com. "
        ],
        [
          "Lateral Movement originating from user: alice.johnson@acmecorp.onmicrosoft.com, has been detected in your network as part of alert: SuspiciousAppInvite, affecting the following: user: ceo@acmecorp.onmicrosoft.com. ",
          "Credentials may have been compromised on Azure AD instance: a1b2c3d4-e5f6-7890-abcd-ef1234567890, based on alert SuspiciousAppCreated, originating from user: alice.johnson@acmecorp.onmicrosoft.com. ",
          "Multiple communication attempts to external ip: 198.51.100.42 have been detected as part of 2 alerts, originating from managed asset: desktop-corp01.acmecorp.local. ",
          "Sensitive data may have been exfiltrated to external ip: 203.0.113.50, based on 4 alerts, originating from 2 users. "
        ]
      ],
      "reasoning": [
        [
          "The incident was triggered by 2 alerts, involving managed asset: desktop-corp01.acmecorp.local, and user: alice.johnson@acmecorp.onmicrosoft.com, indicating the suspicious email(s) sent by user: threat-actor@malicious-domain.com as the root cause of the incident. "
        ]
      ]
    },
    "notes": []
  }
}

In this section:

getIncident

Parameters

General parameters

Return value

Objects

result

partOf (Endpoint and Organization incidents) and contains (Organization incidents)

counters (Endpoint incidents)

counters (Organization incidents)

nodes (Endpoint incidents)

fileProcess (file node) and process (registry or domain node)

sandbox (file or process_execution node)

quarantine (file or process_execution node)

file (process_execution node)

process (process_execution node)

killProcess (process_execution node)

registry (registry node)

domain (domain node)

file (domain node)

nodes (Organization incidents)

details (Organization incident node)

alerts (Endpoint incidents)

details (alerts > resources)

alerts (Organization incidents)

resources (Organization incident transition)

transitions (Endpoint incidents)

mitreTags (Endpoint and Organization incidents)

subtechniques (mitreTags > techniques)

cves (Organization incidents)

suspectedActors (Organization incidents)

incidentEvolution (Endpoint and Organization incidents)

Examples

Search results

`result`

`partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents)

`counters` (Endpoint incidents)

`counters` (Organization incidents)

`nodes` (Endpoint incidents)

`fileProcess` (`file` node) and `process` (`registry` or `domain` node)

`sandbox` (`file` or `process_execution` node)

`quarantine` (`file` or `process_execution` node)

`file` (`process_execution` node)

`process` (`process_execution` node)

`killProcess` (`process_execution` node)

`registry` (`registry` node)

`domain` (`domain` node)

`file` (`domain` node)

`nodes` (Organization incidents)

`details` (Organization incident node)

`alerts` (Endpoint incidents)

`details` (`alerts` > `resources`)

`alerts` (Organization incidents)

`resources` (Organization incident transition)

`transitions` (Endpoint incidents)

`mitreTags` (Endpoint and Organization incidents)

`subtechniques` (`mitreTags` > `techniques`)

`cves` (Organization incidents)

`suspectedActors` (Organization incidents)

`incidentEvolution` (Endpoint and Organization incidents)