Skip to main content

getIncidentsByIds

You can use this method to retrieve information on multiple incidents, by referencing their IDs.

API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.2/jsonrpc/incidents

Parameters

Parameter

Description

Included in request

Type

Values

ids

The IDs of the incidents you want to retrieve information for.

Mandatory

Array of Strings

The list can contain up to 10 IDs.

General parameters

These are common parameters, available across all public API methods:

Parameter

Description

Included in request

Type

Values

id

This parameter adds an identifier to the request, linking it to its corresponding response.

The target replies with the same value in the response, allowing easy call tracking.

Mandatory

String

No additional requirements.

method

The name of the method you are using to send the request.

Mandatory

String

Must be a valid method name.

jsonrpc

The version of JSON-RPC used by the request and the response.

Mandatory

String

The only possible value is 2.0.

params

An object containing the configuration of the request.

Mandatory

Object

No additional requirements.

Return value

Attribute

Type

Description

result

Array of Objects

Details about the incidents referenced in the request.

For information about each object in the array, refer to result.

Objects

result

Attribute

Type

Description

incidentId

String

The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.

incidentNumber

Integer

The incident ID displayed in GravityZone Control Center, in the Incidents page, without the # prefix.

incidentType

String

The type of the incident.

Possible values:

  • incident: Endpoint incident from GravityZone Control Center.

  • extendedIncident: Organization incident from GravityZone Control Center.

The value of this field determines what information is included in the details object.

company

Object

Details about the company where the incident was generated.

The object contains the following settings:

  • id (String): The company ID.

  • name (String): The company name.

status

String

The status of the incident.

Possible values:

  • open: The incident has been recently generated and is yet to be investigated.

  • in_progress: The incident is currently under investigation.

  • false_positive: The incident was investigated and confirmed to be a false alarm.

  • closed: The incident was confirmed as valid and is now closed following investigation.

mainAction

String

The incident type, determined by the main action that was taken automatically by the protection technologies when it was detected.

Possible values:

  • reported: Endpoint or Organization incident upon which no action was taken and requires further investigation.

  • partially_blocked: Organization incident in which the automatic actions defined in the policies have been taken only on some entities.

  • blocked: Endpoint incident that was detected and blocked by GravityZone prevention modules.

created

String

The date and time when the incident was detected in the network, in ISO-8601 format.

lastUpdated

String

The date and time when the incident was last updated by GravityZone, in ISO-8601 format.

lastProcessed

String

The date and time when the incident was last processed by GravityZone, in ISO-8601 format.

severityScore

Integer

The severity score assigned to the incident, as reported by the detection technologies.

Possible values: 1 - 100.

incidentLink

String

A URL linking to a web page where the incident details can be viewed in a browser.

assignee

Object

The GravityZone user that is assigned to this incident.

The object contains the following settings:

  • userId (String): The ID of the user.

  • userName (String): The username.

  • companyId (String): The ID of the company the user belongs to.

  • companyName (String): The name of the company the user belongs to.

priority

String

The priority assigned to the incident.

Possible values:

  • unknown

  • low

  • medium

  • high

  • critical

attackTypes

Array of Strings

A list of attack types detected in the incident.

Each String can be, for example:

  • Malware

  • Ransomware

  • Password Stealer

details

Object

Additional information regarding the incident. The information depends on the value assigned to the incidentType attribute.

When incidentType is incident, the details Object contains:

  • detectionName (String): The name of the detection.

  • partOf (Array of Objects): The Organization incidents in which this incident was used for correlating data. For information about each object in the array, refer to partOf (Endpoint and Organization incidents) and contains (Organization incidents).

  • computerId (String): The ID of the endpoint that generated the incident.

  • computerName (String): The name of the endpoint that generated the incident.

  • computerFqdn (String): The FQDN of the endpoint that generated the incident.

  • computerIp (String): The IP of the endpoint that generated the incident. If the endpoint has multiple IPs, the one used to communicate with GravityZone is reported here, not the one used in the attack.

  • computerMacAddresses (Array of Strings): A list of the endpoints' MAC addresses.

  • counters (Object): Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to counters (Endpoint incidents).

  • triggerNodeId (String): The ID of the node that triggered the incident. This is the root node of the incident graph.

  • nodes (Array of Objects): The list of nodes from the incident graph. For information about each object in the array, refer to nodes (Endpoint incidents).

  • alerts (Array of Objects): The list of alerts from the incident events. For information about each object in the array, refer to alerts (Endpoint incidents).

  • transitions (Array of Objects): These items should be used to build the incident graph. They indicate how nodes connect.

    For information about each object in the array, refer to transitions (Endpoint incidents).

  • mitreTags (Array of Objects): MITRE techniques detected in the attack. For information about each object in the array, refer to mitreTags (Endpoint and Organization incidents).

  • incidentEvolution (Array of Objects): The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow.

    In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain.

    For information about each object in the array, refer to incidentEvolution (Endpoint and Organization incidents).

When incidentType is extendedIncident, the details Object contains:

  • partOf (Array of Objects): The Organization incidents in which this incident was used for correlating data. For information about each object in the array, refer to partOf (Endpoint and Organization incidents) and contains (Organization incidents).

  • contains (Array of Objects): The other incidents that were used for correlating data in this incident. For information about each object in the array, refer to partOf (Endpoint and Organization incidents) and contains (Organization incidents).

  • counters (Object): Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to counters (Organization incidents).

  • mitreTags (Array of Objects): MITRE techniques detected in the attack. For information about each object in the array, refer to mitreTags (Endpoint and Organization incidents).

  • killChainPhases (Array of Strings): The stages of the cyberattack lifecycle, based on the MITRE ATT&CK framework. Each value represents a specific phase the threat actor may have reached during the incident.

    Possible values for each string:

    • initial_access

    • execution

    • persistence

    • privilege_escalation

    • defence_evasion

    • credential_access

    • discovery

    • lateral_movement

    • collection

    • command_and_control

    • exfiltration

    • impact

  • lastKillChainPhase (String): Indicates the most recent stage reached in the cyberattack lifecycle during the incident, based on the MITRE ATT&CK framework. It reflects the furthest progression observed by the system.

    Possible values are identical to those of the killChainPhases strings.

  • cves (Array of Objects): CVEs identified in the attack. For information about each object in the array, refer to cves (Organization incidents).

  • suspectedActors (Array of Objects): Suspected actors that might have done the attack. For information about each object in the array, refer to suspectedActors (Organization incidents).

  • nodes (Array of Objects): The nodes from the incident graph. For information about each object in the array, refer to nodes (Organization incidents).

  • alerts (Array of Objects): The alerts from the incident events. For information about each object in the array, refer to alerts (Organization incidents).

  • incidentEvolution (Array of Objects): The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow.

    In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain.

    For information about each object in the array, refer to incidentEvolution (Endpoint and Organization incidents).

  • narrative (Array of String Arrays): A list of paragraphs summarizing the incident, available in the Overview tab of GravityZone Control Center. Each paragraph is represented as an array of phrase strings.

    If no data is available, the narrative is returned as an empty array.

  • reasoning (Array of String Arrays): A list of paragraphs forming the root cause analysis of the incident: a textual explanation of the incident’s origin, summarizing the factors and alerts that led to its occurrence. Each paragraph is represented as an array of phrase strings.

    If no data is available, the reasoning is returned as an empty array.

notes

Array of Objects

A list of notes that were attached to the incident.

Each note contains the following settings:

  • id (String): The note ID.

  • userId (String): The ID of the user that created the note.

  • text (String): The text added to the note.

  • created (String): The date and time when the note was created, in ISO-8601 format.

partOf (Endpoint and Organization incidents) and contains (Organization incidents)

Attribute

Type

Description

incidentId

String

The ID of the incident.

incidentLink

String

A URL that can be used to open the incident in GravityZone Control Center after logging in.

counters (Endpoint incidents)

Attribute

Type

Description

endpoints

Integer

The number of endpoints involved in the incident.

files

Integer

The number of files involved in the incident.

processes

Integer

The number of processes involved in the incident.

domains

Integer

The number of domains involved in the incident.

registries

Integer

The number of registry keys involved in the incident. This applies only to endpoints that use Windows.

events

Integer

The number of system events involved in the incident.

storages

Integer

The number of storage devices involved in the incident.

counters (Organization incidents)

Attribute

Type

Description

endpoints

Integer

The number of endpoints involved in the incident.

servers

Integer

The number of servers involved in the incident.

mobileDevices

Integer

The number of mobile devices involved in the incident.

printers

Integer

The number of printers involved in the incident.

routers

Integer

The number of routers involved in the incident.

IoTs

Integer

The number of Internet-of-Things involved in the incident.

identities

Integer

The number of identities involved in the incident.

emails

Integer

The number of emails involved in the incident.

IPs

Integer

The number of IPs involved in the incident.

domains

Integer

The number of domains involved in the incident.

DNSs

Integer

The number of domain name servers involved in the incident.

DGAs

Integer

The number of domain generation algorithms (DGAs) involved in the incident.

cloudStorages

Integer

The number of cloud storages involved in the incident.

torNodes

Integer

The number of Tor nodes involved in the incident.

externalDrives

Integer

The number of external drives involved in the incident.

externalSources

Integer

The number of external sources involved in the incident.

exfiltratedFiles

Integer

The number of exfiltrated files involved in the incident.

internalIPs

Integer

The number of internal IPs involved in the incident.

internalEmails

Integer

The number of internal emails involved in the incident.

users

Integer

The number of users involved in the incident.

virtualDesktops

Integer

The number of virtual desktops involved in the incident.

containers

Integer

The number of containers (docker, k8s, etc.) involved in the incident.

databases

Integer

The number of databases involved in the incident.

storages

Integer

The number of storages involved in the incident.

office365Instances

Integer

The number of Microsoft 365 (Office 365) instances involved in the incident.

ADInstances

Integer

The number of Active Directory instances involved in the incident.

azureADInstances

Integer

The number of Azure Active Directory instances involved in the incident.

GCPInstances

Integer

The number of Google Cloud Platform instances involved in the incident.

googleWorkspaceInstances

Integer

The number of Google Workspace instances involved in the incident.

atlassianInstances

Integer

The number of Atlassian instances involved in the incident.

atlassianBitbucketProducts

Integer

The number of Atlassian Bitbucket products involved in the incident.

atlassianJiraProducts

Integer

The number of Atlassian Jira products involved in the incident.

atlassianConfluenceProducts

Integer

The number of Atlassian Confluence products involved in the incident.

bitbucketProjects

Integer

The number of Bitbucket projects involved in the incident.

confluenceSpaces

Integer

The number of Confluence spaces involved in the incident.

AWSInstances

Integer

The number of AWS instances involved in the incident.

nodes (Endpoint incidents)

Attribute

Type

Description

id

String

The ID of the node.

name

String

The name of the node.

type

String

The type of the node.

Possible values:

  • endpoint

  • file

  • process_execution

  • virtual_group

  • registry

  • domain

  • container_host

alertIds

Array of Strings

A list of alert IDs. These correlate with the objects from alerts (Endpoint incidents).

details

Object

The details available for the node. The data contained by this object varies based on the value of the type attribute under the same nodes object.

When type is endpoint or container_host, the details Object contains:

  • id (String)

  • name (String)

  • hardwareId (String)

  • ip (String)

  • isContainer (Boolean)

  • isContainerHost (Boolean)

When type is file, the details Object contains:

When type is process_execution, the details Object contains:

When type is registry, the details Object contains:

When type is domain, the details Object contains:

For any other types, the details attribute is not included in the response.

fileProcess (file node) and process (registry or domain node)

Attribute

Type

pid

Integer

name

String

path

String

sandbox (file or process_execution node)

Attribute

Type

status

String

quarantine (file or process_execution node)

Attribute

Type

fileId

String

file (process_execution node)

Attribute

Type

name

String

path

String

md5

String

sha256

String

size

Integer

isExecutable

Boolean

process (process_execution node)

Attribute

Type

Description

pid

Integer

name

String

commandLine

String

userId

String

userName

String

date

String

parent

Object

The Object contains:

  • pid (Integer)

  • name (String)

  • path (String)

killProcess (process_execution node)

Attribute

Type

status

String

errorCode

Integer

registry (registry node)

Attribute

Type

key

String

value

String

data

String

domain (domain node)

Attribute

Type

requestedURL

String

remotePort

Integer

streamType

String

extractedFilename

String

sourceApplication

String

protocol

String

file (domain node)

Attribute

Type

size

Integer

md5

String

sha256

String

nodes (Organization incidents)

Attribute

Type

Description

id

String

The ID of the node.

name

String

The name of the node.

isExternal

Boolean

Indicates if the node is a resource from the client’s network or not.

type

String

The type of the node.

Possible values:

  • endpoint

  • server

  • mobile_device

  • printer

  • router

  • iot

  • user_generic

  • user_aws

  • user_gcp

  • user_ad

  • user_azure_ad

  • user_atlassian

  • aws

  • azure

  • gcp

  • active_directory

  • office_365

  • azure_ad

  • google_workspace

  • atlassian

  • virtual_server_aws

  • container_aws

  • service_aws

  • database_aws

  • storage_aws

  • end_user_computing_aws

  • virtual_server_azure

  • container_azure

  • service_azure

  • database_azure

  • storage_azure

  • end_user_computing_azure

  • virtual_server_gcp

  • container_gcp

  • service_gcp

  • database_gcp

  • storage_gcp

  • end_user_computing_gcp

  • product_atlassian_bitbucket

  • product_atlassian_jira

  • product_atlassian_confluence

  • bitbucket_project

  • confluence_space

  • attacker

  • email

  • ip

  • domain

  • dns

  • dga

  • cloud_storage

  • tor_node

  • external_drive

details

Object

The details available for this node. The data contained by this object varies based on the value of the type field under the same nodes object. For more information, refer to details (Organization incident node).

details (Organization incident node)

Value of type field

Attribute

Type

endpoint

hardwareId

String

ips

Array of Strings

macs

Array of Strings

endpointId

String

server

hardwareId

String

ips

Array of Strings

macs

Array of Strings

endpointId

String

networkServices

Array of Strings

mobile_device

deviceId

String

ip

String

os

String

deviceGroupName

String

phoneNumber

String

router

printer

iot

ip

String

mac

String

attacker

threatGroup

String

email

sender

String

recipients

Array of Strings

subject

String

attachments

Array of Strings

ip

ip

String

domains

Array of Strings

mac

String

domain

domainName

String

ips

Array of Strings

dns

tor_node

ip

String

dga

domainName

String

ip

String

cloud_storage

provider

String

ip

String

external_drive

name

String

mountPath

String

user_generic

emails

Array of Strings

ips

Array of Strings

service

String

user_aws

emails

Array of Strings

ips

Array of Strings

accessKeyId

String

user_gcp

emails

Array of Strings

ips

Array of Strings

sensorIdentifier

String

user_ad

emails

Array of Strings

ips

Array of Strings

domain

String

userSid

String

domainGuid

String

user_azure_ad

emails

Array of Strings

ips

Array of Strings

tenantId

String

riskDetail

String

riskLevel

String

riskState

String

user_atlassian

emails

Array of Strings

ips

Array of Strings

organizationId

String

userId

String

aws

azure

gcp

google_workspace

office_365

azure_ad

atlassian

organizationId

String

virtual_server_aws

container_aws

service_aws

databasse_aws

storage_aws

end_user_computing_aws

virtual_server_azure

container_azure

storage_azure

service_azure

end_user_computing_azure

virtual_server_gcp

container_gcp

service_gcp

database_gcp

storage_gcp

end_user_computing_gcp

id

String

ips

Array of Strings

urls

Array of Strings

product_atlassian_bitbucket

product_atlassian_jira

product_atlassian_confluence

url

String

bitbucket_project

url

String

workspace

String

confluence_space

id

String

key

String

url

String

alerts (Endpoint incidents)

Attribute

Type

Description

id

String

The ID of the alert.

name

String

The name of the alert.

date

String

The date and time when the alert was detected in the network.

detectedBy

Object

The object contains information about who detected the alert:

  • name (String): The name of the technology that detected the threat.

  • class (String): The type of the technology that detected the threat.

resources

Array of Objects

The objects contain information regarding the resources involved in the alert:

  • type (String): The type of the resource.

    Possible values:

    • network

    • registry

    • file

    • process

  • details (Object): The details available for the resource.

    The data contained by this object varies based on the value of the type field under the same resources object. For more information, refer to details (alerts > resources).

extra

Array of Objects

Extra information for the alert. Each object contains:

  • key (String)

  • value (Integer, Boolean, or String)

details (alerts > resources)

Value of type field

Attribute

Type

file

filePath

String

fileSize

Integer

accessType

String

attributeChangeType

String

rawDiskAccessType

String

internalName

String

originalFileName

String

companyName

String

fileDescription

String

productName

String

md5

String

sha256

String

certificateIssuer

String

certificateSigner

String

fileType

String

filePackerName

String

newFilePath

String

network

uri

String

protocol

String

port

Integer

streamType

String

statusCode

Integer

requestMethod

String

requesterMac

String

requesterIp

String

requesterSystemName

String

rawConnectionDestIp

String

rawConnectionSourceIprawConnectionDestPort

Integer

rawConnectionSourcePort

Integer

rawConnectionTransferedIn

Integer

rawConnectionTransferedOut

Integer

rawConnectionDirection

String

rawConnectionReferrer

String

rawConnectionFailStatus

Integer

rawConnectionGuestStatus

Integer

rawConnectionUser

String

rawConnectionLoginStatus

Integer

rawConnectionFilePath

String

domain

String

smbFileName

String

smbTreeName

String

interface

String

expectedProtocol

String

rawConnectionProtocol

String

rawConnectionTransferredFile

String

rawConnectionTransferredFileType

String

rawConnectionTransferredFileSize

Integer

rawConnectionExpectedProtocol

String

rawConnectionAccessType

String

rawConnectionEncryptionType

String

rawConnectionInterface

String

rawConnectionServiceName

String

rawConnectionServicePath

String

httpConnectionMethod

String

httpConnectionHost

String

httpConnectionUri

String

httpConnectionResponseCode

Integer

httpConnectionReferrer

String

winrmConnectionUserAgent

String

winrmConnectionAuthorization

String

smbUser

String

smbHostName

String

smbDomainName

String

smbAccessType

String

smbAuthMethod

String

ldapDistinguishedName

String

ldapGroupDistinguishedName

String

ldapUserDistinguishedName

String

mailAttachments

String

process

pid

Integer

processPath

String

processPathSize

Integer

commandLine

String

parentPid

Integer

parentProcessPath

String

parentProcessCmdLine

String

parentProcessUser

String

user

String

loadedModule

String

loadedModulePid

Integer

processInjectionWriter

String

processInjectionWriterPid

Integer

processInjectionTarget

String

processInjectionTargetPid

Integer

processInjectionSizeofWrite

Integer

processAccessPrivileges

String

parentProcessAccessPrivileges

String

processIntegrityLevel

String

parentProcessIntegrityLevel

String

processPackerName

String

registry

registryKey

String

registryValue

String

registryData

String

registryType

String

registryAccessType

String

alerts (Organization incidents)

Attribute

Type

Description

id

String

The ID of the alert.

name

String

The name of the alert.

date

String

The date and time when the alert was detected in the network, in ISO-8601 format.

sensors

Array of Strings

Sensors that detected the alert.

Possible values:

  • EDR

  • NTSA

  • XDR

  • office_365

  • active_directory

  • azure_active_directory

  • azure

  • aws

  • gcp

  • google_workspace

  • email_security

  • atlassian

tactic

String

The MITRE tactic detected for this alert.

Possible values:

  • initial_access

  • execution

  • persistence

  • privilege_escalation

  • defence_evasion

  • credential_access

  • discovery

  • lateral_movement

  • collection

  • command_and_control

  • exfiltration

  • impact

transitions

Array of Objects

This array contains data used to build the incident graph. It indicates how nodes connect.

Each Object contains:

  • from (String): Node ID.

  • to (String): Node ID.

  • resources (Array of Objects): Resources associated with this transition. For information on the fields included in each of these objects, refer to resources (Organization incident transition)

resources (Organization incident transition)

Attribute

Type

Description

name

String

The name of the resource.

type

String

The type of the resource.

Possible values:

  • generic

  • application

  • key_vault

  • role

  • policy

  • sharing_link

  • file

  • email

  • flow

  • url

  • ssh_key

  • launch_template

  • service_principal

  • user_group

  • automatic_account

  • automatic_account_hook

  • api

  • certificate_authority

  • bucket

  • bitbucket_repository

  • jira_project

  • confluence_page

details

Object

Details for the resource. Schema depends on the type field.

For more information on the fields included in this object, refer to details (Organization incident resource).

details (Organization incident resource)

Value of type field

Attribute

Type (and description)

generic

data

String

application

appAddress

String

ip

String

url

sharing_link

url

String

file

url

String

path

String

size

Integer

md5

String

sha256

String

sensorIdentifier

String

email

id

String

subject

String

userId

String

userTenantId

String

sensorIdentifier

String

receivedOn

String (ISO-8601)

similarityHash

String

sender

Object

Contains the following attributes:

  • name (String)

  • address (String)

toRecipients

Array of Objects

Each Object contains the following attributes:

  • name (String)

  • address (String)

ccRecipients

Array of Objects

Each Object contains the following attributes:

  • name (String)

  • address (String)

bccRecipients

Array of Objects

Each Object contains the following attributes:

  • name (String)

  • address (String)

urls

Array of Strings

attachments

Array of Objects

Each Object contains the following attributes:

  • name (String)

  • fileMd5 (String)

  • fileSha256 (String)

  • size (Integer)

role

service_principal

user_group

automation_account

automation_account_hook

api

id

String

policy

id

String

name

String

resourcePolicyType

String

flow

bitbucket_repository

jira_project

confluence_page

id

String

url

String

ssh_key

sshPublicKey

String

launch_template

id

String

name

String

certificate_authority

id

String

ceritficate

String

transitions (Endpoint incidents)

Attribute

Type

Description

from

String

The ID of the origin node.

to

String

The ID of the destination node.

date

String

The date and time of the transition, in ISO-8601 format.

mitreTags (Endpoint and Organization incidents)

Attribute

Type

Description

category

String

The category the MITRE technique belongs to.

techniques

Array of Objects

The MITRE techniques detected for this category.

Each object contains:

  • id (String): The ID of the MITRE technique (for example, T0800).

  • name (String): The name of the MITRE technique (for example, Program Download).

  • subtechniques (Array of Objects): The MITRE sub-techniques detected for this technique.

    For information on the fields included in each of these objects, refer to subtechniques (mitreTags > techniques).

subtechniques (mitreTags > techniques)

Attribute

Type

Description

id

String

The ID of the MITRE sub-technique (for example, S0603).

name

String

The name of the MITRE sub-technique (for example, Stuxnet).

cves (Organization incidents)

Attribute

Type

Description

id

String

The ID of a CVE (for example, CVE-2024-12345).

suspectedActors (Organization incidents)

Attribute

Type

Description

name

String

The name of the suspected actor.

confidenceScore

Integer

Confidence score for correlating the attack with this actor.

reasons

Array of Objects

Reasons why this attack was correlated with this actor.

Each Object contains:

  • type (String): The type of the reason.

    Possible values:

    • sample

    • url

    • registry

    • mutex

    • wallet

  • value (String): The value for the reason.

    The string format depends on the type field.

incidentEvolution (Endpoint and Organization incidents)

Attribute

Type

Description

incidentId

String

The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.

incidentNumber

Integer

The incident ID displayed in GravityZone Control Center, in the Incidents page, without the # prefix.

status

String

The status of the incident.

Possible values:

  • open: The incident has been recently generated and is yet to be investigated.

  • in_progress: The incident is currently under investigation.

  • false_positive: The incident was investigated and confirmed to be a false alarm.

  • closed: The incident was confirmed as valid and is now closed following investigation.

incidentLink

String

A URL linking to a web page where the incident details can be viewed in a browser.

Example

Request:

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "jsonrpc": "2.0",
  "method": "getIncidentsByIds",
  "params": {
    "ids": [
      "6a1b2c3d4e5f67890abcde01",
      "6a1b2c3d4e5f67890abcde02"
    ]
  }
}

Response:

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "jsonrpc": "2.0",
  "result": [
    {
      "incidentId": "6a1b2c3d4e5f67890abcde01",
      "incidentNumber": 101,
      "status": "closed",
      "mainAction": "reported",
      "created": "2026-03-15T15:03:03+00:00",
      "lastUpdated": "2026-03-15T15:03:03+00:00",
      "lastProcessed": "2026-04-10T11:17:51+00:00",
      "severityScore": 48,
      "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde01",
      "assignee": {
        "userId": "5f4e3d2c1b0a987654321fed",
        "userName": "john.smith@example.com",
        "companyId": "5e4d3c2b1a0987654321fedc",
        "companyName": "Acme Corporation"
      },
      "priority": "unknown",
      "attackTypes": [
        "Exfiltration",
        "SpearPhishing",
        "Exploit"
      ],
      "company": {
        "id": "5e4d3c2b1a0987654321fedc",
        "name": "Acme Corporation"
      },
      "incidentType": "extendedIncident",
      "details": {
        "counters": {
          "endpoints": 1,
          "servers": 0,
          "mobileDevices": 0,
          "printers": 0,
          "routers": 0,
          "IoTs": 0,
          "identities": 3,
          "emails": 0,
          "IPs": 2,
          "domains": 0,
          "DNSs": 0,
          "DGAs": 0,
          "cloudStorages": 0,
          "torNodes": 0,
          "externalDrives": 0,
          "externalSources": 3,
          "exfiltratedFiles": 4,
          "internalIPs": 0,
          "internalEmails": 3,
          "users": 3,
          "virtualDesktops": 0,
          "containers": 0,
          "databases": 0,
          "storages": 0,
          "office365Instances": 0,
          "ADInstances": 0,
          "azureADInstances": 1,
          "AWSInstances": 0,
          "GCPInstances": 0,
          "googleWorkspaceInstances": 0,
          "atlassianInstances": 0,
          "atlassianBitbucketProducts": 0,
          "atlassianJiraProducts": 0,
          "atlassianConfluenceProducts": 0,
          "bitbucketProjects": 0,
          "confluenceSpaces": 0
        },
        "incidentEvolution": [
          {
            "incidentId": "6a1b2c3d4e5f67890abcde05",
            "incidentNumber": 105,
            "status": "false_positive",
            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde05"
          }
        ],
        "contains": [],
        "partOf": [],
        "cves": [],
        "suspectedActors": [],
        "killChainPhases": [
          "initial_access",
          "execution",
          "credential_access",
          "lateral_movement",
          "collection",
          "command_and_control",
          "exfiltration"
        ],
        "lastKillChainPhase": "exfiltration",
        "alerts": [
          {
            "id": "7a1b2c3d4e5f67890abcde01",
            "name": "SuspiciousEmailReceived",
            "date": "2026-03-15T14:57:03+00:00",
            "sensors": [
              "office_365",
              "EDR"
            ],
            "tactic": "initial_access",
            "transitions": [
              {
                "from": "8a1b2c3d4e5f67890abcde01",
                "to": "8a1b2c3d4e5f67890abcde02",
                "resources": [
                  {
                    "name": "Important Update",
                    "type": "email",
                    "details": {
                      "id": "AAMkADNiNWU0YTljLTRiYmEtNGFlMi1iNzRhLWI5NDk4Y2QwOWM1NQBGAAAAAAD3LHfFVxR-TIchBqXPMdrxBwAlFp_8PvdsSKRtFCjiDPaqAAAAAAEMAAAlFp_8PvdsSKRtFCjiDPaqAAAQexample=",
                      "subject": "Important Update",
                      "userId": "alice.johnson@acmecorp.onmicrosoft.com",
                      "userTenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                      "sensorIdentifier": "sensor-o365-001",
                      "similarityHash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
                      "receivedOn": "2026-03-15T14:57:01+00:00",
                      "sender": {
                        "name": "threat-actor@malicious-domain.com",
                        "address": "threat-actor@malicious-domain.com"
                      },
                      "toRecipients": [
                        {
                          "name": "Alice Johnson",
                          "address": "alice.johnson@acmecorp.onmicrosoft.com"
                        }
                      ],
                      "ccRecipients": [],
                      "bccRecipients": [],
                      "urls": [],
                      "attachments": [
                        {
                          "name": "notice.zip",
                          "fileMd5": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
                          "fileSha256": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
                          "size": 33879
                        }
                      ]
                    }
                  }
                ]
              }
            ]
          },
          {
            "id": "7a1b2c3d4e5f67890abcde26",
            "name": "SuspiciousLinkCreated",
            "date": "2026-03-15T14:59:13+00:00",
            "sensors": [
              "office_365"
            ],
            "tactic": "collection",
            "transitions": [
              {
                "from": "8a1b2c3d4e5f67890abcde02",
                "to": "8a1b2c3d4e5f67890abcde01",
                "resources": [
                  {
                    "name": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                    "type": "file",
                    "details": {
                      "url": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                      "path": null,
                      "size": null,
                      "md5": null,
                      "sha256": null,
                      "sensorIdentifier": "sensor-o365-001"
                    }
                  },
                  {
                    "name": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential",
                    "type": "sharing_link",
                    "details": {
                      "url": "https://acmecorp-my.sharepoint.com/personal/alice_acmecorp_onmicrosoft_com/Documents/Confidential"
                    }
                  }
                ]
              }
            ]
          },
          {
            "id": "7a1b2c3d4e5f67890abcde27",
            "name": "SuspiciousAppCreated",
            "date": "2026-03-15T15:01:17+00:00",
            "sensors": [
              "active_directory"
            ],
            "tactic": "credential_access",
            "transitions": [
              {
                "from": "8a1b2c3d4e5f67890abcde02",
                "to": "8a1b2c3d4e5f67890abcde05",
                "resources": [
                  {
                    "name": "Malicious OAuth App",
                    "type": "application",
                    "details": {
                      "appAddress": "https://198.51.100.42/callback",
                      "ip": "198.51.100.42"
                    }
                  }
                ]
              }
            ]
          }
        ],
        "nodes": [
          {
            "id": "8a1b2c3d4e5f67890abcde01",
            "name": "threat-actor@malicious-domain.com",
            "isExternal": false,
            "type": "user_generic",
            "details": {
              "emails": [
                "threat-actor@malicious-domain.com"
              ],
              "ips": [
              ],
              "service": "malicious-domain.com"
            }
          },
          {
            "id": "8a1b2c3d4e5f67890abcde02",
            "name": "alice.johnson@acmecorp.onmicrosoft.com",
            "isExternal": false,
            "type": "user_azure_ad",
            "details": {
              "emails": [
                "alice.johnson@acmecorp.onmicrosoft.com"
              ],
              "ips": [
              ],
              "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
              "riskDetail": "userPerformedSecuredPasswordChange",
              "riskLevel": "high",
              "riskState": "atRisk"
            }
          },
          {
            "id": "8a1b2c3d4e5f67890abcde03",
            "name": "desktop-corp01.acmecorp.local",
            "isExternal": false,
            "type": "endpoint",
            "details": {
              "hardwareId": "12345678-abcd-ef01-2345-6789abcdef01-00AABB112233",
              "ips": [
                "192.168.1.100"
              ],
              "macs": [
                "00AABB112233"
              ],
              "endpointId": "5d4c3b2a190876543210fedc"
            }
          },
          {
            "id": "8a1b2c3d4e5f67890abcde04",
            "name": "198.51.100.42",
            "isExternal": false,
            "type": "ip",
            "details": {
              "ip": "198.51.100.42",
              "domains": [
                "c2-server.malicious-domain.com"
              ],
              "mac": null
            }
          },
          {
            "id": "8a1b2c3d4e5f67890abcde05",
            "name": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "isExternal": false,
            "type": "azure_ad",
            "details": {
              "organizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
            }
          }         
        ],
        "mitreTags": [
          {
            "category": "Initial Access",
            "techniques": [
              {
                "name": "Phishing",
                "id": "T1566",
                "subtechniques": [
                  {
                    "name": "Spearphishing Attachment",
                    "id": "T1566.001"
                  }
                ]
              }
            ]
          }   
        ],
        "narrative": [
          [
            "A potential network breach originating from user: threat-actor@malicious-domain.com, has been detected as part of 2 alerts, affecting the following: managed asset: desktop-corp01.acmecorp.local, and user: alice.johnson@acmecorp.onmicrosoft.com."
          ]
        ],
        "reasoning": [
          [
            "The incident was triggered by 2 alerts, involving managed asset: desktop-corp01.acmecorp.local, and user: alice.johnson@acmecorp.onmicrosoft.com, indicating the suspicious email(s) sent by user: threat-actor@malicious-domain.com as the root cause of the incident."
          ]
        ]
      },
      "notes": []
    },
    {
      "incidentId": "6a1b2c3d4e5f67890abcde02",
      "incidentNumber": 102,
      "status": "closed",
      "mainAction": "reported",
      "created": "2026-03-10T13:38:01+00:00",
      "lastUpdated": "2026-03-10T13:38:01+00:00",
      "lastProcessed": "2026-04-10T11:17:08+00:00",
      "severityScore": 47,
      "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde02",
      "assignee": null,
      "priority": "unknown",
      "attackTypes": [
        "Defined by user"
      ],
      "company": {
        "id": "5e4d3c2b1a0987654321fedc",
        "name": "Acme Corporation"
      },
      "incidentType": "incident",
      "details": {
        "detectionName": "Suspicious Registry Access by Service",
        "counters": {
          "endpoints": 1,
          "files": 2,
          "processes": 6,
          "domains": 0,
          "registries": 0,
          "events": 12,
          "storages": 0
        },
        "incidentEvolution": [
          {
            "incidentId": "6a1b2c3d4e5f67890abcde03",
            "incidentNumber": 103,
            "status": "closed",
            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde03"
          }
        ],
        "computerId": "5d4c3b2a190876543210fed2",
        "computerName": "SERVER-PROD-01",
        "computerFqdn": "server-prod-01.acmecorp.local",
        "computerIp": "192.168.10.50",
        "computerMacAddresses": [
          "00CCDD445566"
        ],
        "partOf": [
          {
            "incidentId": "6a1b2c3d4e5f67890abcde01",
            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde01"
          },
          {
            "incidentId": "6a1b2c3d4e5f67890abcde05",
            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde05"
          }
        ],
        "alerts": [
          {
            "id": "9a1b2c3d4e5f67890abcde01",
            "name": "SystemInformationRegistryDiscovery",
            "date": "2026-03-10T13:37:50+00:00",
            "detectedBy": {
              "name": "SystemInformationRegistryDiscovery",
              "class": "EDR Detection"
            },
            "resources": [
              {
                "type": "process",
                "details": {
                  "pid": 9688,
                  "processPath": "c:\\program files\\acme\\monitoring-agent\\monitoragent.exe",
                  "processPathSize": 111376,
                  "commandLine": "\"C:\\Program Files\\Acme\\monitoring-agent\\monitoragent.exe\" -n svc",
                  "parentPid": 7280,
                  "parentProcessPath": "c:\\windows\\system32\\services.exe",
                  "parentProcessCmdline": "c:\\windows\\system32\\services.exe",
                  "parentProcessUser": "NT AUTHORITY\\SYSTEM",
                  "user": "SERVER-PROD-01\\svc-monitor",
                  "loadedModule": null,
                  "loadedModulePid": null,
                  "processInjectionWriter": null,
                  "processInjectionWriterPid": null,
                  "processInjectionTarget": null,
                  "processInjectionTargetPid": null,
                  "processInjectionSizeofWrite": null,
                  "processAccessPrivileges": "elevated",
                  "parentProcessAccessPrivileges": "elevated",
                  "processIntegrityLevel": "high",
                  "parentProcessIntegrityLevel": "system",
                  "processPackerName": null
                }
              },
              {
                "type": "registry",
                "details": {
                  "registryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                  "registryValue": "CurrentBuild",
                  "registryData": "19045",
                  "registryType": "REG_SZ",
                  "registryAccessType": "QUERY"
                }
              }
            ],
            "extra": [
              {
                "key": "extraInfo1",
                "value": "Operation Channel: normal\nProcess PE VersionInfo and Certification Information: \n\nOriginal File Name: monitoragent.exe\nInternal Name: monitoragent\nFile Description: Acme Monitoring Agent Service\nCompany Name: Acme Corporation\nFile Version: 3.5.1.10247\nProduct Name: Acme Monitoring Agent\nProduct Version: 3.5.1 build-10247\nLegal Copyright: Copyright 2020-2026 Acme Corporation\nCertificate Serial: 0aabbccddee11223344556677889900\nCertificate Signer: Acme Corporation\nCertificate Issuer: DigiCert, Inc.\n\nWorking Directory: c:\\windows\\system32\\"
              }
            ]
          }
        ],
        "nodes": [
          {
            "id": "9b1b2c3d4e5f67890abcde01",
            "name": "collector-parent.exe",
            "type": "process_execution",
            "details": {
              "file": {
                "name": "collector-parent.exe",
                "path": "c:\\tools\\data-collector\\collector-parent.exe",
                "md5": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
                "sha256": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6",
                "size": 198656,
                "isExecutable": true
              },
              "process": {
                "pid": 10080,
                "parent": {
                  "pid": 9688,
                  "name": "monitoragent.exe",
                  "path": "c:\\program files\\acme\\monitoring-agent\\monitoragent.exe"
                },
                "commandLine": "\"C:\\tools\\data-collector\\collector-parent.exe\"",
                "userId": "S-1-5-21-1234567890-123456789-1234567890-1002",
                "userName": "SERVER-PROD-01\\svc-monitor",
                "date": "2026-03-10T13:37:40+00:00",
                "name": "collector-parent.exe"
              },
              "sandbox": null,
              "quarantine": null,
              "killProcess": null
            },
            "alertIds": [
              "9a1b2c3d4e5f67890abcde02"
            ]
          },
          {
            "id": "9b1b2c3d4e5f67890abcde07",
            "name": "collector-output.txt",
            "type": "file",
            "details": {
              "name": "collector-output.txt",
              "path": "c:\\tools\\data-collector\\collector-output.txt",
              "md5": "c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4",
              "sha256": "c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0",
              "size": 3,
              "isExecutable": false,
              "fileProcess": {
                "pid": 10156,
                "name": "collector-worker.exe",
                "path": "c:\\tools\\data-collector\\collector-worker.exe"
              },
              "sandbox": null,
              "quarantine": null
            },
            "alertIds": []
          },
          {
            "id": "9b1b2c3d4e5f67890abcde09",
            "name": "SERVER-PROD-01",
            "type": "endpoint",
            "details": {
              "id": "5d4c3b2a190876543210fed2",
              "name": "SERVER-PROD-01",
              "hardwareId": "aabbccdd-1122-3344-5566-778899aabbcc",
              "ip": "192.168.10.50",
              "isContainer": false,
              "isContainerHost": false
            },
            "alertIds": []
          }
        ],
        "triggerNodeId": "9b1b2c3d4e5f67890abcde01",
        "transitions": [
          {
            "from": "9b1b2c3d4e5f67890abcde01",
            "to": "9b1b2c3d4e5f67890abcde02",
            "date": "2026-03-10T13:37:40+00:00"
          }
        ],
        "mitreTags": [
        ]
      },
      "notes": []
    }
  ]
}
In this section: