getIncidentsList

This method returns a companies incident items. It is included in the Incidents API, which provides methods that allow the management of Endpoint and Detection (EDR) features.

API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.2/jsonrpc/incidents

Parameters

Parameter	Description	Included in request	Type	Values
`page`	The number of the page to display from the total number of result pages.	Optional	Integer	No additional requirements. Default value: `1`. Example "page": 2
`perPage`	The number of items to display per page.	Optional	Integer	Possible values: `500` - `10000`. Default value: `1000`. Example "perPage": 2000
`filters`	Indicates what incidents are returned.	Optional	Object	No additional requirements. For more information, refer to `filters`. Example "filters": { "companyId": "61827b8036492c2fc0718722", "endpointId": "7f127b8036492c2fc071823d", "status": ["open", "closed", "in_progress", "false_positive"], "incidentType": ["incident", "extendedIncident"], "mainAction": ["reported", "blocked", "partially_blocked"], "priority": ["unknown", "low", "medium", "high", "critical"], "assignedUserId": "55127b8036492c2fc0718eea", "startDate": "2025-02-03T08:21:43+00:00", "endDate": "2025-02-04T08:23:43+00:00", "processedStartDate": "2025-02-03T08:21:43+00:00", "processedEndDate": "2025-02-04T08:23:43+00:00", },
`options`	Provides additional filtering options for incidents.	Optional	Object	No additional requirements. For more information, refer to `options` Example "options": { "includeChildCompanies": true, }

Objects

`filters`

Parameter	Description	Included in request	Type
`companyId`	The ID of the company for which you want to retrieve the incidents for. Default value: The ID of the company associated with the API key used for the request. The user making the API call must have access to the specified company.	Optional	String
`endpointId`	Only return incidents where this endpoint appear as one of the nodes involved.	Optional	String
`status`	Only return incidents that have this status assigned. Possible values: `open` `closed` `in_progress` `false_positive`	Optional	Array of strings
`priority`	Only return incidents that have this priority assigned. Possible values: `unknown` `low` `medium` `high` `critical`	Optional	Array of strings
`incidentType`	Only return this type of incidents. Possible values: `incident` `extendedIncident`	Optional	Array of strings
`mainAction`	Only return incidents that have had this main action performed. Possible values: `reported` `blocked` `partially_blocked`	Optional	Array of strings
`assignedUserId`	Only return incidents where the owner of this user ID is assigned to.	Optional	String
`startDate`	Retrieve incidents that were last updated after this time and date. You can only use this parameter if `endDate` is also included in the request. The value assigned to the `startDate` parameter must be set before the value assigned to `endDate`.	Optional	String, in ISO-8601 format
`endDate`	Retrieve incidents that were last updated before this time and date. You can only use this parameter if `startDate` is also included in the request. The value assigned to the `startDate` parameter must be set before the value assigned to `endDate`.	Optional	String, in ISO-8601 format
`processedStartDate`	Retrieve incidents that were updated in GravityZone after this time and date. You can only use this parameter if `processedEndDate` is also included in the request. The value assigned to the `processedStartDate` parameter must be set before the value assigned to `processedEndDate`.	Optional	String, in ISO-8601 format
`processedEndDate`	Retrieve incidents that were recorded in GravityZone after this time and date. You can only use this parameter if `processedStartDate` is also included in the request. The value assigned to the `processedStartDate` parameter must be set before the value assigned to `processedEndDate`.	Optional	String, in ISO-8601 format

`options`

Parameter	Description	Included in request	Type
`includeChildCompanies`	If set to `true` the search will also include incidents from all child companies, recursively.	Optional.	Boolean

Return value

This method returns an Object containing information about incidents items. The returned object contains:

Attribute	Type	Description
`page`	Integer	The number of the page that is currently displayed.
`pagesCount`	Integer	The total number of pages.
`perPage`	Integer	The number of items returned per page.
`total`	Integer	The total number of items.
`items`	Array of Objects	An array containing the list of items that contain information on incidents. For more information, refer to `items`.

Objects

`items`

Each object provides details regarding a specific incident.

Attribute	Type	Description
`incidentId`	String	The ID of incident.
`incidentNumber`	Integer	The number of the incident, as shown in the GravityZone console, under the Incidents page.
`incidentType`	String	The type of the incident. Possible values: `incident` - EDR incidents `extendedIncident` - XDR incidents
`company`	Object	This object contains data for the company where the incident was created.
`status`	String	The status of the incident. Possible values: `open` `closed` `in_progress` `false_positive`
`mainAction`	String	The main action that was taken automatically by the protection technologies when the incident was detected. Possible values: Reported - Endpoint and Organization incidents upon which no action was taken and require further investigation. Partially blocked - Organization incidents in which the automatic actions defined in the policies have been taken only on some entities. Blocked - Endpoint incidents that were detected and blocked by GravityZone prevention modules.
`created`	String	The date when the incident was created.
`lastUpdated`	String	The date when the incident was last updated.
`lastProcessed`	String	The date when the incident was last processed in GravityZone.
`severityScore`	Integer	The severity score of the incident.
`incidentLink`	String	A URL that can be used to open the incident in GravityZone. Note Users will need to log to GravityZone to access the incident.
`assignee`	Object	Provides information regarding the user assigned to the incident.
`priority`	Integer	The priority of the incidents. Possible values: `unknown` `low` `medium` `high` `critical`
`attackTypes`	Array of strings	A list of attack type names detected in the incident.
`details`	Object	This object contains additional information regarding the incident. The information provided will depend on the value assigned to the `incidentType` attribute.

`company`

Attribute	Type	Description
`id`	String	The ID of the company where the incident was created.
`name`	String	The name of the company where the incident was created.

`details`

Attribute	Type	Description
EDR incidents (`incidentType` = `incident`)
`detectionName`	String	The name of the detection.
`partOf`	Object	A list of objects that indicates in which extended incidents this incident was used for correlating data. For more information, review `contains` and `partOf`.
`computerId`	String	The ID of the endpoint that generated the incident.
`computerName`	String	The name of the endpoint that generated the incident.
`computerFqdn`	String	The FQDN of the endpoint that generated the incident.
`computerIp`	String	The IP of the endpoint that generated the incident. If the endpoint has multiple IPs, the one used to communicate with GravityZone will be reported here, not the one used in the attack.
`computerMacAddresses`	Array of strings	A list of the endpoints' MAC addresses.
`counters`	Object	A list of counters that reflect how many resources of a certain type were present in the incident. For more information, review `counters`
XDR incidens (`incidentType` = `extendedIncident`)
`contains`	Object	A list of objects that indicates what other incidents were used for correlating data in this incident. For more information, review `counters`.
`partOf`	Object	A list of objects that indicates in which extended incident this incident was used for correlating data. For more information, review `contains` and `partOf`.
`counters`	Object	A map of counters that reflect how many resources of a certain type were present in the incident. For more information, review `counters`.

`contains` and `partOf`

Attribute	Type	Description
`incidentId`	String	The ID of the incident.
`incidentLink`	String	A URL that can be used to open the incident in GravityZone. Note Users will need to log to GravityZone to access the incident.

`counters`

Attribute	Type	Description
EDR incidents
`endpoints`	Integer	The number of endpoints involved in the incident.
`files`	Integer	The number of files involved in the incident.
`processes`	Integer	The number of processes involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`registries`	Integer	The number of registry keys involved in the incident. This applies only to endpoints that use Windows.
`events`	Integer	The number of system events involved in the incident.
`storages`	Integer	The number of storage devices involved in the incident.
XDR incidents
`endpoints`	Integer	The number of endpoints involved in the incident.
`servers`	Integer	The number of servers involved in the incident.
`mobileDevices`	Integer	The number of mobile devices involved in the incident.
`printers`	Integer	The number of printers involved in the incident.
`routers`	Integer	The number of routers involved in the incident.
`IoTs`	Integer	The number of Internet-of-Things involved in the incident.
`identities`	Integer	The number of identities involved in the incident.
`emails`	Integer	The number of emails involved in the incident.
`IPs`	Integer	The number of IPs involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`DNSs`	Integer	The number of domain name servers involved in the incident.
`DGAs`	Integer	The number of domain generation algorithms (DGAs) involved in the incident.
`cloudStorages`	Integer	The number of cloud storages involved in the incident.
`torNodes`	Integer	The number of Tor nodes involved in the incident.
`externalDrives`	Integer	The number of external drives involved in the incident.
`externalSources`	Integer	The number of external sources involved in the incident.
`exfiltratedFiles`	Integer	The number of exfiltrated files involved in the incident.
`internalIPs`	Integer	The number of internal IPs involved in the incident.
`internalEmails`	Integer	The number of internal emails involved in the incident.
`users`	Integer	The number of users involved in the incident.
`virtualDesktops`	Integer	The number of virtual desktops involved in the incident.
`containers`	Integer	The number of containers (docker, k8s, etc.) involved in the incident.
`databases`	Integer	The number of databases involved in the incident.
`storages`	Integer	The number of storages involved in the incident.
`office365Instances`	Integer	The number of Office 365 instances involved in the incident.
`ADInstances`	Integer	The number of Active Directory instances involved in the incident.
`azureADInstances`	Integer	The number of Azure Active Directory instances involved in the incident.
`GCPInstances`	Integer	The number of Google Cloud Platform instances involved in the incident.
`googleWorkspaceInstances`	Integer	The number of Google Workspaces instances involved in the incident.
`atlassianInstances`	Integer	The number of Atlassian instances involved in the incident.
`atlassianBitbucketProducts`	Integer	The number of Atlasian Bitbucket products involved in the incident.
`atlassianJiraProducts`	Integer	The number of Atlassian Jira producs involved in the incident.
`atlassianConfluenceProducts`	Integer	The number of Atlassian Confluence producs involved in the incident.
`bitbucketProjects`	Integer	The number of Bitbucket projects involved in the incident.
`confluenceSpaces`	Integer	The number of Confluence spaces involved in the incident.

Example

Request

{
    "id": "1231",
    "method": "getIncidentsList",
    "jsonrpc": "2.0",
    "params": {
        "page": 1,
        "perPage": 1000,
        "filters": {
            "companyId": "61827b8036492c2fc0718722",
            "endpointId": "7f127b8036492c2fc071823d",
            "status": ["open", "closed", "in_progress", "false_positive"],
            "incidentType": ["incident", "extendedIncident"],
            "mainAction": ["reported", "blocked", "partially_blocked"],
            "priority": ["unknown", "low", "medium", "high", "critical"],
            "assignedUserId": "55127b8036492c2fc0718eea",
            "startDate": "2025-02-03T08:21:43+00:00",
            "endDate": "2025-02-04T08:23:43+00:00",
            "processedStartDate": "2025-02-03T08:21:43+00:00",
            "processedEndDate": "2025-02-04T08:23:43+00:00",
        },
        "options": {
            "includeChildCompanies": true,
        }
    }
}

Response

{
    "id": "1231",
    "jsonrpc": "2.0",
    "result": {
        "total": 2,
        "page": 1,
        "perPage": 1000,
        "pagesCount": 1,
        "items": [
            {
                "incidentId": "67a0bcb2b436ba781b692ab2",
                "incidentNumber": 14,
                "incidentType": "incident",
                "company": {
                    "id": "67a092e00cb1855d900d5792",
                    "name": "Bitdefender"
                },
                "status": "open",
                "mainAction": "reported",
                "created": "2025-02-03T12:55:13+00:00",
                "lastUpdated": "2025-02-03T12:59:50+00:00",
                "lastProcessed": "2025-02-03T13:00:14+00:00",
                "severityScore": 59,
                "incidentLink": "https://cloud.gravityzone.bitdefender.com/#!/incidents/view/67a0bcb2b436ba781b692ab2",
                "assignee": "55127b8036492c2fc0718eea",
                "priority": "unknown",
                "attackTypes": [
                    "Other"
                ],
                "details": {
                    "detectionName": "URL.Phishing",
                    "partOf": [
                        {
                            "incidentId": "67a0b256a2757f87d3fd93ea",
                            "incidentLink": "https://cloud.gravityzone.bitdefender.com/#!/incidents/view/67a0b256a2757f87d3fd93ea"
                        }
                    ],
                    "computerId": "67a0a0ee7a338e369211f8b6",
                    "computerName": "JB-EP3",
                    "computerFqdn": "jb-ep3",
                    "computerIp": "10.17.44.33"
                    "computerMacAddresses": ["46dd327ae0cc"],
                    "counters": {
                        "endpoints": 1,
                        "files": 7,
                        "processes": 10,
                        "domains": 0,
                        "registries": 2,
                        "events": 30,
                        "storages": 0
                    },
                }
            },
            {
                "incidentId": "67a0b256a2757f87d3fd93ea",
                "incidentNumber": 10,
                "incidentType": "extendedIncident",
                "company": {
                    "id": "67a092e00cb1855d900d5792",
                    "name": "Bitdefender"
                },
                "status": "open",
                "mainAction": "partially_blocked",
                "created": "2025-02-03T12:10:15+00:00",
                "lastUpdated": "2025-02-03T12:55:01+00:00",
                "lastProcessed": "2025-02-03T13:00:14+00:00",
                "severityScore": 82,
                "incidentLink": "https://cloud.gravityzone.bitdefender.com/#!/incidents/view/67a0b256a2757f87d3fd93ea",
                "assignee": "55127b8036492c2fc0718eea",
                "priority": "low",
                "attackTypes": [
                    "Exploit"
                ],
                "details": {
                    "contains": [],
                    "partOf": [],
                    "counters": {
                        "endpoints": 8,
                        "servers": 7,
                        "mobileDevices": 17,
                        "printers": 15,
                        "routers": 4,
                        "IoTs": 8,
                        "identities": 0,
                        "emails": 3,
                        "IPs": 19,
                        "domains": 5,
                        "DNS": 8,
                        "DGAs": 8,
                        "cloudStorages": 9,
                        "torNodes": 6,
                        "externalDrives": 15,
                        "externalSources": 8,
                        "exfiltratedFiles": 0,
                        "internalIPs": 0,
                        "internalEmails": 0,
                        "users": 0,
                        "virtualDesktops": 0,
                        "containers": 0,
                        "databases": 0,
                        "storages": 0,
                        "office365Instances": 0,
                        "ADInstances": 0,
                        "azureADInstances": 0,
                        "AWSInstances": 0,
                        "GCPInstances": 0,
                        "googleWorkspaceInstances": 0,
                        "atlassianInstances": 0,
                        "atlassianBitbucketProducts": 0,
                        "atlassianJiraProducts": 0,
                        "atlassianConfluenceProducts": 0,
                        "bitbucketProjects": 0,
                        "confluenceSpaces": 0
                    }
                }
            }            
        ]
    }
}

In this section:

getIncidentsList

Parameters

Objects

filters

options

Return value

Objects

items

Note

company

details

contains and partOf

Note

counters

Example

Search results

`filters`

`options`

`items`

`company`

`details`

`contains` and `partOf`

`counters`