getIncidentsList

This method retrieves details about Endpoint and Organization incidents for a specified company based on the applied filters.

API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.2/jsonrpc/incidents.

Parameters

Parameter	Description	Included in request	Type	Value requirements
`page`	The page number to return from the complete set of result pages.	Optional	Integer	Default value: `1`. This value must be minimum `1`. Example "page": 2
`perPage`	The number of items returned per page.	Optional	Integer	Possible values: `10` - `10000`. Default value: `1000`. Example "perPage": 2000
`filters`	The criteria used to filter the returned incidents.	Optional	Object	For more information, refer to `filters`. Example "filters": { "companyId": "61827b8036492c2fc0718722", "endpointId": "7f127b8036492c2fc071823d", "status": [ "open", "closed", "in_progress", "false_positive" ], "incidentType": [ "incident", "extendedIncident" ], "mainAction": [ "reported", "blocked", "partially_blocked" ], "priority": [ "unknown", "low", "medium", "high", "critical" ], "assignedUserId": "55127b8036492c2fc0718eea", "startDate": "2025-02-03T08:21:43+00:00", "endDate": "2025-02-04T08:23:43+00:00", "processedStartDate": "2025-02-03T08:21:43+00:00", "processedEndDate": "2025-02-04T08:23:43+00:00" }
`options`	An additional criterion used to filter the returned incidents.	Optional	Object	For more information, refer to `options`. Example "options": { "includeChildCompanies": true, }

General parameters

These are common parameters, available across all public API methods:

Parameter	Description	Included in request	Type	Value requirements
`id`	This parameter adds an identifier to the request, linking it to its corresponding response. The target replies with the same value in the response, allowing easy call tracking.	Mandatory	String	No additional requirements. Example "id": "ad12cb61-52b3-4209-a87a-93a8530d91cb"
`method`	The name of the method you are using to send the request.	Mandatory	String	Must be a valid method name. Example "method": "methodName"
`jsonrpc`	The version of JSON-RPC used by the request and the response.	Mandatory	String	The only possible value is `2.0`. Example "jsonrpc": "2.0"
`params`	An object containing the configuration of the request.	Mandatory	Object	No additional requirements. Example "params": {...}

Objects

`filters`

Parameter	Description	Included in request	Type
`companyId`	The ID of a managed company for which you want to retrieve the incidents. Default value: The ID of the company associated with the API key used for the request. This parameter should consist of exactly 24 hexadecimal characters.	Optional	String
`endpointId`	The ID of the endpoint that should appear among the involved nodes of the incidents returned.	Optional	String
`status`	The statuses used to filter the incidents included in the response. Each array element must be one of the following values: `open`: The incident has been recently generated and is yet to be investigated. `closed`: The incident was confirmed as valid and is now closed following investigation. `in_progress`: The incident is currently under investigation. `false_positive`: The incident was investigated and confirmed to be a false alarm. `closed_mdr_reviewed`: The incident was reviewed and closed by the MDR SOC.	Optional	Array of strings
`priority`	The priorities used to filter the incidents included in the response. Each array element must be one of the following values: `unknown` `low` `medium` `high` `critical`	Optional	Array of strings
`incidentType`	The possible types of the incidents to be returned. The array can contain only the following allowed values: `incident`: Endpoint incident. `extendedIncident`: Organization incident.	Optional	Array of strings
`mainAction`	The main automatic actions performed by the protection technologies at the time of incident detection that the returned incidents must match. Each array element must be one of the following values: `reported`: No action was taken upon the Endpoint or Organization incident, and it requires further investigation. `blocked`: The Endpoint incident was detected and blocked by GravityZone prevention modules. `partially_blocked`: The automatic actions defined in the policies have been taken only on some entities in the Organization incident.	Optional	Array of strings
`assignedUserId`	The ID of the user assigned to the returned incidents.	Optional	String
`startDate`	The date and time after which the returned incidents were last updated. Important You can use this parameter only if `endDate` is also included in the request. The value assigned to this parameter must be earlier than the value of `endDate`.	Optional	String in ISO-8601 format
`endDate`	The date and time before which the returned incidents were last updated. Important You can use this parameter only if `startDate` is also included in the request. The value assigned to this parameter must occur after the value of `startDate`.	Optional	String in ISO-8601 format
`processedStartDate`	The date and time after which the returned incidents were last processed by GravityZone. Important You can use this parameter only if `processedEndDate` is also included in the request. The value assigned to this parameter must be earlier than the value of `processedEndDate`.	Optional	String in ISO-8601 format
`processedEndDate`	The date and time before which the returned incidents were last processed by GravityZone. Important You can use this parameter only if `processedStartDate` is also included in the request. The value assigned to this parameter must occur after the value of `processedStartDate`.	Optional	String in ISO-8601 format

`options`

Parameter	Description	Included in request	Type
`includeChildCompanies`	If set to `true`, the search will also include incidents from all managed companies, recursively.	Optional.	Boolean

Return value

This method returns the result Object containing information about incident items. result contains:

Attribute	Type	Description
`page`	Integer	The number of the page that is currently displayed.
`pagesCount`	Integer	The total number of pages.
`perPage`	Integer	The number of items returned per page.
`total`	Integer	The total number of items.
`items`	Array of Objects	The items that contain information on incidents. For more information, refer to `items`.

Objects

`items`

Each object in the array provides details regarding a specific incident.

Attribute	Type	Description
`incidentId`	String	The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.
`incidentNumber`	Integer	The incident ID displayed in GravityZone Control Center, in the Incidents page.
`incidentType`	String	The type of the incident. Possible values: `incident`: Endpoint incident. `extendedIncident`: Organization incident.
`company`	Object	Data regarding the company where the incident occurred. The object contains the following settings: `id` (String): The company ID. `name` (String): The company name.
`status`	String	The status of the incident. Possible values: `open`: The incident has been recently generated and is yet to be investigated. `closed`: The incident was confirmed as valid and is now closed following investigation. `in_progress`: The incident is currently under investigation. `false_positive`: The incident was investigated and confirmed to be a false alarm. `closed_mdr_reviewed`: The incident was reviewed and closed by the MDR SOC.
`mainAction`	String	The main action taken automatically by the protection technologies when the incident was detected. Possible values: `reported`: No action was taken upon the Endpoint or Organization incident, and it requires further investigation. `partially_blocked`: The automatic actions defined in the policies have been taken only on some entities in the Organization incident. `blocked`: The Endpoint incident was detected and blocked by GravityZone prevention modules.
`created`	String	The date and time when the incident was detected in the network, in ISO-8601 format.
`lastUpdated`	String	The date and time when the incident was last updated in GravityZone, in ISO-8601 format.
`lastProcessed`	String	The date and time when the incident was last processed by GravityZone, in ISO-8601 format.
`severityScore`	Integer	The severity score assigned to the incident, as reported by the detection technologies. Possible values: `1` - `100`.
`incidentLink`	String	A URL that can be used to open the incident details in GravityZone Control Center. Note Users need to log in to GravityZone Control Center to access the incident.
`assignee`	String	The user ID of the GravityZone user that is assigned to this incident. This parameter should consist of exactly 24 hexadecimal characters.
`priority`	String	The priority of the incident. Possible values: `unknown` `low` `medium` `high` `critical`
`attackTypes`	Array of strings	A list of attack types detected in the incident. Each String can be, for example: `Credential Access` `Malware` `Ransomware` `Password Stealer`
`details`	Object	Additional information regarding the incident. The information depends on the value assigned to the `incidentType` attribute. For more information, refer to `details`.

`details`

Attribute	Type	Description
Endpoint incidents (`incidentType` is `incident`)
`detectionName`	String	The name of the detection.
`partOf`	Array of objects	The Organization incidents in which this incident was used for correlating data. For more information about each object in the array, review `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents).
`computerId`	String	The ID of the endpoint that generated the incident.
`computerName`	String	The name of the endpoint that generated the incident.
`computerFqdn`	String	The FQDN of the endpoint that generated the incident.
`computerIp`	String	The IP of the endpoint that generated the incident. If the endpoint has multiple IPs, the one used to communicate with GravityZone will be reported here, not the one used in the attack.
`computerMacAddresses`	Array of strings	A list of the endpoints' MAC addresses.
`counters`	Object	Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to `counters` (Endpoint and Organization incidents).
`incidentEvolution`	Array of objects	The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow from GravityZone Control Center. In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain. For information about each object in the array, refer to `incidentEvolution` (Endpoint and Organization incidents).
Organization incidents (`incidentType` is `extendedIncident`)
`incidentEvolution`	Array of objects	The array is populated only when the Create a separate incident when new activity is detected option is enabled in the Settings tab within the company edit workflow from GravityZone Control Center. In this case, a new incident is generated whenever new activity is detected on a closed incident. The newly created incident remains open and is continuously updated with related activity until it is closed. If further activity is detected after this incident is closed, another new incident is created. All related incidents generated through this process form the Incident evolution chain. For information about each object in the array, refer to `incidentEvolution` (Endpoint and Organization incidents).
`partOf`	Object	The Organization incidents in which this incident was used for correlating data. For information about each object in the array, refer to `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents).
`contains`	Object	The other incidents that were used for correlating data in this incident. For information about each object in the array, refer to `partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents).
`counters`	Object	Counters that reflect how many resources of a certain type are present in the incident. For information on the fields included in this object, refer to `counters` (Endpoint and Organization incidents).

`partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents)

Attribute	Type	Description
`incidentId`	String	The ID of the incident.
`incidentLink`	String	A URL that can be used to open the incident details in GravityZone Control Center. Note Users need to log in to GravityZone Control Center to access the incident.

`incidentEvolution` (Endpoint and Organization incidents)

Attribute	Type	Description
`incidentId`	String	The internal incident ID, which is included in the URL of the incident details page from GravityZone Control Center.
`incidentNumber`	Integer	The incident ID displayed in GravityZone Control Center, in the Incidents page, without the `#` prefix.
`status`	String	The status of the incident. Possible values: `open`: The incident has been recently generated and is yet to be investigated. `in_progress`: The incident is currently under investigation. `false_positive`: The incident was investigated and confirmed to be a false alarm. `closed`: The incident was confirmed as valid and is now closed following investigation. `closed_mdr_reviewed`: The incident was reviewed and closed by the MDR SOC.
`incidentLink`	String	A URL linking to a web page where the incident details can be viewed in a browser.

`counters` (Endpoint and Organization incidents)

Attribute	Type	Description
Endpoint incidents
`endpoints`	Integer	The number of endpoints involved in the incident.
`files`	Integer	The number of files involved in the incident.
`processes`	Integer	The number of processes involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`registries`	Integer	The number of registry keys involved in the incident. This applies only to endpoints that use Windows.
`events`	Integer	The number of system events involved in the incident.
`storages`	Integer	The number of storage devices involved in the incident.
Organization incidents
`endpoints`	Integer	The number of endpoints involved in the incident.
`servers`	Integer	The number of servers involved in the incident.
`mobileDevices`	Integer	The number of mobile devices involved in the incident.
`printers`	Integer	The number of printers involved in the incident.
`routers`	Integer	The number of routers involved in the incident.
`IoTs`	Integer	The number of Internet-of-Things involved in the incident.
`identities`	Integer	The number of identities involved in the incident.
`emails`	Integer	The number of emails involved in the incident.
`IPs`	Integer	The number of IPs involved in the incident.
`domains`	Integer	The number of domains involved in the incident.
`DNSs`	Integer	The number of domain name servers involved in the incident.
`DGAs`	Integer	The number of domain generation algorithms (DGAs) involved in the incident.
`cloudStorages`	Integer	The number of cloud storages involved in the incident.
`torNodes`	Integer	The number of Tor nodes involved in the incident.
`externalDrives`	Integer	The number of external drives involved in the incident.
`externalSources`	Integer	The number of external sources involved in the incident.
`exfiltratedFiles`	Integer	The number of exfiltrated files involved in the incident.
`internalIPs`	Integer	The number of internal IPs involved in the incident.
`internalEmails`	Integer	The number of internal emails involved in the incident.
`users`	Integer	The number of users involved in the incident.
`virtualDesktops`	Integer	The number of virtual desktops involved in the incident.
`containers`	Integer	The number of containers (Docker, k8s, etc.) involved in the incident.
`databases`	Integer	The number of databases involved in the incident.
`storages`	Integer	The number of storages involved in the incident.
`office365Instances`	Integer	The number of Microsoft 365 (Office 365) instances involved in the incident.
`ADInstances`	Integer	The number of Active Directory instances involved in the incident.
`azureADInstances`	Integer	The number of Azure Active Directory instances involved in the incident.
`GCPInstances`	Integer	The number of Google Cloud Platform instances involved in the incident.
`googleWorkspaceInstances`	Integer	The number of Google Workspace instances involved in the incident.
`atlassianInstances`	Integer	The number of Atlassian instances involved in the incident.
`atlassianBitbucketProducts`	Integer	The number of Atlassian Bitbucket products involved in the incident.
`atlassianJiraProducts`	Integer	The number of Atlassian Jira products involved in the incident.
`atlassianConfluenceProducts`	Integer	The number of Atlassian Confluence products involved in the incident.
`bitbucketProjects`	Integer	The number of Bitbucket projects involved in the incident.
`confluenceSpaces`	Integer	The number of Confluence spaces involved in the incident.
`AWSInstances`	Integer	The number of AWS instances involved in the incident.

Example

Request

{
    "id": "b1c2d3e4-f5a6-7890-b123-cdef45678901",
    "method": "getIncidentsList",
    "jsonrpc": "2.0",
    "params": {
        "page": 1,
        "perPage": 100,
        "filters": {
            "companyId": "5e4d3c2b1a0987654321fedc",
            "endpointId": "7f127b8036492c2fc071823d",
            "status": [
                "open",
                "closed",
                "in_progress",
                "false_positive"
            ],
            "incidentType": [
                "incident",
                "extendedIncident"
            ],
            "mainAction": [
                "reported",
                "blocked",
                "partially_blocked"
            ],
            "priority": [
                "unknown",
                "low",
                "medium",
                "high",
                "critical"
            ],
            "assignedUserId": "55127b8036492c2fc0718eea",
            "processedStartDate": "2026-03-01T00:00:00+00:00",
            "processedEndDate": "2026-03-31T23:59:59+00:00"
        },
        "options": {
            "includeChildCompanies": true
        }
    }
}

Response

{
    "id": "b1c2d3e4-f5a6-7890-b123-cdef45678901",
    "jsonrpc": "2.0",
    "result": {
        "total": 2,
        "page": 1,
        "perPage": 100,
        "pagesCount": 1,
        "items": [
            {
                "incidentId": "6a1b2c3d4e5f67890abcde01",
                "incidentNumber": 101,
                "status": "open",
                "mainAction": "reported",
                "created": "2026-03-15T15:03:03+00:00",
                "lastUpdated": "2026-03-16T09:14:22+00:00",
                "lastProcessed": "2026-03-16T09:15:01+00:00",
                "severityScore": 72,
                "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde01",
                "assignee": "55127b8036492c2fc0718eea",
                "priority": "high",
                "attackTypes": [
                    "Credential Access"
                ],
                "company": {
                    "id": "5e4d3c2b1a0987654321fedc",
                    "name": "Acme Corporation"
                },
                "incidentType": "incident",
                "details": {
                    "detectionName": "Suspicious registry access",
                    "counters": {
                        "endpoints": 1,
                        "files": 2,
                        "processes": 6,
                        "domains": 0,
                        "registries": 1,
                        "events": 12,
                        "storages": 0
                    },
                    "incidentEvolution": [
                        {
                            "incidentId": "6a1b2c3d4e5f67890abcde03",
                            "incidentNumber": 103,
                            "status": "in_progress",
                            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde03"
                        }
                    ],
                    "computerId": "5d4c3b2a190876543210fed2",
                    "computerName": "SERVER-PROD-01",
                    "computerFqdn": "server-prod-01.example.local",
                    "computerIp": "192.0.2.10",
                    "computerMacAddresses": [
                        "00CCDD445566"
                    ],
                    "partOf": [
                        {
                            "incidentId": "6a1b2c3d4e5f67890abcde10",
                            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde10"
                        }
                    ]
                }
            },
            {
                "incidentId": "6a1b2c3d4e5f67890abcde02",
                "incidentNumber": 102,
                "status": "closed",
                "mainAction": "blocked",
                "created": "2026-03-10T13:38:01+00:00",
                "lastUpdated": "2026-03-11T08:22:11+00:00",
                "lastProcessed": "2026-03-11T08:23:10+00:00",
                "severityScore": 90,
                "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde02",
                "assignee": "55127b8036492c2fc0718eea",
                "priority": "critical",
                "attackTypes": [
                    "Exfiltration",
                    "SpearPhishing"
                ],
                "company": {
                    "id": "5e4d3c2b1a0987654321fedc",
                    "name": "Acme Corporation"
                },
                "incidentType": "extendedIncident",
                "details": {
                    "counters": {
                        "endpoints": 1,
                        "servers": 0,
                        "mobileDevices": 0,
                        "printers": 0,
                        "routers": 0,
                        "IoTs": 0,
                        "identities": 3,
                        "emails": 1,
                        "IPs": 2,
                        "domains": 1,
                        "DNSs": 0,
                        "DGAs": 0,
                        "cloudStorages": 1,
                        "torNodes": 0,
                        "externalDrives": 0,
                        "externalSources": 1,
                        "exfiltratedFiles": 2,
                        "internalIPs": 0,
                        "internalEmails": 1,
                        "users": 2,
                        "virtualDesktops": 0,
                        "containers": 0,
                        "databases": 0,
                        "storages": 0,
                        "office365Instances": 1,
                        "ADInstances": 0,
                        "azureADInstances": 1,
                        "AWSInstances": 0,
                        "GCPInstances": 0,
                        "googleWorkspaceInstances": 0,
                        "atlassianInstances": 0,
                        "atlassianBitbucketProducts": 0,
                        "atlassianJiraProducts": 0,
                        "atlassianConfluenceProducts": 0,
                        "bitbucketProjects": 0,
                        "confluenceSpaces": 0
                    },
                    "incidentEvolution": [
                        {
                            "incidentId": "6a1b2c3d4e5f67890abcde12",
                            "incidentNumber": 112,
                            "status": "false_positive",
                            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde12"
                        }
                    ],
                    "contains": [
                        {
                            "incidentId": "6a1b2c3d4e5f67890abcde21",
                            "incidentLink": "https://your-gz-console.example.com/#!/incidents/view/6a1b2c3d4e5f67890abcde21"
                        }
                    ],
                    "partOf": [
                    ]
                }
            }
        ]
    }
}

In this section:

getIncidentsList

Parameters

General parameters

Objects

filters

Important

Important

Important

Important

options

Return value

Objects

items

Note

details

partOf (Endpoint and Organization incidents) and contains (Organization incidents)

Note

incidentEvolution (Endpoint and Organization incidents)

counters (Endpoint and Organization incidents)

Example

Search results

`filters`

`options`

`items`

`details`

`partOf` (Endpoint and Organization incidents) and `contains` (Organization incidents)

`incidentEvolution` (Endpoint and Organization incidents)

`counters` (Endpoint and Organization incidents)