GET /api/v2/workspaces/{workspaceId}/agent/tools/incidents/{source}/{incidentId}/related-by-entity
Agent tool related incidents
curl --request GET \
  --url https://api.example.com/api/v2/workspaces/{workspaceId}/agent/tools/incidents/{source}/{incidentId}/related-by-entity
{
  "data": {
    "incidents": [
      {
        "creationTime": "2023-11-07T05:31:56Z",
        "number": 123,
        "title": "<string>",
        "description": "<string>",
        "severity": "Informational",
        "status": "Active",
        "id": "<string>",
        "source": "Sentinel",
        "workspaceId": "<string>",
        "classificationComment": "<string>",
        "classification": "BenignPositive"
      }
    ]
  },
  "meta": {
    "requestId": "<string>",
    "timestamp": "<string>"
  }
}

Path Parameters

workspaceId
string<uuid>
required
source
enum<string>
required
Available options: Sentinel, DefenderXDR, QRadar, Splunk, CrowdStrike, SentinelOne
incidentId
string
required

Query Parameters

EntityKind
string

The entity's kind property as it appears on the incident (e.g. 'Account', 'Host', 'File', 'FileHash', 'Ip', 'Mailbox').

EntityFilter
string

Main matching property of the entity — the hash for File/FileHash, device name or ID for Host, UPN/email/object ID for Account, IP string for Ip. Wrong choices return zero matches; refer to the entity's primary identifier on the incident.

TimeFilteringType
any
required

Time window for related-incident search. Allowed values: ThreeHours, SixHours, TwelveHours, TwentyFourHours, FourtyEightHours, Custom. Default: TwentyFourHours.

Available options: ThreeHours, SixHours, TwelveHours, TwentyFourHours, FourtyEightHours, Custom, null
StartDate
string<date-time>

UTC start instant for Custom windows. Required when TimeFilteringType is Custom; ignored otherwise.

EndDate
string<date-time>

UTC end instant for Custom windows. Required when TimeFilteringType is Custom; ignored otherwise.

EntityName
string

Display name of the entity being investigated. Surfaced in the audit trail and the result's human-readable summary.

EntityType
enum<string>
required

Internal entity type enum — more granular than EntityKind (e.g. EntityType.Account vs EntityType.User). Use the value present on the entity in the incident.

Available options: User, IP, File, Process, Device, Malware, CloudApplication, DomainName, AzureResource, FileHash, RegistryKey, RegistryValue, SecurityGroup, URL, IoTDevice, Mailbox, MailCluster, MailMessage, Submission, SentinelEntities, DnsResolution, Registry, OAuthApplication, AmazonResource, BlobContainer, Blob, Container, ContainerRegistry, ContainerImage, GoogleCloudResource, KubernetesCluster, KubernetesController, KubernetesNamespace, KubernetesPod, KubernetesService, KubernetesSecret, KubernetesServiceAccount, AnalyzedMessage, DNS, Unknown

Response

OK

Standard v2 API response envelope for single-item responses.

data
object
meta
object
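
The following is an added example, not code from this documentation or its vendor: a Python helper that builds the request URL and enforces the path and query parameter rules listed above before anything is sent. The function names are hypothetical, `api.example.com` is the placeholder host from the curl sample, the start-before-end check is an assumption, EntityType is not checked against its enum, and authentication is omitted because the page does not describe it.

```python
import uuid
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

BASE_URL = "https://api.example.com"  # placeholder host from the page's curl sample
SOURCES = {"Sentinel", "DefenderXDR", "QRadar", "Splunk", "CrowdStrike", "SentinelOne"}
# Enum values copied from the page as spelled there (including "FourtyEightHours").
TIME_WINDOWS = {"ThreeHours", "SixHours", "TwelveHours", "TwentyFourHours",
                "FourtyEightHours", "Custom"}


def utc_instant(ts: datetime) -> str:
    """Render a timezone-aware datetime as a UTC date-time string."""
    if ts.tzinfo is None:
        raise ValueError("StartDate/EndDate must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def related_by_entity_url(workspace_id, source, incident_id, entity_type,
                          window="TwentyFourHours", start=None, end=None,
                          entity_kind=None, entity_filter=None, entity_name=None):
    """Build the request URL, enforcing the parameter rules listed on the page."""
    workspace = str(uuid.UUID(workspace_id))  # raises ValueError if not a UUID
    if source not in SOURCES:
        raise ValueError(f"unsupported source: {source!r}")
    if window not in TIME_WINDOWS:
        raise ValueError(f"unsupported TimeFilteringType: {window!r}")
    if not entity_type:
        raise ValueError("EntityType is required")
    params = {"EntityType": entity_type, "TimeFilteringType": window}
    if window == "Custom":
        # StartDate and EndDate are required for Custom and ignored otherwise.
        if start is None or end is None:
            raise ValueError("Custom needs both StartDate and EndDate")
        params["StartDate"], params["EndDate"] = utc_instant(start), utc_instant(end)
        if start >= end:  # client-side sanity check, not a rule stated on the page
            raise ValueError("StartDate must be before EndDate")
    optional = {"EntityKind": entity_kind, "EntityFilter": entity_filter,
                "EntityName": entity_name}
    params.update({k: v for k, v in optional.items() if v is not None})
    # incidentId is a free-form string: percent-encode it so a value containing
    # "/" or "?" cannot change which path is requested.
    path = (f"/api/v2/workspaces/{workspace}/agent/tools/incidents/{source}/"
            f"{quote(incident_id, safe='')}/related-by-entity")
    return f"{BASE_URL}{path}?{urlencode(params)}"
```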