> ## Documentation Index > Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt > Use this file to discover all available pages before exploring further. # Bulk update incidents across workspaces ## OpenAPI ````yaml /api-reference/openapi.json post /api/v2/incidents/across-workspaces/bulk-update openapi: 3.1.1 info: title: ContraForce API description: ContraForce platform API for security operations management. version: '2.0' servers: [] security: [] tags: - name: Incidents - name: Gamebooks - name: Data sources - name: Service tickets - name: Investigation - name: agent-tools - name: Cross-workspace incidents - name: Cross-workspace gamebooks - name: Cross-workspace data sources - name: Webhooks - name: Service accounts - name: Users - name: Azure resources paths: /api/v2/incidents/across-workspaces/bulk-update: post: tags: - Cross-workspace incidents summary: Bulk update incidents across workspaces operationId: v2-bulk-update-incidents-across-workspaces requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkUpdateIncidentsRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ApiResponseOfBulkUpdateIncidentResultDto' '400': description: Bad request — validation or parameter binding failed. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '401': description: Unauthorized — missing or invalid Bearer token. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '403': description: Forbidden — insufficient scope or workspace access. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '404': description: Not found — workspace or resource is missing. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '500': description: Internal server error. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' components: schemas: BulkUpdateIncidentsRequest: type: object properties: items: type: - 'null' - array items: $ref: '#/components/schemas/UpdateIncidentRequest' description: v2 request body for the cross-workspace bulk incident update endpoint. ApiResponseOfBulkUpdateIncidentResultDto: type: object properties: data: $ref: '#/components/schemas/BulkUpdateIncidentResultDto' meta: $ref: '#/components/schemas/ResponseMeta' description: Standard v2 API response envelope for single-item responses. ApiProblemDetails: type: object properties: type: type: - 'null' - string title: type: - 'null' - string status: pattern: ^-?(?:0|[1-9]\d*)$ type: - 'null' - integer - string format: int32 detail: type: - 'null' - string instance: type: - 'null' - string code: type: - 'null' - string requestId: type: - 'null' - string timestamp: type: - 'null' - string target: type: - 'null' - string errors: type: - 'null' - object additionalProperties: type: array items: type: string description: >- API extension of ProblemDetails that surfaces the stable error code, trace identifier, timestamp, optional target, and optional field-keyed validation error map alongside the RFC 7807 members. UpdateIncidentRequest: required: - id type: object properties: id: type: - 'null' - string status: oneOf: - type: 'null' - $ref: '#/components/schemas/Status' user: $ref: '#/components/schemas/UserSummary' workspace: type: - 'null' - string description: >- Indicates the workspace that the incident is related to in case of multi-workspace environments removeAssignee: type: boolean description: |- If UserId is set to null but this is set to true, the incident will be unassigned, otherwise it will stay assigned to the current user comment: type: - 'null' - string classification: oneOf: - type: 'null' - $ref: '#/components/schemas/Classification' classificationReason: oneOf: - type: 'null' - $ref: '#/components/schemas/ClassificationReason' incidentSource: $ref: '#/components/schemas/IncidentSource' description: >- The source system that contains the incident like Sentinel, Defender ..etc BulkUpdateIncidentResultDto: type: object properties: accepted: type: - 'null' - array items: type: string description: >- Incident IDs the caller is authorized to update. These are scheduled for async processing. forbidden: type: - 'null' - array items: $ref: '#/components/schemas/ForbiddenBulkUpdateIncidentDto' description: >- Incidents the caller is not authorized to update, grouped with the reason. description: >- Outcome of a bulk incident update request after per-incident authorization. ResponseMeta: type: object properties: requestId: type: - 'null' - string timestamp: type: - 'null' - string Status: enum: - Active - New - Closed UserSummary: type: object properties: id: type: - 'null' - string displayName: type: - 'null' - string email: type: - 'null' - string description: >- Represents a light version of the user object, that is used to add reference to a specific user in a foriegn entities Classification: enum: - BenignPositive - FalsePositive - TruePositive - Undetermined - InformationalExpectedActivity - Unknown - NonIssue - PolicyViolation - QradarFalsePositive - Undefined - Suspicious - null ClassificationReason: enum: - InaccurateData - IncorrectAlertLogic - SuspiciousActivity - SuspiciousButExpected - Unknown - Apt - Malware - SecurityPersonnel - SecurityTesting - UnwantedSoftware - Other - MultistagedAttack - CompromisedUser - Phishing - MaliciousUserActivity - NotMalicious - NoEnoughDataToValidate - ConfirmedUserActivity - LineOfBusinessApplication - null IncidentSource: enum: - Sentinel - DefenderXDR - QRadar - Splunk - CrowdStrike - SentinelOne ForbiddenBulkUpdateIncidentDto: type: object properties: incidentId: type: - 'null' - string workspaceId: type: - 'null' - string reason: type: - 'null' - string description: Per-incident rejection detail for a bulk update. ````