curl --request POST \
--url https://api.example.com/api/v2/incidents/across-workspaces \
--header 'Content-Type: application/json' \
--data '
{
"severities": [],
"statuses": [],
"timeFilterSelection": {
"customStartUtc": "2023-11-07T05:31:56Z",
"customEndUtc": "2023-11-07T05:31:56Z"
},
"workspacePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"query": "<string>",
"isFirstCall": true,
"sources": [],
"assigneeIds": [
"<string>"
],
"assigneeEmails": [
"<string>"
],
"includeUnassigned": true
}
'import requests
url = "https://api.example.com/api/v2/incidents/across-workspaces"
payload = {
"severities": [],
"statuses": [],
"timeFilterSelection": {
"customStartUtc": "2023-11-07T05:31:56Z",
"customEndUtc": "2023-11-07T05:31:56Z"
},
"workspacePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"query": "<string>",
"isFirstCall": True,
"sources": [],
"assigneeIds": ["<string>"],
"assigneeEmails": ["<string>"],
"includeUnassigned": True
}
headers = {"Content-Type": "application/json"}
response = requests.post(url, json=payload, headers=headers)
print(response.text)const options = {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
severities: [],
statuses: [],
timeFilterSelection: {customStartUtc: '2023-11-07T05:31:56Z', customEndUtc: '2023-11-07T05:31:56Z'},
workspacePageTokens: [{workspaceId: '<string>', sourceTokens: {}}],
query: '<string>',
isFirstCall: true,
sources: [],
assigneeIds: ['<string>'],
assigneeEmails: ['<string>'],
includeUnassigned: true
})
};
fetch('https://api.example.com/api/v2/incidents/across-workspaces', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api.example.com/api/v2/incidents/across-workspaces",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => json_encode([
'severities' => [
],
'statuses' => [
],
'timeFilterSelection' => [
'customStartUtc' => '2023-11-07T05:31:56Z',
'customEndUtc' => '2023-11-07T05:31:56Z'
],
'workspacePageTokens' => [
[
'workspaceId' => '<string>',
'sourceTokens' => [
]
]
],
'query' => '<string>',
'isFirstCall' => true,
'sources' => [
],
'assigneeIds' => [
'<string>'
],
'assigneeEmails' => [
'<string>'
],
'includeUnassigned' => true
]),
CURLOPT_HTTPHEADER => [
"Content-Type: application/json"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}package main
import (
"fmt"
"strings"
"net/http"
"io"
)
func main() {
url := "https://api.example.com/api/v2/incidents/across-workspaces"
payload := strings.NewReader("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := io.ReadAll(res.Body)
fmt.Println(string(body))
}HttpResponse<String> response = Unirest.post("https://api.example.com/api/v2/incidents/across-workspaces")
.header("Content-Type", "application/json")
.body("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")
.asString();require 'uri'
require 'net/http'
url = URI("https://api.example.com/api/v2/incidents/across-workspaces")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
request = Net::HTTP::Post.new(url)
request["Content-Type"] = 'application/json'
request.body = "{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}"
response = http.request(request)
puts response.read_body{
"data": {
"incidents": [
{
"id": "<string>",
"name": "<string>",
"displayId": "<string>",
"title": "<string>",
"description": "<string>",
"number": 123,
"type": "<string>",
"sourceDisplayName": "<string>",
"lastModificationTime": "2023-11-07T05:31:56Z",
"creationTime": "2023-11-07T05:31:56Z",
"lastActivityTime": "2023-11-07T05:31:56Z",
"comment": "<string>",
"classificationComment": "<string>",
"tactics": [
"<string>"
],
"ruleIds": [
"<string>"
],
"alertProductNames": [
"<string>"
],
"user": {
"id": "<string>",
"displayName": "<string>",
"email": "<string>"
},
"isAssigned": true,
"productId": "<string>",
"alertsCount": 123,
"entities": [
{
"id": "<string>",
"kind": "<string>",
"displayName": "<string>",
"friendlyName": "<string>",
"fileName": "<string>",
"hostName": "<string>",
"accountEntityId": "<string>",
"deviceId": "<string>",
"deviceAzureId": "<string>",
"defenderAtpDeviceId": "<string>",
"defenderEndpointDeviceId": "<string>",
"networkMessageId": "<string>",
"hashAlgorithm": "<string>",
"aadUserId": "<string>",
"emailAddress": "<string>",
"userPrincipalName": "<string>",
"ipAddress": "<string>",
"fileHash": "<string>",
"emailId": "<string>",
"emailSubject": "<string>"
}
],
"workspaceName": "<string>",
"workspaceId": "<string>",
"isDefenderXDRSourced": true
}
],
"sourcePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"moreIncidentsAvailable": true
},
"meta": {
"requestId": "<string>",
"timestamp": "<string>"
}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}List incidents across workspaces
curl --request POST \
--url https://api.example.com/api/v2/incidents/across-workspaces \
--header 'Content-Type: application/json' \
--data '
{
"severities": [],
"statuses": [],
"timeFilterSelection": {
"customStartUtc": "2023-11-07T05:31:56Z",
"customEndUtc": "2023-11-07T05:31:56Z"
},
"workspacePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"query": "<string>",
"isFirstCall": true,
"sources": [],
"assigneeIds": [
"<string>"
],
"assigneeEmails": [
"<string>"
],
"includeUnassigned": true
}
'import requests
url = "https://api.example.com/api/v2/incidents/across-workspaces"
payload = {
"severities": [],
"statuses": [],
"timeFilterSelection": {
"customStartUtc": "2023-11-07T05:31:56Z",
"customEndUtc": "2023-11-07T05:31:56Z"
},
"workspacePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"query": "<string>",
"isFirstCall": True,
"sources": [],
"assigneeIds": ["<string>"],
"assigneeEmails": ["<string>"],
"includeUnassigned": True
}
headers = {"Content-Type": "application/json"}
response = requests.post(url, json=payload, headers=headers)
print(response.text)const options = {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
severities: [],
statuses: [],
timeFilterSelection: {customStartUtc: '2023-11-07T05:31:56Z', customEndUtc: '2023-11-07T05:31:56Z'},
workspacePageTokens: [{workspaceId: '<string>', sourceTokens: {}}],
query: '<string>',
isFirstCall: true,
sources: [],
assigneeIds: ['<string>'],
assigneeEmails: ['<string>'],
includeUnassigned: true
})
};
fetch('https://api.example.com/api/v2/incidents/across-workspaces', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api.example.com/api/v2/incidents/across-workspaces",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => json_encode([
'severities' => [
],
'statuses' => [
],
'timeFilterSelection' => [
'customStartUtc' => '2023-11-07T05:31:56Z',
'customEndUtc' => '2023-11-07T05:31:56Z'
],
'workspacePageTokens' => [
[
'workspaceId' => '<string>',
'sourceTokens' => [
]
]
],
'query' => '<string>',
'isFirstCall' => true,
'sources' => [
],
'assigneeIds' => [
'<string>'
],
'assigneeEmails' => [
'<string>'
],
'includeUnassigned' => true
]),
CURLOPT_HTTPHEADER => [
"Content-Type: application/json"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}package main
import (
"fmt"
"strings"
"net/http"
"io"
)
func main() {
url := "https://api.example.com/api/v2/incidents/across-workspaces"
payload := strings.NewReader("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := io.ReadAll(res.Body)
fmt.Println(string(body))
}HttpResponse<String> response = Unirest.post("https://api.example.com/api/v2/incidents/across-workspaces")
.header("Content-Type", "application/json")
.body("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")
.asString();require 'uri'
require 'net/http'
url = URI("https://api.example.com/api/v2/incidents/across-workspaces")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
request = Net::HTTP::Post.new(url)
request["Content-Type"] = 'application/json'
request.body = "{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}"
response = http.request(request)
puts response.read_body{
"data": {
"incidents": [
{
"id": "<string>",
"name": "<string>",
"displayId": "<string>",
"title": "<string>",
"description": "<string>",
"number": 123,
"type": "<string>",
"sourceDisplayName": "<string>",
"lastModificationTime": "2023-11-07T05:31:56Z",
"creationTime": "2023-11-07T05:31:56Z",
"lastActivityTime": "2023-11-07T05:31:56Z",
"comment": "<string>",
"classificationComment": "<string>",
"tactics": [
"<string>"
],
"ruleIds": [
"<string>"
],
"alertProductNames": [
"<string>"
],
"user": {
"id": "<string>",
"displayName": "<string>",
"email": "<string>"
},
"isAssigned": true,
"productId": "<string>",
"alertsCount": 123,
"entities": [
{
"id": "<string>",
"kind": "<string>",
"displayName": "<string>",
"friendlyName": "<string>",
"fileName": "<string>",
"hostName": "<string>",
"accountEntityId": "<string>",
"deviceId": "<string>",
"deviceAzureId": "<string>",
"defenderAtpDeviceId": "<string>",
"defenderEndpointDeviceId": "<string>",
"networkMessageId": "<string>",
"hashAlgorithm": "<string>",
"aadUserId": "<string>",
"emailAddress": "<string>",
"userPrincipalName": "<string>",
"ipAddress": "<string>",
"fileHash": "<string>",
"emailId": "<string>",
"emailSubject": "<string>"
}
],
"workspaceName": "<string>",
"workspaceId": "<string>",
"isDefenderXDRSourced": true
}
],
"sourcePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"moreIncidentsAvailable": true
},
"meta": {
"requestId": "<string>",
"timestamp": "<string>"
}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}Body
v2 request for listing incidents across multiple workspaces.
Filter incidents to only the listed severities. Empty list returns all severities.
Informational, Low, Medium, High Filter incidents to only the listed statuses. Empty list returns all statuses.
Active, New, Closed Time window for incident creation. Defaults to the last 24 hours.
Show child attributes
Show child attributes
Opaque pagination tokens echoed from the previous response's SourcePageTokens.
Leave empty on the first call. See type-level remarks for the pagination protocol.
Show child attributes
Show child attributes
Free-text search applied across incident title/description fields. Empty matches all.
true for the initial request; false when echoing
List<WorkspaceSourcePageTokens> ListIncidentsAcrossWorkspacesRequest.WorkspacePageTokens back for subsequent pages. See type-level
remarks for the pagination protocol.
Filter incidents to only the listed sources (e.g. Sentinel, DefenderXDR, CrowdStrike). Empty list returns all sources the caller has access to.
Sentinel, DefenderXDR, QRadar, Splunk, CrowdStrike, SentinelOne Filter incidents assigned to any of the listed ContraForce user IDs.
Filter incidents assigned to any of the listed user email addresses.
When true, include incidents that have no assignee alongside any
matches from List<string> ListIncidentsAcrossWorkspacesRequest.AssigneeIds / List<string> ListIncidentsAcrossWorkspacesRequest.AssigneeEmails.