POST /api/v2/incidents/across-workspaces
List incidents across workspaces
curl --request POST \
  --url https://api.example.com/api/v2/incidents/across-workspaces \
  --header 'Content-Type: application/json' \
  --data '
{
  "severities": [
    "Informational"
  ],
  "statuses": [
    "Active"
  ],
  "timeFilterSelection": {
    "type": "ThreeHours",
    "customStartUtc": "2023-11-07T05:31:56Z",
    "customEndUtc": "2023-11-07T05:31:56Z"
  },
  "workspacePageTokens": [
    {
      "workspaceId": "<string>",
      "sourceTokens": {}
    }
  ],
  "query": "<string>",
  "isFirstCall": true,
  "sources": [
    "Sentinel"
  ],
  "assigneeIds": [
    "<string>"
  ],
  "assigneeEmails": [
    "<string>"
  ],
  "includeUnassigned": true
}
'

{
  "data": {
    "incidents": [
      {
        "id": "<string>",
        "name": "<string>",
        "title": "<string>",
        "description": "<string>",
        "number": 123,
        "type": "<string>",
        "source": "Sentinel",
        "sourceDisplayName": "<string>",
        "lastModificationTime": "2023-11-07T05:31:56Z",
        "creationTime": "2023-11-07T05:31:56Z",
        "lastActivityTime": "2023-11-07T05:31:56Z",
        "severity": "Informational",
        "classification": "BenignPositive",
        "comment": "<string>",
        "classificationReason": "InaccurateData",
        "classificationComment": "<string>",
        "tactics": [
          "<string>"
        ],
        "ruleIds": [
          "<string>"
        ],
        "alertProductNames": [
          "<string>"
        ],
        "user": {
          "id": "<string>",
          "displayName": "<string>",
          "email": "<string>"
        },
        "isAssigned": true,
        "productId": "<string>",
        "status": "Active",
        "alertsCount": 123,
        "entities": [
          {
            "id": "<string>",
            "type": "User",
            "kind": "<string>",
            "displayName": "<string>",
            "friendlyName": "<string>",
            "fileName": "<string>",
            "hostName": "<string>",
            "accountEntityId": "<string>",
            "deviceId": "<string>",
            "deviceAzureId": "<string>",
            "defenderAtpDeviceId": "<string>",
            "defenderEndpointDeviceId": "<string>",
            "networkMessageId": "<string>",
            "hashAlgorithm": "<string>",
            "aadUserId": "<string>",
            "emailAddress": "<string>",
            "userPrincipalName": "<string>",
            "ipAddress": "<string>",
            "fileHash": "<string>",
            "emailId": "<string>",
            "emailSubject": "<string>"
          }
        ],
        "workspaceName": "<string>",
        "workspaceId": "<string>",
        "isDefenderXDRSourced": true
      }
    ],
    "sourcePageTokens": [
      {
        "workspaceId": "<string>",
        "sourceTokens": {}
      }
    ],
    "moreIncidentsAvailable": true
  },
  "meta": {
    "requestId": "<string>",
    "timestamp": "<string>"
  }
}

Body

application/json

v2 request for listing incidents across multiple workspaces.

severities
null | enum<string>[]
Available options: Informational, Low, Medium, High
statuses
null | enum<string>[]
Available options: Active, New, Closed
timeFilterSelection
object

Canonical representation of a global time filter. When Type == Custom, CustomStartUtc and CustomEndUtc must be provided (UTC).

workspacePageTokens
null | object[]
query
null | string
isFirstCall
boolean
sources
null | enum<string>[]
Available options: Sentinel, DefenderXDR, QRadar, Splunk, CrowdStrike, SentinelOne
assigneeIds
null | string[]
assigneeEmails
null | string[]
includeUnassigned
boolean

Response

OK

Standard v2 API response envelope for single-item responses.

data
object

Wraps the result of listing incidents for multiple workspaces in multi-tenancy mode.

meta
object
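
The following is an added example, not code from this documentation: a Python client sketch that validates a request body against the option lists and the Custom time-filter rule above, then pages through results. The helper names (`build_request`, `fetch_all`) and the caller-supplied `send` function (which would add the URL and authentication) are hypothetical. Feeding the response's `sourcePageTokens` back as `workspacePageTokens` with `isFirstCall` set to false is an assumption inferred from the field names, not behaviour this page states.

```python
from datetime import timezone

# Enum values copied from the "Available options" lists on this page.
SEVERITIES = {"Informational", "Low", "Medium", "High"}
STATUSES = {"Active", "New", "Closed"}
SOURCES = {"Sentinel", "DefenderXDR", "QRadar", "Splunk", "CrowdStrike", "SentinelOne"}


def _utc(dt):
    """Format an aware datetime in the UTC 'Z' form used by the page's sample."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: the API expects UTC timestamps")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(severities=None, statuses=None, sources=None,
                  time_type="ThreeHours", start=None, end=None):
    """Return a first-call body, rejecting enum values the page does not list."""
    for name, given, allowed in (("severities", severities, SEVERITIES),
                                 ("statuses", statuses, STATUSES),
                                 ("sources", sources, SOURCES)):
        bad = set(given or ()) - allowed
        if bad:
            raise ValueError(f"{name}: unsupported value(s) {sorted(bad)}")
    time_filter = {"type": time_type}
    if time_type == "Custom":
        # Page rule: Custom requires both bounds, expressed in UTC.
        if start is None or end is None:
            raise ValueError("Custom time filter needs start and end")
        time_filter.update(customStartUtc=_utc(start), customEndUtc=_utc(end))
    return {"severities": severities, "statuses": statuses, "sources": sources,
            "timeFilterSelection": time_filter, "isFirstCall": True}


def fetch_all(send, body, max_pages=100):
    """Collect incidents page by page; `send` posts a body and returns parsed JSON."""
    incidents = []
    for _ in range(max_pages):  # hard cap so a repeating token cannot loop forever
        data = send(body)["data"]
        incidents.extend(data["incidents"])
        if not data.get("moreIncidentsAvailable"):
            return incidents
        # Assumption: the response's sourcePageTokens go back as workspacePageTokens.
        body = {**body, "isFirstCall": False,
                "workspacePageTokens": data["sourcePageTokens"]}
    raise RuntimeError("page limit reached with more incidents still available")
```

Raising at the page cap instead of returning a partial list keeps a truncated incident set from being mistaken for a complete one in downstream triage.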