Skip to main content
POST
/
api
/
v2
/
incidents
/
across-workspaces
List incidents across workspaces
curl --request POST \
  --url https://api.example.com/api/v2/incidents/across-workspaces \
  --header 'Content-Type: application/json' \
  --data '
{
  "severities": [],
  "statuses": [],
  "timeFilterSelection": {
    "customStartUtc": "2023-11-07T05:31:56Z",
    "customEndUtc": "2023-11-07T05:31:56Z"
  },
  "workspacePageTokens": [
    {
      "workspaceId": "<string>",
      "sourceTokens": {}
    }
  ],
  "query": "<string>",
  "isFirstCall": true,
  "sources": [],
  "assigneeIds": [
    "<string>"
  ],
  "assigneeEmails": [
    "<string>"
  ],
  "includeUnassigned": true
}
'
import requests

url = "https://api.example.com/api/v2/incidents/across-workspaces"

payload = {
"severities": [],
"statuses": [],
"timeFilterSelection": {
"customStartUtc": "2023-11-07T05:31:56Z",
"customEndUtc": "2023-11-07T05:31:56Z"
},
"workspacePageTokens": [
{
"workspaceId": "<string>",
"sourceTokens": {}
}
],
"query": "<string>",
"isFirstCall": True,
"sources": [],
"assigneeIds": ["<string>"],
"assigneeEmails": ["<string>"],
"includeUnassigned": True
}
headers = {"Content-Type": "application/json"}

response = requests.post(url, json=payload, headers=headers)

print(response.text)
const options = {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
severities: [],
statuses: [],
timeFilterSelection: {customStartUtc: '2023-11-07T05:31:56Z', customEndUtc: '2023-11-07T05:31:56Z'},
workspacePageTokens: [{workspaceId: '<string>', sourceTokens: {}}],
query: '<string>',
isFirstCall: true,
sources: [],
assigneeIds: ['<string>'],
assigneeEmails: ['<string>'],
includeUnassigned: true
})
};

fetch('https://api.example.com/api/v2/incidents/across-workspaces', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://api.example.com/api/v2/incidents/across-workspaces",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => json_encode([
'severities' => [

],
'statuses' => [

],
'timeFilterSelection' => [
'customStartUtc' => '2023-11-07T05:31:56Z',
'customEndUtc' => '2023-11-07T05:31:56Z'
],
'workspacePageTokens' => [
[
'workspaceId' => '<string>',
'sourceTokens' => [

]
]
],
'query' => '<string>',
'isFirstCall' => true,
'sources' => [

],
'assigneeIds' => [
'<string>'
],
'assigneeEmails' => [
'<string>'
],
'includeUnassigned' => true
]),
CURLOPT_HTTPHEADER => [
"Content-Type: application/json"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"strings"
"net/http"
"io"
)

func main() {

url := "https://api.example.com/api/v2/incidents/across-workspaces"

payload := strings.NewReader("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")

req, _ := http.NewRequest("POST", url, payload)

req.Header.Add("Content-Type", "application/json")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://api.example.com/api/v2/incidents/across-workspaces")
.header("Content-Type", "application/json")
.body("{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}")
.asString();
require 'uri'
require 'net/http'

url = URI("https://api.example.com/api/v2/incidents/across-workspaces")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["Content-Type"] = 'application/json'
request.body = "{\n \"severities\": [],\n \"statuses\": [],\n \"timeFilterSelection\": {\n \"customStartUtc\": \"2023-11-07T05:31:56Z\",\n \"customEndUtc\": \"2023-11-07T05:31:56Z\"\n },\n \"workspacePageTokens\": [\n {\n \"workspaceId\": \"<string>\",\n \"sourceTokens\": {}\n }\n ],\n \"query\": \"<string>\",\n \"isFirstCall\": true,\n \"sources\": [],\n \"assigneeIds\": [\n \"<string>\"\n ],\n \"assigneeEmails\": [\n \"<string>\"\n ],\n \"includeUnassigned\": true\n}"

response = http.request(request)
puts response.read_body
{
  "data": {
    "incidents": [
      {
        "id": "<string>",
        "name": "<string>",
        "displayId": "<string>",
        "title": "<string>",
        "description": "<string>",
        "number": 123,
        "type": "<string>",
        "sourceDisplayName": "<string>",
        "lastModificationTime": "2023-11-07T05:31:56Z",
        "creationTime": "2023-11-07T05:31:56Z",
        "lastActivityTime": "2023-11-07T05:31:56Z",
        "comment": "<string>",
        "classificationComment": "<string>",
        "tactics": [
          "<string>"
        ],
        "ruleIds": [
          "<string>"
        ],
        "alertProductNames": [
          "<string>"
        ],
        "user": {
          "id": "<string>",
          "displayName": "<string>",
          "email": "<string>"
        },
        "isAssigned": true,
        "productId": "<string>",
        "alertsCount": 123,
        "entities": [
          {
            "id": "<string>",
            "kind": "<string>",
            "displayName": "<string>",
            "friendlyName": "<string>",
            "fileName": "<string>",
            "hostName": "<string>",
            "accountEntityId": "<string>",
            "deviceId": "<string>",
            "deviceAzureId": "<string>",
            "defenderAtpDeviceId": "<string>",
            "defenderEndpointDeviceId": "<string>",
            "networkMessageId": "<string>",
            "hashAlgorithm": "<string>",
            "aadUserId": "<string>",
            "emailAddress": "<string>",
            "userPrincipalName": "<string>",
            "ipAddress": "<string>",
            "fileHash": "<string>",
            "emailId": "<string>",
            "emailSubject": "<string>"
          }
        ],
        "workspaceName": "<string>",
        "workspaceId": "<string>",
        "isDefenderXDRSourced": true
      }
    ],
    "sourcePageTokens": [
      {
        "workspaceId": "<string>",
        "sourceTokens": {}
      }
    ],
    "moreIncidentsAvailable": true
  },
  "meta": {
    "requestId": "<string>",
    "timestamp": "<string>"
  }
}
{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}
{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}
{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}
{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}
{
"type": "<string>",
"title": "<string>",
"status": 123,
"detail": "<string>",
"instance": "<string>",
"code": "<string>",
"requestId": "<string>",
"timestamp": "<string>",
"target": "<string>",
"errors": {}
}

Body

application/json

v2 request for listing incidents across multiple workspaces.

severities
null | enum<string>[]

Filter incidents to only the listed severities. Empty list returns all severities.

Available options:
Informational,
Low,
Medium,
High
statuses
null | enum<string>[]

Filter incidents to only the listed statuses. Empty list returns all statuses.

Available options:
Active,
New,
Closed
timeFilterSelection
object

Time window for incident creation. Defaults to the last 24 hours.

workspacePageTokens
null | object[]

Opaque pagination tokens echoed from the previous response's SourcePageTokens. Leave empty on the first call. See type-level remarks for the pagination protocol.

query
null | string

Free-text search applied across incident title/description fields. Empty matches all.

isFirstCall
boolean

true for the initial request; false when echoing List<WorkspaceSourcePageTokens> ListIncidentsAcrossWorkspacesRequest.WorkspacePageTokens back for subsequent pages. See type-level remarks for the pagination protocol.

sources
null | enum<string>[]

Filter incidents to only the listed sources (e.g. Sentinel, DefenderXDR, CrowdStrike). Empty list returns all sources the caller has access to.

Available options:
Sentinel,
DefenderXDR,
QRadar,
Splunk,
CrowdStrike,
SentinelOne
assigneeIds
null | string[]

Filter incidents assigned to any of the listed ContraForce user IDs.

assigneeEmails
null | string[]

Filter incidents assigned to any of the listed user email addresses.

includeUnassigned
boolean

When true, include incidents that have no assignee alongside any matches from List<string> ListIncidentsAcrossWorkspacesRequest.AssigneeIds / List<string> ListIncidentsAcrossWorkspacesRequest.AssigneeEmails.

Response

OK

Standard v2 API response envelope for single-item responses.

data
object

Wraps the result of listing incidents for multiple workspaces in the multi-tenancy mode.

meta
object