POST /api/v2/incidents/across-workspaces
List incidents across workspaces
curl --request POST \
  --url https://api.example.com/api/v2/incidents/across-workspaces \
  --header 'Content-Type: application/json' \
  --data '
{
  "severities": [],
  "statuses": [],
  "timeFilterSelection": {
    "customStartUtc": "2023-11-07T05:31:56Z",
    "customEndUtc": "2023-11-07T05:31:56Z"
  },
  "workspacePageTokens": [
    {
      "workspaceId": "<string>",
      "sourceTokens": {}
    }
  ],
  "query": "<string>",
  "isFirstCall": true,
  "sources": [],
  "assigneeIds": [
    "<string>"
  ],
  "assigneeEmails": [
    "<string>"
  ],
  "includeUnassigned": true
}
'
{
  "data": {
    "incidents": [
      {
        "id": "<string>",
        "name": "<string>",
        "displayId": "<string>",
        "title": "<string>",
        "description": "<string>",
        "number": 123,
        "type": "<string>",
        "sourceDisplayName": "<string>",
        "lastModificationTime": "2023-11-07T05:31:56Z",
        "creationTime": "2023-11-07T05:31:56Z",
        "lastActivityTime": "2023-11-07T05:31:56Z",
        "comment": "<string>",
        "classificationComment": "<string>",
        "tactics": [
          "<string>"
        ],
        "ruleIds": [
          "<string>"
        ],
        "alertProductNames": [
          "<string>"
        ],
        "user": {
          "id": "<string>",
          "displayName": "<string>",
          "email": "<string>"
        },
        "isAssigned": true,
        "productId": "<string>",
        "alertsCount": 123,
        "entities": [
          {
            "id": "<string>",
            "kind": "<string>",
            "displayName": "<string>",
            "friendlyName": "<string>",
            "fileName": "<string>",
            "hostName": "<string>",
            "accountEntityId": "<string>",
            "deviceId": "<string>",
            "deviceAzureId": "<string>",
            "defenderAtpDeviceId": "<string>",
            "defenderEndpointDeviceId": "<string>",
            "networkMessageId": "<string>",
            "hashAlgorithm": "<string>",
            "aadUserId": "<string>",
            "emailAddress": "<string>",
            "userPrincipalName": "<string>",
            "ipAddress": "<string>",
            "fileHash": "<string>",
            "emailId": "<string>",
            "emailSubject": "<string>"
          }
        ],
        "workspaceName": "<string>",
        "workspaceId": "<string>",
        "isDefenderXDRSourced": true
      }
    ],
    "sourcePageTokens": [
      {
        "workspaceId": "<string>",
        "sourceTokens": {}
      }
    ],
    "moreIncidentsAvailable": true
  },
  "meta": {
    "requestId": "<string>",
    "timestamp": "<string>"
  }
}

Body

application/json

v2 request for listing incidents across multiple workspaces.

severities
null | enum<string>[]

Filter incidents to only the listed severities. Empty list returns all severities.

Available options: Informational, Low, Medium, High

statuses
null | enum<string>[]

Filter incidents to only the listed statuses. Empty list returns all statuses.

Available options: Active, New, Closed

timeFilterSelection
object

Time window for incident creation. Defaults to the last 24 hours.

workspacePageTokens
null | object[]

Opaque pagination tokens echoed from the previous response's sourcePageTokens. Leave empty on the first call. See type-level remarks for the pagination protocol.

query
null | string

Free-text search applied across incident title/description fields. Empty matches all.

isFirstCall
boolean

true for the initial request; false when echoing workspacePageTokens back for subsequent pages. See type-level remarks for the pagination protocol.

sources
null | enum<string>[]

Filter incidents to only the listed sources (e.g. Sentinel, DefenderXDR, CrowdStrike). Empty list returns all sources the caller has access to.

Available options: Sentinel, DefenderXDR, QRadar, Splunk, CrowdStrike, SentinelOne

assigneeIds
null | string[]

Filter incidents assigned to any of the listed ContraForce user IDs.

assigneeEmails
null | string[]

Filter incidents assigned to any of the listed user email addresses.

includeUnassigned
boolean

When true, include incidents that have no assignee alongside any matches from assigneeIds / assigneeEmails.

Response

OK

Standard v2 API response envelope for single-item responses.

data
object

Wraps the result of listing incidents for multiple workspaces in the multi-tenancy mode.

meta
object
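
The paging loop implied by workspacePageTokens, isFirstCall, sourcePageTokens and moreIncidentsAvailable, as an added Python example (not ContraForce's own client code). It assumes the last page reports moreIncidentsAvailable as false; the function names, the max_pages cap, and the fake transport with its token values are constructed for illustration, and authentication headers, which this page does not show, are left to the caller.

```python
import json
import urllib.request

# URL from the page's curl sample (api.example.com is the page's placeholder host).
URL = "https://api.example.com/api/v2/incidents/across-workspaces"

def http_post(body, headers=None):
    """Real transport. Auth headers are not shown on the page; pass your own."""
    req = urllib.request.Request(
        URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_all_incidents(filters, post=http_post, max_pages=100):
    """Follow page tokens until moreIncidentsAvailable is false."""
    body = dict(filters, isFirstCall=True, workspacePageTokens=[])
    incidents = []
    for _ in range(max_pages):
        data = post(body)["data"]
        incidents.extend(data.get("incidents") or [])
        if not data.get("moreIncidentsAvailable"):
            return incidents
        tokens = data.get("sourcePageTokens") or []
        if not tokens:
            raise RuntimeError("more incidents reported but no page tokens returned")
        # Tokens are opaque: echo them back unmodified, keep the same filters.
        body = dict(filters, isFirstCall=False, workspacePageTokens=tokens)
    raise RuntimeError(f"gave up after {max_pages} pages; narrow the filters")

# Constructed responses standing in for the API (token contents are made up).
PAGES = [
    {"incidents": [{"id": "a", "workspaceId": "ws1"}],
     "sourcePageTokens": [{"workspaceId": "ws1", "sourceTokens": {"Sentinel": "t1"}}],
     "moreIncidentsAvailable": True},
    {"incidents": [{"id": "b", "workspaceId": "ws1"}],
     "sourcePageTokens": [], "moreIncidentsAvailable": False},
]

def make_fake_post(pages):
    """Offline transport: serves `pages` in order and records each request body."""
    sent = []
    def post(body):
        sent.append(json.loads(json.dumps(body)))  # snapshot of what was sent
        return {"data": pages[len(sent) - 1], "meta": {}}
    return post, sent

if __name__ == "__main__":
    post, sent = make_fake_post(PAGES)
    found = list_all_incidents({"severities": ["High"]}, post=post)
    print([i["id"] for i in found], "in", len(sent), "requests")
```

To send real requests with credentials, wrap the transport, for example `post=lambda b: http_post(b, headers=my_headers)`.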