> ## Documentation Index > Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt > Use this file to discover all available pages before exploring further. # List incidents across workspaces ## OpenAPI ````yaml /api-reference/openapi.json post /api/v2/incidents/across-workspaces openapi: 3.1.1 info: title: ContraForce API description: ContraForce platform API for security operations management. version: '2.0' servers: [] security: [] tags: - name: Incidents - name: Gamebooks - name: Data sources - name: Service tickets - name: Investigation - name: Cross-workspace incidents - name: Cross-workspace gamebooks - name: Cross-workspace data sources - name: Webhooks - name: Service accounts - name: Users - name: Azure resources paths: /api/v2/incidents/across-workspaces: post: tags: - Cross-workspace incidents summary: List incidents across workspaces operationId: v2-list-incidents-across-workspaces requestBody: content: application/json: schema: $ref: '#/components/schemas/ListIncidentsAcrossWorkspacesRequest' responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ApiResponseOfListIncidentsForWorkspacesResultDto '400': description: Bad request — validation or parameter binding failed. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '401': description: Unauthorized — missing or invalid Bearer token. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '403': description: Forbidden — insufficient scope or workspace access. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '404': description: Not found — workspace or resource is missing. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' '500': description: Internal server error. content: application/problem+json: schema: $ref: '#/components/schemas/ApiProblemDetails' components: schemas: ListIncidentsAcrossWorkspacesRequest: type: object properties: severities: type: - 'null' - array items: $ref: '#/components/schemas/Severity' statuses: type: - 'null' - array items: $ref: '#/components/schemas/Status' timeFilterSelection: $ref: '#/components/schemas/TimeFilterSelection' workspacePageTokens: type: - 'null' - array items: $ref: '#/components/schemas/WorkspaceSourcePageTokens' query: type: - 'null' - string isFirstCall: type: boolean sources: type: - 'null' - array items: $ref: '#/components/schemas/IncidentSource' assigneeIds: type: - 'null' - array items: type: string assigneeEmails: type: - 'null' - array items: type: string includeUnassigned: type: boolean description: v2 request for listing incidents across multiple workspaces. ApiResponseOfListIncidentsForWorkspacesResultDto: type: object properties: data: $ref: '#/components/schemas/ListIncidentsForWorkspacesResultDto' meta: $ref: '#/components/schemas/ResponseMeta' description: Standard v2 API response envelope for single-item responses. ApiProblemDetails: type: object properties: type: type: - 'null' - string title: type: - 'null' - string status: pattern: ^-?(?:0|[1-9]\d*)$ type: - 'null' - integer - string format: int32 detail: type: - 'null' - string instance: type: - 'null' - string code: type: - 'null' - string requestId: type: - 'null' - string timestamp: type: - 'null' - string target: type: - 'null' - string errors: type: - 'null' - object additionalProperties: type: array items: type: string description: "API extension of ProblemDetails that surfaces the stable error code,\r\ntrace identifier, timestamp, optional target, and optional field-keyed validation\r\nerror map alongside the RFC 7807 members." Severity: enum: - Informational - Low - Medium - High Status: enum: - Active - New - Closed TimeFilterSelection: type: object properties: type: $ref: '#/components/schemas/TimeFilteringType' customStartUtc: type: - 'null' - string format: date-time customEndUtc: type: - 'null' - string format: date-time description: "Canonical representation of a global time filter.\r\nWhen Type == Custom, CustomStartUtc and CustomEndUtc must be provided (UTC)." WorkspaceSourcePageTokens: type: object properties: workspaceId: type: - 'null' - string sourceTokens: type: - 'null' - object additionalProperties: type: string IncidentSource: enum: - Sentinel - DefenderXDR - QRadar - Splunk - CrowdStrike - SentinelOne ListIncidentsForWorkspacesResultDto: type: object properties: incidents: type: - 'null' - array items: $ref: '#/components/schemas/Incident' sourcePageTokens: type: - 'null' - array items: $ref: '#/components/schemas/WorkspaceSourcePageTokens' moreIncidentsAvailable: type: boolean description: >- Wraps the result of listing incidents for multiple workspaces in the multi-tenancy mode ResponseMeta: type: object properties: requestId: type: - 'null' - string timestamp: type: - 'null' - string TimeFilteringType: enum: - ThreeHours - SixHours - TwelveHours - TwentyFourHours - FourtyEightHours - Custom - null Incident: type: object properties: id: type: - 'null' - string name: type: - 'null' - string title: type: - 'null' - string description: type: - 'null' - string number: pattern: ^-?(?:0|[1-9]\d*)$ type: - integer - string format: int32 type: type: - 'null' - string source: $ref: '#/components/schemas/IncidentSource' sourceDisplayName: type: - 'null' - string lastModificationTime: type: - 'null' - string description: Date/Time represents the user's local time format: date-time creationTime: type: string description: Date/Time represents the user's local time format: date-time lastActivityTime: type: - 'null' - string description: Date/Time represents the user's local time format: date-time severity: $ref: '#/components/schemas/Severity' classification: oneOf: - type: 'null' - $ref: '#/components/schemas/Classification' comment: type: - 'null' - string classificationReason: oneOf: - type: 'null' - $ref: '#/components/schemas/ClassificationReason' classificationComment: type: - 'null' - string tactics: type: - 'null' - array items: type: string ruleIds: type: - 'null' - array items: type: string description: Represents the Ids of the related rules of this incidents alertProductNames: type: - 'null' - array items: type: string user: $ref: '#/components/schemas/UserSummary' description: Represents the user assigned to work on this incident isAssigned: type: boolean productId: type: - 'null' - string status: $ref: '#/components/schemas/Status' alertsCount: pattern: ^-?(?:0|[1-9]\d*)$ type: - integer - string format: int32 entities: type: - 'null' - array items: $ref: '#/components/schemas/IncidentEntity' workspaceName: type: - 'null' - string description: "Name of the workspace in the customer tenant\r\nThis property is beneficial when the customer has multiple workspaces or when the partner is working under the multi-tenancy mode" workspaceId: type: - 'null' - string description: "Name of the workspace in the customer tenant\r\nThis property is beneficial when the customer has multiple workspaces or when the partner is working under the multi-tenancy mode" isDefenderXDRSourced: type: boolean description: >- Determines whether the incident is orginally sourced from Microsoft Defender XDR description: >- This incident object built on top of the Microsoft Azure Sentinel Incident and it's open to extend to any new provider Classification: enum: - BenignPositive - FalsePositive - TruePositive - Undetermined - InformationalExpectedActivity - Unknown - NonIssue - PolicyViolation - QradarFalsePositive - Undefined - Suspicious - null ClassificationReason: enum: - InaccurateData - IncorrectAlertLogic - SuspiciousActivity - SuspiciousButExpected - Unknown - Apt - Malware - SecurityPersonnel - SecurityTesting - UnwantedSoftware - Other - MultistagedAttack - CompromisedUser - Phishing - MaliciousUserActivity - NotMalicious - NoEnoughDataToValidate - ConfirmedUserActivity - LineOfBusinessApplication - null UserSummary: type: object properties: id: type: - 'null' - string displayName: type: - 'null' - string email: type: - 'null' - string description: >- Represents a light version of the user object, that is used to add reference to a specific user in a foriegn entities IncidentEntity: type: object properties: id: type: - 'null' - string type: $ref: '#/components/schemas/EntityType' kind: type: - 'null' - string displayName: type: - 'null' - string friendlyName: type: - 'null' - string fileName: type: - 'null' - string hostName: type: - 'null' - string accountEntityId: type: - 'null' - string deviceId: type: - 'null' - string deviceAzureId: type: - 'null' - string defenderAtpDeviceId: type: - 'null' - string defenderEndpointDeviceId: type: - 'null' - string networkMessageId: type: - 'null' - string hashAlgorithm: type: - 'null' - string aadUserId: type: - 'null' - string emailAddress: type: - 'null' - string userPrincipalName: type: - 'null' - string ipAddress: type: - 'null' - string fileHash: type: - 'null' - string emailId: type: - 'null' - string emailSubject: type: - 'null' - string description: >- This class is used to unify the Entities from different sources into a ContraForce Entity EntityType: enum: - User - IP - File - Process - Device - Malware - CloudApplication - DomainName - AzureResource - FileHash - RegistryKey - RegistryValue - SecurityGroup - URL - IoTDevice - Mailbox - MailCluster - MailMessage - Submission - SentinelEntities - DnsResolution - Registry - OAuthApplication - AmazonResource - BlobContainer - Blob - Container - ContainerRegistry - ContainerImage - GoogleCloudResource - KubernetesCluster - KubernetesController - KubernetesNamespace - KubernetesPod - KubernetesService - KubernetesSecret - KubernetesServiceAccount - AnalyzedMessage - DNS - Unknown ````