
# Get incident by id

Returns one incident from a workspace, addressed by the `source` system it came from and its `incidentId`. Security note: the spec below declares a top-level `security: []` and defines no `securitySchemes`, yet its `401` and `403` responses describe a Bearer token and workspace-scoped authorization — treat the endpoint as authenticated, and do not let generated clients or linters infer from the empty `security` array that it can be called anonymously.

## OpenAPI

````yaml /api-reference/openapi.json get /api/v2/workspaces/{workspaceId}/incidents/{source}/{incidentId}
openapi: 3.1.1
info:
  title: ContraForce API
  description: ContraForce platform API for security operations management.
  version: '2.0'
servers: []
security: []
tags:
  - name: Incidents
  - name: Gamebooks
  - name: Data sources
  - name: Service tickets
  - name: Investigation
  - name: Cross-workspace incidents
  - name: Cross-workspace gamebooks
  - name: Cross-workspace data sources
  - name: Webhooks
  - name: Service accounts
  - name: Users
  - name: Azure resources
paths:
  /api/v2/workspaces/{workspaceId}/incidents/{source}/{incidentId}:
    get:
      tags:
        - Incidents
      summary: Get incident by id
      operationId: v2-get-incident-by-id
      parameters:
        - name: workspaceId
          in: path
          required: true
          schema:
            type: string
            format: uuid
        - name: source
          in: path
          required: true
          schema:
            $ref: '#/components/schemas/IncidentSource'
        - name: incidentId
          in: path
          required: true
          schema:
            type: string
        - name: withDetails
          in: query
          schema:
            type: boolean
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponseOfContraForceIncident'
        '400':
          description: Bad request — validation or parameter binding failed.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/ApiProblemDetails'
        '401':
          description: Unauthorized — missing or invalid Bearer token.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/ApiProblemDetails'
        '403':
          description: Forbidden — insufficient scope or workspace access.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/ApiProblemDetails'
        '404':
          description: Not found — workspace or resource is missing.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/ApiProblemDetails'
        '500':
          description: Internal server error.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/ApiProblemDetails'
components:
  schemas:
    IncidentSource:
      enum:
        - Sentinel
        - DefenderXDR
        - QRadar
        - Splunk
        - CrowdStrike
        - SentinelOne
    ApiResponseOfContraForceIncident:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/ContraForceIncident'
        meta:
          $ref: '#/components/schemas/ResponseMeta'
      description: Standard v2 API response envelope for single-item responses.
    ApiProblemDetails:
      type: object
      properties:
        type:
          type:
            - 'null'
            - string
        title:
          type:
            - 'null'
            - string
        status:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - 'null'
            - integer
            - string
          format: int32
        detail:
          type:
            - 'null'
            - string
        instance:
          type:
            - 'null'
            - string
        code:
          type:
            - 'null'
            - string
        requestId:
          type:
            - 'null'
            - string
        timestamp:
          type:
            - 'null'
            - string
        target:
          type:
            - 'null'
            - string
        errors:
          type:
            - 'null'
            - object
          additionalProperties:
            type: array
            items:
              type: string
      description: "API extension of ProblemDetails that surfaces the stable error code,\r\ntrace identifier, timestamp, optional target, and optional field-keyed validation\r\nerror map alongside the RFC 7807 members."
    ContraForceIncident:
      type: object
      properties:
        source:
          $ref: '#/components/schemas/IncidentSource'
          description: >-
            Source system the incident came from (for example DefenderXDR or
            Sentinel)
        incident:
          $ref: '#/components/schemas/Incident'
          description: Object to retrieve the base information of the incident
        investigationDetails:
          $ref: '#/components/schemas/IncidentInvestigationDetailsDto'
          description: Object to retrieve the entities and alerts related to the incident
        evidence:
          $ref: '#/components/schemas/GeneralTableDto'
          description: Object to retrieve the evidence related to the incident
        gamebookCatalog:
          $ref: '#/components/schemas/IncidentGamebooksCatalogDto'
          description: >-
            (Nullable) Represents the recommended gamebook by ContraForce or the
            last run gamebook for the incident
      description: >-
        Object that represents all the data from an incident that could come
        from any source
    ResponseMeta:
      type: object
      properties:
        requestId:
          type:
            - 'null'
            - string
        timestamp:
          type:
            - 'null'
            - string
    Incident:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        name:
          type:
            - 'null'
            - string
        title:
          type:
            - 'null'
            - string
        description:
          type:
            - 'null'
            - string
        number:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - integer
            - string
          format: int32
        type:
          type:
            - 'null'
            - string
        source:
          $ref: '#/components/schemas/IncidentSource'
        sourceDisplayName:
          type:
            - 'null'
            - string
        lastModificationTime:
          type:
            - 'null'
            - string
          description: Date/Time represents the user's local time
          format: date-time
        creationTime:
          type: string
          description: Date/Time represents the user's local time
          format: date-time
        lastActivityTime:
          type:
            - 'null'
            - string
          description: Date/Time represents the user's local time
          format: date-time
        severity:
          $ref: '#/components/schemas/Severity'
        classification:
          oneOf:
            - type: 'null'
            - $ref: '#/components/schemas/Classification'
        comment:
          type:
            - 'null'
            - string
        classificationReason:
          oneOf:
            - type: 'null'
            - $ref: '#/components/schemas/ClassificationReason'
        classificationComment:
          type:
            - 'null'
            - string
        tactics:
          type:
            - 'null'
            - array
          items:
            type: string
        ruleIds:
          type:
            - 'null'
            - array
          items:
            type: string
          description: IDs of the rules related to this incident
        alertProductNames:
          type:
            - 'null'
            - array
          items:
            type: string
        user:
          $ref: '#/components/schemas/UserSummary'
          description: Represents the user assigned to work on this incident
        isAssigned:
          type: boolean
        productId:
          type:
            - 'null'
            - string
        status:
          $ref: '#/components/schemas/Status'
        alertsCount:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - integer
            - string
          format: int32
        entities:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/IncidentEntity'
        workspaceName:
          type:
            - 'null'
            - string
          description: "Name of the workspace in the customer tenant. Useful when the customer has multiple workspaces or when the partner is working in multi-tenancy mode."
        workspaceId:
          type:
            - 'null'
            - string
          description: "ID of the workspace in the customer tenant. Useful when the customer has multiple workspaces or when the partner is working in multi-tenancy mode."
        isDefenderXDRSourced:
          type: boolean
          description: >-
            Determines whether the incident was originally sourced from
            Microsoft Defender XDR
      description: >-
        Incident object modelled on the Microsoft Sentinel incident; open to
        extension for any new provider
    IncidentInvestigationDetailsDto:
      type: object
      properties:
        entities:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/InvestigationEntityDto'
        alerts:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/InvestigationAlertDto'
        incident:
          $ref: '#/components/schemas/Incident'
        incidentComment:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/IncidentCommentDto'
    GeneralTableDto:
      type: object
      properties:
        columns:
          type:
            - 'null'
            - array
          items:
            type: string
        rows:
          type:
            - 'null'
            - array
          items:
            type: array
    IncidentGamebooksCatalogDto:
      type: object
      properties:
        recommended:
          $ref: '#/components/schemas/RecommendedGamebookDto'
        lastGamebook:
          $ref: '#/components/schemas/GamebookDto'
        isPreviousRunAvailable:
          type: boolean
          description: Indicates if the last Gamebook Run is available
        isRecommendedAvailable:
          type: boolean
          description: Indicates if the recommended Gamebook is available
        aiRecommendedAvailable:
          type: boolean
          description: Indicator if there is a recommended Gamebook by ContraForce
        serviceProviderRecommendedAvailable:
          type: boolean
          description: Indicator if there is a recommended Gamebook by the Service Provider
      description: >-
        Contains the recommended gamebooks by ContraForce or the Service
        Provider, in addition to the last Gamebook Run associated with an
        Incident
    Severity:
      enum:
        - Informational
        - Low
        - Medium
        - High
    Classification:
      enum:
        - BenignPositive
        - FalsePositive
        - TruePositive
        - Undetermined
        - InformationalExpectedActivity
        - Unknown
        - NonIssue
        - PolicyViolation
        - QradarFalsePositive
        - Undefined
        - Suspicious
        - null
    ClassificationReason:
      enum:
        - InaccurateData
        - IncorrectAlertLogic
        - SuspiciousActivity
        - SuspiciousButExpected
        - Unknown
        - Apt
        - Malware
        - SecurityPersonnel
        - SecurityTesting
        - UnwantedSoftware
        - Other
        - MultistagedAttack
        - CompromisedUser
        - Phishing
        - MaliciousUserActivity
        - NotMalicious
        - NoEnoughDataToValidate
        - ConfirmedUserActivity
        - LineOfBusinessApplication
        - null
    UserSummary:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        displayName:
          type:
            - 'null'
            - string
        email:
          type:
            - 'null'
            - string
      description: >-
        Lightweight user object used to reference a specific user from other
        entities
    Status:
      enum:
        - Active
        - New
        - Closed
    IncidentEntity:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        type:
          $ref: '#/components/schemas/EntityType'
        kind:
          type:
            - 'null'
            - string
        displayName:
          type:
            - 'null'
            - string
        friendlyName:
          type:
            - 'null'
            - string
        fileName:
          type:
            - 'null'
            - string
        hostName:
          type:
            - 'null'
            - string
        accountEntityId:
          type:
            - 'null'
            - string
        deviceId:
          type:
            - 'null'
            - string
        deviceAzureId:
          type:
            - 'null'
            - string
        defenderAtpDeviceId:
          type:
            - 'null'
            - string
        defenderEndpointDeviceId:
          type:
            - 'null'
            - string
        networkMessageId:
          type:
            - 'null'
            - string
        hashAlgorithm:
          type:
            - 'null'
            - string
        aadUserId:
          type:
            - 'null'
            - string
        emailAddress:
          type:
            - 'null'
            - string
        userPrincipalName:
          type:
            - 'null'
            - string
        ipAddress:
          type:
            - 'null'
            - string
        fileHash:
          type:
            - 'null'
            - string
        emailId:
          type:
            - 'null'
            - string
        emailSubject:
          type:
            - 'null'
            - string
      description: >-
        This class is used to unify the Entities from different sources into a
        ContraForce Entity
    InvestigationEntityDto:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        displayName:
          type:
            - 'null'
            - string
        fileName:
          type:
            - 'null'
            - string
        fileHash:
          type:
            - 'null'
            - string
        type:
          $ref: '#/components/schemas/EntityType'
        friendlyName:
          type:
            - 'null'
            - string
        hostName:
          type:
            - 'null'
            - string
        kind:
          type:
            - 'null'
            - string
        accountEntityId:
          type:
            - 'null'
            - string
        networkMessageId:
          type:
            - 'null'
            - string
        commandLine:
          type:
            - 'null'
            - string
          description: >-
            Process command line associated with the entity. Treat as sensitive
            when logging or forwarding: command lines can carry credentials or
            tokens passed as arguments.
        userUpn:
          type:
            - 'null'
            - string
        deviceId:
          type:
            - 'null'
            - string
        aadUserId:
          type:
            - 'null'
            - string
        entityType:
          $ref: '#/components/schemas/PlaybookEntityType'
        isValidEntraIdUser:
          type: boolean
          description: >-
            True if the user is a Microsoft Entra ID (formerly Azure AD) user;
            false means the user is a local user
        isValidEntraIdDevice:
          type: boolean
          description: >-
            True if the device is joined to Microsoft Entra ID (formerly Azure
            AD); false means the device is a local device
      description: >-
        DTO used by the investigation graph when retrieving the entities
        related to a node
    InvestigationAlertDto:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        kind:
          type:
            - 'null'
            - string
        displayName:
          type:
            - 'null'
            - string
        alertName:
          type:
            - 'null'
            - string
        vendorName:
          type:
            - 'null'
            - string
        type:
          type:
            - 'null'
            - string
        description:
          type:
            - 'null'
            - string
        timeGenerated:
          type:
            - 'null'
            - string
          format: date-time
        tactics:
          type:
            - 'null'
            - array
          items:
            type: string
        severity:
          type:
            - 'null'
            - string
        productName:
          type:
            - 'null'
            - string
        deviceId:
          type:
            - 'null'
            - string
      description: >-
        DTO used by the investigation graph when retrieving the alerts related
        to an entity
    IncidentCommentDto:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        message:
          type:
            - 'null'
            - string
        createdTime:
          type:
            - 'null'
            - string
          format: date-time
        authorEmail:
          type:
            - 'null'
            - string
        authorName:
          type:
            - 'null'
            - string
        isActivityComment:
          type: boolean
          description: >-
            True when the comment is a system activity entry (status changed,
            priority changed, user assigned, etc.) rather than a written note
        isAgentComment:
          type: boolean
          description: >-
            Indicates if the comment was authored by an AI agent rather than a
            human analyst.
        agentName:
          type:
            - 'null'
            - string
          description: Name of the agent that authored the comment.
        isClosingComment:
          type: boolean
          description: >-
            Indicates if the comment is the closing comment added when the
            incident was resolved or closed.
        ticketNoteId:
          type:
            - 'null'
            - string
          description: "ID of the ticket note in the service ticketing system, when the comment relates to a ticket note. Nullable: only present if the tenant that wrote this comment has a ticketing system enabled in its configuration."
        ticketId:
          type:
            - 'null'
            - string
          description: "ID of the ticket in the service ticketing system, when the comment relates to a ticket note. Nullable: only present if the tenant that wrote this comment has a ticketing system enabled in its configuration."
    RecommendedGamebookDto:
      type: object
      properties:
        aiGamebook:
          $ref: '#/components/schemas/GamebookDto'
        serviceProviderGamebook:
          $ref: '#/components/schemas/GamebookDto'
    GamebookDto:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        tracingId:
          type:
            - 'null'
            - string
        incidentId:
          type:
            - 'null'
            - string
        source:
          $ref: '#/components/schemas/IncidentSource'
          description: >-
            Source system that owns the incident (Sentinel, DefenderXDR, etc.)
        incidentTitle:
          type:
            - 'null'
            - string
        incidentNumber:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - integer
            - string
          format: int32
        isOcr:
          type: boolean
        isRecover:
          type: boolean
        triggedByUserId:
          type:
            - 'null'
            - string
        displayName:
          type:
            - 'null'
            - string
        modificationDate:
          type: string
          format: date-time
        creationDate:
          type: string
          format: date-time
        status:
          $ref: '#/components/schemas/GamebookRunningStatus'
        title:
          type:
            - 'null'
            - string
        isAdminRequired:
          type: boolean
        workspaceId:
          type:
            - 'null'
            - string
        workspaceName:
          type:
            - 'null'
            - string
        tenantId:
          type:
            - 'null'
            - string
        isAutoRun:
          type: boolean
        originalGamebookId:
          type:
            - 'null'
            - string
          description: >-
            Set when this gamebook is a retry; holds the id of the gamebook
            that was retried
        originalGamebookTitle:
          type:
            - 'null'
            - string
          description: >-
            Set when this gamebook is a retry; holds the title of the gamebook
            that was retried
        isRetryGamebook:
          type: boolean
          description: True if this gamebook is a retry of a failed gamebook
        isQueued:
          type: boolean
          description: >-
            True if the gamebook was queued by a service provider and has not
            started yet
        playbooks:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/PlaybookGameplanDto'
        summary:
          type:
            - 'null'
            - string
    EntityType:
      enum:
        - User
        - IP
        - File
        - Process
        - Device
        - Malware
        - CloudApplication
        - DomainName
        - AzureResource
        - FileHash
        - RegistryKey
        - RegistryValue
        - SecurityGroup
        - URL
        - IoTDevice
        - Mailbox
        - MailCluster
        - MailMessage
        - Submission
        - SentinelEntities
        - DnsResolution
        - Registry
        - OAuthApplication
        - AmazonResource
        - BlobContainer
        - Blob
        - Container
        - ContainerRegistry
        - ContainerImage
        - GoogleCloudResource
        - KubernetesCluster
        - KubernetesController
        - KubernetesNamespace
        - KubernetesPod
        - KubernetesService
        - KubernetesSecret
        - KubernetesServiceAccount
        - AnalyzedMessage
        - DNS
        - Unknown
    PlaybookEntityType:
      enum:
        - User
        - Endpoint
        - General
        - Network
        - Email
    GamebookRunningStatus:
      enum:
        - Pending
        - Running
        - Finished
        - Failed
        - Queued
        - Denied
        - Cancelled
    PlaybookGameplanDto:
      type: object
      properties:
        id:
          type:
            - 'null'
            - string
        referenceId:
          type:
            - 'null'
            - string
          description: >-
            Read-only reference id composed of the playbook id and the entity
            id
        entityId:
          type:
            - 'null'
            - string
        name:
          type:
            - 'null'
            - string
        description:
          type:
            - 'null'
            - string
        entityType:
          $ref: '#/components/schemas/PlaybookEntityType'
        affectedEntity:
          type:
            - 'null'
            - string
        isRecommended:
          type: boolean
        status:
          $ref: '#/components/schemas/PlaybookRunningStatus'
        errorMessage:
          type:
            - 'null'
            - string
        sequence:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - integer
            - string
          format: int32
        modificationDate:
          type: string
          format: date-time
        startingDate:
          type:
            - 'null'
            - string
          format: date-time
        finishingDate:
          type:
            - 'null'
            - string
          format: date-time
        executionTime:
          type:
            - 'null'
            - string
          description: >-
            Total time taken to execute the playbook; null until finishingDate
            is populated
        tracingId:
          type:
            - 'null'
            - string
        parameters:
          type:
            - 'null'
            - object
          description: "Parameters of the playbook to be sent in the message. Populated only if the playbook is configurable (for example, Block IP)."
        isAdminRequired:
          type: boolean
    PlaybookRunningStatus:
      enum:
        - Pending
        - Running
        - Finished
        - Failed
        - Terminated

````