Page Comparison

Incidents

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

• The response is concatenated using the AND condition (OR is not supported).

• The maximum result set size is >100.

• Offset is the zero-based number of incidents from the start of the result set.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

• URL: https://api-yourfqdn

• Endpoint: /public_api/v1/incidents/get_incidents

• Documentation:https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents

• edr.cortex_xdr.incidents

IncidentsAlerts

Get extra data fields of a specific incident including alerts and key artifacts.

• Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

• URL: https://api-yourfqdn

• Endpoint:/public_api/v1/incidents/get_incident_extra_data

• Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-Extra-Incident-Data

• edr.cortex_xdr.alerts

Alert multi-events

Get a list of alerts with multiple events.

• Response is concatenated using AND condition (OR is not supported).

• The maximum result set size is 100.

• Offset is the zero-based number of alerts from the start of the result set.

• Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

Required license: ​Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

• URL: https://api-yourfqdn

• Endpoint: /public_api/v1/alerts/get_alerts_multi_events

• Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-Alerts-Multi-Events-v1

• edr.cortex_xdr.alerts_multi

• edr.cortex_xdr.alerts_multi_event