List incidents
Relative path: /v2/incidents
List incidents.
Returns a list of incidents matching filter.
List is ordered according 'order_by'
Query parameters
Name |
Type |
Description |
|---|---|---|
filter |
string |
A filter string compliant with https://google.aip.dev/160. Common Expression Language is defined at https://github.com/google/cel-spec along with libraries for C++/C#: https://github.com/google/cel-go Go: https://github.com/google/cel-go |
orderBy |
string |
It is a comma separated list of fields. The default sorting order is ascending. To specify descending order for a field, users append a " desc" suffix. Every actual fields and subfields from object [Incident] can be used. Subfields are specified with a . character Field names can be expressed in both lower_case_with_underscores and in lowerCamelCase forms. That is, both display_name and displayName are supported.
For example, result will be ordered by device name given by user and by the incident severity in the reverse order: displayName, SeverityLevel desc |
pageSize |
integer |
Limit for pagination purposes. If unspecified or 0, default value is 50. The maximum value is 1000; values above 1000 will be coerced to 1000.
|
pageToken |
string |
Page token of current page. If not given or "", the first page is returned.
|
Responses
Display Schema instead of an Example or vice-versa
Code |
Description |
Example |
Schema |
|---|---|---|---|
200 |
Successful response. |
{
"incidents": [
{
"assigneeUuid": "string",
"createTime": "string",
"description": "string",
"detectionUuids": [
"string"
],
"deviceUuids": [
"string"
],
"displayName": "string",
"metrics": {
"deviceCount": 0,
"executableCount": 0,
"processCount": 0
},
"resolveReason": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
"responseDuration": "string",
"severity": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
"status": "INCIDENT_STATUS_UNSPECIFIED",
"tags": [
"string"
],
"triageDuration": "string",
"updateTime": "string",
"uuid": "string"
}
],
"nextPageToken": "string"
} |
{
"$ref": "v2ListIncidentsResponse",
"incidents": [
{
"$ref": "v2Incident",
"description": {
"type": "string",
"description": "Arbitrary text describing the incident."
},
"assigneeUuid": {
"type": "string",
"description": "User responsible for investigation and remediation. type: user_management.v1.User"
},
"createTime": {
"type": "string",
"description": "Timestamp for when the incident was created.",
"format": "date-time",
"readOnly": true
},
"detectionUuids": [
{
"type": "string"
}
],
"deviceUuids": [
{
"type": "string"
}
],
"displayName": {
"type": "string",
"description": "Human readable name of the incident."
},
"metrics": {
"$ref": "v2IncidentMetrics",
"description": "Metrics related to the incident.",
"deviceCount": {
"type": "integer",
"description": "Count of devices related to the incident.",
"format": "int64"
},
"executableCount": {
"type": "integer",
"description": "Count of executables related to the incident.",
"format": "int64"
},
"processCount": {
"type": "integer",
"description": "Count of processes related to the incident.",
"format": "int64"
}
},
"resolveReason": {
"$ref": "v2IncidentResolveReason",
"type": "string",
"description": "Possible reasons for resolved incident. INCIDENT_RESOLVE_REASON_UNSPECIFIED: fallback INCIDENT_RESOLVE_REASON_TRUE_POSITIVE: The incident was a true positive, indicating a genuine security threat. INCIDENT_RESOLVE_REASON_FALSE_POSITIVE: The incident was initially thought to be a security threat but later determined to be a false alarm. INCIDENT_RESOLVE_REASON_SUSPICIOUS: The incident is not a confirmed threat (true positive), but investigating it can provide valuable insights into user behavior patterns and help mitigate potential attacks.",
"default": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
"enum": [
"INCIDENT_RESOLVE_REASON_UNSPECIFIED",
"INCIDENT_RESOLVE_REASON_TRUE_POSITIVE",
"INCIDENT_RESOLVE_REASON_FALSE_POSITIVE",
"INCIDENT_RESOLVE_REASON_SUSPICIOUS"
]
},
"responseDuration": {
"type": "string",
"description": "How long did it take to respond to the incident.",
"readOnly": true
},
"severity": {
"$ref": "v2IncidentSeverityLevel",
"type": "string",
"description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. Info: This approach is inevitable on SIEM level as there are many contributing sources. Keeping the local names for severity levels never fits all the GUIs. INCIDENT_SEVERITY_LEVEL_UNSPECIFIED: fallback INCIDENT_SEVERITY_LEVEL_LOW: In some GUIs known Warning INCIDENT_SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat INCIDENT_SEVERITY_LEVEL_HIGH: In some GUIs known as Critical",
"default": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
"enum": [
"INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
"INCIDENT_SEVERITY_LEVEL_LOW",
"INCIDENT_SEVERITY_LEVEL_MEDIUM",
"INCIDENT_SEVERITY_LEVEL_HIGH"
]
},
"status": {
"$ref": "v2IncidentStatus",
"type": "string",
"description": "Define an enumeration for incident status. INCIDENT_STATUS_UNSPECIFIED: fallback INCIDENT_STATUS_OPEN: The incident is OPEN (aka NEW) and has been reported or detected. INCIDENT_STATUS_IN_PROGRESS: The incident is currently in progress and being actively addressed. INCIDENT_STATUS_CLOSED: The incident has been closed, and the necessary actions have been taken.",
"default": "INCIDENT_STATUS_UNSPECIFIED",
"enum": [
"INCIDENT_STATUS_UNSPECIFIED",
"INCIDENT_STATUS_OPEN",
"INCIDENT_STATUS_IN_PROGRESS",
"INCIDENT_STATUS_CLOSED"
]
},
"tags": [
{
"type": "string"
}
],
"triageDuration": {
"type": "string",
"description": "How long incident remained in triage status.",
"readOnly": true
},
"updateTime": {
"type": "string",
"description": "Represents the timestamp when the resource was most recently updated. Any change to the resource made by users (create/update/delete) must update this value; changes to a resource made internally by the service should refresh this value unless specified otherwise on entity level. Info: Modeled after: https://google.aip.dev/148#timestamps",
"format": "date-time",
"readOnly": true
},
"uuid": {
"type": "string",
"description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'"
}
}
],
"nextPageToken": {
"type": "string",
"description": "Page token of next page. Empty or '' for the last page. Info: For more information, refer to Paginating Requests in APIs or https://cloud.google.com/apis/design/design_patterns#list_pagination"
}
} |
202 |
Response took too long; request cached. Response can be retrieved later using the response-id header. |
null |
[] |
400 |
One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided. |
null |
[] |
401 |
Token has expired or is invalid. |
null |
[] |
403 |
Access denied. Check permissions. |
null |
[] |
404 |
Requested resource not found. |
null |
[] |
429 |
Rate limit reached. Try again later. |
null |
[] |
500 |
Internal server failure. Try again later. |
null |
[] |
502 |
Internal server failure. Try again later. |
null |
[] |
503 |
Environment under maintenance. Try again later. |
null |
[] |
504 |
Action took too long; timeout reached |
null |
[] |