
POST Update incident basic attributes

Relative path: /v2/incidents/{incidentUuid}/basic-attributes:update

Update the chosen attributes of a specific incident.

Endpoint URL for Europe, Germany, United States, Canada and Japan regions:






Updating selected attributes

To update one or more of an incident's basic attributes, list each parameter to be modified in the updateMask field of the API request body, using lower camel case (for example, displayName). A parameter that is not included in updateMask is not updated. When updating multiple parameters, list them in updateMask as a comma-separated sequence, for example displayName,severity.

The following parameters can be updated:

assigneeUuid

description

displayName

severity

Request body


Type

Required

Example

Schema

application/json

Yes

{
  "assigneeUuid": "string",
  "description": "string",
  "displayName": "string",
  "severity": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
  "updateMask": "string"
}
{
  "$ref": "IncidentsUpdateIncidentBasicAttributesBody",
  "assigneeUuid": {
    "type": "string",
    "description": "Reference to the User to be assigned as the assignee. The attribute can only be empty when the status is 'Open'. type: user_management.v1.User"
  },
  "description": {
    "type": "string",
    "description": "New description."
  },
  "displayName": {
    "type": "string",
    "description": "New human-readable name."
  },
  "severity": {
    "$ref": "v2IncidentSeverityLevel",
    "type": "string",
    "description": "Severity levels abstracted to cover all possible GUIs. The vocabulary leaves the interpretation of each severity level entirely to the API client. Info: This approach is unavoidable at the SIEM level because there are many contributing sources; local names for severity levels never fit all GUIs. INCIDENT_SEVERITY_LEVEL_UNSPECIFIED: fallback; INCIDENT_SEVERITY_LEVEL_LOW: in some GUIs known as Warning; INCIDENT_SEVERITY_LEVEL_MEDIUM: in some GUIs known as Error or Threat; INCIDENT_SEVERITY_LEVEL_HIGH: in some GUIs known as Critical.",
    "default": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
    "enum": [
      "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
      "INCIDENT_SEVERITY_LEVEL_LOW",
      "INCIDENT_SEVERITY_LEVEL_MEDIUM",
      "INCIDENT_SEVERITY_LEVEL_HIGH"
    ]
  },
  "updateMask": {
    "type": "string",
    "description": "The list of fields to update. Info: Modeled after: Standard Methods: Update"
  }
}

Parameters in path

Name

Type

Required

Description

incidentUuid

string

Yes

Reference to [Incident].

type: Incident



Responses


Code

Description and Example

Description, Schema and Headers

200

Successful response.


Response example

{
  "incident": {
    "assigneeUuid": "string",
    "createTime": "string",
    "description": "string",
    "detectionUuids": [
      "string"
    ],
    "deviceUuids": [
      "string"
    ],
    "displayName": "string",
    "metrics": {
      "deviceCount": 0,
      "executableCount": 0,
      "processCount": 0
    },
    "resolveReason": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
    "responseDuration": "string",
    "severity": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
    "status": "INCIDENT_STATUS_UNSPECIFIED",
    "tags": [
      "string"
    ],
    "triageDuration": "string",
    "updateTime": "string",
    "uuid": "string"
  }
}

Successful response.


Response schema

{
  "$ref": "v2UpdateIncidentBasicAttributesResponse",
  "incident": {
    "$ref": "v2Incident",
    "description": {
      "type": "string",
      "description": "Arbitrary text describing the incident."
    },
    "assigneeUuid": {
      "type": "string",
      "description": "User responsible for investigation and remediation. type: user_management.v1.User"
    },
    "createTime": {
      "type": "string",
      "description": "Timestamp for when the incident was created.",
      "format": "date-time",
      "readOnly": true
    },
    "detectionUuids": [
      {
        "type": "string"
      }
    ],
    "deviceUuids": [
      {
        "type": "string"
      }
    ],
    "displayName": {
      "type": "string",
      "description": "Human-readable name of the incident."
    },
    "metrics": {
      "$ref": "v2IncidentMetrics",
      "description": "Metrics related to the incident.",
      "deviceCount": {
        "type": "integer",
        "description": "Count of devices related to the incident.",
        "format": "int64"
      },
      "executableCount": {
        "type": "integer",
        "description": "Count of executables related to the incident.",
        "format": "int64"
      },
      "processCount": {
        "type": "integer",
        "description": "Count of processes related to the incident.",
        "format": "int64"
      }
    },
    "resolveReason": {
      "$ref": "v2IncidentResolveReason",
      "type": "string",
      "description": "Possible reasons for resolving an incident. INCIDENT_RESOLVE_REASON_UNSPECIFIED: fallback. INCIDENT_RESOLVE_REASON_TRUE_POSITIVE: The incident was a true positive, indicating a genuine security threat. INCIDENT_RESOLVE_REASON_FALSE_POSITIVE: The incident was initially thought to be a security threat but later determined to be a false alarm. INCIDENT_RESOLVE_REASON_SUSPICIOUS: The incident is not a confirmed threat (true positive), but investigating it can provide valuable insights into user behavior patterns and help mitigate potential attacks.",
      "default": "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
      "enum": [
        "INCIDENT_RESOLVE_REASON_UNSPECIFIED",
        "INCIDENT_RESOLVE_REASON_TRUE_POSITIVE",
        "INCIDENT_RESOLVE_REASON_FALSE_POSITIVE",
        "INCIDENT_RESOLVE_REASON_SUSPICIOUS"
      ]
    },
    "responseDuration": {
      "type": "string",
      "description": "How long it took to respond to the incident.",
      "readOnly": true
    },
    "severity": {
      "$ref": "v2IncidentSeverityLevel",
      "type": "string",
      "description": "Severity levels abstracted to cover all possible GUIs. The vocabulary leaves the interpretation of each severity level entirely to the API client. Info: This approach is unavoidable at the SIEM level because there are many contributing sources; local names for severity levels never fit all GUIs. INCIDENT_SEVERITY_LEVEL_UNSPECIFIED: fallback; INCIDENT_SEVERITY_LEVEL_LOW: in some GUIs known as Warning; INCIDENT_SEVERITY_LEVEL_MEDIUM: in some GUIs known as Error or Threat; INCIDENT_SEVERITY_LEVEL_HIGH: in some GUIs known as Critical.",
      "default": "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
      "enum": [
        "INCIDENT_SEVERITY_LEVEL_UNSPECIFIED",
        "INCIDENT_SEVERITY_LEVEL_LOW",
        "INCIDENT_SEVERITY_LEVEL_MEDIUM",
        "INCIDENT_SEVERITY_LEVEL_HIGH"
      ]
    },
    "status": {
      "$ref": "v2IncidentStatus",
      "type": "string",
      "description": "Defines an enumeration for incident status. INCIDENT_STATUS_UNSPECIFIED: fallback. INCIDENT_STATUS_OPEN: The incident is OPEN (also known as NEW) and has been reported or detected. INCIDENT_STATUS_IN_PROGRESS: The incident is currently in progress and being actively addressed. INCIDENT_STATUS_CLOSED: The incident has been closed, and the necessary actions have been taken. INCIDENT_STATUS_WAITING_FOR_INPUT: The incident is awaiting input from the customer.",
      "default": "INCIDENT_STATUS_UNSPECIFIED",
      "enum": [
        "INCIDENT_STATUS_UNSPECIFIED",
        "INCIDENT_STATUS_OPEN",
        "INCIDENT_STATUS_IN_PROGRESS",
        "INCIDENT_STATUS_CLOSED",
        "INCIDENT_STATUS_WAITING_FOR_INPUT"
      ]
    },
    "tags": [
      {
        "type": "string"
      }
    ],
    "triageDuration": {
      "type": "string",
      "description": "How long the incident remained in triage status.",
      "readOnly": true
    },
    "updateTime": {
      "type": "string",
      "description": "Represents the timestamp when the resource was most recently updated. Any change to the resource made by users (create/update/delete) must update this value; changes to a resource made internally by the service should refresh this value unless specified otherwise on the entity level. Info: Modeled after Standard fields: Timestamps",
      "format": "date-time",
      "readOnly": true
    },
    "uuid": {
      "type": "string",
      "description": "Unique identifier of the entity. Must be collision-free: two identifiers created anywhere in the world must not collide within the entity's parent scope. Unless the entity is a member of an aggregate, its scope is always global. Although usually compliant with RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace), do not rely on it being an RFC UUID; treat it as an opaque identifier. An RFC UUID can be recognized by its format, which follows the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. The UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'"
    }
  }
}


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

202

Response took too long; request cached. Response can be retrieved later using the response-id header.

Response took too long; request cached. Response can be retrieved later using the response-id header.


Response schema

[]


Headers

{
  "response-id": {
    "description": "Unique ID of a pending request. Used to retrieve cached result.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  },
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

400

One of the following errors: 1. Bad or missing authorization. 2. Validation error: an invalid argument was provided.

One of the following errors: 1. Bad or missing authorization. 2. Validation error: an invalid argument was provided.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

401

Token has expired or is invalid.

Token has expired or is invalid.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

403

Access denied. Check permissions.

Access denied. Check permissions.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

404

Requested resource not found.

Requested resource not found.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

429

Rate limit reached. Try again later.

Rate limit reached. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

500

Internal server failure. Try again later.

Internal server failure. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

502

Internal server failure. Try again later.

Internal server failure. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

503

Environment under maintenance. Try again later.

Environment under maintenance. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

504

Action took too long; timeout reached

Action took too long; timeout reached


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}