DELETE /api/v1/incident/delete
DELETE /api/v1/incidents/delete
# Actions
These are a collection of endpoints that allow you to interact with incidents.
Endpoints
# Acknowledge Incident
POST /api/v1/incident/acknowledge
Acknowledge a specified incident.
Required Parameters
auth_token string
A valid auth token
incident string
A valid incident key
Response
JSON structure with result indicator.
Example
Response
{
"action": "acknowledged",
"key": "<incident_key>",
"result": "success"
}
1
2
3
4
5
2
3
4
5
# Delete Incident
DELETE /api/v1/incident/delete
Deletes a specified incident.
Required Parameters
auth_token string
A valid auth token
incident string
A valid incident key
Response
JSON structure with result indicator.
Example
Response
{
"action": "deleted",
"key": "<incident_key>",
"result": "success"
}
1
2
3
4
5
2
3
4
5
# Fetch Incident
GET /api/v1/incident/fetch
Retrieve a specified incident.
Required Parameters
auth_token string
A valid auth token
Optional Parameters
incident string
A valid incident key
hash_id string
A valid incident hash
extended_details boolean
Return all incident fields
tz string
Timezone for standardised timestamps (fields that end in "_std"). Use the pytz names to specify the timezone
TIP
Either incident or hash_id is required.
Response
JSON structure containing the specified incident.
Example
Response
{
"incident": {
"acknowledged": "False",
"created": "1586260854",
"created_std": "2020-04-07 12:00:54 UTC+0000",
"description": "Telnet Login Attempt",
"dst_host": "<destination_ip>",
"dst_port": "23",
"events": [
{
"PASSWORD": "<password>",
"TERMSIZE": "91x44",
"TERMTYPE": "XTERM-256COLOR",
"USERNAME": "<username>",
"timestamp": 1586260854,
"timestamp_std": "2020-04-07 12:00:54 UTC+0000"
},
],
"events_count": "3",
"id": "<incident_key>",
"ip_address": "",
"ippers": "",
"local_time": "2020-04-07 12:00:53",
"logtype": "6001",
"mac_address": "",
"node_id": "<node_id>",
"notified": "False",
"src_host": "<source_ip>",
"src_host_reverse": "<source_hostname>",
"src_port": "54968"
},
"result": "success"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Unacknowledge Incident
POST /api/v1/incident/unacknowledge
Unacknowledge a specified incident.
Required Parameters
auth_token string
A valid auth token
incident string
A valid incident key
Response
JSON structure with result indicator.
Example
Response
{
"action": "unacknowledged",
"key": "<incident_key>",
"result": "success"
}
1
2
3
4
5
2
3
4
5
# Acknowledge Multiple Incidents
POST /api/v1/incidents/acknowledge
Acknowledge multiple incidents.
Required Parameters
auth_token string
A valid auth token
Optional Parameters
flock_id string
Acknowledge incidents for a specific flock
node_id string
Acknowledge incidents for a specific node (cannot be used in conjunction with src_host)
src_host string
Acknowledge incidents for a specific source IP address (cannot be used in conjunction with node_id)
older_than string
Acknowledge incidents older than the provided period. Periods are "[quantity][unit]", where "[unit]" is one of 'h', 'd', 'w' (hours, days or weeks) e.g. 1h or 1d or 1w
filter_str string
The string used when searching for incidents to be acknowledged. This string will attempt to match against incident details such
filter_logtypes string
The logtype of the incidents to be acknowledged
TIP
At least one of the optional parameters is required.
Response
JSON structure with result indicator.
Example
Response
{
"action": "acknowledged",
"keys": [
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>"
],
"result": "success"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
# Delete Multiple Incidents
DELETE /api/v1/incidents/delete
Delete multiple acknowledged incidents.
Required Parameters
auth_token string
A valid auth token
Optional Parameters
flock_id string
Delete incidents for a specific flock
node_id string
Delete incidents for a specific node (cannot be used in conjunction with src_host)
src_host string
Delete incidents for a specific source IP address (cannot be used in conjunction with src_host)
older_than string
Delete incidents older than the provided period. Periods are "[quantity][unit]", where "[unit]" is one of 'h', 'd', 'w' (hours, days or weeks) e.g. 1h or 1d or 1w
filter_str string
The string used when searching for incidents to be deleted. This string will attempt to match against incident details such
filter_logtypes string
The logtype of the incidents to be deleted
include_unacknowledged boolean
Include unacknowledged incidents when deleting
TIP
At least one of the optional parameters is required.
Response
JSON structure with result indicator.
Example
Response
{
"action": "deleted",
"keys": [
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>"
],
"result": "success"
}
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
# Unacknowledge Multiple Incidents
POST /api/v1/incidents/unacknowledge
Unacknowledge multiple incidents.
Required Parameters
auth_token string
A valid auth token
Optional Parameters
flock_id string
Unacknowledge incidents for a specific flock
node_id string
Unacknowledge incidents for a specific node (cannot be used in conjunction with src_host)
src_host string
Unacknowledge incidents for a specific source IP address (cannot be used in conjunction with src_host)
older_than string
Unacknowledge incidents older than the provided period. Periods are "[quantity][unit]", where "[unit]" is one of 'h', 'd', 'w' (hours, days or weeks) e.g. 1h or 1d or 1w
filter_str string
The string used when searching for incidents to be unacknowledged. This string will attempt to match against incident details such
filter_logtypes string
The logtype of the incidents to be unacknowledged
TIP
At least one of the optional parameters is required.
Response
JSON structure with result indicator.
Example
Response
{
"action": "unacknowledged",
"keys": [
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>",
"<incident_key>"
],
"result": "success"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13