# Incident Management - Incidents

## Overview

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time. This includes all incident types and severities, including correlation-generated incidents.

* Filters are combined with an AND condition (OR is not supported).
* The maximum result set size is 100.
* Offset is the zero-based number of incidents from the start of the result set.

## Configuration

### Parameters

**Name** - domain

**Value** - `CortexXdrDomain`

### Secrets

* `CortexXdrAuthorization` will reference the Cortex XDR Authorization token.
* `CortexXdrAuthId` will reference the [Cortex XDR Authorization ID](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Platform-APIs/Get-your-Cortex-XDR-API-key-ID?contentId=GwbuuBI0cJvEhgDAelFiMw).

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F9PJn0rMaI80G3G8Jmnha%2Fcrtdark.png?alt=media&#x26;token=398d8069-0508-44d0-9e18-8f42c101e8e8" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F1abywaKJBgF4JZJjO4yq%2Fcortexlight.png?alt=media&#x26;token=dffb055d-50c4-4dd7-a71d-30271f59c638" alt=""></picture><figcaption></figcaption></figure>

To add a Secret, open the **Secret** fields and click **New secret**:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Cortex Incident Management fields, or simply paste the given YAML:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste your **Cortex XDR Incidents** YAML.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "fromTo"
  limit: 100
  request:
    method: "POST"
    url: "https://${parameters.CortexXdrDomain}/public_api/v1/incidents/get_incidents"
    headers:
      - name: Accept
        value: "application/json"
      - name: Content-Type
        value: "application/json"
      - name: Authorization
        value: "${secrets.CortexXdrAuthorization}"
      - name: x-xdr-auth-id
        value: "${secrets.CortexXdrAuthId}"
    bodyType: raw
    bodyRaw: |
      {
        "request_data": {
          "search_from": ${pagination.from},
          "search_to": ${pagination.to},
          "filters": [
            {
              "field": "creation_time",
              "operator": "gte",
              "value": ${temporalWindow.from}000
            },
            {
              "field": "creation_time",
              "operator": "lte",
              "value": ${temporalWindow.to}000
            }
          ]
        }
      }
  output:
    select: ".reply.incidents"
    map: "."
    outputMode: "element"
```

{% endtab %}

{% tab title="Manually configure" %}
**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FUWdCoNTFSL8uPTHAHMCP%2Fl1ight-medium%20(15)1.png?alt=media&#x26;token=b154f980-5a5c-44f2-8a3f-7b0882cf7ce1" alt=""><figcaption></figcaption></figure>

**Authentication Phase**

Off

#### **Enumeration Phase**

Off

#### **Collection Phase**

* **Pagination Type**<mark style="color:red;">**\***</mark> - `fromTo`
* **Zero index**<mark style="color:red;">**\***</mark> - false
* **Limit**<mark style="color:red;">**\***</mark> - 100
* **Request**
  * **Response Type**<mark style="color:red;">**\***</mark> - JSON
  * **Method**<mark style="color:red;">**\***</mark> - `POST`
  * **URL**<mark style="color:red;">**\***</mark> - `https://${parameters.CortexXdrDomain}/public_api/v1/incidents/get_incidents`
  * **Headers**
    * **Name** - Accept
    * **Value** - `application/json`
    * **Name** - Content-Type
    * **Value** - `application/json`
    * **Name** - Authorization
    * **Value** - `${secrets.CortexXdrAuthorization}`
    * **Name** - x-xdr-auth-id
    * **Value** - `${secrets.CortexXdrAuthId}`
  * **Body type**<mark style="color:red;">**\***</mark> - raw
  * **Body content**<mark style="color:red;">**\***</mark> - `{`\
    `"request_data": {`\
    `"search_from": ${pagination.from},`\
    `"search_to": ${pagination.to},`\
    `"filters": [`\
    `{`\
    `"field": "creation_time",`\
    `"operator": "gte",`\
    `"value": ${temporalWindow.from}000`\
    `},`\
    `{`\
    `"field": "creation_time",`\
    `"operator": "lte",`\
    `"value": ${temporalWindow.to}000`\
    `}`\
    `]`\
    `}`\
    `}`
* **Output**
  * **Select -** `.reply.incidents`
  * **Map -** `.`
  * **Output Mode** - `element`

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F7hpGCmi4bvYjEHz2oOzd%2F2025-06-26_15-46-08.png?alt=media&#x26;token=5cf26571-7863-4777-b177-d18145aff2c0" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}
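As an added example (not Onum's or Palo Alto Networks' code), the Python below emulates what the listener configuration above does: it builds the same request body (temporal window in epoch seconds multiplied to milliseconds, both `creation_time` filters AND-ed), walks the result set in `fromTo` slices no larger than the 100-item limit, and emits each element of `.reply.incidents`. The real `get_incidents` endpoint is replaced by a constructed in-memory stand-in so it runs offline; `fake_get_incidents`, `collect`, `SAMPLE` and `run_window` are assumptions for illustration, not product APIs.

```python
import json

LIMIT = 100  # Cortex XDR's maximum result set size per request


def build_body(search_from, search_to, window_from_s, window_to_s):
    """Produce the same JSON as the listener's bodyRaw template.
    temporalWindow values are epoch seconds (format: Epoch); the API expects
    milliseconds, which is why the YAML appends '000' to ${temporalWindow.*}."""
    return json.dumps({
        "request_data": {
            "search_from": search_from,          # zero-based offset
            "search_to": search_to,              # exclusive end of the slice
            "filters": [                         # combined with AND by the API
                {"field": "creation_time", "operator": "gte",
                 "value": window_from_s * 1000},
                {"field": "creation_time", "operator": "lte",
                 "value": window_to_s * 1000},
            ],
        }
    })


def fake_get_incidents(body_json, store):
    """Constructed stand-in for POST .../incidents/get_incidents (assumption):
    applies the AND-ed filters, then the zero-based from/to slice."""
    req = json.loads(body_json)["request_data"]
    rows = store
    for f in req["filters"]:
        if f["operator"] == "gte":
            rows = [r for r in rows if r["creation_time"] >= f["value"]]
        elif f["operator"] == "lte":
            rows = [r for r in rows if r["creation_time"] <= f["value"]]
    page = rows[req["search_from"]:req["search_to"]]
    return {"reply": {"total_count": len(rows), "incidents": page}}


def collect(post, window_from_s, window_to_s, limit=LIMIT):
    """Emulate paginationType fromTo with outputMode element: request
    limit-sized slices until a short page, flattening .reply.incidents."""
    out, start = [], 0
    while True:
        body = build_body(start, start + limit, window_from_s, window_to_s)
        incidents = post(body)["reply"]["incidents"]
        out.extend(incidents)
        if len(incidents) < limit:
            return out
        start += limit


# Constructed sample data: one incident per minute from 1_700_000_000 s.
SAMPLE = [{"incident_id": str(i), "creation_time": (1_700_000_000 + 60 * i) * 1000}
          for i in range(12)]


def run_window(window_from_s=1_700_000_060, window_to_s=1_700_000_600, limit=4):
    """Collect the incidents created inside a 9-minute window, 4 per page."""
    return collect(lambda b: fake_get_incidents(b, SAMPLE),
                   window_from_s, window_to_s, limit)
```

With the sample data the window covers incidents 1 to 10, fetched as three pages (4, 4, 2), which shows why a full page must trigger another request while a short page ends the run.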

This HTTP Pull Listener now uses the Cortex XDR `get_incidents` API to extract events.

Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.
