Fetch Incidents Using Scroll

This API retrieves a batch of incidents at once, which is particularly beneficial when managing a large number of incidents. The API returns up to 5,000 events per request.

This API involves a two-step process: an Initial Request that starts the scroll and returns the first batch, and a Follow-Up Request that passes the returned scroll id to retrieve the next batch. Both steps are necessary to ensure the full execution of the API operation.

GET /ioc/incidents/scroll

Input Parameters

Authorization (String) - Mandatory

Authorization token to authenticate to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and one space.

For example - Bearer authToken

fromDate (String) - Optional

Show events logged after a certain date. Supports epoch time / unix timestamp. See https://en.wikipedia.org/wiki/Unix_time

For example - 1483228800

Note: This parameter is used in conjunction with the "toDate" parameter to fetch events for a specific date range. Only the date part of the value is considered; the time of day is ignored. Use the filter parameter to drill down further by applying the time value.

toDate (String) - Optional

Show events logged until a certain date. Supports epoch time / unix timestamp. See https://en.wikipedia.org/wiki/Unix_time

For example - 1514764799

Note: This parameter is used in conjunction with the "fromDate" parameter to fetch events for a specific date range. Only the date part of the value is considered; the time of day is ignored. Use the filter parameter to drill down further by applying the time value.

filter (String) - Optional

Filter the incident list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query.

For example - incident.detectedon: ["2024-09-11T07:28:48.283Z" .. "2024-09-13T07:28:48.283Z"] AND incident.source: 'EDR'

You can filter incidents by the time they were detected (incident.detectedon) or by the time they were last updated (incident.updatedon). Use the "incident.detectedon" or "incident.updatedon" token if you want to fetch incidents by date AND time, since fromDate and toDate only consider the date.

groupBy (String) - Optional

Group results based on certain parameters (provide a comma-separated list).

For example - agentId

sort (String) - Optional

Sort the results using a Qualys token.

For example - [{"action":"asc"}]

include_attributes (String) - Optional

Include certain attributes in the search (provide a comma-separated list). Only the included attributes are returned in the API response.

For example - include_attributes = _type, _id, processName

exclude_attributes (String) - Optional

Exclude certain attributes from the search (provide a comma-separated list).

For example - exclude_attributes = _type, _id, processName

Note: You need not exclude attributes if you have already included specific attributes using the include_attributes parameter; attributes that are not included are excluded by default.

scrollId (String) - Optional

Identifier for the search. It retrieves the next batch of search results for the request.

For example - scrollId=<scroll_id>

Note: This parameter is used only from the follow-up (next) API request onwards. The scroll_id value is taken from the header of the preceding response.

Sample - Initial Request

API request

curl --location --request GET '<qualys_base_url>/ioc/incidents/scroll?filter=incident.id:"xxx676ad-xxxe-34b8-axxx-e0xxxbefxxx9"' --header "Authorization: Bearer <token>"

Response

  
[
{
"dateTime": "2022-10-04T11:56:47.000+0000",
"eventProcessedTime": "2022-10-04T12:00:54.149+0000",
"workflow": 4,
"eventSource": "EDR",
"stateDocumentId": "RTF_xxxf627e-xxx3-xxxc-xxx3-
xxx863c3fxxx_6902519366503004772",
"type": "FILE",
"actor": {
"processEventId": "RTP_xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx_-
7833919771257568865_32386",
"processUniqueId": "-7833919771257568865",
"processId": 32386,
"processName": "/usr/sbin/syslog-ng",
"userName": "root",
"imageFullPath": "/usr/sbin/syslog-ng"
},
"score": "5",
"scoreSource": "SIDDHI",
"file": {
"fullPath": "/var/log/secure",
"path": "/var/log",
"fileName": "secure",
"createdDate": "2022-10-04T10:52:11.000+0000",
"sha256": "xxxddcb5a776652xxxx97xxxxxx941xxx23d1bxxxx66",
"size": 14910,
"accessDate": "2022-10-04T10:52:11.000+0000",
"nonPEFile": false,
"writeDate": "2022-10-04T11:56:47.000+0000",
"macroEmbedded": false,
"fileType": "regularfile",
"md5": "xxx4exxx7cxxxfebxxxx75aaxxxx20dx6"
},
"techniques": [
{
"techniqueName": "Ingress Tool Transfer",
"techniqueScore": 5,
"techniqueId": "T1105"
}
],
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"action": "WRITE",
"tactics": [
{
"tacticName": "Command and Control",
"tacticId": "TA0011"
}
],
"ruleNames": [
"AK1001"
],
"id": "RTF_xxx2c622-xxx3-xxxf-xxx8-xxx29b20fxxx_4-10-2022",
"incidentId": "xxx676ad-xxxe-34b8-axxx-e0xxxbefxxx9"",
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "xxxxxxx.xxxx.xxx.xxxx.xxxx.com",
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"isQuarantineHost": false,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"platform": "LINUX",
"assetType": "HOST"
},
"nodeId": "xxx036f5-xxx5-xxxf-xxx4-xxx4276fcxxx",
"uniqueId": "xxx25xxxx0300xxx2"
},
{
"dateTime": "2022-10-01T02:45:03.000+0000",
"eventSource": "EDR",
"type": "FILE",
"score": "5",
"scoreSource": "SIDDHI",
"file": {
"fullPath": "/var/log//maillog",
"path": "/var/log/",
"fileName": "maillog",
"createdDate": "2022-10-01T02:32:02.000+0000",
"sha256": "xxxxc1bexxxefb21ba2xxxx1200b5xxxdb26xxxx9d7e",
"size": 81139,
"accessDate": "2022-10-01T02:32:02.000+0000",
"nonPEFile": false,
"writeDate": "2022-10-01T02:45:03.000+0000",
"macroEmbedded": false,
"fileType": "regularfile",
"md5": "xxx9109aabxxx17xxxebxx86cxxxa"
},
"familyName": [
""
],
"customerId": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
"action": "WRITE",
"id": "RTF_xxxc1476-xxx3-xxx8-xxxb-xxxa88bb2xxx_30-9-2022",
"eventProcessedTime": "2022-10-01T02:58:39.093+0000",
"workflow": 2,
"stateDocumentId": "RTF_xxxf627e-xxx3-xxxc-xxx3-
xxx863c3fff4_6561786300176718951",
"indicator2": [
{
"sha256": "xxxxx8cfxxxx2565xxf6z7xxxx551xxx458xx299xx1",
"verdict": "UNKNOWN",
"rowId": "6561786300176718951"
},
{
"sha256": "xxxxb11e8a826489xxxd9fxxx6c6xxx003d",
"verdict": "UNKNOWN",
"rowId": "6561786300176718951"
},
{
"sha256": "xxx5b20eaa35ec27xxx90a4adxxx15470xxxa8xxb",
"verdict": "UNKNOWN",
"rowId": "6561786300176718951"
}
],
"actor": {
"processEventId": "RTP_xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx_-
78xxxxxx756xxx_32xxx",
"processUniqueId": "-xx3xxxxxxxxx8865",
"processId": 32386,
"processName": "/usr/sbin/syslog-ng",
"userName": "root",
"imageFullPath": "/usr/sbin/syslog-ng"
},
"techniques": [
{
"techniqueName": "Ingress Tool Transfer",
"techniqueScore": 5,
"techniqueId": "T1105"
}
],
"verdict": [
"UNKNOWN"
],
"tactics": [
{
"tacticName": "Command and Control",
"tacticId": "TA0011"
}
],
"ruleNames": [
"AK1001"
],
"incidentId": "xxx676ad-xxxe-34b8-axxx-e0xxxbefxxx9"",
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "xxxxx.xxx.xxx.xxxx.xxxx.com",
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"isQuarantineHost": false,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"platform": "LINUX",
"assetType": "HOST"
},
"category": [
""
],
"nodeId": "xxx5056f-xxx9-xxx5-xxxb-xxx826773xxx",
"uniqueId": "6561xxxxxxxx71xxxxx"
}
]

Sample - Follow-up Request

Next API request

curl --location --request GET "<qualys_base_url>/ioc/incidents/events/scroll?scrollId=<scroll_id>" --header "Authorization: Bearer <token>"

Response

  
[
{
"dateTime": "2022-10-01T15:30:01.000+0000",
"eventProcessedTime": "2022-10-01T15:34:54.785+0000",
"workflow": 4,
"eventSource": "EDR",
"stateDocumentId": "RTF_xxxf627e-xxx3-xxxc-xxx3-
xxx863c3fxxx_7836938903773883484",
"type": "FILE",
"actor": {
"processEventId": "RTP_xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx_-
7833919771257568865_32386",
"processUniqueId": "-7833919771257568865",
"processId": 32386,
"processName": "/usr/sbin/syslog-ng",
"userName": "root",
"imageFullPath": "/usr/sbin/syslog-ng"
},
"score": "5",
"scoreSource": "SIDDHI",
"file": {
"fullPath": "/var/log/cron",
"path": "/var/log",
"fileName": "cron",
"createdDate": "2022-10-01T15:17:07.000+0000",
"sha256": "xxxf33b5xxxa2b77625xxx078cxxx1f5xx0f0xx0xxxf8c9bf",
"size": 28736,
"accessDate": "2022-10-01T15:17:07.000+0000",
"nonPEFile": false,
"writeDate": "2022-10-01T15:30:01.000+0000",
"macroEmbedded": false,
"fileType": "regularfile",
"md5": "xxx3cexxd460xx089b2xxc9fxx8710"
},
"techniques": [
{
"techniqueName": "Ingress Tool Transfer",
"techniqueScore": 5,
"techniqueId": "T1105"
}
],
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"action": "WRITE",
"tactics": [
{
"tacticName": "Command and Control",
"tacticId": "TA0011"
}
],
"ruleNames": [
"AK1001"
],
"id": "RTF_xxx584ec-xxx3-xxx4-xxx7-xxx738330xxx_1-10-2022",
"incidentId": "xxx676ad-xxxe-34b8-axxx-e0xxxbefxxx9",
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "xxxxxxx.xxx.xxx.xxxx.qualys.com",
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"isQuarantineHost": false,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"platform": "LINUX",
"assetType": "HOST"
},
"nodeId": "xxxd4ea1-xxxa-xxx7-xxx4-xxxcbb193xxx",
"uniqueId": "xxx36xxxxxx3883484"
},
{
"dateTime": "2022-10-01T16:30:01.000+0000",
"eventProcessedTime": "2022-10-01T16:35:01.803+0000",
"workflow": 4,
"eventSource": "EDR",
"stateDocumentId": "RTF_xxxf627e-xxx3-xxxc-xxx3-
xxx863c3fxxx_7836xxxxxx3883484",
"type": "FILE",
"actor": {
"processEventId": "RTP_xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx_-
7833xxxxxx68865_32386",
"processUniqueId": "-xxx39xxxxx688xxx",
"processId": 32386,
"processName": "/usr/sbin/syslog-ng",
"userName": "root",
"imageFullPath": "/usr/sbin/syslog-ng"
},
"score": "5",
"scoreSource": "SIDDHI",
"file": {
"fullPath": "/var/log/cron",
"path": "/var/log",
"fileName": "cron",
"createdDate": "2022-10-01T16:17:14.000+0000",
"sha256": "3xxx4db24868xxxxx678xxxxx3fc77xxxxxx7axxxxx83",
"size": 31006,
"accessDate": "2022-10-01T16:17:14.000+0000",
"nonPEFile": false,
"writeDate": "2022-10-01T16:30:01.000+0000",
"macroEmbedded": false,
"fileType": "regularfile",
"md5": "xxxa0f9xxx29b16eba9xxxxe85c1exxx"
},
"techniques": [
{
"techniqueName": "Ingress Tool Transfer",
"techniqueScore": 5,
"techniqueId": "T1105"
}
],
"customerId": "xxxcxxe1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"action": "WRITE",
"tactics": [
{
"tacticName": "Command and Control",
"tacticId": "TA0011"
}
],
"ruleNames": [
"AK1001"
],
"id": "RTF_xxx806a0-xxxd-xxx9-xxx4-xxxc6a154xxx_1-10-2022",
"incidentId": "xxx676ad-xxxe-34b8-axxx-e0xxxbefxxx9",
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "xxxxxxx.xxxxx.xxxxx.xxxxx.xxxxx.com",
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"isQuarantineHost": false,
"customerId": "xxxcxxe1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"platform": "LINUX",
"assetType": "HOST"
},
"nodeId": "xxxd4ea1-xxxa-xxx7-xxx4-xxxcbb193xxx",
"uniqueId": "7836xxxxxx3883484"
}
]

[
{
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"sha256": "xxxxxxb076caa8xxxxx922xxxxdeec0542xxxxx6a2e53aa968055fxxx",
"techniqueNames": [
"System Information Discovery",
"Ingress Tool Transfer"
],
"fileEventCount": 11,
"operatingSystem": "CentOS Linux 7.9.2009",
"detectedOn": "2022-10-01T08:45:01.000+0000",
"scoreSource": "SIDDHI",
"mutexEventCount": 0,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"techniqueIds": [
"T1082",
"T1105"
],
"riskScore": 5,
"id": "xxx227f4-xxxf-xxxa-xxx9-xxx99b9c5xxx",
"behavior": 0,
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"AK1001",
"AK1002"
],
"tacticIds": [
"TA0007",
"TA0011"
],
"updatedOn": "2022-10-01T08:49:44.008+0000",
"eventTypes": [
"PROCESS",
"FILE"
],
"tacticNames": [
"Command and Control"
],
"incidentId": "xxx227f4-xxxf-xxxa-xxx9-xxx99b9c5xxx",
"exploit": 0,
"processEventCount": 4
},
{
"hostName": "xxxxxxxx.xxx.xxx.xxxx.qualys.com",
"agentId": "xxxf627e-xxx3-xxxc-xxx3-xxx863c3fxxx",
"sha256":
"xxxxx376xxx65a48527b52ca23xxxx825c54dff1xxxf01exxxxxx1161",
"techniqueNames": [
"System Information Discovery",
"Ingress Tool Transfer"
],
"fileEventCount": 1,
"operatingSystem": "CentOS Linux 7.9.2009",
"detectedOn": "2022-10-01T09:15:02.000+0000",
"scoreSource": "SIDDHI",
"mutexEventCount": 0,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bxxx",
"techniqueIds": [
"T1082",
"T1105"
],
"riskScore": 5,
"id": "xxx4aca-8xxd-8669-3xxx6bxx2xx0",
"behavior": 0,
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"AK1001",
"AK1002"
],
"tacticIds": [
"TA0007",
"TA0011"
],
"updatedOn": "2022-10-01T09:20:02.659+0000",
"eventTypes": [
"PROCESS",
"FILE"
],
"tacticNames": [
"Command and Control"
],
"incidentId": "xxxb4aca-xxxf-xxxd-xxx9-xxx6b5452xxx",
"exploit": 0,
"processEventCount": 6
}
]
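The two-step flow described in the parameter table and shown in the Initial and Follow-up Request samples, implemented as a small client. This is an added example, not Qualys code: it URL-encodes the filter so the quotes, brackets and spaces of a Qualys query survive (the raw curl sample needs shell quoting for the same reason), sends the follow-up to the same /ioc/incidents/scroll path with the scrollId parameter as the parameter table describes, and keeps requesting until a batch comes back empty. The page says the scroll id arrives in a response header but does not name it, so the header name (SCROLL_ID_HEADER), the placeholder base URL and the injectable fetch transport are assumptions; the summary helper simply counts technique ids across the two record shapes that appear in the sample responses.

```python
"""Two-step scroll client for GET /ioc/incidents/scroll (added example, not Qualys code)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# ASSUMPTION: the docs say the scroll id is returned in a response header but do
# not name the header; change this to whatever your platform actually sends.
SCROLL_ID_HEADER = "scrollId"

# Transport signature: (url, request_headers) -> (status, response_headers, body).
# Injected so the pagination loop can be exercised offline against a fake server.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def build_initial_url(base_url: str, filter_query: Optional[str] = None,
                      from_date: Optional[int] = None, to_date: Optional[int] = None,
                      include_attributes: Optional[List[str]] = None) -> str:
    """Initial request URL. Every value is percent-encoded (quote, not quote_plus)
    so a filter such as incident.detectedon: ["..." .. "..."] AND incident.source: 'EDR'
    reaches the server intact."""
    params: Dict[str, str] = {}
    if filter_query:
        params["filter"] = filter_query
    if from_date is not None:
        params["fromDate"] = str(from_date)  # epoch seconds; only the date part counts
    if to_date is not None:
        params["toDate"] = str(to_date)
    if include_attributes:
        params["include_attributes"] = ",".join(include_attributes)
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base_url.rstrip('/')}/ioc/incidents/scroll" + (f"?{query}" if query else "")


def build_follow_up_url(base_url: str, scroll_id: str) -> str:
    """Follow-up request URL: only the scrollId taken from the previous response header."""
    query = urllib.parse.urlencode({"scrollId": scroll_id})
    return f"{base_url.rstrip('/')}/ioc/incidents/scroll?{query}"


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.getcode(), dict(resp.headers.items()), resp.read()


def scroll_incidents(base_url: str, token: str, filter_query: Optional[str],
                     fetch: Fetch = urllib_fetch, max_batches: int = 1000) -> Iterator[dict]:
    """Yield every record across all batches: one initial request, then follow-up
    requests carrying the scroll id from each response header, until a batch is
    empty or no scroll id is returned. max_batches guards against looping forever
    if the server keeps handing back the same id."""
    headers = {"Authorization": f"Bearer {token}"}  # "Bearer" plus one space, per the docs
    url = build_initial_url(base_url, filter_query=filter_query)
    for _ in range(max_batches):
        status, resp_headers, body = fetch(url, headers)
        if status != 200:
            raise RuntimeError(f"scroll request failed with HTTP {status}")
        batch = json.loads(body)
        if not batch:
            return
        yield from batch
        # HTTP header names are case-insensitive; normalise before the lookup.
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        scroll_id = lowered.get(SCROLL_ID_HEADER.lower())
        if not scroll_id:
            return
        url = build_follow_up_url(base_url, scroll_id)
    raise RuntimeError("max_batches reached without an empty batch; aborting scroll")


def summarize_by_technique(records: Iterable[dict]) -> Dict[str, int]:
    """Count records per MITRE technique id. Handles both record shapes seen in the
    sample responses: event records carry a 'techniques' list of objects, incident
    records carry a flat 'techniqueIds' list."""
    counts: Dict[str, int] = {}
    for rec in records:
        ids = [t.get("techniqueId") for t in rec.get("techniques", [])]
        ids += rec.get("techniqueIds", [])
        for tid in ids:
            if tid:
                counts[tid] = counts.get(tid, 0) + 1
    return counts
```

For a live run, call `scroll_incidents("<qualys_base_url>", token, "incident.source: 'EDR'")` with the default transport; the generator hides the initial/follow-up distinction from the caller, which only sees a stream of records. Feeding that stream to `summarize_by_technique` gives a quick triage view of which techniques dominate the window you queried.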