Fetch Incidents Using SearchAfter
For API version information, refer to the API Version History section.
Non-Versioned
This API retrieves a large number of search results in smaller sections or batches.
This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation.
Input Parameters for Fetch Events and IncidentsInput Parameters for Fetch Events and Incidents
|
Input Parameters |
Mandatory/Optional |
Format |
Description |
|---|---|---|---|
|
Authorization |
Mandatory |
String |
Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken. |
|
filter |
Optional |
String |
Filter the incident list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example - incident.detectedon: ["2024-09-11T07:28:48.283Z" .. "2024-09-13T07:28:48.283Z"] AND incident.source: 'EDR' You can filter incident based on the time they are detected the incident (incident.detectedon) or based on the time they are updated (incident.updatedon). It is recommended to use the "incident.detectedon" or "incident.updatedon" parameter if you want to fetch incident by date AND time. |
|
pageNumber |
Optional |
String |
The pageNumber parameter returns the page to be returned. It starts from the value zero |
|
pageSize |
Optional |
String |
The pageSize parameter mentions the number of records per page to be included in the response. The default value is 10. |
|
include_attributes |
Optional |
String |
include_attribute parameter includes certain attributes in the search. The search results generated are provided using a comma-separated list. The API response fetches only the included attributes. For example: include_attributes = _type, _id, processName |
|
exclude_attributes |
Optional |
String |
exclude_attribute parameter excludes certain attributes from the search. The search results generated are provided using a comma-separated list. For example: exclude_attributes = _type, _id, processName Note: You need not exclude attributes if you have included specific attributes using the include_attributes parameter. Attributes that are not included are by default excluded. |
|
searchAfterValues |
Optional |
Array |
Enter a value for pagination to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax Note: This is the value from the searchAfterValue header returned in the previous response. If not provided, the API will return the first page of results. |
Sample - Initial RequestSample - Initial Request
API request
curl -X GET "<qualys_base_url>/ioc/incidents/searchAfter" --header
"accept: */*" --header "Authorization: Bearer <token>Response
[
{
"hostName": "<host_name>",
"agentId": "XX76XXXa-bab5-4XXe-95XX-9XXX2eeXX66X",
"malwareFamilies": [
null,
"Heur.BZC.PZQ.Boxter.919.2F8E3E9D"
],
"sha256":
"XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX",
"malwareCategories": [
null,
"VIRUS"
],
"eventSource": "Anti-malware",
"fileEventCount": 1,
"operatingSystem": "Microsoft Windows 10 Enterprise 10.0.19045 Build
19045",
"detectedOn": "2023-08-10T07:31:47.000+0000",
"scoreSource": "Anti-malware",
"mutexEventCount": 0,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
"riskScore": 9,
"id": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
"behavior": 0,
"incidentStatus": "CLOSED",
"networkEventCount": 0,
"registryEventCount": 0,
"updatedOn": "2023-08-10T08:21:28.719Z",
"userName": "Unassigned",
"eventTypes": [
"FILE",
"PROCESS"
],
"sha256Set": [
null,
"XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX"
],
"incidentId": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
"exploit": 0,
"incidentNumber": 21657,
"incidentDescription": "Heur.BZC.PZQ.Boxter.919.2F8E3E9D",
"processEventCount": 1
},
..
]
Sample - Follow-up RequestSample - Follow-up Request
Next API Request
curl -X GET "<qualys_base_url>/ioc/incidents/searchAfter
?pageSize=50&searchAfterValues= 1691705672299,XdeXX9Xe-50XX-XX24-b4XXdXX2XX187XdX"
--header "accept: */*" --header "Authorization: Bearer
<token>"Response
[
{
"hostName": "locXXXXst.loXXXXain",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"malwareFamilies": [
"CR_OCI_PUA",
"BD.TestSignature"
],
"techniqueNames": [
"Masquerading: Match Legitimate Name or Location",
"Service Stop",
"System Owner/User Discovery"
],
"malwareCategories": [
"VIRUS",
"worm"
],
"eventSource": "Anti-malware",
"fileEventCount": 0,
"scoreChangeSource": 1,
"operatingSystem": "Red Hat Enterprise Linux XXX",
"detectedOn": "2025-01-27T05:30:52.000+0000",
"platform": "LINUX",
"scoreSource": "REVERSING_LAB",
"mutexEventCount": 0,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"techniqueIds": [
"T1036.005",
"T1033",
"T1489"
],
"riskScore": 7,
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"behavior": 0,
"incidentStatus": "OPEN",
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"Linux_T1033_5 System Owner/User Discovery",
"Linux_T1489_3 Rsyslog Service Hang-Up Signal Actvitiy Detected",
"Process Attempted to Masquerade Legitimate File Name"
],
"tacticIds": [
"TA0005",
"TA0007",
"TA0040"
],
"updatedOn": "2025-01-27T11:50:20.268+0000",
"userName": "Unassigned",
"eventTypes": [
"PROCESS",
"FILE"
],
"responseActions": [
""
],
"tacticNames": [
"Impact",
"Defense Evasion",
"Discovery"
],
"incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
"exploit": 0,
"incidentNumber": 110947,
"incidentDescription": "CR_OCI_PUA",
"processEventCount": 0
},
{
"hostName": " locXXXXst.loXXXXain ",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"malwareFamilies": [
"CR_OCI_PUA",
"BD.TestSignature"
],
"techniqueNames": [
"System Network Configuration Discovery: Internet Connection Discovery"
],
"malwareCategories": [
"VIRUS"
],
"eventSource": "Anti-malware",
"fileEventCount": 0,
"scoreChangeSource": 0,
"operatingSystem": "Red Hat Enterprise Linux 9.4",
"detectedOn": "2025-01-27T12:34:54.000+0000",
"platform": "LINUX",
"scoreSource": "Anti-malware",
"mutexEventCount": 0,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"techniqueIds": [
"T1016.001"
],
"riskScore": 4,
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"behavior": 0,
"incidentStatus": "OPEN",
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"Linux_T1016_001_1 System Network Configuration Discovery: Internet Connection Discovery"
],
"tacticIds": [
"TA0007"
],
"updatedOn": "2025-01-27T13:02:09.505+0000",
"userName": "Unassigned",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
],
"responseActions": [
"ACCESS_DENIED"
],
"tacticNames": [
"Discovery"
],
"incidentId": "34XXb8XX-2XX7-3XXb-bXXb-7XX8fXX78XX0",
"exploit": 0,
"incidentNumber": 110970,
"processEventCount": 0
}
]
Response Field DescriptionsResponse Field Descriptions
|
Dataset Name |
Field Name |
Data Type |
Description |
|---|---|---|---|
| Incidents | hostName | String | The hostname of the system. |
| agentId | UUID | The unique identifier for the agent. | |
| malwareFamilies | Array of Strings | A list of detected malware families. | |
| techniqueNames | Array of Strings | A list of technique names used in attack. | |
| malwareCategories | Array of Strings | A list of malware categories. | |
| eventSource | String | The source of the event (Anti-malware or EDR). | |
| fileEventCount | Integer | The number of File events associated with the incident. | |
| scoreChangeSource | Integer |
The source of risk score change (E.g. Verdict change or SIDDHI or Sandbox). |
|
| operatingSystem | String |
The Operating System and Version of the asset (E.g. Red Hat Enterprise Linux 9.4). |
|
| detectedOn | Timestamp | Timestamp when the incident was detected. | |
| platform | String | The platform on which the host is running (e.g., LINUX). | |
| scoreSource | String | The source of the risk score. | |
| mutexEventCount | Integer | The number of mutex-related events. | |
| customerId | String | A unique identifier for the customer. | |
| techniqueIds | Array of Strings | The list of MITRE ATT&CK technique IDs. | |
| riskScore | Integer | The risk score of the incident. | |
| id | String | A unique identifier for the incident. | |
| incidentStatus | String | The status of the incident (e.g. OPEN). | |
| networkEventCount | Integer | The number of network-related events. | |
| registryEventCount | Integer | The number of registry-related events. | |
| mitreRuleNames | Array of Strings | The list of MITRE rule names applied. | |
| tacticIds | Array of Strings | The list of MITRE ATT&CK tactic IDs. | |
| updatedOn | Timestamp | Timestamp when the incident was last updated. | |
| userName | String | The user to whom the incident is assigned. | |
| eventTypes | Array of Strings | The types events detected (e.g. PROCESS, FILE). | |
| responseActions | Array of Strings | Actions taken in response to the event. | |
| tacticNames | Array of Strings | The list of MITRE ATT&CK tactic names. | |
| incidentId | String | A unique identifier for the incident. | |
| incidentNumber | Integer | A numeric identifier for the incident. | |
| incidentDescription | String | Description of the incident. | |
| processEventCount | Integer | The number of process-related events. |
Response Codes
The response codes for this API are as follows:
| HTTP Status Code | Description |
| 200 | OK: Get data | The request was successful, and the data was returned. |
| 204 | No Content: All data received | The request was successful, but there is no data to return. |
| 400 | Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax). |
V1.0
This API retrieves a large number of search results in smaller sections or batches.
This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation.
Input Parameters for Fetch Events and IncidentsInput Parameters for Fetch Events and Incidents
|
Input Parameters |
Mandatory/Optional |
Format |
Description |
|---|---|---|---|
|
Authorization |
Mandatory |
String |
Authorization parameter authenticates the Qualys Enterprise TruRisk™ Platform. Prepend token with "Bearer" and a space. For example: Bearer authToken. |
|
filter |
Optional |
String |
Filter the incident list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example - incident.detectedon: ["2024-09-11T07:28:48.283Z" .. "2024-09-13T07:28:48.283Z"] AND incident.source: 'EDR' You can filter incident based on the time they are detected the incident (incident.detectedon) or based on the time they are updated (incident.updatedon). It is recommended to use the "incident.detectedon" or "incident.updatedon" parameter if you want to fetch incident by date AND time. |
|
pageNumber |
Optional |
String |
The pageNumber parameter returns the page to be returned. It starts from the value zero |
|
pageSize |
Optional |
String |
The pageSize parameter mentions the number of records per page to be included in the response. The default value is 10. |
|
include_attributes |
Optional |
String |
include_attribute parameter includes certain attributes in the search. The search results generated are provided using a comma-separated list. The API response fetches only the included attributes. For example: include_attributes = _type, _id, processName |
|
exclude_attributes |
Optional |
String |
exclude_attribute parameter excludes certain attributes from the search. The search results generated are provided using a comma-separated list. For example: exclude_attributes = _type, _id, processName Note: You need not exclude attributes if you have included specific attributes using the include_attributes parameter. Attributes that are not included are by default excluded. |
|
searchAfterValues |
Optional |
Array |
Enter a value for pagination to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax Note: This is the value from the searchAfterValue header returned in the previous response. If not provided, the API will return the first page of results. |
Sample - Initial RequestSample - Initial Request
API request
curl -X GET "<qualys_base_url>/ioc/v1/incidents/searchAfter" --header
"accept: */*" --header "Authorization: Bearer <token>Response
[
{
"hostName": "<host_name>",
"agentId": "XX76XXXa-bab5-4XXe-95XX-9XXX2eeXX66X",
"malwareFamilies": [
null,
"Heur.BZC.PZQ.Boxter.919.2F8E3E9D"
],
"sha256":
"XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX",
"malwareCategories": [
null,
"VIRUS"
],
"eventSource": "Anti-malware",
"fileEventCount": 1,
"operatingSystem": "Microsoft Windows 10 Enterprise 10.0.19045 Build
19045",
"detectedOn": "2023-08-10T07:31:47.000+0000",
"scoreSource": "Anti-malware",
"mutexEventCount": 0,
"customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
"riskScore": 9,
"id": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
"behavior": 0,
"incidentStatus": "CLOSED",
"networkEventCount": 0,
"registryEventCount": 0,
"updatedOn": "2023-08-10T08:21:28.719Z",
"userName": "Unassigned",
"eventTypes": [
"FILE",
"PROCESS"
],
"sha256Set": [
null,
"XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX"
],
"incidentId": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
"exploit": 0,
"incidentNumber": 21657,
"incidentDescription": "Heur.BZC.PZQ.Boxter.919.2F8E3E9D",
"processEventCount": 1
},
..
]
Sample - Follow-up RequestSample - Follow-up Request
Next API Request
curl -X GET "<qualys_base_url>/ioc/v1/incidents/searchAfter
?pageSize=50&searchAfterValues= 1691705672299,XdeXX9Xe-50XX-XX24-b4XXdXX2XX187XdX"
--header "accept: */*" --header "Authorization: Bearer
<token>"Response
[
{
"hostName": "locXXXXst.loXXXXain",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"malwareFamilies": [
"CR_OCI_PUA",
"BD.TestSignature"
],
"techniqueNames": [
"Masquerading: Match Legitimate Name or Location",
"Service Stop",
"System Owner/User Discovery"
],
"malwareCategories": [
"VIRUS",
"worm"
],
"eventSource": "Anti-malware",
"fileEventCount": 0,
"scoreChangeSource": 1,
"operatingSystem": "Red Hat Enterprise Linux XXX",
"detectedOn": "2025-01-27T05:30:52.000+0000",
"platform": "LINUX",
"scoreSource": "REVERSING_LAB",
"mutexEventCount": 0,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"techniqueIds": [
"T1036.005",
"T1033",
"T1489"
],
"riskScore": 7,
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"behavior": 0,
"incidentStatus": "OPEN",
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"Linux_T1033_5 System Owner/User Discovery",
"Linux_T1489_3 Rsyslog Service Hang-Up Signal Actvitiy Detected",
"Process Attempted to Masquerade Legitimate File Name"
],
"tacticIds": [
"TA0005",
"TA0007",
"TA0040"
],
"updatedOn": "2025-01-27T11:50:20.268+0000",
"userName": "Unassigned",
"eventTypes": [
"PROCESS",
"FILE"
],
"responseActions": [
""
],
"tacticNames": [
"Impact",
"Defense Evasion",
"Discovery"
],
"incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
"exploit": 0,
"incidentNumber": 110947,
"incidentDescription": "CR_OCI_PUA",
"processEventCount": 0
},
{
"hostName": " locXXXXst.loXXXXain ",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"malwareFamilies": [
"CR_OCI_PUA",
"BD.TestSignature"
],
"techniqueNames": [
"System Network Configuration Discovery: Internet Connection Discovery"
],
"malwareCategories": [
"VIRUS"
],
"eventSource": "Anti-malware",
"fileEventCount": 0,
"scoreChangeSource": 0,
"operatingSystem": "Red Hat Enterprise Linux 9.4",
"detectedOn": "2025-01-27T12:34:54.000+0000",
"platform": "LINUX",
"scoreSource": "Anti-malware",
"mutexEventCount": 0,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"techniqueIds": [
"T1016.001"
],
"riskScore": 4,
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"behavior": 0,
"incidentStatus": "OPEN",
"networkEventCount": 0,
"registryEventCount": 0,
"mitreRuleNames": [
"Linux_T1016_001_1 System Network Configuration Discovery: Internet Connection Discovery"
],
"tacticIds": [
"TA0007"
],
"updatedOn": "2025-01-27T13:02:09.505+0000",
"userName": "Unassigned",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
],
"responseActions": [
"ACCESS_DENIED"
],
"tacticNames": [
"Discovery"
],
"incidentId": "34XXb8XX-2XX7-3XXb-bXXb-7XX8fXX78XX0",
"exploit": 0,
"incidentNumber": 110970,
"processEventCount": 0
}
]
Response Field DescriptionsResponse Field Descriptions
|
Dataset Name |
Field Name |
Data Type |
Description |
|---|---|---|---|
| Incidents | hostName | String | The hostname of the system. |
| agentId | UUID | The unique identifier for the agent. | |
| malwareFamilies | Array of Strings | A list of detected malware families. | |
| techniqueNames | Array of Strings | A list of technique names used in attack. | |
| malwareCategories | Array of Strings | A list of malware categories. | |
| eventSource | String | The source of the event (Anti-malware or EDR). | |
| fileEventCount | Integer | The number of File events associated with the incident. | |
| scoreChangeSource | Integer |
The source of risk score change (E.g. Verdict change or SIDDHI or Sandbox). |
|
| operatingSystem | String |
The Operating System and Version of the asset (E.g. Red Hat Enterprise Linux 9.4). |
|
| detectedOn | Timestamp | Timestamp when the incident was detected. | |
| platform | String | The platform on which the host is running (e.g., LINUX). | |
| scoreSource | String | The source of the risk score. | |
| mutexEventCount | Integer | The number of mutex-related events. | |
| customerId | String | A unique identifier for the customer. | |
| techniqueIds | Array of Strings | The list of MITRE ATT&CK technique IDs. | |
| riskScore | Integer | The risk score of the incident. | |
| id | String | A unique identifier for the incident. | |
| incidentStatus | String | The status of the incident (e.g. OPEN). | |
| networkEventCount | Integer | The number of network-related events. | |
| registryEventCount | Integer | The number of registry-related events. | |
| mitreRuleNames | Array of Strings | The list of MITRE rule names applied. | |
| tacticIds | Array of Strings | The list of MITRE ATT&CK tactic IDs. | |
| updatedOn | Timestamp | Timestamp when the incident was last updated. | |
| userName | String | The user to whom the incident is assigned. | |
| eventTypes | Array of Strings | The types events detected (e.g. PROCESS, FILE). | |
| responseActions | Array of Strings | Actions taken in response to the event. | |
| tacticNames | Array of Strings | The list of MITRE ATT&CK tactic names. | |
| incidentId | String | A unique identifier for the incident. | |
| incidentNumber | Integer | A numeric identifier for the incident. | |
| incidentDescription | String | Description of the incident. | |
| processEventCount | Integer | The number of process-related events. |
Response Codes
The response codes for this API are as follows:
| HTTP Status Code | Description |
| 200 | OK: Get data | The request was successful, and the data was returned. |
| 204 | No Content: All data received | The request was successful, but there is no data to return. |
| 400 | Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax). |
API Version History
The following table depicts the information about the different versions of this API along with the status:
| API Version | API Status | Release Date |
| /ioc/incidents/searchAfter | Active | |
| /ioc/v1/incidents/searchAfter | Active | May 2025 |