Fetch Incidents Using SearchAfter

For API version information, refer to the API Version History section.


Non-Versioned

This API retrieves a large number of search results in smaller sections or batches.

This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation. 

GET /ioc/incidents/searchAfter

Input Parameters for Fetch Events and Incidents

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | The Authorization parameter authenticates to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken.
filter | Optional | String | Filter the incident list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: incident.detectedon: ["2024-09-11T07:28:48.283Z" .. "2024-09-13T07:28:48.283Z"] AND incident.source: 'EDR'. You can filter incidents by the time they were detected (incident.detectedon) or by the time they were last updated (incident.updatedon); use one of these two fields when you want to fetch incidents by date and time.
pageNumber | Optional | String | Specifies the page to be returned. Page numbering starts at zero.
pageSize | Optional | String | Specifies the number of records per page to include in the response. The default value is 10.
include_attributes | Optional | String | Comma-separated list of attributes to include in the search results; the API response returns only these attributes. For example: include_attributes = _type, _id, processName
exclude_attributes | Optional | String | Comma-separated list of attributes to exclude from the search results. For example: exclude_attributes = _type, _id, processName. Note: You need not exclude attributes if you have already included specific attributes using include_attributes; attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Pagination cursor from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: This is the value of the searchAfterValue header returned in the previous response. If it is not provided, the API returns the first page of results.

Sample - Initial Request

API request

curl -X GET "<qualys_base_url>/ioc/incidents/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "hostName": "<host_name>",
    "agentId": "XX76XXXa-bab5-4XXe-95XX-9XXX2eeXX66X",
    "malwareFamilies": [
      null,
      "Heur.BZC.PZQ.Boxter.919.2F8E3E9D"
    ],
    "sha256": "XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX",
    "malwareCategories": [
      null,
      "VIRUS"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 1,
    "operatingSystem": "Microsoft Windows 10 Enterprise 10.0.19045 Build 19045",
    "detectedOn": "2023-08-10T07:31:47.000+0000",
    "scoreSource": "Anti-malware",
    "mutexEventCount": 0,
    "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
    "riskScore": 9,
    "id": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
    "behavior": 0,
    "incidentStatus": "CLOSED",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "updatedOn": "2023-08-10T08:21:28.719Z",
    "userName": "Unassigned",
    "eventTypes": [
      "FILE",
      "PROCESS"
    ],
    "sha256Set": [
      null,
      "XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX"
    ],
    "incidentId": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
    "exploit": 0,
    "incidentNumber": 21657,
    "incidentDescription": "Heur.BZC.PZQ.Boxter.919.2F8E3E9D",
    "processEventCount": 1
  },
  ..
]

Sample - Follow-up Request

Next API Request

curl -X GET "<qualys_base_url>/ioc/incidents/searchAfter?pageSize=50&searchAfterValues=1691705672299,XdeXX9Xe-50XX-XX24-b4XXdXX2XX187XdX" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "hostName": "locXXXXst.loXXXXain",
    "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
    "malwareFamilies": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "techniqueNames": [
      "Masquerading: Match Legitimate Name or Location",
      "Service Stop",
      "System Owner/User Discovery"
    ],
    "malwareCategories": [
      "VIRUS",
      "worm"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 0,
    "scoreChangeSource": 1,
    "operatingSystem": "Red Hat Enterprise Linux XXX",
    "detectedOn": "2025-01-27T05:30:52.000+0000",
    "platform": "LINUX",
    "scoreSource": "REVERSING_LAB",
    "mutexEventCount": 0,
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "techniqueIds": [
      "T1036.005",
      "T1033",
      "T1489"
    ],
    "riskScore": 7,
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "behavior": 0,
    "incidentStatus": "OPEN",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "mitreRuleNames": [
      "Linux_T1033_5 System Owner/User Discovery",
      "Linux_T1489_3 Rsyslog Service Hang-Up Signal Actvitiy Detected",
      "Process Attempted to Masquerade Legitimate File Name"
    ],
    "tacticIds": [
      "TA0005",
      "TA0007",
      "TA0040"
    ],
    "updatedOn": "2025-01-27T11:50:20.268+0000",
    "userName": "Unassigned",
    "eventTypes": [
      "PROCESS",
      "FILE"
    ],
    "responseActions": [
      ""
    ],
    "tacticNames": [
      "Impact",
      "Defense Evasion",
      "Discovery"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "exploit": 0,
    "incidentNumber": 110947,
    "incidentDescription": "CR_OCI_PUA",
    "processEventCount": 0
  },
  {
    "hostName": " locXXXXst.loXXXXain ",
    "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
    "malwareFamilies": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "techniqueNames": [
      "System Network Configuration Discovery: Internet Connection Discovery"
    ],
    "malwareCategories": [
      "VIRUS"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 0,
    "scoreChangeSource": 0,
    "operatingSystem": "Red Hat Enterprise Linux 9.4",
    "detectedOn": "2025-01-27T12:34:54.000+0000",
    "platform": "LINUX",
    "scoreSource": "Anti-malware",
    "mutexEventCount": 0,
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "techniqueIds": [
      "T1016.001"
    ],
    "riskScore": 4,
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "behavior": 0,
    "incidentStatus": "OPEN",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "mitreRuleNames": [
      "Linux_T1016_001_1 System Network Configuration Discovery: Internet Connection Discovery"
    ],
    "tacticIds": [
      "TA0007"
    ],
    "updatedOn": "2025-01-27T13:02:09.505+0000",
    "userName": "Unassigned",
    "tags": [
      {
        "name": "Cloud Agent",
        "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
      }
    ],
    "responseActions": [
      "ACCESS_DENIED"
    ],
    "tacticNames": [
      "Discovery"
    ],
    "incidentId": "34XXb8XX-2XX7-3XXb-bXXb-7XX8fXX78XX0",
    "exploit": 0,
    "incidentNumber": 110970,
    "processEventCount": 0
  }
]

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Incidents | hostName | String | The hostname of the system.
 | agentId | UUID | The unique identifier for the agent.
 | malwareFamilies | Array of Strings | A list of detected malware families.
 | techniqueNames | Array of Strings | A list of technique names used in the attack.
 | malwareCategories | Array of Strings | A list of malware categories.
 | eventSource | String | The source of the event (Anti-malware or EDR).
 | fileEventCount | Integer | The number of file events associated with the incident.
 | scoreChangeSource | Integer | The source of the risk score change (e.g. verdict change, SIDDHI, or Sandbox).
 | operatingSystem | String | The operating system and version of the asset (e.g. Red Hat Enterprise Linux 9.4).
 | detectedOn | Timestamp | Timestamp when the incident was detected.
 | platform | String | The platform on which the host is running (e.g. LINUX).
 | scoreSource | String | The source of the risk score.
 | mutexEventCount | Integer | The number of mutex-related events.
 | customerId | String | A unique identifier for the customer.
 | techniqueIds | Array of Strings | The list of MITRE ATT&CK technique IDs.
 | riskScore | Integer | The risk score of the incident.
 | id | String | A unique identifier for the incident.
 | incidentStatus | String | The status of the incident (e.g. OPEN).
 | networkEventCount | Integer | The number of network-related events.
 | registryEventCount | Integer | The number of registry-related events.
 | mitreRuleNames | Array of Strings | The list of MITRE rule names applied.
 | tacticIds | Array of Strings | The list of MITRE ATT&CK tactic IDs.
 | updatedOn | Timestamp | Timestamp when the incident was last updated.
 | userName | String | The user to whom the incident is assigned.
 | eventTypes | Array of Strings | The types of events detected (e.g. PROCESS, FILE).
 | responseActions | Array of Strings | Actions taken in response to the event.
 | tacticNames | Array of Strings | The list of MITRE ATT&CK tactic names.
 | incidentId | String | A unique identifier for the incident.
 | incidentNumber | Integer | A numeric identifier for the incident.
 | incidentDescription | String | Description of the incident.
 | processEventCount | Integer | The number of process-related events.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 | OK: Get data. The request was successful, and the data was returned.
204 | No Content: All data received. The request was successful, but there is no data to return.
400 | Bad Request: Data not found. The request was invalid or malformed (e.g., missing parameters, invalid syntax).

V1.0

This API retrieves a large number of search results in smaller sections or batches.

This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation. 

GET /ioc/v1/incidents/searchAfter

Input Parameters for Fetch Events and Incidents

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | The Authorization parameter authenticates to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken.
filter | Optional | String | Filter the incident list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: incident.detectedon: ["2024-09-11T07:28:48.283Z" .. "2024-09-13T07:28:48.283Z"] AND incident.source: 'EDR'. You can filter incidents by the time they were detected (incident.detectedon) or by the time they were last updated (incident.updatedon); use one of these two fields when you want to fetch incidents by date and time.
pageNumber | Optional | String | Specifies the page to be returned. Page numbering starts at zero.
pageSize | Optional | String | Specifies the number of records per page to include in the response. The default value is 10.
include_attributes | Optional | String | Comma-separated list of attributes to include in the search results; the API response returns only these attributes. For example: include_attributes = _type, _id, processName
exclude_attributes | Optional | String | Comma-separated list of attributes to exclude from the search results. For example: exclude_attributes = _type, _id, processName. Note: You need not exclude attributes if you have already included specific attributes using include_attributes; attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Pagination cursor from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: This is the value of the searchAfterValue header returned in the previous response. If it is not provided, the API returns the first page of results.

Sample - Initial Request

API request

curl -X GET "<qualys_base_url>/ioc/v1/incidents/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "hostName": "<host_name>",
    "agentId": "XX76XXXa-bab5-4XXe-95XX-9XXX2eeXX66X",
    "malwareFamilies": [
      null,
      "Heur.BZC.PZQ.Boxter.919.2F8E3E9D"
    ],
    "sha256": "XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX",
    "malwareCategories": [
      null,
      "VIRUS"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 1,
    "operatingSystem": "Microsoft Windows 10 Enterprise 10.0.19045 Build 19045",
    "detectedOn": "2023-08-10T07:31:47.000+0000",
    "scoreSource": "Anti-malware",
    "mutexEventCount": 0,
    "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
    "riskScore": 9,
    "id": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
    "behavior": 0,
    "incidentStatus": "CLOSED",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "updatedOn": "2023-08-10T08:21:28.719Z",
    "userName": "Unassigned",
    "eventTypes": [
      "FILE",
      "PROCESS"
    ],
    "sha256Set": [
      null,
      "XX953a4XXXcfd39d7b7XXX8d92e9a8fXX849d52c64036c2f6XXXfb2XX5a52XXX"
    ],
    "incidentId": "XXc42aXX-03XX-XXdd-aXX8-42fXXXd7cXXX",
    "exploit": 0,
    "incidentNumber": 21657,
    "incidentDescription": "Heur.BZC.PZQ.Boxter.919.2F8E3E9D",
    "processEventCount": 1
  },
  ..
]

Sample - Follow-up Request

Next API Request

curl -X GET "<qualys_base_url>/ioc/v1/incidents/searchAfter?pageSize=50&searchAfterValues=1691705672299,XdeXX9Xe-50XX-XX24-b4XXdXX2XX187XdX" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "hostName": "locXXXXst.loXXXXain",
    "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
    "malwareFamilies": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "techniqueNames": [
      "Masquerading: Match Legitimate Name or Location",
      "Service Stop",
      "System Owner/User Discovery"
    ],
    "malwareCategories": [
      "VIRUS",
      "worm"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 0,
    "scoreChangeSource": 1,
    "operatingSystem": "Red Hat Enterprise Linux XXX",
    "detectedOn": "2025-01-27T05:30:52.000+0000",
    "platform": "LINUX",
    "scoreSource": "REVERSING_LAB",
    "mutexEventCount": 0,
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "techniqueIds": [
      "T1036.005",
      "T1033",
      "T1489"
    ],
    "riskScore": 7,
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "behavior": 0,
    "incidentStatus": "OPEN",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "mitreRuleNames": [
      "Linux_T1033_5 System Owner/User Discovery",
      "Linux_T1489_3 Rsyslog Service Hang-Up Signal Actvitiy Detected",
      "Process Attempted to Masquerade Legitimate File Name"
    ],
    "tacticIds": [
      "TA0005",
      "TA0007",
      "TA0040"
    ],
    "updatedOn": "2025-01-27T11:50:20.268+0000",
    "userName": "Unassigned",
    "eventTypes": [
      "PROCESS",
      "FILE"
    ],
    "responseActions": [
      ""
    ],
    "tacticNames": [
      "Impact",
      "Defense Evasion",
      "Discovery"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "exploit": 0,
    "incidentNumber": 110947,
    "incidentDescription": "CR_OCI_PUA",
    "processEventCount": 0
  },
  {
    "hostName": " locXXXXst.loXXXXain ",
    "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
    "malwareFamilies": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "techniqueNames": [
      "System Network Configuration Discovery: Internet Connection Discovery"
    ],
    "malwareCategories": [
      "VIRUS"
    ],
    "eventSource": "Anti-malware",
    "fileEventCount": 0,
    "scoreChangeSource": 0,
    "operatingSystem": "Red Hat Enterprise Linux 9.4",
    "detectedOn": "2025-01-27T12:34:54.000+0000",
    "platform": "LINUX",
    "scoreSource": "Anti-malware",
    "mutexEventCount": 0,
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "techniqueIds": [
      "T1016.001"
    ],
    "riskScore": 4,
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "behavior": 0,
    "incidentStatus": "OPEN",
    "networkEventCount": 0,
    "registryEventCount": 0,
    "mitreRuleNames": [
      "Linux_T1016_001_1 System Network Configuration Discovery: Internet Connection Discovery"
    ],
    "tacticIds": [
      "TA0007"
    ],
    "updatedOn": "2025-01-27T13:02:09.505+0000",
    "userName": "Unassigned",
    "tags": [
      {
        "name": "Cloud Agent",
        "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
      }
    ],
    "responseActions": [
      "ACCESS_DENIED"
    ],
    "tacticNames": [
      "Discovery"
    ],
    "incidentId": "34XXb8XX-2XX7-3XXb-bXXb-7XX8fXX78XX0",
    "exploit": 0,
    "incidentNumber": 110970,
    "processEventCount": 0
  }
]
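The two-step flow shown in the Initial Request and Follow-up Request samples above (for both the non-versioned and the V1.0 path) can be driven from a small client. The following is an added example written for this page, not Qualys-provided code: it sends the first GET without searchAfterValues, reads the searchAfterValue response header, echoes it back as the searchAfterValues query parameter, and stops on HTTP 204 ("All data received"). The urllib transport, the helper names (http_transport, fetch_all_incidents, detected_between, make_fake_transport), the page-size cap and the fake server with its constructed cursor values are assumptions of the example; the path, parameter names, header name and status codes are the ones documented on this page.

```python
"""Pagination client for the Qualys incidents searchAfter endpoint.

Added example for this page (not Qualys-provided code). It assumes the
behaviour the page documents: the initial GET carries no searchAfterValues,
every 200 response is a JSON array plus a searchAfterValue header, that
header value is echoed back as the searchAfterValues query parameter on
the follow-up request, and 204 means all data has been received.
"""
import json
import urllib.parse
import urllib.request

INCIDENTS_PATH = "/ioc/v1/incidents/searchAfter"   # path from the page


def http_transport(base_url, token, path=INCIDENTS_PATH):
    """Real transport over urllib; returns (status, headers, body).

    Not exercised by the offline demo below; base_url and token are the
    caller's own values.
    """
    def send(params):
        url = base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={
            "accept": "*/*",
            "Authorization": "Bearer " + token,  # token goes in the header, never in the URL
        })
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send


def detected_between(start_iso, end_iso, source=None):
    """Build the incident.detectedon range filter shown on the page."""
    for value in (start_iso, end_iso, source or ""):
        if '"' in value or "'" in value:   # never let quotes break out of the query literal
            raise ValueError("quote characters are not allowed in filter values")
    query = f'incident.detectedon: ["{start_iso}" .. "{end_iso}"]'
    if source:
        query += f" AND incident.source: '{source}'"
    return query


def fetch_all_incidents(transport, page_size=50, filter_query=None, max_pages=1000):
    """Initial request, then follow-up requests until the server answers 204."""
    incidents = []
    cursor = None            # value of the searchAfterValue response header
    for _ in range(max_pages):   # hard cap so a misbehaving cursor cannot loop forever
        params = {"pageSize": str(page_size)}
        if filter_query:
            params["filter"] = filter_query
        if cursor:
            params["searchAfterValues"] = cursor
        status, headers, body = transport(params)
        if status == 204:            # "All data received"
            break
        if status != 200:
            raise RuntimeError(f"searchAfter returned HTTP {status}: {body[:200]!r}")
        page = json.loads(body)
        if not page:
            break
        incidents.extend(page)
        # HTTP header names are case-insensitive, so match without regard to case.
        cursor = next((v for k, v in headers.items() if k.lower() == "searchaftervalue"), None)
        if cursor is None:           # no cursor means there is no further page to request
            break
    return incidents


def make_fake_transport(pages):
    """Constructed stand-in for the server so the demo runs offline.

    Returns the transport and a list that records each request's params.
    """
    calls = []
    # cursor i leads to page i; None selects the first page (constructed values)
    cursors = [None] + [f"{1691705672299 + i},constructed-id-{i}" for i in range(1, len(pages) + 1)]

    def send(params):
        calls.append(dict(params))
        idx = cursors.index(params.get("searchAfterValues"))
        if idx >= len(pages):
            return 204, {}, b""
        return 200, {"searchAfterValue": cursors[idx + 1]}, json.dumps(pages[idx]).encode()
    return send, calls


def demo():
    """Walk two constructed pages (incident ids taken from the page's sample response)."""
    sample_pages = [
        [{"incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6", "riskScore": 7},
         {"incidentId": "34XXb8XX-2XX7-3XXb-bXXb-7XX8fXX78XX0", "riskScore": 4}],
        [{"incidentId": "constructed-incident-3", "riskScore": 9}],
    ]
    transport, calls = make_fake_transport(sample_pages)
    query = detected_between("2025-01-27T00:00:00.000Z", "2025-01-28T00:00:00.000Z", "EDR")
    incidents = fetch_all_incidents(transport, page_size=2, filter_query=query)
    return incidents, calls


if __name__ == "__main__":
    got, sent = demo()
    print(f"{len(sent)} requests, {len(got)} incidents; last cursor sent: {sent[-1].get('searchAfterValues')}")
```

Against a live tenant, replace the fake transport with http_transport("<qualys_base_url>", "<token>") and keep the filter narrow (a detectedon or updatedon window, as the page recommends) so each run pulls only the incidents a detection pipeline has not yet ingested. The cursor is treated as opaque and is sent back exactly as received; only the quote check in detected_between inspects caller-supplied values, which keeps untrusted input from altering the Qualys query.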

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Incidents | hostName | String | The hostname of the system.
 | agentId | UUID | The unique identifier for the agent.
 | malwareFamilies | Array of Strings | A list of detected malware families.
 | techniqueNames | Array of Strings | A list of technique names used in the attack.
 | malwareCategories | Array of Strings | A list of malware categories.
 | eventSource | String | The source of the event (Anti-malware or EDR).
 | fileEventCount | Integer | The number of file events associated with the incident.
 | scoreChangeSource | Integer | The source of the risk score change (e.g. verdict change, SIDDHI, or Sandbox).
 | operatingSystem | String | The operating system and version of the asset (e.g. Red Hat Enterprise Linux 9.4).
 | detectedOn | Timestamp | Timestamp when the incident was detected.
 | platform | String | The platform on which the host is running (e.g. LINUX).
 | scoreSource | String | The source of the risk score.
 | mutexEventCount | Integer | The number of mutex-related events.
 | customerId | String | A unique identifier for the customer.
 | techniqueIds | Array of Strings | The list of MITRE ATT&CK technique IDs.
 | riskScore | Integer | The risk score of the incident.
 | id | String | A unique identifier for the incident.
 | incidentStatus | String | The status of the incident (e.g. OPEN).
 | networkEventCount | Integer | The number of network-related events.
 | registryEventCount | Integer | The number of registry-related events.
 | mitreRuleNames | Array of Strings | The list of MITRE rule names applied.
 | tacticIds | Array of Strings | The list of MITRE ATT&CK tactic IDs.
 | updatedOn | Timestamp | Timestamp when the incident was last updated.
 | userName | String | The user to whom the incident is assigned.
 | eventTypes | Array of Strings | The types of events detected (e.g. PROCESS, FILE).
 | responseActions | Array of Strings | Actions taken in response to the event.
 | tacticNames | Array of Strings | The list of MITRE ATT&CK tactic names.
 | incidentId | String | A unique identifier for the incident.
 | incidentNumber | Integer | A numeric identifier for the incident.
 | incidentDescription | String | Description of the incident.
 | processEventCount | Integer | The number of process-related events.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 | OK: Get data. The request was successful, and the data was returned.
204 | No Content: All data received. The request was successful, but there is no data to return.
400 | Bad Request: Data not found. The request was invalid or malformed (e.g., missing parameters, invalid syntax).

API Version History

The following table depicts the information about the different versions of this API along with the status:

API Version | API Status | Release Date
/ioc/incidents/searchAfter | Active |
/ioc/v1/incidents/searchAfter | Active | May 2025