# Endpoint Detection and Response (EDR) API
**Base URL**: https://dev-cloud.acronis.com/api/mdr/v1
## Endpoints
### GET /incidents
Returns a list of incidents.
The endpoint is designed for use by MDR vendors to retrieve incidents for their customers and store them on their backend for future use.
It is not intended for building UIs or for direct user interaction.
Usage is quota-limited based on the size of the result set.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::incidents_viewer`
#### Request parameters
##### Query parameters
| Name | Description |
|------|-------------|
| `customer_id` | (Optional) A filter by customer IDs (specific customer tenant ID(s) or customer IDs of specified partner tenant ID).
If not specified, the tenant ID provided in the token will be used.
If the user is authenticated in the scope of the partner tenant or above, this parameter is required.
The HTTP error 400 Bad Request will be returned if the parameter is missing or non-compliant.
Supported operators:
* `= value`: filters by the specified value. Only a customer-level tenant ID is allowed.
* `or(value1, value2, ...)`: filters by any value in the specified set. Only customer-level tenant IDs are allowed.
* `direct_children(partner_id)`: includes all customers that are direct children of the specified partner tenant ID.
* `descendants(partner_id)`: includes all customers that are descendants of the specified partner tenant ID.
**Type**: Union
**May be any of**:
1. Universally Unique Identifier.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`
2. **Type**: String |
| `incident_id` | (Optional) List of incident IDs.
Can only be used for a single customer, either specified in the `customer_id` parameter or extracted from the authentication token.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Incident ID.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`
2. **Type**: String |
| `with_multi_workload` | (Optional) Include multi-workload incidents in the response.
If true, for multi-workload incidents the "workloads" field will be present
and root level WorkloadInfo fields will be omitted.
**Type**: Boolean
**Default**: false |
| `with_transferred` | (Optional) Include incidents that were transferred to another incident.
**Type**: Boolean
**Default**: true |
| `order` | (Optional) Sort order of the returned items.
Supported operators:
* `asc(customer_id), asc(created_at)`: ascending order of customer and then created_at.
**Type**: String |
| `cursor` | (Optional) The cursor that points to the next batch of records returned from the previous request.
All other filtering and sorting parameters MUST remain exactly the same between requests.
**Type**: String |
| `limit` | (Optional) Maximum number of items to return.
**Type**: Integer
**Minimum**: 1
**Maximum**: 1000
**Default**: 100 |
| `created_at` | (Optional) Filters by incident creation time range.
Supported operators:
* `range(date_from, date_to)`: filters by the specified inclusive date range;
* `ge(date_from)`: filters by the specified date and later;
**Type**: Union
**May be any of**:
1. **Type**: DateTime
2. **Type**: String |
| `updated_at` | (Optional) Filters by incident update time range.
Supported operators:
* `range(date_from, date_to)`: filters by the specified inclusive date range;
* `ge(date_from)`: filters by the specified date and later;
**Type**: Union
**May be any of**:
1. **Type**: DateTime
2. **Type**: String |
| `is_mitigated` | (Optional) Filters by threat status (mitigation status).
**Type**: Boolean |
| `mitigation_state` | (Optional) Filters by mitigation state.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Determines whether the threat was mitigated.
**Type**: String
**Allowed values**:
- `NOT_MITIGATED`
- `MITIGATED`
- `AUTO_MITIGATED`
2. **Type**: String |
| `state` | (Optional) Filters by investigation state.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Incident investigation state.
**Type**: String
**Allowed values**:
- `NOT_STARTED`
- `INVESTIGATING`
- `TRIAGED`
- `FALSE_POSITIVE`
- `CLOSED`
2. **Type**: String |
| `severity` | (Optional) Filters by incident severity.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Incident severity.
**Type**: String
**Allowed values**:
- `LOW`
- `MEDIUM`
- `HIGH`
- `CRITICAL`
2. **Type**: String |
| `positivity` | (Optional) Filters by positivity.
Supported operators:
* `range(min_value, max_value)`: filters by the specified inclusive range;
**Type**: Union
**May be any of**:
1. Positivity level.
**Type**: Float
**Minimum**: 0
**Maximum**: 10
**Format**: float
2. **Type**: String |
| `verdict` | (Optional) Filters by verdict.
**Type**: String
**Allowed values**:
- `SUSPICIOUS`
- `MALICIOUS` |
| `incident_category` | (Optional) Filters by incident category.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Threat category.
**Type**: String
**Allowed values**:
- `MALWARE_DETECTED`
- `PROCESS_DETECTED`
- `MBR_ACTIVITY_BLOCKED`
- `URL_BLOCKED`
- `WEBSITE_URL_BLOCKED`
- `MS_DEFENDER`
- `THIRD_PARTY_OTHER`
- `UNKNOWN_CATEGORY`
2. **Type**: String |
| `workload_id` | (Optional) Filters by workload IDs.
Supported operators:
* `= value`: filters by the specified value;
* `or(value1, value2, ...)`: filters by any value in the specified set.
**Type**: Union
**May be any of**:
1. Workload ID.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`
2. **Type**: String |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
#### Responses
| Code | Description |
|------|-------------|
| `200` | List of incidents. |
| `429` | Results quota exceeded. |
| `400` | * Invalid input data.
* Assignee is not valid user.
* Workload ID is not valid or missing. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
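
The following Python example is added here and is not Acronis code. It builds the `customer_id`, `severity` and `created_at` filters with the operators listed above, checks IDs and `limit` against the documented pattern and bounds on the client side, and pages with `cursor` while every other parameter stays unchanged, backing off on `429`. Assumptions: the comma-separated encoding of `or(...)`, an RFC 3339 timestamp for `created_at`, and a caller-supplied `fetch` transport that returns `(status, items, next_cursor)`, because the response body layout is not shown on this page.

```python
import re
import time
from urllib.parse import urlencode

BASE_URL = "https://dev-cloud.acronis.com/api/mdr/v1"  # Base URL from this page
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")


def check_uuid(value):
    """Reject anything that does not match the documented UUID pattern."""
    if not UUID_RE.match(value):
        raise ValueError(f"not a UUID: {value!r}")
    return value


def one_or_many(values):
    """Render `= value` for one item and `or(v1,v2,...)` for several.
    Assumption: set members are comma-separated without spaces."""
    values = list(values)
    if not values:
        raise ValueError("empty filter")
    return values[0] if len(values) == 1 else "or(" + ",".join(values) + ")"


def customer_filter(ids=None, direct_children=None, descendants=None):
    """Build customer_id with exactly one of the documented operators."""
    if sum(x is not None for x in (ids, direct_children, descendants)) != 1:
        raise ValueError("pass exactly one of ids, direct_children, descendants")
    if direct_children is not None:
        return f"direct_children({check_uuid(direct_children)})"
    if descendants is not None:
        return f"descendants({check_uuid(descendants)})"
    return one_or_many(check_uuid(i) for i in ids)


def incident_params(customer_id, severities=(), created_since=None, limit=100):
    """Fixed filter set for one export run; the cursor is added per request."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    params = {"customer_id": customer_id, "limit": limit,
              "order": "asc(customer_id), asc(created_at)"}
    if severities:
        bad = set(severities) - set(SEVERITIES)
        if bad:
            raise ValueError(f"unknown severity: {sorted(bad)}")
        params["severity"] = one_or_many(severities)
    if created_since:  # assumption: an RFC 3339 timestamp string
        params["created_at"] = f"ge({created_since})"
    return params


def iter_incidents(fetch, params, max_quota_retries=3, sleep=time.sleep):
    """Yield every incident. `fetch(url)` is a hypothetical caller-supplied
    transport returning (status, items, next_cursor); extracting items and
    the cursor from the response body is left to it."""
    cursor, quota_hits = None, 0
    while True:
        query = dict(params)  # filters and order stay identical on every page
        if cursor:
            query["cursor"] = cursor
        status, items, next_cursor = fetch(f"{BASE_URL}/incidents?{urlencode(query)}")
        if status == 429:  # results quota exceeded: back off, repeat the same page
            quota_hits += 1
            if quota_hits > max_quota_retries:
                raise RuntimeError("results quota still exceeded")
            sleep(2 ** quota_hits)
            continue
        if status != 200:
            raise RuntimeError(f"GET /incidents failed with HTTP {status}")
        quota_hits = 0
        yield from items
        if not next_cursor:
            return
        cursor = next_cursor
```

A partner-level token must always go through `customer_filter`, since the endpoint returns 400 when `customer_id` is missing at that scope.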
### POST /incidents/investigation_state
Posts an investigation state update accompanied by a comment, or posts a new comment, for multiple incidents by an MDR vendor.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::security_analyst`
* `edr_mgmtsvc::automation`
#### Request parameters
##### Headers
| Name | Description |
|------|-------------|
| `Idempotency-Key` | (Optional) Idempotent APIs enable clients to safely retry operations without worrying about the side-effects that the operation can cause.
For example, a client can safely **retry** an idempotent request in the event of a network connection error.
More information as defined in RFC 7231 can be found [here](https://tools.ietf.org/html/rfc7231#section-4.2.2).
To make a request idempotent, the client adds the header `Idempotency-Key` with unique data. It is RECOMMENDED to use `UUID v4` data.
The service is supposed to keep a cache of every `Idempotency-Key` it has received in past requests in order to detect duplicate requests from clients.
The cache may be cleared periodically at the discretion of the service, but it should be preserved for at least 3 hours.
If the server receives a request with the same Idempotency-Key, it returns the same response as for the original request.
If the original request is still being processed, the server waits for its completion before responding.
The server does not store the request if it fails initial validation.
**Type**: String |
##### Query parameters
| Name | Description |
|------|-------------|
| `workflow_id` | (Optional) Workflow ID, if the request is executed by a workflow.
Requires the `edr_mgmtsvc::automation` scope.
Headers `X-Apigw-Session-User-Id`, `X-Apigw-Session-Login?` might be omitted.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `customer_id` | (Optional) Customer ID. If it isn't provided, the `tenant_id` from the authentication token is used.
Must be specified if the request is not authenticated with a customer-scoped token, i.e. at partner level or root level.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
##### Request body
**Media type**: application/json
**Schema definition**:
| Name | Description |
|------|-------------|
| `incident_ids` | Array of incident IDs.
May only be used when the customer_id matches tenant_id provided in the authentication token.
**Type**: Array of String
**Array type description:**
Incident ID.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `customer_incident_ids` | Array of customer and incident id pairs.
**Type**: Array of Object
**Array type description:**
**Type**: Object |
| `update` | The investigation state update by an MDR vendor.
**Type**: Object |
**Example**:
```json
{
"incident_ids": [
"f0a063E6-EA03-BaE7-A966-ebc90a1dbE5e"
],
"customer_incident_ids": [
{
"customer_id": "a2bCE6Da-FcD9-665D-d962-b5aaF3BFdC03",
"incident_id": "Eed9F8c6-3CE6-e4dD-ED7B-0B9E4AeDd6Ff"
}
],
"update": {
"comment": "",
"state": "NOT_STARTED",
"ticket_subject": "",
"assignee": "",
"assignee_id": "1E3F75AF-B80c-DcEc-1b29-04338CD339EC",
"ticket_id": "",
"priority": "LOW"
}
}
```
#### Responses
| Code | Description |
|------|-------------|
| `207` | Incident investigation state success per incident. |
| `200` | An invocation with the same Idempotency-Key has already been processed and resulted in 201 status.
Response body is the same as for the original request. |
| `400` | A request that fails initial validation is not stored for future idempotency checks. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `429` | Too many requests from the same IP. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
### GET /incidents/{incident_id}
Returns incident detailed info.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::incidents_viewer`
#### Request parameters
##### Headers
| Name | Description |
|------|-------------|
| `If-Modified-Since` | (Optional) **Type**: DateTime
**Format**: rfc2616 |
##### Query parameters
| Name | Description |
|------|-------------|
| `with_activities` | (Optional) Include activities in the response.
**Type**: Boolean
**Default**: true |
| `with_detections` | (Optional) Include detections in the response.
**Type**: Boolean
**Default**: true |
| `with_incident_actions` | (Optional) Include response actions in the response.
**Type**: Boolean
**Default**: false |
| `with_detection_per_type_limit` | (Optional) Limit the number of detections per detection type in the response.
If not provided, all detections are returned.
Note: for internal use only.
**Type**: Integer
**Minimum**: 1
**Maximum**: 1000 |
| `updated_since` | (Optional) Hint that permits skipping parts of the response (including detections and activities items)
that were NOT updated since supplied value.
**Type**: DateTime |
| `customer_id` | (Optional) Customer ID. If it isn't provided, the `tenant_id` from the authentication token is used.
Must be specified if the request is not authenticated with a customer-scoped token, i.e. at partner level or root level.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
#### Responses
| Code | Description |
|------|-------------|
| `200` | Incident data. |
| `304` | Incident has not been modified since the If-Modified-Since header. |
| `410` | * Incident is obsolete, for example the affected workload was removed. |
| `400` | * Invalid input data.
* Assignee is not valid user.
* Workload ID is not valid or missing. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `429` | Too many requests from the same IP. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
| `404` | * Incident is not found. |
### POST /incidents/{incident_id}/investigation_state
Posts an investigation state update accompanied by a comment, or posts a new comment, for an incident by an MDR vendor.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::security_analyst`
* `edr_mgmtsvc::automation`
#### Request parameters
##### Headers
| Name | Description |
|------|-------------|
| `Idempotency-Key` | (Optional) Idempotent APIs enable clients to safely retry operations without worrying about the side-effects that the operation can cause.
For example, a client can safely **retry** an idempotent request in the event of a network connection error.
More information as defined in RFC 7231 can be found [here](https://tools.ietf.org/html/rfc7231#section-4.2.2).
To make a request idempotent, the client adds the header `Idempotency-Key` with unique data. It is RECOMMENDED to use `UUID v4` data.
The service is supposed to keep a cache of every `Idempotency-Key` it has received in past requests in order to detect duplicate requests from clients.
The cache may be cleared periodically at the discretion of the service, but it should be preserved for at least 3 hours.
If the server receives a request with the same Idempotency-Key, it returns the same response as for the original request.
If the original request is still being processed, the server waits for its completion before responding.
The server does not store the request if it fails initial validation.
**Type**: String |
##### Query parameters
| Name | Description |
|------|-------------|
| `workflow_id` | (Optional) Workflow ID, if the request is executed by a workflow.
Requires the `edr_mgmtsvc::automation` scope.
Headers `X-Apigw-Session-User-Id`, `X-Apigw-Session-Login?` might be omitted.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `customer_id` | (Optional) Customer ID. If it isn't provided, the `tenant_id` from the authentication token is used.
Must be specified if the request is not authenticated with a customer-scoped token, i.e. at partner level or root level.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
##### Request body
**Media type**: application/json
**Schema definition**:
| Name | Description |
|------|-------------|
| `comment` | Optional comment related to the incident update.
**Type**: String |
| `state` | Updated state of the investigation in an MDR system, may include MDR specific states.
It is up to the MDR application logic to apply MDR status to EDR.
**Type**: Union
**May be any of**:
1. Incident investigation state.
**Type**: String
**Allowed values**:
- `NOT_STARTED`
- `INVESTIGATING`
- `TRIAGED`
- `FALSE_POSITIVE`
- `CLOSED`
2. **Type**: String |
| `ticket_subject` | External ticket subject.
**Type**: String |
| `assignee` | Name of an external agent assigned to the ticket.
**Type**: String |
| `assignee_id` | User ID of agent assigned to the ticket.
Must contain a UUID of a registered user with access rights to the incident.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `ticket_id` | External ticket ID associated with the incident.
**Type**: String |
| `priority` | Priority assigned to the ticket.
**Type**: String
**Allowed values**:
- `LOW`
- `MEDIUM`
- `HIGH`
- `CRITICAL` |
**Example**:
```json
{
"comment": "",
"state": "NOT_STARTED",
"ticket_subject": "",
"assignee": "",
"assignee_id": "Dd3d92ac-70Ba-4Ee4-1e88-ab6b3Ee07FC6",
"ticket_id": "",
"priority": "LOW"
}
```
#### Responses
| Code | Description |
|------|-------------|
| `201` | Incident investigation state appended successfully. |
| `200` | An invocation with the same Idempotency-Key has already been processed and resulted in 201 status.
Response body is the same as for the original request. |
| `400` | A request that fails initial validation is not stored for future idempotency checks. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `429` | Too many requests from the same IP. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
| `404` | * Incident is not found. |
### POST /incidents/{incident_id}/response_action
Performs a response action listed in the Get IncidentDetails reply.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::security_analyst`
* `edr_mgmtsvc::automation`
#### Request parameters
##### Headers
| Name | Description |
|------|-------------|
| `Idempotency-Key` | (Optional) Idempotent APIs enable clients to safely retry operations without worrying about the side-effects that the operation can cause.
For example, a client can safely **retry** an idempotent request in the event of a network connection error.
More information as defined in RFC 7231 can be found [here](https://tools.ietf.org/html/rfc7231#section-4.2.2).
To make a request idempotent, the client adds the header `Idempotency-Key` with unique data. It is RECOMMENDED to use `UUID v4` data.
The service is supposed to keep a cache of every `Idempotency-Key` it has received in past requests in order to detect duplicate requests from clients.
The cache may be cleared periodically at the discretion of the service, but it should be preserved for at least 3 hours.
If the server receives a request with the same Idempotency-Key, it returns the same response as for the original request.
If the original request is still being processed, the server waits for its completion before responding.
The server does not store the request if it fails initial validation.
**Type**: String |
##### Query parameters
| Name | Description |
|------|-------------|
| `action` | (Required) Action, e.g., "WORKLOAD_ISOLATE", see ResponseAction.
**Type**: Union
**Allowed values**:
- `WORKLOAD_ISOLATE`
- `WORKLOAD_DEISOLATE`
- `ADD_ALL_PROCESS_FILE_URL_TO_ALLOW_LIST`
- `ADD_ALL_PROCESS_FILE_URL_TO_BLOCK_LIST`
- `PROCESS_STOP_TREE`
- `PROCESS_STOP`
- `PROCESS_FILE_QUARANTINE`
- `PROCESS_FILE_DELETE`
- `WORKLOAD_RESTART`
- `WORKLOAD_SHUTDOWN`
- `ADD_TO_BLOCK`
- `ADD_TO_ALLOW`
- `WORKLOAD_PATCH`
- `ACQUIRE_FORENSIC_BACKUP`
- `WORKLOAD_ROLLBACK`
**May be any of**:
1. Predefined Response Action type.
**Type**: String
**Allowed values**:
- `WORKLOAD_ISOLATE`
- `WORKLOAD_DEISOLATE`
- `WORKLOAD_RESTART`
- `WORKLOAD_SHUTDOWN`
- `ADD_ALL_PROCESS_FILE_URL_TO_ALLOW_LIST`
- `ADD_ALL_PROCESS_FILE_URL_TO_BLOCK_LIST`
- `PROCESS_STOP_TREE`
- `PROCESS_STOP`
- `PROCESS_FILE_QUARANTINE`
- `PROCESS_FILE_DELETE`
- `ADD_TO_BLOCK`
- `ADD_TO_ALLOW`
- `ACQUIRE_FORENSIC_BACKUP`
- `WORKLOAD_ROLLBACK`
- `WORKLOAD_PATCH`
2. **Type**: String |
| `comment` | (Optional) Comment related to the action.
**Type**: String |
| `workload_id` | (Optional) Workload ID where the action should be performed.
If not provided, the action is performed on the workload associated with the incident.
Required for multi-workload incidents.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `workflow_id` | (Optional) Workflow ID, if the request is executed by a workflow.
Requires the `edr_mgmtsvc::automation` scope.
Headers `X-Apigw-Session-User-Id`, `X-Apigw-Session-Login?` might be omitted.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `customer_id` | (Optional) Customer ID. If it isn't provided, the `tenant_id` from the authentication token is used.
Must be specified if the request is not authenticated with a customer-scoped token, i.e. at partner level or root level.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
| `delay` | (Required) Delay in minutes before action is performed.
**Type**: Number
**Minimum**: 0
**Maximum**: 60 |
| `policy_id` | (Required) Protection policy ID.
**Type**: String |
| `files` | (Optional) List of file IDs to add to allow/block list.
**Type**: Array of String
**Array type description:**
Unique identifier of an entity in the EDR system.
**Type**: String
**Max length**: 128 |
| `processes` | (Optional) List of process image file IDs to add to allow/block list.
**Type**: Array of String
**Array type description:**
Unique identifier of an entity in the EDR system.
**Type**: String
**Max length**: 128 |
| `urls` | (Optional) List of URL IDs to add to allow/block list.
**Type**: Array of String
**Array type description:**
Unique identifier of an entity in the EDR system.
**Type**: String
**Max length**: 128 |
| `exclusion_description` | (Optional) Description of the exclusion.
**Type**: String |
| `patch_id` | (Required) Patch unique identifier.
**Type**: String |
| `backup_location` | (Required) Backup location.
**Type**: String |
| `archive_name` | (Optional) Backup archive name.
**Type**: String |
| `credentials_id` | (Optional) Credential object unique identifier. It is omitted if the backup is not encrypted.
**Type**: String |
| `forensic_dump_mode` | (Required) Forensic backup memory dump type.
**Type**: String
**Allowed values**:
- `RAW`
- `KERNEL` |
| `forensic_running_processes_snapshot` | (Required) Whether forensic backup should be done by snapshotting the running processes.
**Type**: Boolean |
| `restore_point_name` | (Optional) Human-readable string to display.
**Type**: String |
#### Responses
| Code | Description |
|------|-------------|
| `201` | Response Action was successfully initiated. |
| `200` | An invocation with the same Idempotency-Key has already been processed and resulted in 201 status.
Response body is the same as for the original request. |
| `400` | A request that fails initial validation is not stored for future idempotency checks. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `429` | Too many requests from the same IP. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
| `404` | * Incident is not found. |
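
The `Idempotency-Key` behaviour described for this endpoint and for both `investigation_state` endpoints matters most here, where a blind retry could isolate or shut down a workload twice. The following Python example is added here and is not Acronis code: it generates one UUID v4 key per logical action, reuses it on every retry, treats `200` as a replay of the original `201`, and stops retrying once the 3-hour cache guarantee has passed. Assumptions: the caller-supplied `post(url, headers)` transport (hypothetical) returns the HTTP status and raises `ConnectionError` on network failure, and the backoff schedule is illustrative.

```python
import re
import time
import uuid
from urllib.parse import urlencode

BASE_URL = "https://dev-cloud.acronis.com/api/mdr/v1"  # Base URL from this page
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
ACTIONS = frozenset("""
WORKLOAD_ISOLATE WORKLOAD_DEISOLATE WORKLOAD_RESTART WORKLOAD_SHUTDOWN
ADD_ALL_PROCESS_FILE_URL_TO_ALLOW_LIST ADD_ALL_PROCESS_FILE_URL_TO_BLOCK_LIST
PROCESS_STOP_TREE PROCESS_STOP PROCESS_FILE_QUARANTINE PROCESS_FILE_DELETE
ADD_TO_BLOCK ADD_TO_ALLOW ACQUIRE_FORENSIC_BACKUP WORKLOAD_ROLLBACK WORKLOAD_PATCH
""".split())
KEY_TTL_SECONDS = 3 * 60 * 60  # the key cache is kept "for at least 3 hours"


def response_action_request(incident_id, action, delay, **extra):
    """Return (url, headers) for one logical response action.
    Other parameters the page marks Required (policy_id, patch_id, ...) go in
    `extra` unchecked: the page does not say which action needs which."""
    if not UUID_RE.match(incident_id):
        raise ValueError("incident_id is not a UUID")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if not 0 <= delay <= 60:
        raise ValueError("delay must be 0..60 minutes")
    query = urlencode({"action": action, "delay": delay, **extra})
    url = f"{BASE_URL}/incidents/{incident_id}/response_action?{query}"
    # One key per logical operation, generated once and reused on every retry.
    return url, {"Idempotency-Key": str(uuid.uuid4())}


def send_idempotent(post, url, headers, attempts=4,
                    sleep=time.sleep, clock=time.monotonic):
    """Send with retries under one Idempotency-Key.
    Returns 201 (action initiated) or 200 (replay of an already processed key)."""
    started = clock()
    for attempt in range(attempts):
        if clock() - started >= KEY_TTL_SECONDS:
            # Past the guaranteed cache lifetime a retry may run the action again.
            raise TimeoutError("idempotency window elapsed; check the action status")
        try:
            status = post(url, headers)
        except ConnectionError:
            status = None  # outcome unknown: the server may have acted already
        if status in (200, 201):
            return status
        if status is not None and status != 429 and status < 500:
            # 400/401/403/404: resending unchanged cannot succeed. A 400 is not
            # stored by the server, so the key is not consumed by it.
            raise RuntimeError(f"response action rejected with HTTP {status}")
        sleep(2 ** attempt)  # 429, 5xx or network error: retry with the same key
    raise RuntimeError("response action not confirmed after retries")
```

When the window has elapsed or retries are exhausted, query `GET /incidents/{incident_id}/response_action` for the action status before issuing a new key.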
### GET /incidents/{incident_id}/response_action
Gets the detailed status of an initiated action.
#### Security
The endpoint supports the following authorization methods: `OAuth 2.0`
For OAuth2 authorization method, one of the following scopes is required by the endpoint:
* `edr_mgmtsvc::incidents_viewer`
#### Request parameters
##### Query parameters
| Name | Description |
|------|-------------|
| `activity_id` | (Required) Activity ID corresponding to the initiated response action.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `customer_id` | (Optional) Customer ID. If it isn't provided, the `tenant_id` from the authentication token is used.
Must be specified if the request is not authenticated with a customer-scoped token, i.e. at partner level or root level.
**Type**: String
**Pattern**: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` |
| `analytics_source` | (Optional) Name of a component that uses the API or a vendor name, used for API usage analytics only.
**Type**: String |
#### Responses
| Code | Description |
|------|-------------|
| `200` | Response Action status. |
| `400` | * Invalid input data.
* Assignee is not valid user.
* Workload ID is not valid or missing. |
| `401` | Unauthorized request. |
| `403` | Access denied due to insufficient permissions. |
| `429` | Too many requests from the same IP. |
| `500` | Unexpected server error.
Error can be raised by network infrastructure (for example, by Nginx).
In this case, the response can contain any body. |
| `404` | * Incident is not found. |