Fetching incident details and response actions

  1. Authenticate to the cloud platform via the Python shell.

    The following variables should be available now:

    >>> base_url  # the base URL of the API
    '<the Acronis data center URL>/api/mdr/v1'
    >>> auth  # the 'Authorization' header value with the access token
    {'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImMwMD...'}
    >>> tenant_id # the ID of the partner tenant that can be accessed with the token
    'ede9f834-70b3-476c-83d9-736f9f8c7dae'
    
  2. Fetch the incident whose response actions you want to get by following the Fetching incidents procedure.

    As a result, you should have an incident ID and a customer ID that you will use in the following steps:

    >>> incident_id
    '41e19c11-2606-475d-b459-56a5509494ee'
    >>> customer_id
    '64b40fe0-2051-4f11-8913-ecd9652e221c'
    
  3. Define a variable named params, and then assign a dictionary of request parameters to this variable. customer_id is required; the with_* flags are optional and control which related data is embedded in the response:

    >>> params = {
    ...     'customer_id': customer_id,
    ...     'with_activities': False, # optional: include the incident's activities in the response
    ...     'with_detections': False, # optional: include the incident's detections in the response
    ...     'with_response_actions': True, # optional: include the available response actions in the response
    ... }
    
  4. Send a GET request to the /incidents/{incident_id} endpoint:

    >>> response = requests.get(f'{base_url}/incidents/{incident_id}', headers=auth, params=params)
    
  5. Check the status code of the response:

    >>> response.status_code
    200

    Status code 200 means that the request is successful. Any other status code means that the incident details were not returned; inspect the response body for the error details instead of parsing it as an incident.

    The response body contains the incident details together with the available response actions, formatted as JSON text. When converted to an object, it looks as follows:

    >>> import pprint
    >>> pprint.pprint(response.json())
    {'agent_version': '24.10.38581',
    'assignee_id': '00000000-0000-0000-0000-000000000000',
    'created_at': '2024-09-19T11:11:22.115829Z',
    'customer_id': 'fdd168cc-6c5b-4c0b-b908-0323895e74f3',
    'host_address': '10.144.1.22',
    'host_domain': 'DESKTOP-N6BRO6A',
    'host_name': 'DESKTOP-N6BRO6A',
    'incident_categories': ['MALWARE_DETECTED'],
    'incident_id': '8b4645f7-d742-470e-8368-9017d1156d8b',
    'incident_link': 'https://eu8-cloud.acronis.com/ui/#/endpoint-detection/customer/116/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/investigation',
    'incident_short_id': 1,
    'incident_time': '2024-09-19T11:11:22.115829Z',
    'mitigation_state': 'NOT_MITIGATED',
    'positivity': 10,
    'response_actions': [{'action': 'WORKLOAD_ISOLATE',
                        'description': 'Isolate a specific workload from the '
                                        'network',
                        'display_name': 'Isolate workload',
                        'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_ISOLATE'},
                        {'action': 'WORKLOAD_RESTART',
                        'description': 'Initiate a restart of a specific '
                                        'workload',
                        'display_name': 'Restart workload',
                        'query_parameters': {'delay': {'description': 'delay '
                                                                        'the '
                                                                        'restart '
                                                                        'of a '
                                                                        'system '
                                                                        'in '
                                                                        'minutes',
                                                        'maximum': 60,
                                                        'minimum': 0,
                                                        'type': 'number'}},
                        'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_RESTART'},
                        {'action': 'WORKLOAD_SHUTDOWN',
                        'description': 'Shut down a specific workload',
                        'display_name': 'Power off workload',
                        'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_SHUTDOWN'}],
    'severity': 'HIGH',
    'state': 'NOT_STARTED',
    'updated_at': '2024-09-24T09:41:36.39723Z',
    'verdict': 'MALICIOUS'}
    
  6. Store the list of response actions in a variable named response_actions.

    Each entry describes one action that the platform currently offers for this incident: the action identifier, a human-readable name and description, and a ready-to-call uri. Actions that accept additional parameters carry a query_parameters object with the allowed type and range; in the example above, WORKLOAD_RESTART accepts a delay of 0 to 60 minutes. All three actions shown are disruptive to the affected workload (network isolation, restart, power-off), so treat the uri as something to invoke deliberately, not automatically.

    >>> response_actions = response.json()['response_actions']
    >>> response_actions
    [
        {
            "action": "WORKLOAD_ISOLATE",
            "uri": "https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_ISOLATE",
            "description": "Isolate a specific workload from the network",
            "display_name": "Isolate workload"
        },
        {
            "action": "WORKLOAD_RESTART",
            "uri": "https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_RESTART",
            "query_parameters": {
                "delay": {
                    "type": "number",
                    "description": "delay the restart of a system in minutes",
                    "minimum": 0,
                    "maximum": 60
                }
            },
            "description": "Initiate a restart of a specific workload",
            "display_name": "Restart workload"
        },
        {
            "action": "WORKLOAD_SHUTDOWN",
            "uri": "https://eu8-cloud.acronis.com/api/mdr/v1/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_SHUTDOWN",
            "description": "Shut down a specific workload",
            "display_name": "Power off workload"
        }
    ]
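
The six steps above as one script, added here as an example; it is not taken from the Acronis documentation or any Acronis client library. It uses urllib from the standard library in place of requests so it runs without extra packages, and sends the with_* flags as lowercase 'true'/'false' strings (an assumption about what the API accepts). The incident body is a constructed, trimmed copy of the step 5 output. The HTTP method used to execute a response action is not described on this page, so the helper only validates the intended action against what the incident advertises (the action is offered, every parameter exists in query_parameters, and delay is within its advertised 0 to 60 range) and builds the URL; sending it is left to the caller.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample: a trimmed copy of the incident body from step 5, limited
# to the fields this example reads (IDs and states are the ones shown above).
SAMPLE_INCIDENT = {
    'incident_id': '8b4645f7-d742-470e-8368-9017d1156d8b',
    'mitigation_state': 'NOT_MITIGATED',
    'verdict': 'MALICIOUS',
    'response_actions': [
        {'action': 'WORKLOAD_ISOLATE',
         'display_name': 'Isolate workload',
         'description': 'Isolate a specific workload from the network',
         'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/'
                '8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_ISOLATE'},
        {'action': 'WORKLOAD_RESTART',
         'display_name': 'Restart workload',
         'description': 'Initiate a restart of a specific workload',
         'query_parameters': {'delay': {'type': 'number',
                                        'description': 'delay the restart of a system in minutes',
                                        'minimum': 0, 'maximum': 60}},
         'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/'
                '8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_RESTART'},
        {'action': 'WORKLOAD_SHUTDOWN',
         'display_name': 'Power off workload',
         'description': 'Shut down a specific workload',
         'uri': 'https://eu8-cloud.acronis.com/api/mdr/v1/incidents/'
                '8b4645f7-d742-470e-8368-9017d1156d8b/response_action?action=WORKLOAD_SHUTDOWN'},
    ],
}


def fetch_incident(base_url, auth, incident_id, customer_id):
    """Steps 3 to 5 as one call, using only the standard library instead of
    requests. Booleans are sent as lowercase strings (an assumption about what
    the API accepts; requests would send 'True'/'False'). urlopen raises
    HTTPError for any non-2xx status, so an error body is never mistaken for
    an incident."""
    query = urllib.parse.urlencode({
        'customer_id': customer_id,
        'with_activities': 'false',
        'with_detections': 'false',
        'with_response_actions': 'true',
    })
    req = urllib.request.Request(f'{base_url}/incidents/{incident_id}?{query}',
                                 headers=auth)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def index_actions(incident):
    """Map action identifier -> descriptor for the actions the platform offers
    for this incident. Anything not in this map is not available right now."""
    return {a['action']: a for a in incident.get('response_actions', [])}


def build_action_url(incident, action, params=None):
    """Check `action` and `params` against the advertised descriptors and return
    the full URL to call. Raises ValueError for an action the platform did not
    offer, a parameter the action does not take, or a value outside the
    advertised range, so the check happens before any request is sent."""
    actions = index_actions(incident)
    if action not in actions:
        raise ValueError(f'{action} is not offered for incident '
                         f'{incident["incident_id"]}; available: {sorted(actions)}')
    descriptor = actions[action]
    schema = descriptor.get('query_parameters', {})
    params = dict(params or {})
    for name, value in params.items():
        if name not in schema:
            raise ValueError(f'{action} does not take a parameter named {name!r}')
        spec = schema[name]
        if spec.get('type') == 'number':
            # bool is a subclass of int in Python; reject it explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                raise ValueError(f'{name} must be a number, got {value!r}')
            lo, hi = spec.get('minimum'), spec.get('maximum')
            if (lo is not None and value < lo) or (hi is not None and value > hi):
                raise ValueError(f'{name}={value} is outside [{lo}, {hi}]')
    # The advertised uri already carries ?action=...; merge extra parameters
    # into that query string rather than appending a second '?'.
    parts = urllib.parse.urlsplit(descriptor['uri'])
    query = dict(urllib.parse.parse_qsl(parts.query))
    query.update({k: str(v) for k, v in params.items()})
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


if __name__ == '__main__':
    print(sorted(index_actions(SAMPLE_INCIDENT)))
    print(build_action_url(SAMPLE_INCIDENT, 'WORKLOAD_RESTART', {'delay': 15}))
    try:
        build_action_url(SAMPLE_INCIDENT, 'WORKLOAD_RESTART', {'delay': 61})
    except ValueError as exc:
        print('rejected:', exc)
```

Against a live tenant, replace SAMPLE_INCIDENT with the result of fetch_incident(base_url, auth, incident_id, customer_id); the validation in build_action_url then reflects whatever the platform advertises for that incident at that moment rather than a hard-coded list of actions.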