Fetching incidents

  1. Authenticate to the cloud platform via the Python shell.

    The following variables should be available now:

    >>> base_url  # the base URL of the API
    '<the Acronis data center URL>/api/mdr/v1'
    >>> auth  # the 'Authorization' header value with the access token
    {'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImMwMD...'}
    >>> tenant_id # the ID of the partner tenant that can be accessed with the token
    'ede9f834-70b3-476c-83d9-736f9f8c7dae'
    
  2. Specify a filter by customer IDs and store it in a variable named customer_id. The following options are available:

    1. If you need to fetch incidents of a specific customer, specify stored customer ID or fetch one using Account Management API v2:

      >>> customer_id = '41e19c11-2606-475d-b459-56a5509494ee'
      
    2. If you need to fetch incidents for multiple customers, specify a list of customer IDs using the or operator:

      >>> customer_id = 'or(41e19c11-2606-475d-b459-56a5509494ee,41e19c11-2606-475d-b459-56a5509494ef)'
      
    3. If you need to fetch incidents of customers in a partner, specify one of the following filtering operators:

      • direct_children(<partner_id>) - includes all customers that are direct children of the specified partner tenant ID.

      • descendants(<partner_id>) - includes all customers that are descendants of the specified partner tenant ID.

      Where <partner_id> is the ID of the partner tenant.

      For example, to fetch incidents for all customers that are direct children of the partner tenant with ID ede9f834-70b3-476c-83d9-736f9f8c7dae:

      >>> customer_id = 'direct_children(ede9f834-70b3-476c-83d9-736f9f8c7dae)'
      
  3. Define a variable named params, and then assign a dictionary with the query parameters to this variable:

    >>> params = {
    ...     'customer_id': customer_id,
    ...     'state': 'NOT_STARTED', # get all incidents that are not started
    ...     'is_mitigated': False, # get all incidents that are not mitigated
    ...     'cursor': None, # optional parameter with a cursor to the next page of the response
    ... }
    
  4. Send a GET request to the /incidents endpoint:

    >>> response = requests.get(f'{base_url}/incidents', headers=auth, params=params)
    
  5. Check the status code of the response:

    >>> response.status_code
    200
    

    Status code 200 means that the request is successful.

    Also, the response body contains the response contains the list of incidents and a cursor to the next page formatted as a JSON text. When converted to an object, it will look as follows:

    >>> pprint.pprint(response.json())
    {'cursor': 'obT6tj3_TUqL8E6vqce6qA==',
    'items': [{'agent_version': '1.0.272.0',
                'created_at': '2024-09-19T11:11:22.115829Z',
                'customer_id': 'fdd168cc-6c5b-4c0b-b908-0323895e74f3',
                'host_domain': 'DESKTOP-N6BRO6A',
                'host_name': 'DESKTOP-N6BRO6A',
                'incident_categories': ['MALWARE_DETECTED'],
                'incident_id': '8b4645f7-d742-470e-8368-9017d1156d8b',
                'incident_link': 'https://eu8-cloud.acronis.com/ui/#/endpoint-detection/customer/116/incidents/8b4645f7-d742-470e-8368-9017d1156d8b/investigation',
                'incident_short_id': 1,
                'incident_time': '2024-09-19T11:11:22.115829Z',
                'mitigation_state': 'NOT_MITIGATED',
                'positivity': 10,
                'severity': 'HIGH',
                'state': 'NOT_STARTED',
                'updated_at': '2024-09-24T09:41:36.39723Z',
                'verdict': 'MALICIOUS'},
            {'agent_version': '0.0.0.0',
                'created_at': '2024-09-20T05:23:22.794725Z',
                'customer_id': 'e71026a0-3676-435c-9e31-1aba91f0d63b',
                'host_name': 'bogdajs-Virtual-Machine.local',
                'incident_categories': ['MALWARE_DETECTED'],
                'incident_id': '6796cbbd-d755-401b-8fbe-70d73a3dfb64',
                'incident_link': 'https://eu8-cloud.acronis.com/ui/#/endpoint-detection/customer/186/incidents/6796cbbd-d755-401b-8fbe-70d73a3dfb64/investigation',
                'incident_short_id': 1,
                'incident_time': '2024-09-20T05:23:22.794725Z',
                'mitigation_state': 'NOT_MITIGATED',
                'positivity': 10,
                'severity': 'HIGH',
                'state': 'NOT_STARTED',
                'updated_at': '2024-09-20T05:23:22.794725Z',
                'verdict': 'MALICIOUS'}]}
    
  6. Store the list of incident IDs and customer IDs in a variable named incidents.

    >>> incidents = [{'incident_id': item['incident_id'], 'customer_id': item['customer_id']} for item in response.json()['items']]
    >>> incidents
    [
        {
            'incident_id': '41e19c11-2606-475d-b459-56a5509494ee',
            'customer_id': '64b40fe0-2051-4f11-8913-ecd9652e221c'
        },
        {
            'incident_id': '7560c5a0-d748-467b-807f-f794c322bbe4',
            'customer_id': 'f1065685-e276-484e-9527-e109e06ec236'
        }
    ]
    

    Note

    Each incident is associated with a specific customer ID. You must keep the pair to be able to perform actions on the incidents later.