
Incident and Remediation API

Learn about each example response and available response fields for incidents retrieval and remediation by an API client for Data Security.
A registered API client on Data Security can manage incident state and perform remediation actions based on the asset related to the corresponding incident:
All requests must use the region-specific host. The examples below use the AMER region.

getIncidentState

Retrieves incident state. A GET request to the incident/api/incidents/{id}/state endpoint with incident_api scope is used to access the incident state.
Required Parameters
| Path Parameter | Type | Description |
|---|---|---|
| incidentId | integer <int64> | Incident id |
Response Fields
| Field | Type | Description |
|---|---|---|
| state | String | Incident state, either open or closed. |
| category | String | Reason for the state of the corresponding incident. |
| resolved_by | String | Resolver’s name. |
| resolution_date | String | Date and time the incident was resolved. |
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/incident/api/incidents/71780/state' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Content-Type: application/json'
Example Response
{
    "state": "open",
    "category": "new",
    "resolved_by": null,
    "resolution_date": null
}

changeIncidentState

Modifies incident state. A POST request to the incident/api/incidents/{id}/state endpoint with incident_api scope is used to change the incident state.
Required Parameters
| Path Parameter | Type | Description |
|---|---|---|
| incidentId | integer <int64> | Incident id |

| Body Parameter | Type | Description |
|---|---|---|
| state | String | Incident state. Only closed is allowed. |
| category | String | Reason for the closed state of the corresponding incident: no_reason, business_justified, or misidentified. |
Response Fields
| Field | Type | Description |
|---|---|---|
| state | String | Incident state. Only closed is returned. |
| category | String | Reason for the closed state of the corresponding incident: no_reason, business_justified, or misidentified. |
| resolved_by | String | Resolver’s name. |
| resolution_date | String | Date the incident was resolved. |
Example Request
$ curl 'https://api.aperture.paloaltonetworks.com/incident/api/incidents/71780/state' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    --header 'Content-Type: application/json' \
    --data-raw '{
    "state":"closed",
    "category":"no_reason"
}'
Example Response
{
    "state": "closed",
    "category": "no_reason",
    "resolved_by": "api",
    "resolution_date": "2021-02-18T18:59:18.740Z"
}

quarantineAsset

Performs admin quarantine actions on the corresponding asset. A POST request to the remediation/api/assets/{id}/quarantine endpoint with remediation_api scope is used to quarantine the asset to the administrator’s folder, with the following limitations:
  • Quarantine and restore processes are asynchronous—A response does not mean that Data Security successfully quarantined the asset; rather, the acknowledgment indicates that the request was accepted and the quarantine process will be triggered.
  • Remediation support—Admin quarantine is not supported by all SaaS applications, nor for all asset types.
Required Parameters
| Path Parameter | Type | Description |
|---|---|---|
| id | integer <int64> | Asset id |
Example Request
$ curl -X POST 'https://api.aperture.paloaltonetworks.com/remediation/api/assets/{id}/quarantine' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Content-Type: application/json'
Example Response
Status: 202 Accepted

restoreAsset

Reverts admin quarantine action for the corresponding asset. A POST request to the remediation/api/assets/{id}/restore endpoint with remediation_api scope is used to restore the quarantined asset.
Required Parameters
| Path Parameter | Type | Description |
|---|---|---|
| id | integer <int64> | Asset id |
Example Request
$ curl -X POST 'https://api.aperture.paloaltonetworks.com/remediation/api/assets/{id}/restore' -i \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJhcGlfYWNjZXNzIl0sImp0aSI6IjA5ZjljNDVkLTA1NTYtNDY4MS05YWFhLWM4MGNiNWQ5ZjRiYSIsInRlbmFudCI6InRlc3QgdGVuYW50IiwiY2xpZW50X2lkIjoiYWNtZSJ9.lQpl3taZros7xzQNVMRaOy7KIrKGkwNKmTPq667kJUQ' \
    -H 'Content-Type: application/json'
Example Response
Status: 202 Accepted
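
A client-side guard for the constraints documented above (changeIncidentState accepts only closed with one of three categories; quarantineAsset and restoreAsset answer 202 Accepted as an acknowledgment, not a result), as an added example that is not Palo Alto Networks code. The function names, the positive-id check and the outcome labels are assumptions made for illustration; requests are built but not sent.

```python
import json
import urllib.request

# Host from the page's AMER examples; other regions use their own host.
AMER_HOST = "api.aperture.paloaltonetworks.com"
CLOSE_CATEGORIES = {"no_reason", "business_justified", "misidentified"}
INT64_MAX = 2**63 - 1


def _checked_id(value):
    """Accept only an int64 (assumed positive) so nothing else reaches the URL path."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 < value <= INT64_MAX:
        raise ValueError(f"id must be a positive int64, got {value!r}")
    return value


def _post(host, path, token, body=None):
    """Build (without sending) an authenticated HTTPS POST request."""
    data = json.dumps(body).encode() if body is not None else b""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(f"https://{host}/{path}", data=data, headers=headers, method="POST")


def close_incident(host, token, incident_id, category):
    """changeIncidentState: 'closed' is the only state that may be set."""
    if category not in CLOSE_CATEGORIES:
        raise ValueError(f"category must be one of {sorted(CLOSE_CATEGORIES)}")
    path = f"incident/api/incidents/{_checked_id(incident_id)}/state"
    return _post(host, path, token, {"state": "closed", "category": category})


def remediate_asset(host, token, asset_id, action):
    """quarantineAsset / restoreAsset: POST with no request body."""
    if action not in ("quarantine", "restore"):
        raise ValueError("action must be 'quarantine' or 'restore'")
    return _post(host, f"remediation/api/assets/{_checked_id(asset_id)}/{action}", token)


def remediation_outcome(http_status):
    """202 acknowledges the request only; completion is asynchronous."""
    return "accepted_pending" if http_status == 202 else "not_accepted"
```

Send a built request with urllib.request.urlopen(req) and pass the response status to remediation_outcome; a result of accepted_pending should be logged as requested, not as quarantined.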