Closes the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/close
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | The incident ID to close. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to close the incident. Use Users - FetchUsers to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"incident_user_id": "5a46xxxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "7438xxx",
"pool_uuid": "ae7dxxx",
"response": {
"success": true,
"audit_data": [
{
"action": "incident closed",
"document": "Unusual_Login_Time"
}
],
"message": "Incident is closed"
}
}
Adds a comment to the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/comment
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| comment | Comment | String | Comment for the incident. Mandatory Field |
| id | - | String | The incident ID to comment on. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to comment on the incident. Use Users - FetchUsers to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"comment": "Newly Created Incident",
"incident_user_id": "5a46xxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "7438xxx",
"pool_uuid": "ae7dxxx",
"response": {
"success": true,
"message": "Comment added."
}
}
Fetches all the logs of the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/fetchIncidentData
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | ID of the incident whose logs you want to fetch. Mandatory Field |
Request Example
{
"data": {}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}/{data_node}-Logs/fetchLogData"
}
API Response
{
"request": {},
"logpoint_identifier": "2ea932a7bxxxxxxxxxxxxxxxxx34",
"pool_uuid": "4e78450xxxxxxxxxx867a",
"response": {
"success": true,
"rows": [
{
"log_ts": 176xxxxx44,
"_participating_events": [
{
"msg": "2025-11-04 09:19:00.86300 IndexSearcherBenchmarker; indexing speed; service=indexsearcher__logpoint; number_of_indexed_logs=0; time=60 s; indexing_mps=0; thread=Thread-2",
"log_ts": 17xxxxxx40,
"_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy device_address label norm_id service thread action object _fromV550 repo_name logpoint_name",
"device_name": "localhost",
"number_of_indexed_logs": "0",
"_offset": 133419,
"logpoint_name": "LogPoint",
"action": "indexing speed",
"device_address": "12x.xxx.1",
"repo_name": "_logpoint",
"indexing_mps": "0",
"source_name": "/opt/immune/var/log/benchmarker/indexsearcher__logpoint.log",
"_streamID": 0,
"col_ts": 176xxxxx47,
"_tz": "UTC",
"label": "Benchmarker",
"thread": "Thread-2",
"norm_id": "LogPoint",
"_identifier": "0",
"collected_at": "LogPoint",
"device_ip": "12x.xxx.1",
"_searcherAddress": "12x.xxx.1:5xx4",
"service": "indexsearcher__logpoint",
"_fromV550": "t",
"_enrich_policy": "None",
"index_ts": 17xxxxxx7,
"_type_num": "log_ts col_ts number_of_indexed_logs time indexing_mps sig_id _offset _identifier",
"time": "60",
"_type_ip": "device_ip",
"sig_id": "10537",
"col_type": "filesystem",
"object": "IndexSearcherBenchmarker"
}
]
}
]
}
}
Fetches the incidents based on filter conditions.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/fetch
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| assigned_to_users | USERS | [String] | List of IDs of the users to whom the incident is assigned. Optional Field |
| attack_category | ATTACK CATEGORY | [String] | List of attack categories. The API returns the incidents that match all the attack categories in the list. Use the MitreAttack - FetchMitreAttacks API to fetch the attack categories available in the Fabric-enabled LogPoint. Optional Field |
| attack_tag | ATTACK TAG | [String] | List of attack tags. The API returns the incidents that match all the attack tags in the list. Use the MitreAttack - FetchMitreAttacks API to fetch the attack tags available in the Fabric-enabled LogPoint. Optional Field |
| end_date | - | int | End date as a Unix epoch timestamp in seconds. Optional Field, but mandatory when start_date is present in the request |
| log_source | LOG SOURCES | [String] | List of log sources. The API returns the incidents that match all the log sources in the list. Optional Field |
| name | NAME (OR ID) | String | Name of the incident, ID of the alert rule, or ID of the incident to fetch. A regular expression is accepted. Optional Field |
| risk | RISK | [String] | List of risk levels of the incident. Accepts values such as "low", "medium", "high" and "critical". Optional Field |
| start_date | - | int | Start date as a Unix epoch timestamp in seconds. Optional Field, but mandatory when end_date is present in the request |
| status | STATUS | [String] | List of incident statuses. Accepts values such as "resolved", "unresolved" and "closed". Optional Field |
| type | TYPE | [String] | List of the types from which the incident was generated. Accepts values such as "alert", "search" and "UEBA". Optional Field |
Request Example
{
"data": {
"assigned_to_users": [
"574fxxx",
"624fxxx"
],
"attack_category": [
"Defense Evasion",
"Persistence"
],
"attack_tag": [
"Security Account Manager",
"LSASS Memory"
],
"end_date": 1568943700,
"log_source": [
"log123",
"log233"
],
"name": "MyIncident",
"risk": [
"critical",
"high"
],
"start_date": 1538793210,
"status": [
"resolved",
"unresolved"
],
"type": [
"alert"
]
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}/{data_node}"
}
API Response
{
"request": {},
"logpoint_identifier": "7438xxx",
"pool_uuid": "ae7dxxx",
"response": {
"success": true,
"rows": [
{
"type": "Alert",
"alert_obj_id": "688bxxx",
"alertrule_id": "cd46xxx",
"incident_id": "0ffxxx",
"name": "Unusual_Login_Time",
"description": "Out of the ordinary user login time.",
"username": "62e8xxx",
"user_id": "62e8xxx",
"assigned_to": "62e8xxx",
"detection_timestamp": 1753951894.5260806,
"loginspect_ip_dns": "10.45.9.198",
"logpoint_name": "LogPoint",
"status": "unresolved",
"comments": [],
"commentscount": 0,
"query": "device_name=*",
"repos": [
"127.0.0.1:5504/_LogPointAlerts",
"127.0.0.1:5504/_logpoint"
],
"time_range": [
1753951680,
1753951740
],
"throttle_enabled": false,
"attack_id": [],
"attack_tag": [],
"attack_category": [],
"metadata": [],
"log_source": [],
"notifications": [],
"manageable_by": [],
"risk": "medium",
"id": "688bxxx",
"search_link": "https://logpoint/#Logs/searchLogs?query=myQuery&repos=%5B%27127.0.0.1%3A5504%2F_LogPointAlerts%27%2C+%27127.0.0.1%3A5504%2F_logpoint%27%2C+%27127.0.0.1%3A5504%2Fdefault%27%5D&time_range=2025%2F07%2F21+09%3A10%3A08+To+2025%2F08%2F20+09%3A10%3A08"
},
...
]
}
}
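The fetch parameters above carry two constraints that are easy to get wrong from a script: start_date and end_date are each mandatory only when the other is present, and risk, status and type take fixed value sets. The following Python example is added here and is not code from the Logpoint documentation. It builds the `{"data": {...}}` request body, rejects a filter that breaks those constraints before anything is sent, and then triages rows shaped like the API Response above by status and risk. The sample rows are constructed; the allowed value sets are the ones listed on this page (the table says "values such as", so widen them if your deployment documents more).

```python
# Value sets listed in the parameter table above. The page says "such as",
# so treat these as the documented minimum, not necessarily the full set.
RISK_LEVELS = {"low", "medium", "high", "critical"}
STATUSES = {"resolved", "unresolved", "closed"}
TYPES = {"alert", "search", "UEBA"}

# List-typed filters; None means any string is accepted.
LIST_FIELDS = {
    "assigned_to_users": None,
    "attack_category": None,
    "attack_tag": None,
    "log_source": None,
    "risk": RISK_LEVELS,
    "status": STATUSES,
    "type": TYPES,
}


def build_fetch_body(**filters):
    """Validate FetchIncidents filters and wrap them as {"data": {...}}.

    Raises ValueError for one of start_date/end_date without the other,
    a non-integer or inverted epoch range, a list field that is not a list
    of strings, an enumerated value outside the documented set, or an
    unknown key (a typo must not silently widen the query).
    """
    known = set(LIST_FIELDS) | {"name", "start_date", "end_date"}
    unknown = set(filters) - known
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")

    has_start, has_end = "start_date" in filters, "end_date" in filters
    if has_start != has_end:
        raise ValueError("start_date and end_date must be given together")
    if has_start:
        start, end = filters["start_date"], filters["end_date"]
        if not (isinstance(start, int) and isinstance(end, int)):
            raise ValueError("start_date and end_date must be epoch integers")
        if start > end:
            raise ValueError("start_date is after end_date")

    for field, allowed in LIST_FIELDS.items():
        if field not in filters:
            continue
        values = filters[field]
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{field} must be a list of strings")
        if allowed is not None:
            bad = [v for v in values if v not in allowed]
            if bad:
                raise ValueError(f"{field}: unsupported value(s) {bad}")

    if "name" in filters and not isinstance(filters["name"], str):
        raise ValueError("name must be a string")
    return {"data": dict(filters)}


def is_rejected(**filters):
    """True when build_fetch_body refuses these filters."""
    try:
        build_fetch_body(**filters)
    except ValueError:
        return True
    return False


RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def triage(rows, minimum_risk="high"):
    """Return (incident_id, name, risk, status) for unresolved incidents at
    or above minimum_risk, most severe first, then oldest detection first."""
    floor = RISK_RANK[minimum_risk]
    picked = [r for r in rows
              if r.get("status") == "unresolved"
              and RISK_RANK.get(r.get("risk"), -1) >= floor]
    picked.sort(key=lambda r: (-RISK_RANK[r["risk"]], r.get("detection_timestamp", 0)))
    return [(r["incident_id"], r["name"], r["risk"], r["status"]) for r in picked]


# Constructed rows mirroring the fields of the FetchIncidents API Response above.
SAMPLE_ROWS = [
    {"incident_id": "0ff001", "name": "Unusual_Login_Time", "risk": "medium",
     "status": "unresolved", "detection_timestamp": 1753951894.52},
    {"incident_id": "0ff002", "name": "LSASS_Access", "risk": "critical",
     "status": "unresolved", "detection_timestamp": 1753952000.0},
    {"incident_id": "0ff003", "name": "SAM_Dump", "risk": "high",
     "status": "resolved", "detection_timestamp": 1753951000.0},
    {"incident_id": "0ff004", "name": "New_Service", "risk": "high",
     "status": "unresolved", "detection_timestamp": 1753951500.0},
]
```

`build_fetch_body(name="MyIncident", risk=["critical", "high"], status=["unresolved"], start_date=1538793210, end_date=1568943700)` yields exactly the body shape of the Request Example above; `triage(rows)` is what a scheduled script would run over `response.rows` to decide what to comment on or resolve.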
Lists the incident data (the participating log events) of the given incident.
Important
Perform a FetchIncidentData API request before calling GetIncidentData, so that GetIncidentData returns up-to-date incident data.
GET
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/IncidentData/{id}
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | ID of an existing incident. Mandatory Field |
Success Response
[
{
"log_ts": 176xxxxx68,
"_participating_events": [
{
"msg": "2025-11-04 09:19:28 Benchmarker; reporting speed; service=normalizer_2; actual_mps=1; doable_mps=1110;",
"log_ts": 176xxxx968,
"actual_mps": "1",
"doable_mps": "1110",
"_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy device_address label norm_id action object service _fromV550 repo_name logpoint_name",
"device_name": "localhost",
"_offset": 153972,
"logpoint_name": "LogPoint",
"action": "reporting speed",
"device_address": "127.xxx.1",
"repo_name": "_logpoint",
"source_name": "/opt/immune/var/log/benchmarker/normalizer_2.log",
"_streamID": 0,
"col_ts": 176xxxx68,
"_tz": "UTC",
"label": "Benchmarker",
"norm_id": "LogPoint",
"_identifier": "0",
"collected_at": "LogPoint",
"device_ip": "127.xxx.1",
"_searcherAddress": "12xx.1:5x74",
"service": "normalizer_2",
"_fromV550": "t",
"_enrich_policy": "None",
"index_ts": 176xxxx968,
"_type_num": "log_ts col_ts actual_mps doable_mps sig_id _offset _identifier",
"_type_ip": "device_ip",
"sig_id": "10505",
"col_type": "filesystem",
"object": "Benchmarker"
}
]
}
]
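The responses of fetchIncidentData and GetIncidentData above both return rows whose `_participating_events` deliver most values as strings and carry `_type_str`, `_type_num` and `_type_ip` hints naming which keys are strings, numbers and IP addresses. The following Python example is added here and is not code from the Logpoint documentation. It uses those hints to coerce each event into typed values, reports any field that contradicts its hint instead of passing it on, and flattens the events into a timeline. The sample row is constructed to mirror the structure above, with the "xxx" placeholders replaced by fabricated but well-formed values.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample row mirroring the GetIncidentData response above. The
# "xxx" placeholders in the documentation are replaced with fabricated but
# well-formed values so that the example runs.
SAMPLE_ROWS = [{
    "log_ts": 1762247968,
    "_participating_events": [{
        "msg": "2025-11-04 09:19:28 Benchmarker; reporting speed; service=normalizer_2; actual_mps=1; doable_mps=1110;",
        "log_ts": 1762247968,
        "col_ts": 1762247968,
        "actual_mps": "1",
        "doable_mps": "1110",
        "sig_id": "10505",
        "_offset": 153972,
        "_identifier": "0",
        "device_name": "localhost",
        "device_ip": "127.0.0.1",
        "action": "reporting speed",
        "object": "Benchmarker",
        "service": "normalizer_2",
        "repo_name": "_logpoint",
        "source_name": "/opt/immune/var/log/benchmarker/normalizer_2.log",
        "_type_str": "msg device_name source_name action object service repo_name",
        "_type_num": "log_ts col_ts actual_mps doable_mps sig_id _offset _identifier",
        "_type_ip": "device_ip",
    }],
}]


def coerce_event(event):
    """Return (typed_event, problems) for one participating event.

    _type_num names keys whose values are numeric even when delivered as
    strings; _type_ip names keys that must parse as IP addresses. Fields
    that fail to parse are reported instead of silently kept, so a malformed
    or tampered value cannot pass downstream as a number or an address.
    """
    num_keys = set(event.get("_type_num", "").split())
    ip_keys = set(event.get("_type_ip", "").split())
    typed, problems = {}, []
    for key, value in event.items():
        if key.startswith("_type_"):          # the hints themselves are dropped
            continue
        if key in num_keys:
            try:
                typed[key] = int(value)
            except (TypeError, ValueError):
                problems.append(f"{key}: not numeric ({value!r})")
        elif key in ip_keys:
            try:
                typed[key] = str(ipaddress.ip_address(value))
            except ValueError:
                problems.append(f"{key}: not an IP address ({value!r})")
        else:
            typed[key] = value
    return typed, problems


def build_timeline(rows):
    """Flatten every participating event of every row into
    (utc_iso_time, device_ip, msg) tuples ordered by log_ts, oldest first.
    Raises ValueError if any event carries a field that violates its hint."""
    events = []
    for row in rows:
        for raw in row.get("_participating_events", []):
            typed, problems = coerce_event(raw)
            if problems:
                raise ValueError("; ".join(problems))
            events.append(typed)
    events.sort(key=lambda e: e["log_ts"])
    return [(datetime.fromtimestamp(e["log_ts"], tz=timezone.utc).isoformat(),
             e.get("device_ip"), e.get("msg", "")) for e in events]
```

Failing closed on a bad field matters because these events are what an analyst (or an automated enrichment step) will pivot on; an IP that does not parse, or a counter that is not a number, should surface as an error rather than be quietly carried along as a string.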
Reassigns the incident with the given ID to a new user.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/reassign
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | The incident ID to reassign. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to reassign the incident. Use Users - FetchUsers to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"incident_user_id": "5a46xxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "7438xxx",
"pool_uuid": "ae7dxxx",
"response": {
"success": true,
"message": "Incident is reassigned"
}
}
Reopens the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/reopen
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | The incident ID to reopen. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to reopen the incident. Use Users - FetchUsers to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"incident_user_id": "5a46xxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "74388xxx",
"pool_uuid": "ae7dxxx",
"response": {
"success": true,
"message": "Incident is reopened"
}
}
Resolves the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/resolve
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | The incident ID to resolve. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to resolve the incident. Use Users - FetchUsers to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"incident_user_id": "5a46xxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "74388xxx",
"pool_uuid": "ae7daxxx",
"response": {
"success": true,
"message": "Incident is resolved"
}
}
Manually triggers the notifications for the incident with the given ID.
POST
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/Incidents/{id}/sendForInvestigation
Parameter
| Field | Label in UI | Type | Description |
|---|---|---|---|
| id | - | String | ID of the incident. Use the Incidents - FetchIncidents API to obtain the value of this parameter. Mandatory Field |
| incident_user_id | - | String | ID of the user on whose behalf you want to trigger the incident notification. Use the Users - FetchUsers API to obtain the value for this parameter. Mandatory Field |
Request Example
{
"data": {
"incident_user_id": "5a466xxx"
}
}
Success Response
{
"status": "Success",
"message": "/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
API Response
{
"request": {},
"logpoint_identifier": "8101xxx",
"pool_uuid": "e665xxx",
"response": {
"success": true,
"message": "Successfully sent for investigation"
}
}
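Every endpoint on this page follows the same two-step pattern: the POST to configapi is acknowledged with a Success Response whose `message` is a `/monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}` path, and the API Response shown under it is what that order eventually yields. The Python client below is added here as an example and is not the Logpoint project's own code. It serves the close, comment, reassign, reopen, resolve and sendForInvestigation actions, the fetch endpoint, and the FetchIncidentData-then-GetIncidentData ordering required by the Important note above. Three things it assumes are not stated on this page and are marked in the code: that the order path is polled with an HTTP GET on the same host, that a poll result without a `response` object means the order is still running, and that the API accepts a bearer token in the Authorization header. The `FakeTransport` is a constructed stand-in that replays this page's sample responses so the example runs offline. Because `incident_user_id` is supplied by the caller, whatever credential the real transport carries can act on behalf of any user ID it names; scope that credential tightly and take IDs only from Users - FetchUsers as the tables instruct.

```python
import json
import urllib.request

API_HOST = "https://api-server-host-name"  # placeholder host used throughout the documentation

# Per-incident actions documented above; each takes incident_user_id, and
# comment additionally takes the comment text.
ACTIONS = {"close", "comment", "reassign", "reopen", "resolve", "sendForInvestigation"}


def urllib_transport(token, timeout=30):
    """JSON-over-HTTPS transport for real use. Assumption (not documented on
    this page): the API accepts a bearer token in the Authorization header."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    return send


class IncidentsClient:
    """Wraps the Incidents endpoints. Every request is acknowledged with a
    Success Response whose message is an /orders/{request_id} path; the API
    Response is collected by polling that path (assumed: GET, same host)."""

    def __init__(self, transport, pool_uuid, logpoint_identifier, max_polls=20):
        self.send = transport
        self.base = f"{API_HOST}/configapi/{pool_uuid}/{logpoint_identifier}/Incidents"
        self.max_polls = max_polls

    def _order(self, path, data):
        ack = self.send("POST", f"{self.base}/{path}", {"data": data})
        if ack.get("status") != "Success":
            raise RuntimeError(f"request rejected: {ack}")
        order_url = API_HOST + ack["message"]
        for _ in range(self.max_polls):
            result = self.send("GET", order_url)
            response = result.get("response")  # assumed absent while still running
            if response is not None:
                if not response.get("success"):
                    raise RuntimeError(f"order failed: {response}")
                return response
        raise TimeoutError(f"{ack['message']} not complete after {self.max_polls} polls")

    def act(self, incident_id, action, user_id, comment=None):
        """close / comment / reassign / reopen / resolve / sendForInvestigation."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        data = {"incident_user_id": user_id}
        if action == "comment":
            if not comment:
                raise ValueError("comment text is mandatory")
            data["comment"] = comment
        return self._order(f"{incident_id}/{action}", data)

    def fetch(self, filters):
        return self._order("fetch", filters)["rows"]

    def incident_data(self, incident_id):
        """FetchIncidentData first, then GetIncidentData, as the Important note requires."""
        self._order(f"{incident_id}/fetchIncidentData", {})
        return self.send("GET", f"{self.base}/IncidentData/{incident_id}")


# Constructed stand-in for the server: replays this page's sample API
# Responses, with one "still running" poll before each order completes.
SAMPLE_RESPONSES = {
    "close": {"success": True, "message": "Incident is closed",
              "audit_data": [{"action": "incident closed", "document": "Unusual_Login_Time"}]},
    "comment": {"success": True, "message": "Comment added."},
    "reassign": {"success": True, "message": "Incident is reassigned"},
    "reopen": {"success": True, "message": "Incident is reopened"},
    "resolve": {"success": True, "message": "Incident is resolved"},
    "sendForInvestigation": {"success": True, "message": "Successfully sent for investigation"},
    "fetch": {"success": True, "rows": [{"incident_id": "0ffxxx", "name": "Unusual_Login_Time",
                                         "status": "unresolved", "risk": "medium"}]},
    "fetchIncidentData": {"success": True, "rows": []},
}


class FakeTransport:
    def __init__(self):
        self.calls, self.pending = [], {}

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        if method == "POST" and "/configapi/" in url:
            action = url.rsplit("/", 1)[-1]
            order = f"/monitorapi/pool/lp/orders/{action}-{len(self.calls)}"
            self.pending[order] = 1  # polls to answer "still running" first
            return {"status": "Success", "message": order}
        if method == "GET" and "/monitorapi/" in url:
            order = url[len(API_HOST):]
            if self.pending[order]:
                self.pending[order] -= 1
                return {"request": {}}
            return {"request": {}, "response": SAMPLE_RESPONSES[order.rsplit("/", 1)[-1].rsplit("-", 1)[0]]}
        if method == "GET" and "/IncidentData/" in url:
            return [{"log_ts": 1762247968, "_participating_events": []}]
        raise AssertionError(f"unexpected call {method} {url}")
```

Against a real deployment, construct the client as `IncidentsClient(urllib_transport(token), pool_uuid, logpoint_identifier)` and call, for instance, `client.act(incident_id, "close", incident_user_id)`; the returned dict is the `response` object of the API Response, so for close the `audit_data` entry can be checked against the incident name before the automation treats the closure as done.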