Invoke Incident API
This section outlines how to invoke the Incident external API using two authentication methods: Basic Auth Token and Access Token Authentication. Using these methods, you can obtain the access token from the Incident and external API pages.
Authentication Methods
Basic Auth Token
Basic Auth Token authentication lets you retrieve incidents by sending a POST request with the appropriate credentials and headers. You pass your username and password using Basic Authentication.
Endpoint: Retrieve Incidents
POST /v1/queryIncidents
Description
For an authenticated tenant, this API retrieves a list of incidents in ascending order based on the time they were last modified.
Request example
curl -u <username>:<password> -H 'Content-Type: application/json' \
  'https://www.myshn.net/shnapi/rest/external/api/v1/queryIncidents?limit=500' \
  -d '{ "startTime": "2020-04-12T09:30:00.000", "incidentCriteria": { "categories": [ { "incidentType": "Alert.Policy.Epo" } ] } }'
Query Parameters
Parameter Name | Description |
---|---|
startTime | The start time for querying incidents. |
incidentCriteria | Criteria to filter incidents, such as the incident type. |
Access Token Authentication
To access the Incident API, follow these steps to obtain the necessary access tokens:
Step 1: Get a Token Using User Credentials
Use the following curl command to obtain an initial token using your user credentials:
curl --location --request POST 'https://www.myshn.net/shnapi/rest/external/api/v1/token?grant_type=password&token_type=iam' \
  --header 'bps-tenant-id: <BPSTenantId>' \
  --header 'Authorization: Basic XXXXXXXXXXXXX'
NOTE:
- Make sure to replace <BPSTenantId> with the actual Tenant ID.
- If you have multiple accounts in different tenants, use the bps-tenant-id header with the corresponding BPS ID. For further assistance on Tenant ID, contact Skyhigh Security Support.
Sample Response
{ "access_token": "5RaiBapusSMyxIZI8zaJGjyZLP02ccoY6biLTk2PiuaKmtlVAaa3t2qYk19m7zot", "token_type": "bearer" }
Step 2: Get Access Token Using IAM Token
Once you have the initial token, use the following curl command to obtain the final access token:
curl --location 'https://www.myshn.net/neo/neo-auth-service/oauth/token?grant_type=iam_token&skip_audit=true' \
  --header 'x-iam-token: <Token generated from Step 1>' \
  --header 'Content-Type: application/json' \
  --data '{}'
NOTE: Make sure to replace <Token generated from Step 1> with actual values.
Sample Response
{ "access_token": "5RaiBapusSMyxIZI8zaJGjyZLP02ccoY6biLTk2PiuaKmtlVAaa3t2qYk19m7zot", "token_type": "bearer", "refresh_token": "RaiBapusSMyxIZI8zaJGjyZLP02ccoY6biLTk2PiuaKmtlVAaa3t2qYk19m7zotQJRgqY5rcKtigcTz4QlXkv5ZIJ9q", "expires_in": 899, "scope": "read write", "tenantName": "ravius14-pepp0", "tenantID": 175343, "user": "abc@gmail.com", "userId": 200491, "email": "abc@gmail.com", "jti": "d3fe86ef-c27f-4514-b13d-fbec5a5d04cb" }
Step 3: Query Incidents
Once you have the access token, use the following curl command to retrieve incidents:
curl --location 'https://www.myshn.net/shnapi/rest/external/api/v1/queryIncidents?limit=500' \
  --header 'x-access-token: <Token from step 2>' \
  --header 'Content-Type: application/json' \
  --data '{ "startTime": "2025-04-01T00:00:00Z", "endTime": "2025-04-03T00:00:00Z", "incidentCriteria": { "categories": [ { "incidentType": "Alert.Policy" } ] } }'
NOTE: Make sure to replace <Token from step 2> with actual values.
Query Parameters
Parameter Name | Description |
---|---|
startTime | The start time for querying incidents. |
endTime | The end time for querying incidents. |
incidentCriteria | Criteria to filter incidents, such as the incident type. |
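The three steps above chained into one client, with paging on responseInfo.nextStartTime as it appears in this page's sample response. This is an added example, not Skyhigh's code: it assumes nextStartTime is fed back as the next startTime and that an empty page or a null nextStartTime ends the data; the post parameter is a hypothetical hook for injecting a transport.

```python
import base64
import json
import urllib.request

BASE = "https://www.myshn.net"  # host used in the page's curl examples

def http_post(url, headers, body=None):
    """POST and decode the JSON reply (default transport; callers may inject another)."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def get_access_token(user, password, tenant_id, post=http_post):
    """Steps 1 and 2: Basic credentials -> IAM token -> access token."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    iam = post(f"{BASE}/shnapi/rest/external/api/v1/token?grant_type=password&token_type=iam",
               {"bps-tenant-id": str(tenant_id), "Authorization": f"Basic {basic}"})
    tok = post(f"{BASE}/neo/neo-auth-service/oauth/token?grant_type=iam_token&skip_audit=true",
               {"x-iam-token": iam["access_token"], "Content-Type": "application/json"}, {})
    return tok["access_token"], tok.get("expires_in")

def fetch_incidents(token, start_time, incident_type, post=http_post, limit=500, max_pages=50):
    """Step 3, repeated: page forward on responseInfo.nextStartTime."""
    url = f"{BASE}/shnapi/rest/external/api/v1/queryIncidents?limit={limit}"
    headers = {"x-access-token": token, "Content-Type": "application/json"}
    latest = {}  # incidentId -> most recently returned record
    for _ in range(max_pages):
        reply = post(url, headers, {
            "startTime": start_time,
            "incidentCriteria": {"categories": [{"incidentType": incident_type}]},
        })
        body = reply.get("body", reply)  # the sample response wraps the payload in "body"
        info = body.get("responseInfo") or {}
        if info.get("error"):
            raise RuntimeError(f"queryIncidents failed: {info['error']}")
        page = body.get("incidents") or []
        for inc in page:
            # Results are ordered by last-modified time, so a repeat is a newer version.
            latest[inc["incidentId"]] = inc
        nxt = info.get("nextStartTime")
        if not page or not nxt or nxt == start_time:  # assumed end-of-data conditions
            break
        start_time = nxt
    return list(latest.values())
```

The Step 2 sample response shows expires_in of 899 seconds, so a long pull should call get_access_token again before the token lapses.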
Sample Response
Success
On successfully retrieving the list of incidents based on the specified criteria, the system shall respond with:
200 OK
The body of the response indicates that the request was successful, and the incidents are returned with the details.
{ "headers": {}, "body": { "responseInfo": { "actualLimit": 2, "apiElapsedMillis": 571, "error": null, "nextOffset": null, "nextStartTime": "2025-04-01T07:20:52.478Z", "source": "shnapi-0f655438168f4ee34.node.usprod.consul" }, "incidents": [ { "activityNames": [ "Created" ], "actorId": "cde@gmail.com", "actorIdType": "USER", "incidentGroup": "Alert.Policy.Dlp", "incidentGroupId": null, "incidentId": "DLP-89265", "incidentRiskScore": 3.0, "incidentRiskSeverity": "low", "incidentRiskSeverityId": 0, "information": { "collaborationSharedLink": false, "contentItemCreatedOn": "2025-04-01T07:20:17.000Z", "contentItemHierarchy": "0057F000007w3buQAA", "contentItemId": "0D5GA00007Y5FUs0AN", "contentItemName": "0D5GA00007Y5FUs0AN", "contentItemParent": "0057F000007w3buQAA", "contentItemSize": 5, "contentItemType": "FILE", "device": { "ip": "0.0.0.0" }, "eventId": "89544", "externalCollaborators": [], "externalCollaboratorsCount": 0, "fileTypes": [ "ASCII Text" ], "historicalUserRiskScore": 1, "internalCollaborators": [], "lastExecutedResponseLabel": "Deleted", "matchLocations": [ "<MAIN>" ], "policyId": 1854497, "policyName": "OF-2288", "primaryRuleGroup": "Rule group 1", "source": "API", "totalMatchCount": 1, "uniqueMatchCount": 1, "userAttributes": {} }, "instanceId": 46662, "instanceName": "Default", "responses": [ "Deleted" ], "serviceNames": [ "Salesforce" ], "classificationNames": [], "significantlyUpdatedAt": "2025-04-01T07:20:37.811Z", "status": "new", "timeCreated": "2025-04-01T07:20:17.000Z", "timeModified": "2025-04-01T07:20:37.811Z" }, { "activityNames": [ "Modified" ], "actorId": "cde@gmail.com", "actorIdType": "USER", "incidentGroup": "Alert.Policy.Dlp", "incidentGroupId": null, "incidentId": "DLP-89266", "incidentRiskScore": 3.0, "incidentRiskSeverity": "low", "incidentRiskSeverityId": 0, "information": { "collaborationSharedLink": false, "contentItemCreatedOn": "2025-04-01T07:20:17.000Z", "contentItemHierarchy": "0057F000007w3buQAA", "contentItemId": 
"068GA00001EYf1uYAD", "contentItemName": "Confidential.docx", "contentItemParent": "0057F000007w3buQAA", "contentItemSize": 12995, "contentItemType": "FILE", "device": { "ip": "0.0.0.0" }, "eventId": "89545", "externalCollaborators": [], "externalCollaboratorsCount": 0, "fileTypes": [ "Microsoft Word" ], "historicalUserRiskScore": 1, "internalCollaborators": [], "lastExecutedResponseLabel": "Deleted", "matchLocations": [ "<MAIN>" ], "policyId": 1854497, "policyName": "OF-2288", "primaryRuleGroup": "Rule group 1", "source": "API", "totalMatchCount": 1, "uniqueMatchCount": 1, "userAttributes": {} }, "instanceId": 46662, "instanceName": "Default", "responses": [ "Deleted" ], "serviceNames": [ "Salesforce" ], "classificationNames": [], "significantlyUpdatedAt": "2025-04-01T07:20:52.477Z", "status": "new", "timeCreated": "2025-04-01T07:20:17.000Z", "timeModified": "2025-04-01T07:20:52.477Z" } ] }, "statusCodeValue": 200, "statusCode": "OK" }