New API Endpoint: Get Incident Updates
We have added a new endpoint to the Elements API that provides programmatic access to incident update history.
Endpoint Details
GET /incidents/v1/updates
Description
This endpoint retrieves the complete change history of a specific incident (a Broad Context Detection). Each update represents one modification made to the incident over its lifecycle, such as a status change, a detection being added, a comment, or another modification listed below.
Key Capabilities
Update Types Tracked
- Status changes (patch)
- Detection additions, removals, and modifications
- User comments
- Response actions
- Incident merges
- Risk level adjustments
- Category changes
- Threat investigation and validation results
State Tracking
Each update includes stateBefore and stateAfter objects, so you can see exactly what changed with that update. The tracked state covers status, resolution, risk level, and categories.
Origin Information
Updates include origin information indicating whether the change was made by:
- A user (with display name)
- An automated engine
- A response action
Pagination Support
Results can be paginated using anchor-based navigation, with a configurable limit of 1-100 updates per request (default 50).
Filtering
Filter updates by type to retrieve only relevant changes (e.g., only comments or only status changes).
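The following is an added client-side example, not WithSecure's own code or the endpoint's reference implementation. It walks the anchor-based pagination described above, applies the type filter server-side, and turns each update's stateBefore/stateAfter pair and origin into a flat audit row. The page does not name the query parameters or response keys, so incidentId, anchor, limit, type, items, nextAnchor, and the origin and type fields of an update are assumptions to be confirmed against the Elements API specification; the sample updates and the offline fake_fetch are constructed for the example, and the authentication scheme in http_fetch is likewise assumed.

```python
"""Walk an incident's update history with anchor pagination and diff its states.

Added example, not WithSecure's own client code. Assumed (not stated on the page):
query parameters incidentId/anchor/limit/type, response keys items/nextAnchor, and
the per-update fields type/origin. Confirm all of them in the API specification.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

FetchFn = Callable[[str, Dict[str, object]], dict]

MAX_LIMIT = 100      # page states limit is 1-100 per request
DEFAULT_LIMIT = 50   # page states the default is 50


def iter_incident_updates(fetch: FetchFn, incident_id: str,
                          update_type: Optional[str] = None,
                          limit: int = DEFAULT_LIMIT) -> Iterator[dict]:
    """Yield every update for one incident, following nextAnchor until it is absent."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1..{MAX_LIMIT}, got {limit}")
    anchor: Optional[str] = None
    seen_anchors: set = set()
    while True:
        params: Dict[str, object] = {"incidentId": incident_id, "limit": limit}
        if update_type:
            params["type"] = update_type   # server-side filter: only matching updates on the wire
        if anchor:
            params["anchor"] = anchor
        page = fetch("/incidents/v1/updates", params)
        yield from page.get("items", [])
        anchor = page.get("nextAnchor")
        if not anchor:
            return
        if anchor in seen_anchors:         # defensive: a repeated cursor would loop forever
            raise RuntimeError("pagination anchor repeated; aborting")
        seen_anchors.add(anchor)


def state_diff(update: dict) -> Dict[str, tuple]:
    """Fields whose value differs between stateBefore and stateAfter, as {field: (old, new)}."""
    before = update.get("stateBefore") or {}
    after = update.get("stateAfter") or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def origin_label(update: dict) -> str:
    """Actor behind the update: user display name, automated engine, or response action."""
    origin = update.get("origin") or {}
    kind = origin.get("type", "unknown")
    return f"user:{origin.get('displayName', '?')}" if kind == "user" else kind


def audit_trail(fetch: FetchFn, incident_id: str, limit: int = DEFAULT_LIMIT) -> List[dict]:
    """Flatten the full history into rows for an audit report or SIEM forwarding."""
    return [{"type": u["type"], "by": origin_label(u), "changed": state_diff(u)}
            for u in iter_incident_updates(fetch, incident_id, limit=limit)]


def http_fetch(base_url: str, bearer_token: str) -> FetchFn:
    """Real transport. Bearer-token auth is an assumption; not exercised offline."""
    def fetch(path: str, params: Dict[str, object]) -> dict:
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {bearer_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample history (not real API data) and an offline stand-in for the endpoint.
SAMPLE_UPDATES = [
    {"type": "patch", "origin": {"type": "user", "displayName": "Alice"},
     "stateBefore": {"status": "new", "riskLevel": "high"},
     "stateAfter": {"status": "inProgress", "riskLevel": "high"}},
    {"type": "comment", "origin": {"type": "user", "displayName": "Bob"},
     "stateBefore": {"status": "inProgress", "riskLevel": "high"},
     "stateAfter": {"status": "inProgress", "riskLevel": "high"}},
    {"type": "patch", "origin": {"type": "engine"},
     "stateBefore": {"status": "inProgress", "riskLevel": "high"},
     "stateAfter": {"status": "inProgress", "riskLevel": "critical"}},
    {"type": "patch", "origin": {"type": "user", "displayName": "Alice"},
     "stateBefore": {"status": "inProgress", "riskLevel": "critical", "resolution": None},
     "stateAfter": {"status": "closed", "riskLevel": "critical", "resolution": "confirmed"}},
]


def fake_fetch(path: str, params: Dict[str, object]) -> dict:
    """Serves SAMPLE_UPDATES in pages, honouring anchor, limit and type like the client expects."""
    assert path == "/incidents/v1/updates"
    rows = [u for u in SAMPLE_UPDATES if params.get("type") in (None, u["type"])]
    start = int(params.get("anchor", 0))
    end = start + int(params["limit"])
    page: dict = {"items": rows[start:end]}
    if end < len(rows):
        page["nextAnchor"] = str(end)   # absent on the last page, which ends the walk
    return page


if __name__ == "__main__":
    for row in audit_trail(fake_fetch, "incident-1", limit=2):
        print(row)
```

With limit=2 the walk takes two pages and stops when the second page carries no nextAnchor; rows whose stateBefore equals stateAfter (the comment) show an empty changed set, which is how a consumer can tell a pure annotation from an actual state transition. For a live call, replace fake_fetch with http_fetch(base_url, token) once the parameter names have been checked against the specification.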
Customer Benefits
- Complete Audit Trail: Access the full history of incident modifications for compliance and reporting purposes.
- Accountability: Identify who made specific changes to incidents through origin tracking (user display name, automated engine, or response action).
- Integration Support: Build automated workflows that respond to specific types of incident updates.
- Change Analysis: Compare before and after states to understand the evolution of an incident.
- Efficient Data Retrieval: Use type filtering to retrieve only relevant updates, reducing unnecessary data transfer.
- Scalability: Pagination support allows handling incidents with extensive update histories.
See the Elements API specification page under "Get Incident Updates" for the full request parameters and response schema.