04-03-2025 09:48 AM
Hi all!
I see the docs (https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents) for get_incidents lists only eq/neq operators for the field 'status' and when implementing a new filter model for this endpoint I noticed we are successfully using the 'in' operator:
{'field': 'status', 'operator': 'in', 'value': ['new', 'under_investigation']}
# returns incidents with either 'new' or 'under_investigation' status
Is this officially supported?
I can't reproduce this effect using two filters like:
'filters': [{'field': 'status', 'operator': 'eq', 'value': 'new'},
{'field': 'status', 'operator': 'eq', 'value': 'under_investigation'}]
# returns empty results - I suspect due to AND concatenation of the filters
We would like to keep strict implementations per the documentation and thus currently only accept 'eq'/'neq' operators for field: 'status'.
What would be the officially supported method to achieve the same results as 'status' 'in' <list>?
Do I need to use 'status' 'neq' for every status except 'new' and 'under_investigation'?
Thanks!
04-09-2025 06:26 AM
Hello @L.Nix028859 ,
We need to check this with the product team. Can you please open a CS case for the same? Or please reach out to the Accounts team.
Regards,
Ashutosh
04-09-2025 07:13 AM
Hi Ashutosh,
I'd be happy to open a technical CS case. I will reference this discussion.
Thanks!
Lee
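A client-side way to get the 'status' 'in' <list> result while sending only the documented 'eq' operator, shown as an added example that is not part of the thread and not a vendor-confirmed method: one request per status value, merged by incident_id. The names plan_requests, get_incidents_any_status and fake_fetch are hypothetical, the sample incidents are constructed, and the stand-in transport assumes filters are ANDed, as the original post suspects.

```python
# Added example; function names are hypothetical, not part of any Cortex XDR SDK.
DOCUMENTED_STATUS_OPS = {"eq", "neq"}  # operators the cited docs page lists for 'status'

def plan_requests(filters):
    """Expand a status 'in' filter into one filter list per value, each using 'eq'."""
    plans = [[]]
    for f in filters:
        if f["field"] == "status" and f["operator"] == "in":
            values = list(dict.fromkeys(f["value"]))  # drop duplicate values, keep order
            if not values:
                raise ValueError("status 'in' needs at least one value")
            plans = [p + [{"field": "status", "operator": "eq", "value": v}]
                     for p in plans for v in values]
        elif f["field"] == "status" and f["operator"] not in DOCUMENTED_STATUS_OPS:
            raise ValueError(f"undocumented status operator: {f['operator']}")
        else:
            plans = [p + [f] for p in plans]
    return plans

def get_incidents_any_status(filters, fetch):
    """Run one request per plan; fetch(filters) returns a list of incident dicts."""
    merged = {}
    for plan in plan_requests(filters):
        for incident in fetch(plan):
            # An incident can change status between requests; keep its first copy.
            merged.setdefault(incident["incident_id"], incident)
    return list(merged.values())

# Constructed sample incidents and a stand-in transport that ANDs all filters
# (assumed server behaviour, matching the empty result described in the post).
SAMPLE = [
    {"incident_id": "1", "status": "new"},
    {"incident_id": "2", "status": "under_investigation"},
    {"incident_id": "3", "status": "resolved_true_positive"},
    {"incident_id": "4", "status": "new"},
]

def fake_fetch(filters):
    def matches(incident, f):
        equal = incident.get(f["field"]) == f["value"]
        return equal if f["operator"] == "eq" else not equal
    return [i for i in SAMPLE if all(matches(i, f) for f in filters)]

if __name__ == "__main__":
    wanted = [{"field": "status", "operator": "in",
               "value": ["new", "under_investigation"]}]
    print([i["incident_id"] for i in get_incidents_any_status(wanted, fake_fetch)])
```

A real fetch callable would also need to page through each request's results before the merge.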