ThreatSync Management API

Version: 1.1.6

Introduction

The ThreatSync Management API is a RESTful API that you can use to manage your ThreatSync incidents and actions.

This API documentation explains how to access the ThreatSync Management API and includes examples to help you get started.

Get Started

This section describes how to submit requests to the ThreatSync Management API.

The ThreatSync Management API URL is:

https://{base API URL}/rest/threatsync/management/

The base URL for WatchGuard public APIs varies by region. The base API URL for your account appears on the Managed Access page in WatchGuard Cloud.

Path Parameters

Each WatchGuard public API has a version, expressed as <major>.<minor>.<patch>. You specify the major API version, such as v1, as part of the endpoint URI path.

All ThreatSync Management API endpoint URIs must include your WatchGuard Cloud account ID in the {accountid} path parameter.

Authentication

WatchGuard public APIs use the Open Authorization (OAuth) 2.0 authorization framework for token-based authentication. To use the ThreatSync Management API, you must first enable API access in your WatchGuard Cloud account and make an API request to generate an access token.

You must include the access token and your API Key in the header of each request you make to the ThreatSync Management API.

For more information, go to Authentication.

Request Headers

You must include this information in the header of each request you make to the ThreatSync Management API:

Content-Type	application/json
Accept	application/json
Authorization	The access token that you generate with the WatchGuard Authentication API. For more information, go to Authentication.
WatchGuard-API-Key	The API key associated with your WatchGuard Cloud account (shown on the Managed Access page in WatchGuard Cloud).

Pagination

Some GET endpoints that return a list of records support pagination through the sortBy, limit, and start_after request parameters:

sortBy
string

Specifies how to sort results. This can be the names of one or more response parameters, separated by commas.

Example: threatScore

limit

integer

Specifies the maximum number of records to retrieve in the response. The maximum is limited to 1000 records.

Example: 50

startAfter
string

Cursor value that identifies the record after which you want to retrieve records. This value must match the data returned in the response parameter you specify in the sortBy request parameter.

Example: 2023-02-12T23:05:28

You can use these parameters to construct queries for pages of results. When you include the sortBy and limit parameters in the request, the response includes a startAfter parameter that shows the data you can use to construct a request for the next page of results.

Retrieve a List of Incidents

/{v1}/{accountId}/incidents

Retrieves a list of ThreatSync incidents for an account.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

query string	Query string that enables you to search for records that match the specified data. Specify response parameter names and associated values to retrieve objects that match those values. Examples: threatScore:>5 && status:viewed category:malicious_url OR category:IPS OR category:IOA status:performed OR status:inProgress For more information about how to construct query strings, go to the Apache Lucene documentation.
sortBy string	Specifies how to sort results. This can be the names of one or more response parameters, separated by commas. Example: threatScore
sortOrder string	Specifies whether to sort the results in ascending or descending order. This can be one of these values: asc — Sort results in ascending order desc — Sort results in descending order If you do not specify a value, the API returns results in ascending order. Example: desc
groupBy string	Specifies the response parameter to group data by. Example: status
fields string	Specifies which response parameters to return in the results. If you do not specify a value, the API returns all response parameters. Example : id,threatScore,status
countOnly boolean	Specifies whether to retrieve only a count of records. Example: true
limit integer	Maximum number of records to retrieve in the response. The maximum is limited to 1000 records. Example: 50
startAfter string	Cursor value that identifies the record after which you want to retrieve records. This value must match the data returned in the response parameter you specify in the sortBy request parameter. Example: 2023-02-12T23:05:28
duration string	Duration of time in days to retrieve records for. Specify a number followed by the letter D. Example: 10D
tenants boolean	Specifies whether to retrieve data for both Service Provider and managed accounts. Set this value to `true` to retrieve data for all managed accounts and delegated accounts. The default value is false. Example: true
includeActions boolean	Specifies whether to include actions for an incident. The default value is false. Example: true
includeComments boolean	Specifies whether to include comments for an incident. The default value is false. Example: true

Example Request

This request retrieves a list of incidents for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents?includeActions=true&includeComments=true&groupBy=status,&limit=1&query=threatScore:>0
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains incident data for account for the specified duration and limit:

{
    "groups": {
        "_default": [
            {
                "id": "co2e4rlg92tuks1lelmg",
                "account": "WGC-1-ac9d92c96cac4958b0ee",
                "category": "av",
                "type": "EICAR-Test-File (not a virus)",
                "timestamp": "2024-03-28T03:22:02Z",
                "threatScore": 1,
                "severity": "Low",
                "summary": "EICAR-Test-File (not a virus)",
                "description": "File was detected as a virus by Gateway AntiVirus.",
                "rule": "forward-proxy-ioc",
                "remediated": true,
                "entities": {
                    "50134": {
                        "type": "firebox",
                        "name": "Jenny-M270-DEAB",
                        "recommendedActions": [],
                        "actionPerformed": {
                            "command": "blockConnection",
                            "parameters": {
                                "srcAddr": "10.20.1.16",
                                "srcPort": 60733,
                                "dstAddr": "172.16.1.98",
                                "dstPort": 80
                            }
                        },
                        "threatDetails": {
                            "path": "/ips/eicar.txt",
                            "proxyAction": "HTTP-out.web.fpol_50134_QjQ3wb2zi4TF0tbuw",
                            "md5": "44d88612fea8a8f36de82e1278abb02f",
                            "protocol": "http",
                            "dstAddr": "172.16.1.98",
                            "dstInterface": "External",
                            "maliciousIp": "172.16.1.98",
                            "srcAddr": "10.20.1.16",
                            "policy": "Outgoing",
                            "host": "172.16.1.98",
                            "srcInterface": "Internal",
                            "srcPort": 60733,
                            "virus": "EICAR-Test-File (not a virus)",
                            "connectionTime": "2024-03-28T03:22:02Z",
                            "location": null,
                            "dstPort": 80
                        }
                    }
                },
                "user": null,
                "threatDetails": {
                    "path": "/ips/eicar.txt",
                    "proxyAction": "HTTP-out.web.fpol_50134_QjQ3wb2zi4TF0tbuw",
                    "md5": "44d88612fea8a8f36de82e1278abb02f",
                    "protocol": "http",
                    "dstAddr": "172.16.1.98",
                    "dstInterface": "External",
                    "maliciousIp": "172.16.1.98",
                    "srcAddr": "10.20.1.16",
                    "policy": "Outgoing",
                    "host": "172.16.1.98",
                    "srcInterface": "Internal",
                    "srcPort": 60733,
                    "virus": "EICAR-Test-File (not a virus)",
                    "connectionTime": "2024-03-28T03:22:02Z",
                    "location": null,
                    "dstPort": 80
                },
                "events": [
                    "co2e4rmccoa185i2ablg"
                ],
                "threatMetadata": [
                    "1",
                    "file",
                    "was",
                    "detected",
                    "as",
                    "a",
                    "virus",
                    "by",
                    "gateway",
                    "antivirus.",
                    "av",
                    "eicar-test-file",
                    "(not",
                    "virus)",
                    "firebox",
                    "jenny-m270-deab",
                    "block_connection",
                    "10.20.1.16",
                    "60733",
                    "172.16.1.98",
                    "80",
                    "/ips/eicar.txt",
                    "http-out.web.fpol_50134_qjq3wb2zi4tf0tbuw",
                    "44d88612fea8a8f36de82e1278abb02f",
                    "http",
                    "external",
                    "outgoing",
                    "internal",
                    "2024-03-28t03:22:02z"
                ],
                "entityIds": [
                    "50134"
                ],
                "occurrences": 1,
                "status": "new",
                "comments": [
                    {
                        "id": "8577afb3e4cb45e5abc8c4a1d9b21199",
                        "incidentId": "co2e4rlg92tuks1lelmg",
                        "account": "WGC-1-ac9d92c96cac4958b0ee",
                        "user": "175dcf77dcef3469_rw_id",
                        "creationTime": "2024-08-22T07:52:46Z",
                        "comment": "New comment sample1-from API"
                    }
                ],
                "actions": [
                    {
                        "id": "1593d3401bfb433ebae49078a5644329",
                        "account": "WGC-1-ac9d92c96cac4958b0ee",
                        "incidentId": "co2e4rlg92tuks1lelmg",
                        "entityId": "50134",
                        "entityType": "firebox",
                        "parameters": {
                            "srcAddr": "10.20.1.16",
                            "srcPort": 60733,
                            "dstAddr": "172.16.1.98",
                            "dstPort": 80
                        },
                        "irreversible": true,
                        "type": "source",
                        "errorMessage": null,
                        "responder": "Source",
                        "creationTime": "2024-03-28T03:22:22Z",
                        "command": "blockConnection",
                        "status": "performed",
                        "result": {},
                        "lastUpdateTime": "2024-03-28T03:22:22Z",
                        "history": [
                            {
                                "lastUpdateTime": "2024-03-28T03:22:22Z",
                                "status": "performed"
                            }
                        ]
                    }
                ]
            }
        ]
    },
    "count": 1
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	Array of incident items.
id string	Unique identifier of the incident record. Example: cjo38rng0qbgs12ehiqg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
category string	Category of the incident. This can be one of these values: AV Exploit IPS IOA Malicious Access Point Malicious URL Malware Unknown Program Example: malware
type string	Type of malware detected. Example: SecurityR.TestFile
timestamp string	Date and time the incident was created. Example: 2022-03-17T00:05:16Z
threatScore integer	Threat score of the incident. Example: 7
severity string	The risk score category. This can be one of these values: Critical — Scores of 9 or 10 High — Scores of 7 or 8 Medium — Scores of 4, 5, or 6 Low — Scores of 1, 2, or 3 Example: medium
description string	Description of the threat detected. Example: Intrusion was detected by the Firebox IPS engine
remediated boolean	Remediation status of the incident. Example: true
entities object	Details of the entity that the incident belongs to.
id string	Unique identifier for the entity. Example: 14359
type string	Type of entity. Example: Firebox
recommendedActions array	List of recommended actions that can be performed on the incident.
command string	Name of the recommended action to perform. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. unblockAddress — Removes an IP address from the Blocked Sites list of the account. isolate — Isolates an endpoint-protected computer. unIsolate — Unisolates an isolated computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. Example: isolate
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block unblockAddress — Required parameters: address — The IP address to unblock isolate — No required parameters. unIsolate — No required parameters. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Required parameters: md5 — The md5 hash of the file. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
actionPerformed array	List of actions performed at the source (Firebox or Endpoint) in response to the threat.
command string	Name of the action performed. This can be one of these values: blockConnection — The Firebox blocked a connection. blockProcess — The endpoint agent prevented a process from running. deleteFile — The endpoint agent deleted a file on the host computer. detected — The access point detected a threat. killProcess — The endpoint agent ended a running process on the host computer. Example: deleteFile
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — Parameters can include md5 — The MD5 hash associated with the process.
threatDetails object	Threat details of an incident. The parameters depend on the type of threat and can include one or more of these values: Access Point deviceId — The device ID of the access point that detected the threat. threatWiredMac — The MAC address of the wired interface of the Rogue access point. rssi — The RSSI (Received Signal Strength Indicator) of the malicious access point. agentIp — The IP address of the access point that detected the threat. band — The wireless band used by the Rogue access point, such as 2.4 GHz or 5 GHz. channel — The wireless channel used by the Rogue access point. detectedbySerial — Serial number of the access point that detected the threat. account — Account ID the incident is associated with. serial — Serial number of the access point that detected the threat. threatWirelessMac — The BSSID/MAC address of the malicious Access point. detectedbyName — Name of the access point that detected the threat. id — Incident ID. threatSecurity — The security type of the SSID broadcast by the malicious access point. threatProtocol — The wireless protocol used by the malicious access point, such as 802.11ac. distance — The estimated distance of the detected malicious access point measured in feet and meters. timestamp — The time at which the access point detected the threat. detectedbyMac — The MAC address of the access point that detected the threat. threatSsid — The SSID broadcast by the malicious access point. threatType — The type of the threat. This can be one of these values: Evil Twin Rogue AP Suspected Rogue AP threatIp — The IP address of the malicious access point. threatBssid — The BSSID MAC address of the wireless interface of the malicious access point. threatReason — Indicates the reason why a device was classified as a malicious access point.. Endpoint malware — Name of the malware associated with the incident. file — Path of a local file on the computer associated with the incident. pid — ID of a process associated with an incident. md5 — MD5 hash of the file or process associated with an incident. Firebox srcAddr — IP address that was the source of the traffic. srcPort — The TCP or UDP port number used to send traffic. srcInterface — Name of the interface that was the source of the traffic. dstAddr — Destination IP address. dstPort — The TCP or UDP port number used to receive traffic. dstInterface — Name of the interface that was the destination of the traffic. protocol — Protocol used for the connection, such as TCP. policy — Name of the Firebox policy associated with traffic. proxyAction — Name of the Firebox proxy action associated with the traffic. maliciousIp — IP address of the connection identified as malicious. connectionTime — Time stamp of the connection. Firebox Threat Details by Category AV (Antivirus) attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — The MD5 hash of the content. path — URL path of an HTTP request. virus — Name of the virus detected. IPS (Intrusion Prevention Service) host — Host name of an HTTP request. path — URL path of an HTTP request. signature — Name of the related IPS signature. Malicious IP source — Contains the value "Botnet" if the incident is related to a botnet attack Malicious URL maliciousUrl — The suspected malicious URL of an HTTP request. Malware attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — MD5 hash of the content. path — URL path of an HTTP request. recipients — Recipients of the email message (SMTP). sender — Sender of the email message (SMTP). Example: "malware": "Demo.TestFile"
entityIds string	The ID of the entity. Example: 70513
status string	Specifies the status of the incident. This can be one of these values: archived — Incidents archived by an automation policy or manually archived. new — New incidents not yet reviewed. viewed — Reviewed incidents or incidents marked as read. Example: viewed
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
updatedBy string	The name of the operator that updated the incident status. Or `system` if the update was in response to an automated action. Example: 6b857fba02a8c7ca_rw_id
comments array	List of comments.
id string	Unique identifier of a comment. Example: 8577afb3e4cb45e5abc8c4a1d9b21199
incidentId string	Unique identifier of an incident. Example: cq7m4paoksm0rb2o46ag
user string	The user name of the operator that initiated the comment request. Example: xdradmin
account string	Account ID the incident is associated with. Example: WGC-1-123abc456 or ACC-1234567
comment string	The comment added to the specified incident. Example: Sample comment
creationTime string	The time the comment was created. Example: 2023-09-27T06:44:34Z
lastUpdateTime string	The time the comment was last updated. Example: 2023-09-27T06:44:34Z
command string	Name of the action on the incident. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The Access Point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: blockAddress
actionId string	Unique identifier of the action. Example: 6a53f515f5994e0983df9e47444c1fc7
context string	Specifies the context when the comment was added. This can be one of these values: action — Comment added when a new action was created. statusChange — Comment added when the status of the incident was updated. Example: action
newStatus string	The status of the incident. This can be one of these values: new — New incidents not yet reviewed. viewed — Reviewed incidents or incidents marked as read. archived — Incidents archived by an automation policy or manually archived. Example: new
actions array	Details for an action on an incident.
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of these values: Access Point Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. isolate — No required parameters. quarantineFile — Required parameters: md5 — The md5 hash of the file. unblockAddress — Required parameters: address — The IP address to unblock. unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
responder string	The incident responder. This can be one of these values: Source — Action is taken by the endpoint. System — Action is initiated manually. ThreatSync — Action is initiated by an automation policy. Example: System
creationTime string	The time the action was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The access point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
lastUpdateTime string	The date and time (UTC) when the action was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: 6b337fba02a8c7ca_rw_id
count integer	Total count of incidents. Example: 1
startAfter object	When you include the `sortBy` and `limit` parameters in the request, this parameter shows the data you can use to construct a request for the next page of results. Example: {"threatsyncIncidents": { "timestamp": "2023-08-24T08:36:34Z" }}

Retrieve a Specific Incident

/{v1}/{accountId}/incidents/{incidentId}

Retrieves a specific incident for an account by incident ID.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: c8p7nlhlgag91nihhiqg

Request Parameters

When you send a request to this endpoint, you can include these parameters:

includeActions
boolean

Specifies whether to include actions for an incident.

The default value is false.

Example: true

includeComments
boolean

Specifies whether to include comments for an incident.

The default value is false.

Example: true

Example Request

This request retrieves a specific incident for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents/co2e4rlg92tuks1lelmg?includeActions=true&includeComments=true
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains incident data for the specified incident and details about the threat:

{
    "id": "co2e4rlg92tuks1lelmg",
    "account": "WGC-1-ac9d92c96cac4958b0ee",
    "category": "av",
    "type": "EICAR-Test-File (not a virus)",
    "timestamp": "2024-03-28T03:22:02Z",
    "threatScore": 1,
    "severity": "Low",
    "description": "File was detected as a virus by Gateway AntiVirus.",
    "remediated": true,
    "entities": {
        "50134": {
            "type": "firebox",
            "name": "Jenny-M270-DEAB",
            "recommendedActions": [],
            "actionPerformed": {
                "command": "blockConnection",
                "parameters": {
                    "srcAddr": "10.20.1.16",
                    "srcPort": 60733,
                    "dstAddr": "172.16.1.98",
                    "dstPort": 80
                }
            },
            "threatDetails": {
                "path": "/ips/eicar.txt",
                "proxyAction": "HTTP-out.web.fpol_50134_QjQ3wb2zi4TF0tbuw",
                "md5": "44d88612fea8a8f36de82e1278abb02f",
                "protocol": "http",
                "dstAddr": "172.16.1.98",
                "dstInterface": "External",
                "maliciousIp": "172.16.1.98",
                "srcAddr": "10.20.1.16",
                "policy": "Outgoing",
                "host": "172.16.1.98",
                "srcInterface": "Internal",
                "srcPort": 60733,
                "virus": "EICAR-Test-File (not a virus)",
                "connectionTime": "2024-03-28T03:22:02Z",
                "location": null,
                "dstPort": 80
            }
        }
    },
    "user": null,
    "entityIds": [
        "50134"
    ],
    "occurrences": 1,
    "status": "new",
    "comments": [
        {
            "id": "8577afb3e4cb45e5abc8c4a1d9b21199",
            "incidentId": "co2e4rlg92tuks1lelmg",
            "account": "WGC-1-ac9d92c96cac4958b0ee",
            "user": "175dcf77dcef3469_rw_id",
            "creationTime": "2024-08-22T07:52:46Z",
            "comment": "New comment sample1-from API"
        }
    ],
    "actions": [
        {
            "id": "1593d3401bfb433ebae49078a5644329",
            "account": "WGC-1-ac9d92c96cac4958b0ee",
            "incidentId": "co2e4rlg92tuks1lelmg",
            "entityId": "50134",
            "entityType": "firebox",
            "parameters": {
                "srcAddr": "10.20.1.16",
                "srcPort": 60733,
                "dstAddr": "172.16.1.98",
                "dstPort": 80
            },
            "irreversible": true,
            "type": "source",
            "errorMessage": null,
            "responder": "Source",
            "creationTime": "2024-03-28T03:22:22Z",
            "command": "blockConnection",
            "status": "performed",
            "result": {},
            "lastUpdateTime": "2024-03-28T03:22:22Z",
            "history": [
                {
                    "lastUpdateTime": "2024-03-28T03:22:22Z",
                    "status": "performed"
                }
            ]
        }
    ]
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

id string	ID of the incident. Example: cihb9v9jp69d29pts8eg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
category string	Category of the incident. This can be one of these values: AV Exploit IPS IOA Malicious Access Point Malicious URL Malware Unknown Program Example: exploit
type string	Type of malware. Example: VIRUS Eicar test string -1
timestamp string	Date and time the incident was created. Example: 2022-03-17T00:05:16Z
threatScore integer	Threat score of the incident. Example: 5
severity string	The risk score category. This can be one of these values: Critical — Scores of 9 or 10 High — Scores of 7 or 8 Medium — Scores of 4, 5, or 6 Low — Scores of 1, 2, or 3 Example: Medium
description string	Description of the threat detected. Example: Intrusion was detected by the Firebox IPS engine
remediated boolean	Remediation status of the incident. This can be one of two values: true false Example: false
entities object	Details of the entity that the incident belongs to. Example: type
id string	Unique identifier for the entity. Example: 14359
type string	Type of entity. Example: Endpoint
recommendedActions array	List of recommended actions that can be performed on the incident.
command string	Name of the recommended action to perform. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. unblockAddress — Removes an IP address from the Blocked Sites list of the account. isolate — Isolates an endpoint-protected computer. unIsolate — Unisolates an isolated computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. Example: isolate
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block. unblockAddress — Required parameters: address — The IP address to unblock. isolate — No required parameters. unIsolate — No required parameters. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Required parameters: md5 — The md5 hash of the file. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
actionPerformed array	List of actions performed at the source (Firebox or Endpoint) in response to the threat.
command string	Name of the action performed. This can be one of these values: blockConnection — The Firebox blocked a connection. blockProcess — The endpoint agent prevented a process from running. deleteFile — The endpoint agent deleted a file on the host computer. detected — The access point detected a threat. killProcess — The endpoint agent ended a running process on the host computer. Example: deleteFile
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — Parameters can include md5 — The MD5 hash associated with the process.
threatDetails object	Threat details of an incident. The parameters depend on the type of threat and can include one or more of these values: Access Point deviceId — The device ID of the access point that detected the threat. threatWiredMac — The MAC address of the wired interface of the Rogue access point. rssi — The RSSI (Received Signal Strength Indicator) of the malicious access point. agentIp — The IP address of the access point that detected the threat. band — The wireless band used by the Rogue access point, such as 2.4 GHz or 5 GHz. channel — The wireless channel used by the Rogue access point. detectedbySerial — Serial number of the access point that detected the threat. account — Account ID the incident is associated with. serial — Serial number of the access point that detected the threat. threatWirelessMac — The BSSID/MAC address of the malicious Access point. detectedbyName — Name of the access point that detected the threat. id — Incident ID. threatSecurity — The security type of the SSID broadcast by the malicious access point. threatProtocol — The wireless protocol used by the malicious access point, such as 802.11ac. distance — The estimated distance of the detected malicious access point measured in feet and meters. timestamp — The time at which the access point detected the threat. detectedbyMac — The MAC address of the access point that detected the threat. threatSsid — The SSID broadcast by the malicious access point. threatType — The type of the threat. This can be one of these values: Evil Twin Rogue AP Suspected Rogue AP threatIp — The IP address of the malicious access point. threatBssid — The BSSID MAC address of the wireless interface of the malicious access point. threatReason — Indicates the reason why a device was classified as a malicious access point. Endpoint malware — Name of the malware associated with the incident. file — Path of a local file on the computer associated with the incident. pid — ID of a process associated with an incident. md5 — MD5 hash of the file or process associated with an incident. Firebox srcAddr — IP address that was the source of the traffic. srcPort — The TCP or UDP port number used to send traffic. srcInterface — Name of the interface that was the source of the traffic. dstAddr — Destination IP address. dstPort — The TCP or UDP port number used to receive traffic. dstInterface — Name of the interface that was the destination of the traffic. protocol — Protocol used for the connection, such as TCP. policy — Name of the Firebox policy associated with traffic. proxyAction — Name of the Firebox proxy action associated with the traffic. maliciousIp — IP address of the connection identified as malicious. connectionTime — Time stamp of the connection. Firebox Threat Details by Category AV (Antivirus) attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — The MD5 hash of the content. path — URL path of an HTTP request. virus — Name of the virus detected. IPS (Intrusion Prevention Service) host — Host name of an HTTP request. path — URL path of an HTTP request. signature — Name of the related IPS signature. Malicious IP source — Contains the value "Botnet" if the incident is related to a botnet attack Malicious URL maliciousUrl — The suspected malicious URL of an HTTP request. Malware attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — MD5 hash of the content. path — URL path of an HTTP request. recipients — Recipients of the email message (SMTP). sender — Sender of the email message (SMTP). Example: "malware": "Demo.TestFile"
entityIds string	The ID of the entity. Example: 70513
status string	Specifies the status of the incident. This can be one of these values: new — New incidents not yet reviewed. viewed — Reviewed incidents or incidents marked as read. archived — Incidents archived by an automation policy or manually archived. Example: viewed
comments array	List of comments.
id string	Unique identifier of a comment. Example: 8577afb3e4cb45e5abc8c4a1d9b21199
incidentId string	Unique identifier of an incident. Example: cq7m4paoksm0rb2o46ag
user string	The user name of the operator that initiated the comment request. Example: xdradmin
account string	Account ID the incident is associated with. Example: WGC-1-123abc456 or ACC-1234567
comment string	The comment added to the specified incident. Example: Sample comment
creationTime string	The time the comment was created. Example: 2023-09-27T06:44:34Z
lastUpdateTime string	The time the comment was last updated. Example: 2023-09-27T06:44:34Z
command string	Name of the action on the incident. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The Access Point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: blockAddress
actionId string	Unique identifier of the action. Example: 6a53f515f5994e0983df9e47444c1fc7
context string	Specifies the context when the comment was added. This can be one of these values: action — Comment added when a new action was created. statusChange — Comment added when the status of the incident was updated. Example: action
newStatus string	The status of the incident. This can be one of these values: new — New incidents not yet reviewed. viewed — Reviewed incidents or incidents marked as read. archived — Incidents archived by an automation policy or manually archived. Example: new
actions array	Details for an action on an incident.
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of these values: Access Point Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. isolate — No required parameters. quarantineFile — Required parameters: md5 — The md5 hash of the file. unblockAddress — Required parameters: address — The IP address to unblock. unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
responder string	The incident responder. This can be one of these values: Source — Action is taken by the endpoint. System — Action is initiated manually. ThreatSync — Action is initiated by an automation policy. Example: System
creationTime string	The time the action was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The access point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
lastUpdateTime string	The date and time (UTC) when the action was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: 6b337fba02a8c7ca_rw_id

Update Incident Status

/{v1}/{accountId}/incidents/{incidentID}

Updates the status of a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: c8p7nlhlgag91nihhiqg

Request Body

status
string
REQUIRED

Updated incident status. Specify one of these values:

archived — Incidents archived by an automation policy or manual action.
new — New incidents not yet reviewed.
viewed — Reviewed incidents or incidents marked as read.

comment
string

Optional. Specifies a comment to add for the incident.

Example: Sample comment

Example Request

This request updates the status of the specified incident:

curl -X PATCH https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents/cise8cngkpcu8rsmvkp0
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
               "status": "viewed"
               }'

Example Response

This response includes incident details and updated status for the specified incident.

{
    "id": "cise8cngkpcu8rsmvkp0",
    "account": "WGC-1-123abc456",
    "category": "malware",
    "type": "Demo.TestFile",
    "timestamp": "2023-07-20T07:37:22Z",
    "threatScore": 5,
    "severity": "Medium",
    "description": "File was detected as malware by local or remote technology in WatchGuard Endpoint Security.",
    "remediated": false,
    "entities": {
        "70513": {
            "type": "endpoint",
            "recommendedActions": [
                {
                    "command": "isolate"
                }
            ],
            "actionPerformed": {
                "command": "blockProcess",
                "parameters": {
                    "md5": "1CFB320E5F37CB2C7875F39D1F928239"
                }
            },
            "threatDetails": {
                "malware": "Demo.TestFile",
                "file": "PROFILE|\\Desktop\\Test\\DemoTestFile\\joke.EXE",
                "md5": "1CFB320E5F37CB2C7875F39D1F928239"
            }
        }
    },
    "entityIds": [
        "70513"
    ],
    "status": "viewed",
    "lastUpdateTime": "2023-09-28T20:41:21Z",
    "updatedBy": "6b447fba02a8c7ca_rw_id"
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

id string	Unique identifier of the incident record. Example: cjo38rng0qbgs12ehiqg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
category string	Category of the incident. This can be one of these values: AV Exploit IPS IOA Malicious Access Point Malicious URL Malware Unknown Program Example: ips
type string	Type of malware. Example: VIRUS Eicar test string -1
timestamp string	Date and time the incident was created. Example: 2022-03-17T00:05:16Z
threatScore integer	Threat score of the incident. Example: 5
severity string	The risk score category. This can be one of these values: Critical — Scores of 9 or 10 High — Scores of 7 or 8 Medium — Scores of 4, 5, or 6 Low — Scores of 1, 2, or 3 Example: Medium
description string	Description of the threat detected. Example: Intrusion was detected by the Firebox IPS engine
remediated boolean	Remediation status of the incident. This can be one of two values: true false Example: false
entities object	Details of the entity that the incident belongs to. Example: type
id string	Unique identifier for the entity. Example: 14359
type string	Type of entity. Example: Endpoint
recommendedActions array	List of recommended actions that can be performed on the incident.
command string	Name of the recommended action to perform. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. unblockAddress — Removes an IP address from the Blocked Sites list of the account. isolate — Isolates an endpoint-protected computer. unIsolate — Unisolates an isolated computer. killProcess — Ends a process on an endpoint-protected computer quarantineFile — Quarantines a file on an endpoint-protected computer. Example: isolate
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block. unblockAddress — Required parameters: address — The IP address to unblock. isolate — No required parameters. unIsolate — No required parameters. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Required parameters: md5 — The md5 hash of the file. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
actionPerformed array	List of actions performed at the source (Firebox or Endpoint) in response to the threat.
command string	Name of the action performed. This can be one of these values: blockConnection — The Firebox blocked a connection. blockProcess — The endpoint agent prevented a process from running. deleteFile — The endpoint agent deleted a file on the host computer. detected — The access point detected a threat. killProcess — The endpoint agent ended a running process on the host computer. Example: deleteFile
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — Parameters can include md5 — The MD5 hash associated with the process.
threatDetails object	Threat details of an incident. The parameters depend on the type of threat and can be one or more of these values: Access Point deviceId — The device ID of the access point that detected the threat. threatWiredMac — The MAC address of the wired interface of the Rogue access point. rssi — The RSSI (Received Signal Strength Indicator) of the malicious access point. agentIp — The IP address of the access point that detected the threat. band — The wireless band used by the Rogue access point, such as 2.4 GHz or 5 GHz. channel — The wireless channel used by the Rogue access point. detectedbySerial — Serial number of the access point that detected the threat. account — Account ID the incident is associated with. serial — Serial number of the access point that detected the threat. threatWirelessMac — The BSSID/MAC address of the malicious Access point. detectedbyName — Name of the access point that detected the threat. id — Incident ID. threatSecurity — The security type of the SSID broadcast by the malicious access point. threatProtocol — The wireless protocol used by the malicious access point, such as 802.11ac. distance — The estimated distance of the detected malicious access point measured in feet and meters. timestamp — The time at which the access point detected the threat. detectedbyMac — The MAC address of the access point that detected the threat. threatSsid — The SSID broadcast by the malicious access point. threatType — The type of the threat. This can be one of these values: Evil Twin Rogue AP Suspected Rogue AP threatIp — The IP address of the malicious access point. threatBssid — The BSSID MAC address of the wireless interface of the malicious access point. threatReason — Indicates the reason why a device was classified as a malicious access point. Endpoint malware — Name of the malware associated with the incident. file — Path of a local file on the computer associated with the incident. pid — ID of a process associated with an incident. md5 — MD5 hash of the file or process associated with an incident. Firebox srcAddr — IP address that was the source of the traffic. srcPort — The TCP or UDP port number used to send traffic. srcInterface — Name of the interface that was the source of the traffic. dstAddr — Destination IP address. dstPort — The TCP or UDP port number used to receive traffic. dstInterface — Name of the interface that was the destination of the traffic. protocol — Protocol used for the connection, such as TCP. policy — Name of the Firebox policy associated with traffic. proxyAction — Name of the Firebox proxy action associated with the traffic. maliciousIp — IP address of the connection identified as malicious. connectionTime — Time stamp of the connection. Firebox Threat Details by Category AV (Antivirus) attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — The MD5 hash of the content. path — URL path of an HTTP request. virus — Name of the virus detected. IPS (Intrusion Prevention Service) host — Host name of an HTTP request. path — URL path of an HTTP request. signature — Name of the related IPS signature. Malicious IP source — Contains the value "Botnet" if the incident is related to a botnet attack Malicious URL maliciousUrl — The suspected malicious URL of an HTTP request. Malware attachment — Name of an attachment contained in an email message (IMAP). filename — Name of a file contained in an email message (POP3). host — Host name of an HTTP request. mailbox — Name of a mailbox on a mail server (IMAP and SMTP). md5 — MD5 hash of the content. path — URL path of an HTTP request. recipients — Recipients of the email message (SMTP). sender — Sender of the email message (SMTP). Example: "malware": "Demo.TestFile"
entityIds string	The ID of the entity. Example: 70513
status string	Specifies the status of the incident. This can be one of these values: archived — Incidents archived by an automation policy or manually archived. new — New incidents not yet reviewed. viewed — Reviewed incidents or incidents marked as read. Example: viewed
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
updatedBy string	The name of the operator that updated the incident status. Or `system` if the update was in response to an automated action. Example: 6b857fba02a8c7ca_rw_id

Retrieve a List of Actions for a Specific Incident

/{v1}/{accountId}/incidents/{incidentID}/actions

Retrieves a list of actions initiated for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: c8p7nlhlgag91nihhiqg

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

query string	Query string that enables you to search for records that match the specified data. Specify response parameter names and associated values to retrieve objects that match those values. Examples: threatScore:>5 && status:viewed category:malicious_url OR category:IPS OR category:IOA status:performed OR status:inProgress For more information about how to construct query strings, go to the Apache Lucene documentation.
sortBy string	Specifies how to sort results. This can be the names of one or more response parameters, separated by commas. Example: threatScore
sortOrder string	Specifies whether to sort the results in ascending or descending order. This can be one of these values: asc — Sort results in ascending order desc — Sort results in descending order If you do not specify a value, the API returns results in ascending order. Example: desc
groupBy string	Specifies the response parameter to group data by. Example: status
fields string	Specifies which response parameters to return in the results. If you do not specify a value, the API returns all response parameters. Example : id,summary,timestamp
countOnly boolean	Specifies whether to retrieve only a count of records. Example: true
limit integer	Maximum number of records to retrieve in the response. The maximum is limited to 1000 records. Example: 50
startAfter string	Cursor value that identifies the record after which you want to retrieve records. This value must match the data returned in the response parameter you specify in the `sortBy` request parameter. Example: 2023-02-12T23:05:28
duration string	Duration of time in days to retrieve records for. Specify a number followed by the letter D. Example: 10D

Example Request

This request retrieves a list of actions for the specified incident:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents/cjdk66vhk6vdk94iliog/actions 
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response includes a list of actions for the specified incident.

{
    "items": [
        {
            "id": "ce1a5e68c6a04e63942935a5853606f1",
            "account": "WGC-1-123abc456",
            "incidentId": "cjdk66vhk6vdk94iliog",
            "entityId": "70513",
            "entityType": "firebox",
            "parameters": {
                "address": "192.0.2.3"
            },
            "irreversible": false,
            "type": "manual",
            "errorMessage": "Unexpected error",
            "responder": "System",
            "creationTime": "2023-08-24T09:51:55Z",
            "command": "blockAddress",
            "status": "performed",
            "lastUpdateTime": "2023-08-24T09:51:59Z",
            "initiatedBy": "joy-castro",
            "history": [
                {
                    "lastUpdateTime": "2023-08-24T09:51:55Z",
                    "status": "inProgress"
                },
                {
                    "errorMessage": "Unexpected error",
                    "lastUpdateTime": "2023-08-24T09:51:59Z",
                    "status": "performed"
                }
            ],
            "result": {
                "status": "performed"
            }
        }
    ],
    "count": 1
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	Array of actions.
id string	The ID of an action. Example: 94ea663ee6094a6fbbe71107f4c4c46f
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
incidentId string	The ID of an incident. Example: cjdk66vhk6vdk94iliog
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of these values: Access Point Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — One of these parameters required: pid — The process ID md5 — The md5 hash of the file isolate — No required parameters. quarantineFile — Required parameters: md5 — The md5 hash of the file unblockAddress — Required parameters: address — The IP address to unblock unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
errorMessage string	Error message from the action. Example: Unexpected error
responder string	The incident responder. This can be one of these values: Source — Action is taken by the endpoint. System — Action is initiated manually. ThreatSync — Action is initiated by an automation policy. Example: System
creationTime string	The date and time the item was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The access point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
status string	The status of the action. Example: inProgress
lastUpdateTime string	The date and time (UTC) when the incident status was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: j-castro
history string	Historical details of the action performed on the incident. Example: lastUpdateTime
result string	The result of the action. Example: {"status": "performed"}
count integer	Total count of actions. Example: 1
startAfter object	When you include the `sortBy` and `limit` parameters in the request, this parameter shows the data you can use to construct a request for the next page of results. Example: {"threatsyncActions": { "entityId": "70512" }} Example: 1

Perform an Action for a Specific Incident

/{v1}/{accountId}/incidents/{incidentID}/actions

Performs an action for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: c8p7nlhlgag91nihhiqg

Request Body

command string REQUIRED	Specifies the action to perform. This can be one of these actions: blockAddress — Adds an IP address to the Blocked Sites list of the account. killProcess — Ends a process on an endpoint-protected computer. isolate — Isolates an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: blockAddress
parameters object REQUIRED	Parameters required to perform the action. These depend on the action you specify in the `command` parameter: blockAddress — Specify these required parameters: address — The IP address to block. isolate — No required parameters. killProcess — Specify one these required parameters: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Specify these required parameters: md5 — The md5 hash of the file. unIsolate — No required parameters. unblockAddress — Specify these required parameters: address — The IP address to unblock. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
entityId string	The ID of the entity to perform the action on. This request parameter is required for endpoint actions and optional for Firebox actions. Example: 70513
comment string	Specifies a comment to add for an action. Example: Sample comment

Example Request

This request adds an IP address to the list of IP addresses blocked by ThreatSync on eligible Fireboxes for the specified account:

curl -X POST https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents/ce74dbcb78af40258e4703e15dc40566/actions
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
		"command": "blockAddress",
		    "parameters": {
	                "address": "100.100.100.3"
	            }'

Example Response

This response includes details about the action and the status of the action.

{
    "id": "ce74dbcb78af40258e4703e15dc40566",
    "account": "WGC-1-123abc456",
    "incidentId": "cjao3643buedbpar59pg",
    "entityId": "33196",
    "entityType": "firebox",
    "parameters": {
        "address": "100.100.100.3"
    },
    "irreversible": false,
    "type": "manual",
    "errorMessage": Unexpected error,
    "responder": "System",
    "creationTime": "2023-09-13T19:10:55Z",
    "command": "blockAddress",
    "status": "inProgress",
    "lastUpdateTime": "2023-09-13T19:10:55Z",
    "initiatedBy": "6b447fba02a8c7ca_rw_id",
    "history": [
        {
            "lastUpdateTime": "2023-09-13T19:10:55Z",
            "status": "inProgress"
        }
    ]
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

id string	Unique identifier of the action. Example: cjo38rng0qbgs12ehiqg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
incidentId string	The ID of an incident. Example: c8p7nlhlgag91nihhiqg
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of two values: Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block isolate — No required parameters. killProcess — One of these parameters required: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Required parameters: md5 — The md5 hash of the file. unblockAddress — Required parameters: address — The IP address to unblock unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
errorMessage string	Error message from the action. Example: Unexpected error
responder string	The incident responder. This can be one of these values: Source - Action is taken by the endpoint. System — Action is initiated manually. ThreatSync — Action is initiated by an automation policy. Example: System
creationTime string	The time the item was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action to perform. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
status string	Status of the action. Example: inProgress
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: 6b337fba02a8c7ca_rw_id
history string	Historical details of the action performed on the incident. Example: {"lastUpdateTime": "2023-08-24T09:51:59Z", "status": "performed"}

Retrieve a Specific Action for a Specific Incident

/{v1}/{accountId}/incidents/{incidentID}/actions/{actionID}

Retrieves details of a specific action for a specified incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: cjjbnnnhk6vdk95da4kg

actionId
string
REQUIRED

The ID of an action.

Example: fc68d5d946e747a991a1e4388bbf7ef6

Example Request

This request retrieves a specific action for a specified incident:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/incidents/cisi7nngkpcu8rsn5h20/actions/2652baf575784da0bf1da4a663d9fe0b 
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains information about a specific action for a specific incident:

{
    "id": "2652baf575784da0bf1da4a663d9fe0b",
    "account": "WGC-1-123abc456",
    "incidentId": "cisi7nngkpcu8rsn5h20",
    "entityId": "70513",
    "entityType": "firebox",
    "parameters": {
        "address": "10.139.50.212"
    },
    "irreversible": false,
    "type": "manual",
    "errorMessage": "",
    "responder": "System",
    "creationTime": "2023-09-18T18:19:10Z",
    "command": "blockAddress",
    "status": "performed",
    "lastUpdateTime": "2023-09-18T18:19:11Z",
    "initiatedBy": "6b447fba02a8c7ca_rw_id",
    "history": [
        {
            "lastUpdateTime": "2023-09-18T18:19:10Z",
            "status": "inProgress"
        },
    ],
    "result": {
        "status": "performed"
    }
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

id string	Unique identifier of the action. Example: cjo38rng0qbgs12ehiqg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
incidentId string	The ID of an incident. Example: c8p7nlhlgag91nihhiqg
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of these values: Access Point Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — One of these parameters required: pid — The process ID md5 — The md5 hash of the file isolate — No required parameters. quarantineFile — Required parameters: md5 — The md5 hash of the file unblockAddress — Required parameters: address — The IP address to unblock unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
errorMessage string	Error message from the action. Example: Unexpected error
responder string	The incident responder. This can be one of these values: Source - Action is taken by the endpoint System — Action is initiated manually ThreatSync — Action is initiated by an automation policy Example: System
creationTime string	The time the item was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The access point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
status string	Status of the action. Example: performed
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: s-nguyen-owner
history string	Historical details of the action performed on the incident. Example: {"lastUpdateTime": "2023-08-24T09:51:59Z", "status": "performed"}
result string	The result of the action. Example: {"status": "performed"}

Retrieve a List of Actions

/{v1}/{accountId}/actions

Retrieves a list of actions initiated for the specified account.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

query string	Query string that enables you to search for records that match the specified data. Specify response parameter names and associated values to retrieve objects that match those values. Examples: threatScore:>5 && status:viewed category:malicious_url OR category:IPS OR category:IOA status:performed OR status:inProgress For more information about how to construct query strings, go to the Apache Lucene documentation.
sortBy string	Specifies how to sort results. This can be the names of one or more response parameters, separated by commas. Example: threatScore
sortOrder string	Specifies whether to sort the results in ascending or descending order. This can be one of these values: asc — Sort results in ascending order desc — Sort results in descending order If you do not specify a value, the API returns results in ascending order. Example: desc
groupBy string	Specifies the parameter to group data by. Example: status
fields string	Specifies which response parameters to return in the results. If you do not specify a value, the API returns all response parameters. Example : id,summary,timestamp
countOnly boolean	Specifies whether to retrieve only a count of records. Example: true
limit integer	Maximum number of records to retrieve in the response. The maximum is limited to 1000 records. Example: 50
startAfter string	Cursor value that identifies the record after which you want to retrieve records. This value must match the data returned in the response parameter you specify in the `sortBy` request parameter. Example: 2023-02-12T23:05:28
duration string	Duration of time in days to retrieve records for. Specify a number followed by the letter D. Example: 10D

Example Request

This request retrieves actions for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/actions/
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains details of the actions for the account:

{
"items": [
    {
    "id": "415e795b6a354d8493f2f7d016fa885b",
    "account": "WGC-1-123abc456",
    "incidentId": "cisi7nngkpcu8rsn5h20",
    "entityId": "70513",
    "entityType": "firebox",
    "parameters": {
        "address": "10.139.50.212"
    	},
    "irreversible": false,
    "type": "manual",
    "errorMessage": "",
    "responder": "System",
    "creationTime": "2023-09-18T18:19:10Z",
    "command": "blockAddress",
    "status": "performed",
    "lastUpdateTime": "2023-09-18T18:19:11Z",
    "initiatedBy": "6b447fba02a8c7ca_rw_id",
    "history": [
        {
            "lastUpdateTime": "2023-09-18T18:19:10Z",
            "status": "inProgress"
        },
    	],
    "result": {
        "status": "performed"
    	}
    }
  ],
"count": 1
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	List of actions.
id string	Unique identifier of the action. Example: cjo38rng0qbgs12ehiqg
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
incidentId string	The ID of an incident. Example: cjnatpvg0qbgs12c6t0g
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of these values: Access Point Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Required parameters: address — The IP address to block blockConnection — Parameters can include: srcAddr — The connection source address. srcPort — The connection source port. dstAddr — The connection destination address. dstPort — The connection destination address. blockProcess — Parameters can include: md5 — The MD5 hash associated with the process. deleteFile — Parameters can include: md5 — The MD5 hash of the deleted file. killProcess — One of these parameters required: pid — The process ID md5 — The md5 hash of the file isolate — No required parameters. quarantineFile — Required parameters: md5 — The md5 hash of the file unblockAddress — Required parameters: address — The IP address to unblock unIsolate — No required parameters. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
errorMessage string	Error message from the action. Example: Unexpected error
responder string	The incident responder. This can be one of these values: Source — Action is taken by the endpoint. System — Action is initiated manually. ThreatSync — Action is initiated by an automation policy. Example: System
creationTime string	The time the item was created. Example: 2023-09-08T17:39:18Z
command string	Name of the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The Access Point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: isolate
status string	Status of the action. Example: inProgress
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: 6b337fba02a8c7ca_rw_id
history string	Historical details of the action performed on the incident. Example: {"lastUpdateTime": "2023-08-24T09:51:59Z", "status": "performed"}
result string	The result of the action. Example: {"status": "performed"}
count integer	Total count of actions. Example: 1
startAfter object	When you include the `sortBy` and `limit` parameters in the request, this parameter shows the data you can use to construct a request for the next page of results. Example: {"threatsyncActions": { "entityId": "70512" }} Example: 1

Perform an Action

/{v1}/{accountId}/actions

Performs a specified action.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

command
string
REQUIRED

Specify one of these actions:

blockAddress — Adds an IP address to the Blocked Sites list of the account.
unblockAddress — Removes an IP address from the Blocked Sites list of the account.
isolate — Isolates an endpoint-protected computer.
unIsolate — Unisolates an isolated computer.
killProcess — Ends a process on an endpoint-protected computer.
quarantineFile — Quarantines a file on an endpoint-protected computer.

Example: isolate

parameters
object
REQUIRED

Parameters required to perform the action. These depend on the action you specify in the command parameter:

blockAddress — Specify these required parameters:
- address — The IP address to block.
unblockAddress — Specify these required parameters:
- address — The IP address to unblock.
isolate — No required parameters.
unIsolate — No required parameters.
killProcess — Specify one these required parameters:
- pid — The process ID.
- md5 — The md5 hash of the file.
quarantineFile — Specify these required parameters:
- md5 — The md5 hash of the file.

Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}

entityId
string

The ID of the entity to perform the action on.

This request parameter is required for endpoint actions, and optional for Firebox actions.

Example: 70513

Example Request

This request isolates the specified endpoint:

curl -X POST https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-123abc456/actions
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
		    "command": "isolate",
		    "parameters": {},
                   "entityId": "411ad91f-d83a-4231-873d-35a25bafe9d8"
}'

Example Response

The response shows the details of the action performed:

{
    "id": "14e35fa04e4a4b40bde636d3166da58c",
    "account": "WGC-1-123abc456",
    "incidentId": null,
    "entityId": "411ad91f-d83a-4231-873d-35a25bafe9d8",
    "entityType": "endpoint",
    "parameters": {},
    "irreversible": false,
    "type": "manual",
    "errorMessage": Unexpected error,
    "responder": "System",
    "creationTime": "2023-09-15T19:36:20Z",
    "command": "isolate",
    "status": "inProgress",
    "lastUpdateTime": "2023-09-15T19:36:20Z",
    "initiatedBy": "6b447fba02a8c7ca_rw_id",
    "history": [
        {
            "lastUpdateTime": "2023-09-15T19:36:20Z",
            "status": "inProgress"
        }
    ]
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

id string	Unique identifier of the action. Example: 14e35fa04e4a4b40bde636d3166da58c
account string	Account ID the incident is associated with. Example: WGC-1-123abc456
incidentId string	The ID of an incident. Example: cjnatpvg0qbgs12c6t0g
entityId string	The ID of the entity. Example: 70513
entityType string	Type of entity. This can be one of two values: Endpoint Firebox Example: firebox
parameters object	Parameters required to perform the action. These depend on the action specified in the `command` parameter: blockAddress — Specify these required parameters: address — The IP address to block. unblockAddress — Specify these required parameters: address — The IP address to unblock. isolate — No required parameters. unIsolate — No required parameters. killProcess — Specify one these required parameters: pid — The process ID. md5 — The md5 hash of the file. quarantineFile — Specify these required parameters: md5 — The md5 hash of the file. Example: {"md5": "599951C2CCD2FD0C2E3181392712ECBA"}
irreversible boolean	Indicates whether the action is irreversible. This can be one of two values: true false Example: false
type string	The type of action performed. Example: manual
errorMessage string	Error message from the action. Example: Unexpected error
responder string	The incident responder. This can be one of these values: Source - Action is taken by the endpoint System — Action is initiated manually ThreatSync — Action is initiated by an automation policy Example: System
creationTime string	The time the item was created. Example: 2023-09-08T17:39:18Z
command string	Name of the command required to perform the action. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. unblockAddress — Removes an IP address from the Blocked Sites list of the account. isolate — Isolates an endpoint-protected computer. unIsolate — Unisolates an isolated computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. Example: isolate
status string	Status of the action. Example: inProgress
lastUpdateTime string	The date and time (UTC) when the incident was last changed. Example: 2023-07-21T05:31:41Z
initiatedBy string	The user name of the operator that initiated the action. Example: 6b337fba02a8c7ca_rw_id
history string	Historical details of the action performed on the incident. Example: {"lastUpdateTime": "2023-08-24T09:51:59Z", "status": "performed"}

Initiate a Transaction

/api/{v1}/transact

Submits multiple requests to ThreatSync Management API endpoints at the same time.

Request Body

path
string
REQUIRED

Path of the API endpoint to submit the request to.

Example: /v1/WGC-1-123abc456/incidents/cisi7nngkpcu8rsn5h20/actions

method
string
REQUIRED

HTTP method of the request.

Example: POST

data
object
REQUIRED

Request body to include with the request.

The data you must include depends on the API endpoint you specify in the path parameter. For detailed information, refer to the Example Request section for the endpoint.

Example Request

This request initiates a transaction to submit multiple requests.

curl -X POST https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/transact
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9L'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '[
		  {
		   "path": "/v1/WGC-1-123abc456/incidents/cisi7nngkpcu8rsn5h20/actions",
                  "method": "POST",
                  "data": {
                      "command": "blockAddress",
                      "parameters": {
                        "address": "10.139.50.212"
                      },
                      "entityId": "70513"
        	  }
    },
    {
                  "path": "/v1/WGC-1-123abc456/actions",
                  "method": "POST",
                  "data": {
                      "command": "isolate",
                      "parameters": {},
                      "entityId": "411ad91f-d83a-4231-873d-35a25bafe9d8"
                      "comment": "Optional comment for a create action for an incident."
        }
    },
    {
                  "path": "/v1/WGC-1-123abc456/incidents/cise8cngkpcu8rsmvkp0",
                  "method": "PATCH",
                  "data": {
                      "status": "archived"
                      "comment": "Optional comment for an incident status update."
         }
    }
]'

Example Response

The response contains a list of responses for the requests in the transaction.

[
    {
        "id": "70e2feaa5b2e4f298dccbf345eaf99fb",
        "account": "WGC-123abc456",
        "incidentId": "cisi7nngkpcu8rsn5h20",
        "entityId": "70513",
        "entityType": "firebox",
        "parameters": {
            "address": "10.139.50.212"
        },
        "irreversible": false,
        "type": "manual",
        "errorMessage": Unexpected error,
        "responder": "System",
        "creationTime": "2023-09-08T17:39:18Z",
        "command": "blockAddress",
        "status": "inProgress",
        "lastUpdateTime": "2023-09-08T17:39:18Z",
        "initiatedBy": "6b437fba02a8c9ca_rw_id",
        "history": [
            {
                "lastUpdateTime": "2023-09-08T17:39:18Z",
                "status": "inProgress"
            }
        ]
    },
    {
        "id": "c05bdd3b355c46a9b5466452a33f2a6c",
        "account": "WGC-1-123abc456",
        "incidentId": null,
        "entityId": "411ad91f-d83a-4231-873d-35a25bafe9d8",
        "entityType": "endpoint",
        "parameters": {},
        "irreversible": false,
        "type": "manual",
        "errorMessage": Unexpected error,
        "responder": "System",
        "creationTime": "2023-09-08T17:39:18Z",
        "command": "isolate",
        "status": "inProgress",
        "lastUpdateTime": "2023-09-08T17:39:18Z",
        "initiatedBy": "6b447fba02a8c7ca_rw_id",
        "history": [
            {
                "lastUpdateTime": "2023-09-08T17:39:18Z",
                "status": "inProgress"
            }
        ]
    },
    {
        "id": "cise8cngkpcu8rsmvkp0",
        "account": "WGC-1-a8a27e50022f4b688a40",
        "category": "malware",
        "type": "Demo.TestFile",
        "timestamp": "2023-07-20T07:37:22Z",
        "threatScore": 5,
        "severity": "Medium",
        "description": "File was detected as malware by local or remote technology in WatchGuard Endpoint Security.",
        "remediated": false,
        "entities": {
            "70513": {
                "type": "endpoint",
                "recommendedActions": [
                    {
                        "command": "isolate"
                    }
                ],
                "actionPerformed": {
                    "command": "blockProcess",
                    "parameters": {
                        "md5": "1CFB320E5F37CB2C7875F39D1F928239"
                    }
                },
                "threatDetails": {
                    "malware": "Demo.TestFile",
                    "file": "PROFILE|\\Desktop\\Test\\DemoTestFile\\test.EXE",
                    "md5": "1CFB320E5F37CB2C7875F39D1F928239"
                }
            }
        },
        "entityIds": [
            "70513"
        ],
        "status": "archived",
        "lastUpdateTime": "2023-09-08T17:39:18Z",
        "updatedBy": "6b437fba02a8c9ca_rw_id"
    }
]

The data returned in the response depends on the requests included in the transaction. For detailed information, refer to the Example Response sections for the relevant endpoints.

Retrieve a List of Comments for an Incident

/{v1}/{accountId}/incidents/{incidentId}/comments

Retrieves a list of comments for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: cg0f0s2h7skomt847f1g

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

sortOrder string	Specifies whether to sort the results in ascending or descending order. This can be one of these values: asc — Sort results in ascending order desc — Sort results in descending order If you do not specify a value, the API returns results in ascending order. Example: desc
sortBy string	Specifies how to sort results. This can be the names of one or more response parameters, separated by commas. Example: creationTime,id
groupBy string	Specifies the response parameter to group data by. You can group the data by id, account, incidentId, actionId, user, comment, creationTime, lastUpdateTime, context, or newStatus. Example: id
fields string	Specifies which response parameters to return in the results. If you do not specify a value, the API returns all response parameters. Example: id,account,incidentId,actionId,user,comment,creationTime,command,lastUpdateTime,context,newStatus
limit integer	Maximum number of records to retrieve in the response. The maximum limit is 1000 records. Example: 50
duration string	Duration of time in days to retrieve records for. Specify a number followed by the letter D. Example: 10D
startAfter string	Cursor value that identifies the record after which you want to retrieve records. This value must match the data returned in the response parameter you specify in the sortBy request parameter. Example: 2023-02-12T23:05:28

Example Request

This request retrieves a list of comments for a specific incident:

curl -X GET https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-ac9d92c96cac4958b0ee/incidents/co2e4rlg92tuks1lelmg/comments
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains comment data for the specified incident:

{
    "items": [
        {
            "id": "8577afb3e4cb45e5abc8c4a1d9b21199",
            "incidentId": "co2e4rlg92tuks1lelmg",
            "account": "WGC-1-ac9d92c96cac4958b0ee",
            "user": "175dcf77dcef3469_rw_id",
            "creationTime": "2024-08-22T07:52:46Z",
            "comment": "New comment sample1-from API"
        },
        {
            "id": "c568a7c737254d29b2976b63740fc6d3",
            "incidentId": "co2e4rlg92tuks1lelmg",
            "account": "WGC-1-ac9d92c96cac4958b0ee",
            "user": "175dcf77dcef3469_rw_id",
            "creationTime": "2024-09-11T09:05:35Z",
            "lastUpdateTime": "2024-09-11T09:09:36Z",
            "comment": "Sample Comment 2"
        }
    ],
    "count": 2
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	Array of incident comments.
id string	Unique identifier of a comment. Example: 903b824302b4419cac6ac4b0ead6719d
incidentId string	Unique identifier of an incident. Example: cq7m4paoksm0rb2o46ag
user string	The user name of the operator that added the comment. Example: xdradmin
account string	Account ID the incident is associated with. Example: WGC-1-123abc456 or ACC-1234567
comment string	The comment added to the specified incident. Example: Sample comment
creationTime string	The time the comment was created. Example: 2023-09-27T06:44:34Z
lastUpdateTime string	The time the comment was last updated. Example: 2023-09-27T06:44:34Z
command string	Name of the action performed on the incident. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The Access Point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: blockAddress
actionId string	Unique identifier of the action. Example: 6a53f515f5994e0983df9e47444c1fc7
context string	Specifies the context when the comment was added. This can be one of these values: action — Comment added when a new action was created. statusChange — Comment added when the status of the incident was updated. Example: action
newStatus string	The status of the incident. This can be one of these values: new - New incidents not yet reviewed. viewed - Reviewed incidents or incidents marked as read. archived - Incidents archived by an automation policy or manually archived. Example: new
count integer	Total count of comments. Example: 1

Create a Comment for an Incident

/{v1}/{accountId}/incidents/{incidentId}/comments

Creates a comment for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: cg0f0s2h7skomt847f1g

Request Body

comment
string
REQUIRED

Comment for an incident.

Example: Sample comment

Example Request

This request creates a comment for the specified incident:

curl -X POST https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-ac9d92c96cac4958b0ee/incidents/co2e4rlg92tuks1lelmg/comments
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
			"comment": "sample comment"
			}

Example Response

This response includes the new comment and the incident details:

{
    "id": "c568a7c737254d29b2976b63740fc6d3",
    "incidentId": "co2e4rlg92tuks1lelmg",
    "account": "WGC-1-ac9d92c96cac4958b0ee",
    "user": "175dcf77dcef3469_rw_id",
    "creationTime": "2024-09-11T09:05:35Z",
    "comment": "sample comment"
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	Array of incident items.
id string	Unique identifier of a comment. Example: 903b824302b4419cac6ac4b0ead6719dcjo38rng0qbgs12ehiqg
incidentId string	Unique identifier of an incident. Example: cq7m4paoksm0rb2o46ag
user string	The user name of the operator that initiated the comment request. Example: xdradmin
account string	Account ID the incident is associated with. Example: WGC-1-123abc456 or ACC-1234567
comment string	The comment added to the specified incident. Example: Sample comment
creationTime string	The time the comment was created. Example: 2023-09-27T06:44:34Z

Update a Specific Comment

/{v1}/{accountId}/incidents/{incidentId}/comments/{commentId}

Updates a specific comment for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: cg0f0s2h7skomt847f1g

commentId
string
REQUIRED

The ID of a comment.

Example: 6026c9e0e7fb44a39bd3ee540e37ef41

Request Body

comment
string
REQUIRED

Updated comment for an incident.

Example: updated comment

Example Request

This request updates the specified comment for the specified incident:

curl -X PATCH https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-ac9d92c96cac4958b0ee/incidents/co2e4rlg92tuks1lelmg/comments/c568a7c737254d29b2976b63740fc6d3
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
			"comment": "updated comment"
			}

Example Response

This response includes incident details and updated status for the specified comment:

{
    "id": "c568a7c737254d29b2976b63740fc6d3",
    "incidentId": "co2e4rlg92tuks1lelmg",
    "account": "WGC-1-ac9d92c96cac4958b0ee",
    "user": "175dcf77dcef3469_rw_id",
    "creationTime": "2024-09-11T09:05:35Z",
    "lastUpdateTime": "2024-09-11T09:09:36Z",
    "comment": "updated comment"
}

This table lists and describes the data returned in the response:

Some responses might not include all data.

items array	Array of incident items.
id string	Unique identifier of a comment. Example: 903b824302b4419cac6ac4b0ead6719dcjo38rng0qbgs12ehiqg
incidentId string	Unique identifier of an incident. Example: cq7m4paoksm0rb2o46ag
user string	The user name of the operator that initiated the comment request. Example: xdradmin
account string	Account ID the incident is associated with. Example: WGC-1-123abc456 or ACC-1234567
comment string	The comment added to the specified incident. Example: Sample comment
creationTime string	The time the comment was created. Example: 2023-09-27T06:44:34Z
lastUpdateTime string	The time the comment was last updated. Example: 2023-09-27T06:44:34Z
command string	Name of the action on the incident. This can be one of these values: blockAddress — Adds an IP address to the Blocked Sites list of the account. blockConnection — The Firebox blocks a connection. blockProcess — The endpoint agent prevents a process from running. deleteFile — The endpoint agent deletes a file on the host computer. detected — The Access Point detects a threat. isolate — Isolates an endpoint-protected computer. killProcess — Ends a process on an endpoint-protected computer. quarantineFile — Quarantines a file on an endpoint-protected computer. unblockAddress — Removes an IP address from the Blocked Sites list of the account. unIsolate — Unisolates an isolated computer. Example: blockAddress
actionId string	Unique identifier of the action. Example: 6a53f515f5994e0983df9e47444c1fc7
context string	Context type whether an incident status is updated or a new action is created. The possible values are action and statusChange. Example: action
newStatus string	The status of the incident. This can be one of these values: new - New incidents not yet reviewed. viewed - Reviewed incidents or incidents marked as read. archived - Incidents archived by an automation policy or manually archived. Example: new

Delete a Specific Comment

/{v1}/{accountId}/incidents/{incidentId}/comments/{commentId}

Deletes a specific comment for a specific incident.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

incidentId
string
REQUIRED

The ID of an incident.

Example: cg0f0s2h7skomt847f1g

commentId
string
REQUIRED

The ID of a comment.

Example: 6026c9e0e7fb44a39bd3ee540e37ef41

Example Request

This request deletes a comment for the specified incident:

curl -X DELETE https://api.usa.cloud.watchguard.com/rest/threatsync/management/v1/WGC-1-ac9d92c96cac4958b0ee/incidents/co2e4rlg92tuks1lelmg/comments/c568a7c737254d29b2976b63740fc6d3
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: AMYPsgsKmn/6tfkV2XBVFwdB9BvmHTEa/mP+fg+9'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

If the deletion succeeds, the API returns a 204 status code.