
EDR Incidents Resource API limitation


Article ID: 240054


Products

Endpoint Detection and Response

Issue/Introduction

A query against the EDR Incidents Resource API does not return all of the incidents that an export from the EDR GUI contains.

Cause

By default the EDR Incidents Resource API (/atpapi/v2/incidents) limits the output to the last 30 days if neither start_time nor end_time is specified.

For security reasons, the time range of a single query cannot be greater than 30 days.

As a workaround, query EDR over consecutive time ranges of at most 30 days each and concatenate the results into a single output file.
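The workaround above, as an added example that is not part of this article or Symantec's own code: the span to export is cut into contiguous windows of at most 30 days, each window is queried (following the response's paging token), and the pages are concatenated while dropping any incident seen twice. The request body (a POST carrying verb, start_time, end_time, limit and a next token), the response shape (a result list plus an optional next token), the uuid field used for de-duplication, the timestamp format and the bearer-token header are all assumptions to be checked against the API portal before use.

```python
"""Export EDR incidents across a span longer than the 30-day per-query cap.

Added example, not Symantec's code. Assumed (verify against the API portal):
  - POST <base>/atpapi/v2/incidents with JSON {"verb": "query", "limit",
    "start_time", "end_time"} and, for later pages, "next";
  - the response is JSON with a "result" list and an optional "next" token;
  - incidents carry a "uuid" field usable for de-duplication;
  - timestamps are ISO 8601 with milliseconds and a Z suffix;
  - a bearer token has already been obtained and is passed in.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

MAX_WINDOW = timedelta(days=30)  # per the article: one query may not span more than 30 days


def fmt_ts(t: datetime) -> str:
    """Assumed timestamp format: 2023-01-01T00:00:00.000Z."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def split_windows(start: datetime, end: datetime,
                  width: timedelta = MAX_WINDOW) -> List[Tuple[datetime, datetime]]:
    """Cut [start, end) into contiguous half-open windows no longer than `width`.

    Contiguous windows mean nothing between start and end is skipped; if the
    service treats end_time as inclusive, a boundary incident may appear in two
    adjacent windows, which fetch_incidents() removes by key.
    """
    if end <= start:
        raise ValueError("end must be after start")
    windows = []
    cur = start
    while cur < end:
        nxt = min(cur + width, end)
        windows.append((cur, nxt))
        cur = nxt
    return windows


def fetch_incidents(start: datetime, end: datetime,
                    query: Callable[[Dict], Dict],
                    limit: int = 100, key: str = "uuid") -> List[Dict]:
    """Query every window, follow the assumed `next` paging token, and return
    the concatenated incidents with duplicates (same `key`) dropped."""
    seen = set()
    out: List[Dict] = []
    for w_start, w_end in split_windows(start, end):
        body = {"verb": "query", "limit": limit,
                "start_time": fmt_ts(w_start), "end_time": fmt_ts(w_end)}
        while True:
            resp = query(body)
            for inc in resp.get("result", []):
                k = inc.get(key)
                if k is not None:
                    if k in seen:
                        continue
                    seen.add(k)
                out.append(inc)
            nxt = resp.get("next")
            if not nxt:
                break
            body = dict(body, next=nxt)  # assumed: token goes back in the body
    return out


def http_query(base_url: str, token: str) -> Callable[[Dict], Dict]:
    """Build a query callable that POSTs to the assumed incidents endpoint."""
    url = base_url.rstrip("/") + "/atpapi/v2/incidents"

    def _query(body: Dict) -> Dict:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=60) as r:
            return json.load(r)
    return _query


if __name__ == "__main__":
    import os
    # Hypothetical environment variables; the span below is 90 days, so three queries are issued.
    q = http_query(os.environ["EDR_URL"], os.environ["EDR_TOKEN"])
    end = datetime.now(timezone.utc)
    incidents = fetch_incidents(end - timedelta(days=90), end, q)
    with open("incidents.json", "w") as f:
        json.dump(incidents, f)
    print(f"wrote {len(incidents)} incidents to incidents.json")
```

The query callable is injected so the windowing and paging logic can be exercised against a stub without a live appliance; swap in http_query() once the request and response fields have been confirmed against the portal documentation.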


Resolution

EDR is working as designed. Refer to the API portal for further details:
https://apidocs.securitycloud.symantec.com/#