**Note:** This endpoint is legacy. Use the Get Alerts Multi-Events v2 endpoint.
Get a list of alerts with multiple events.

- Filters are concatenated using the AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based number of alerts from the start of the result set.

Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.
**Note:** You can send a request to retrieve either all or filtered results.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
Example request (filtered results):

```bash
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events" \
-d '{
  "request_data" : {
    "filters" : [ {
      "field" : "severity",
      "operator" : "in",
      "value" : [ "medium", "high" ]
    } ],
    "search_from" : 0,
    "search_to" : 5,
    "sort" : {
      "field" : "severity",
      "keyword" : "asc"
    }
  }
}'
```

Request body to retrieve all results (no filters):

```json
{"request_data":{}}
```
**field**: Identifies the alert field the filter is matching. Filters are based on the following keywords:

- `alert_id_list`: List of integers representing the Alert IDs.
- `alert_source`: List of strings representing the Alert sources.
- `severity`: List of strings representing the Alert severities.
- `creation_time`: Timestamp of the alert creation time.
- `server_creation_time`: Timestamp of when Cortex XDR created the alert.
- `external_id_list`: List of external IDs.
**operator**: Identifies the comparison operator you want to use for this filter. Valid keywords are:

- `in`: `alert_id_list`, `alert_source`, `severity`, and `external_id_list`.
- `gte` / `lte`: `creation_time`.
**value**: Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

- `creation_time`: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the `detection_timestamp` field, and represented in the console under the TIMESTAMP field.
- `alert_id_list`: Array of integers. Each item in the list must be an alert ID.
- `severity`: Valid values are `low`, `medium`, `high`, `critical`, `informational`.
- `external_id_list`: Array of strings.
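The following is an added example, not Cortex XDR's own client code, showing how a caller can enforce the request rules described above (AND-only filters, the 100-alert window, the per-field operator and value constraints) before sending anything, and how to page through a result set with `search_from`/`search_to`. The HTTP transport is injected as a function so the example runs offline against a constructed in-memory alert list; the response shape it reads (`reply.alerts`, `reply.total_count`), the `AlertApiError` class, the `fake_transport` stand-in, and the assumption that `server_creation_time` takes the same `gte`/`lte` operators as `creation_time` are all assumptions of this example and are not stated on the page.

```python
"""Added example (not Cortex XDR's own client code): validates filter clauses
and request bodies for the legacy get_alerts_multi_events endpoint and pages
through results. The transport is injected so the example runs offline."""
from typing import Any, Callable

# Limits and vocabulary taken from the endpoint description.
MAX_PAGE = 100
LIST_FIELDS = {"alert_id_list", "alert_source", "severity", "external_id_list"}
# Assumption: server_creation_time accepts the same gte/lte operators as creation_time.
TIME_FIELDS = {"creation_time", "server_creation_time"}
SEVERITIES = {"low", "medium", "high", "critical", "informational"}


class AlertApiError(Exception):
    """Hypothetical exception for the documented non-success responses."""


def make_filter(field: str, operator: str, value: Any) -> dict:
    """Validate one filter clause against the documented field/operator/value rules."""
    if field in LIST_FIELDS:
        if operator != "in":
            raise ValueError(f"{field} only supports the 'in' operator")
        if not isinstance(value, list) or not value:
            raise ValueError(f"{field} needs a non-empty list value")
        if field == "severity" and not set(value) <= SEVERITIES:
            raise ValueError(f"invalid severity in {value!r}")
        if field == "alert_id_list" and not all(isinstance(v, int) for v in value):
            raise ValueError("alert_id_list entries must be integers")
    elif field in TIME_FIELDS:
        if operator not in ("gte", "lte"):
            raise ValueError(f"{field} only supports gte/lte")
        if not isinstance(value, int) or value < 0:
            raise ValueError("timestamps are non-negative epoch seconds or milliseconds")
    else:
        raise ValueError(f"unsupported filter field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def build_request(filters, search_from: int = 0, search_to: int = MAX_PAGE, sort=None) -> dict:
    """Assemble the request body; the service ANDs all filters (no OR)."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("search_to must be greater than search_from, which must be >= 0")
    if search_to - search_from > MAX_PAGE:
        raise ValueError(f"result window cannot exceed {MAX_PAGE} alerts")
    data = {"filters": list(filters), "search_from": search_from, "search_to": search_to}
    if sort is not None:
        data["sort"] = sort
    return {"request_data": data}


def iter_alerts(post: Callable[[dict], tuple[int, dict]], filters, page_size: int = MAX_PAGE):
    """Walk the whole result set in windows of page_size using the zero-based offset.

    post(body) returns (http_status, parsed_json). Assumed response shape:
    {"reply": {"alerts": [...], "total_count": N}}.
    """
    offset = 0
    while True:
        status, payload = post(build_request(filters, offset, offset + page_size))
        if status != 200:
            # Documented failure classes: invalid JSON, bad credentials,
            # missing license, missing RBAC permission, server error.
            raise AlertApiError(f"HTTP {status}: {payload}")
        reply = payload.get("reply", {})
        alerts = reply.get("alerts", [])
        yield from alerts
        offset += len(alerts)
        if not alerts or offset >= reply.get("total_count", 0):
            return


def fake_transport(alerts: list[dict]) -> Callable[[dict], tuple[int, dict]]:
    """Constructed stand-in for the API: applies the severity filter and the
    search window to an in-memory list so the example runs without a tenant."""
    def post(body: dict) -> tuple[int, dict]:
        rd = body["request_data"]
        matched = alerts
        for f in rd["filters"]:
            if f["field"] == "severity":
                matched = [a for a in matched if a["severity"] in f["value"]]
        page = matched[rd["search_from"]:rd["search_to"]]
        return 200, {"reply": {"alerts": page, "total_count": len(matched)}}
    return post


def demo() -> list[int]:
    """Pull every medium/high alert from a constructed set of seven, three per page."""
    sample = [{"alert_id": i, "severity": s} for i, s in
              enumerate(["low", "high", "medium", "high", "informational", "medium", "high"], 1)]
    flt = [make_filter("severity", "in", ["medium", "high"])]
    return [a["alert_id"] for a in iter_alerts(fake_transport(sample), flt, page_size=3)]


if __name__ == "__main__":
    print(demo())  # [2, 3, 4, 6, 7]
```

Validating locally before the call means a bad operator/field pairing or an oversized window fails in the client rather than coming back as a Bad Request, and the paging loop advances the offset by the number of alerts actually received, so a short final page terminates the walk.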
**Responses**

- Successful response.
- Bad Request. Got an invalid JSON.
- Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
- Unauthorized access. User does not have the required license type to run this API.
- Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
- Internal server error. A unified status for API communication type errors.

Example error response body (the same example is given for each of the error responses above):

```json
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
```