Get Alerts Multi-Events v2

Cortex XDR REST API

post /public_api/v2/alerts/get_alerts_multi_events

Get a list of alerts with multiple events.
- Filter conditions are combined with an AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of alerts from the start of the result set.

The API response indicates whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v2/alerts/get_alerts_multi_events" \
  -d '{ "request_data" : { } }'
Request
Body
optional
Example: {"request_data":{"filters":[{"field":"severity","operator":"in","value":["medium","high"]}]}}
request_data
required

A dictionary containing the API request fields.

An empty dictionary returns all results.

filters
optional
Array of filter fields.
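Added example (not Palo Alto Networks' code) showing how a client pages through this endpoint 100 alerts at a time using the filter shape from the example above, stops on a short page rather than on the capped total_count, and collects the alert IDs flagged is_pcap for a follow-up Retrieve PCAP Packet call. The search_from/search_to offset fields and the x-xdr-auth-id/Authorization headers are assumed from the other Cortex XDR alert APIs, and constructed_post is a constructed offline stand-in for the service.

```python
"""Paging client for get_alerts_multi_events v2 (added example, not Palo Alto
Networks' code). Assumes the search_from/search_to offset fields and the
x-xdr-auth-id/Authorization headers used by the other Cortex XDR alert APIs."""
import json
import urllib.request

ENDPOINT = "/public_api/v2/alerts/get_alerts_multi_events"
PAGE_SIZE, TOTAL_CAP = 100, 9999  # max page size; cap applied to total_count

def build_request(filters=None, offset=0):
    """Filters are ANDed server-side; offset is zero-based (field names assumed)."""
    request_data = {"search_from": offset, "search_to": offset + PAGE_SIZE}
    if filters:
        request_data["filters"] = filters
    return {"request_data": request_data}

def make_poster(fqdn, api_key_id, api_key):
    """post(body) -> reply dict for a live tenant (standard-key headers assumed)."""
    def post(body):
        req = urllib.request.Request(
            f"https://{fqdn}{ENDPOINT}", data=json.dumps(body).encode(), method="POST",
            headers={"Accept": "application/json", "Content-Type": "application/json",
                     "x-xdr-auth-id": str(api_key_id), "Authorization": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["reply"]
    return post

def fetch_all_alerts(post, filters=None):
    """Walks the result set 100 at a time; a short page ends the loop, because
    total_count is capped at 9,999 and cannot be trusted as a stop condition."""
    alerts, offset = [], 0
    while True:
        page = post(build_request(filters, offset)).get("alerts") or []
        alerts.extend(page)
        if len(page) < PAGE_SIZE:
            return alerts
        offset += PAGE_SIZE

def pcap_alert_ids(alerts):
    """PAN NGFW alerts flagged is_pcap, for a follow-up Retrieve PCAP Packet call."""
    return [a["alert_id"] for a in alerts if a.get("is_pcap")]

def constructed_post(body, total=12500):
    """Offline stand-in for the API: constructed alerts, total_count capped like the real one."""
    s, e = body["request_data"]["search_from"], body["request_data"]["search_to"]
    page = [{"alert_id": f"a{i}", "is_pcap": i % 1000 == 0} for i in range(s, min(e, total))]
    return {"total_count": min(total, TOTAL_CAP), "result_count": len(page), "alerts": page}

if __name__ == "__main__":
    found = fetch_all_alerts(constructed_post, filters=[{"field": "severity", "operator": "in", "value": ["high"]}])
    print(len(found), pcap_alert_ids(found))  # 12500 alerts; 13 PCAP ids
```

For a live tenant, replace constructed_post with make_poster("api-yourfqdn", key_id, key); the response schema (alerts, result_count, total_count) is the one documented below.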
Responses

OK

Body
reply
optional
JSON object containing the query result.
total_count
optional
Integer
The total number of results matched by this filter, without paging. If the filter matches more than 9,999 results, total_count is returned as 9,999. Use paging to view the entire set of data.
result_count
optional
Integer
The number of alerts actually returned as results.
alerts
optional
Array
A list of alerts.
agent_os_sub_type
optional
String
fw_app_category
optional
Object
fw_app_id
optional
Object
fw_app_subcategory
optional
Object
fw_app_technology
optional
Object
category
optional
String
causality_actor_process_command_line
optional
Array of strings
causality_actor_process_image_md5
optional
Array of strings
causality_actor_process_image_name
optional
Array of strings
causality_actor_process_image_path
optional
Array of strings
causality_actor_process_image_sha256
optional
Array of strings
causality_actor_process_signature_status
optional
Array of strings
causality_actor_process_signature_vendor
optional
Array of strings
causality_actor_causality_id
optional
Array of strings
identity_sub_type
optional
Object
identity_type
optional
Object
operation_name
optional
Object
project
optional
Object
cloud_provider
optional
Object
referenced_resource
optional
Object
resource_sub_type
optional
Object
resource_type
optional
Object
cluster_name
optional
Object
container_id
optional
Object
contains_featured_host
optional
Array of strings
contains_featured_ip
optional
Array of strings
contains_featured_user
optional
Array of strings
action_country
optional
Array of strings
description
optional
String
fw_interface_to
optional
Object
dns_query_name
optional
Object
agent_device_domain
optional
Object
fw_email_recipient
optional
Object
fw_email_sender
optional
Object
fw_email_subject
optional
Object
event_type
optional
Array of strings
is_whitelisted
optional
Boolean
action_file_macro_sha256
optional
Object
action_file_md5
optional
Object
action_file_name
optional
Object
action_file_path
optional
Object
action_file_sha256
optional
Object
fw_device_name
optional
Object
fw_rule_id
optional
Object
fw_rule
optional
Object
fw_serial_number
optional
Object
agent_fqdn
optional
Object
agent_os_type
optional
String
image_name
optional
Object
actor_process_image_name
optional
Array of strings
actor_process_command_line
optional
Array of strings
actor_process_image_md5
optional
Array of strings
actor_process_image_path
optional
Array of strings
actor_process_os_pid
optional
Array of integers
actor_process_image_sha256
optional
Array of strings
actor_process_signature_status
optional
Array of strings
actor_process_signature_vendor
optional
Array of strings
actor_thread_thread_id
optional
Array of integers
fw_is_phishing
optional
Array of strings
action_local_ip
optional
Object
action_local_port
optional
Object
fw_misc
optional
Object
mitre_tactic_id_and_name
optional
Array of strings
mitre_technique_id_and_name
optional
Array of strings
module_id
optional
Object
fw_vsys
optional
Object
os_actor_process_command_line
optional
Array of strings
os_actor_thread_thread_id
optional
Array of integers
os_actor_process_image_name
optional
Array of strings
os_actor_process_os_pid
optional
Array of integers
os_actor_process_image_sha256
optional
Array of strings
os_actor_process_signature_status
optional
Array of strings
os_actor_process_signature_vendor
optional
Array of strings
os_actor_effective_username
optional
Object
action_process_signature_status
optional
Array of strings
action_process_signature_vendor
optional
Object
action_registry_data
optional
Object
action_registry_full_key
optional
Object
action_external_hostname
optional
Object
action_remote_ip
optional
Object
action_remote_port
optional
Object
matching_service_rule_id
optional
String
fw_interface_from
optional
Object
starred
optional
Boolean
action_process_image_command_line
optional
Object
action_process_image_name
optional
Object
action_process_image_sha256
optional
Object
fw_url_domain
optional
Object
user_agent
optional
Object
fw_xff
optional
Object
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
Object
local_insert_ts
optional
Integer
last_modified_ts
optional
Object
bioc_indicator
optional
Object
attempt_counter
optional
Integer
bioc_category_enum_key
optional
Object
case_id
optional
Integer
deduplicate_tokens
optional
Object
filter_rule_id
optional
Object
agent_version
optional
String
agent_ip_addresses_v6
optional
Object
agent_data_collection_status
optional
Object
agent_is_vdi
optional
Boolean
agent_install_type
optional
String
agent_host_boot_time
optional
Array of integers
event_sub_type
optional
Array of integers
association_strength
optional
Array of integers
dst_association_strength
optional
Object
story_id
optional
Object
event_id
optional
Array of strings
event_timestamp
optional
Array of integers
actor_process_instance_id
optional
Array of strings
actor_process_causality_id
optional
Array of strings
actor_causality_id
optional
Array of strings
causality_actor_process_execution_time
optional
Array of integers
action_registry_key_name
optional
Object
action_registry_value_name
optional
Object
action_local_ip_v6
optional
Object
action_remote_ip_v6
optional
Object
action_process_instance_id
optional
Object
action_process_causality_id
optional
Object
os_actor_process_instance_id
optional
Array of strings
os_actor_process_image_path
optional
Array of strings
os_actor_process_causality_id
optional
Array of strings
os_actor_causality_id
optional
Object
dst_agent_id
optional
Array of strings
dst_causality_actor_process_execution_time
optional
Object
dst_action_external_hostname
optional
Object
dst_action_country
optional
Object
dst_action_external_port
optional
Object
is_pcap
optional
Boolean
alert_type
optional
String
resolution_status
optional
String
resolution_comment
optional
Object
dynamic_fields
optional
Object
tags
optional
Array of strings
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
endpoint_id
optional
String
host_ip
optional
Array of strings
host_name
optional
String
action
optional
String
original_tags
optional
Array of strings
user_name
optional
Array of strings
mac_addresses
optional
Object
source
optional
Object
action_pretty
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.