Get all Alerts

Cortex XDR REST API

post /public_api/v1/alerts/get_alerts_multi_events

Get a list of alerts with multiple events.

  • Filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set.

Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XSIAM Enterprise or Cortex XSIAM Enterprise Plus

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events" \
  -d '{
    "request_data": {
      "filters": [
        { "field": "severity", "operator": "in", "value": ["medium", "high"] }
      ],
      "search_from": 0,
      "search_to": 5,
      "sort": { "field": "severity", "keyword": "asc" }
    }
  }'
Request
Body
optional
If no parameters are included, all results will be returned.
Example: {"request_data":{}}
request_data
optional
filters
optional
Array
An array of filter fields.
field
required
String (Enum)

Identifies the alert field the filter is matching. Filters are based on the following keywords:

  • alert_id_list: List of integers representing the Alert IDs.
  • alert_source: List of strings representing the Alert sources.
  • severity: List of strings representing the Alert severities.
  • creation_time: Timestamp of the alert creation time.
  • server_creation_time: Timestamp of when Cortex XDR created the alert.
  • external_id_list: List of external IDs.
Allowed values:
alert_id_list
alert_source
severity
creation_time
server_creation_time
external_id_list
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords are:

  • in: alert_id_list, alert_source, severity, and external_id_list.
  • gte / lte: creation_time.
Allowed values:
in
gte
lte
value
required
Array of objects

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and is shown in the console under the TIMESTAMP field.
  • alert_id_list: Array of integers. Each item in the list must be an alert ID.
  • severity: Valid values are low, medium, high, critical, informational.
  • external_id_list: Array of strings.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list; any alert indexed lower than this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want alerts returned. Alerts indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list.
sort
optional
Identifies the sort order for the result set. By default the sort is defined as creation_time, desc.
field
optional
String (Enum)
Identifies how to sort the result set, either according to severity or creation time.
Allowed values:
severity
creation_time
keyword
required
String (Enum)
Defines whether to sort the results in ascending (asc) or descending (desc) order.
Allowed values:
asc
desc
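The request shape and paging rules above (ANDed filters, the documented field/operator pairings, a 100-alert page limit and a total_count that saturates at 9,999) as an added Python example; this is not Palo Alto Networks code. It assumes the caller supplies a `post(path, body)` transport that already handles authentication and returns the decoded JSON body with the fields documented under Responses; `make_fake_post` is a constructed offline stand-in for it.

```python
"""Build get_alerts_multi_events requests and page through the result set."""
from typing import Any, Callable, Iterator

PAGE_SIZE = 100          # maximum result set size per call
TOTAL_COUNT_CAP = 9999   # total_count saturates here for 10,000 or more matches
ENDPOINT = "/public_api/v1/alerts/get_alerts_multi_events"
OPERATORS_BY_FIELD = {   # field/operator pairings documented for this API
    "alert_id_list": {"in"}, "alert_source": {"in"}, "severity": {"in"},
    "external_id_list": {"in"}, "creation_time": {"gte", "lte"},
    "server_creation_time": {"gte", "lte"},  # assumption: operators not stated on the page
}
PostFn = Callable[[str, dict[str, Any]], dict[str, Any]]


def make_filter(field: str, operator: str, value: Any) -> dict[str, Any]:
    """Reject field/operator combinations the API would not accept."""
    if operator not in OPERATORS_BY_FIELD.get(field, set()):
        raise ValueError(f"operator {operator!r} is not valid for field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def build_request(filters, search_from=0, search_to=PAGE_SIZE,
                  sort_field="creation_time", sort_order="desc") -> dict[str, Any]:
    """Filters are ANDed by the API; one page may not exceed PAGE_SIZE alerts."""
    if not 0 < search_to - search_from <= PAGE_SIZE:
        raise ValueError("search_to - search_from must be between 1 and 100")
    return {"request_data": {"filters": list(filters), "search_from": search_from,
            "search_to": search_to, "sort": {"field": sort_field, "keyword": sort_order}}}


def iter_alerts(post: PostFn, filters, **sort) -> Iterator[dict[str, Any]]:
    """Walk the whole result set in PAGE_SIZE steps and stop on a short page.
    Using result_count instead of total_count keeps this correct even when
    total_count is capped at TOTAL_COUNT_CAP."""
    offset = 0
    while True:
        body = post(ENDPOINT, build_request(filters, offset, offset + PAGE_SIZE, **sort))
        alerts = body.get("alerts") or []
        yield from alerts
        if body.get("result_count", len(alerts)) < PAGE_SIZE:
            return
        offset += PAGE_SIZE


def make_fake_post(total: int) -> tuple[PostFn, list[int]]:
    """Constructed offline stand-in: serves `total` synthetic alerts by offset."""
    calls: list[int] = []
    def post(path: str, body: dict[str, Any]) -> dict[str, Any]:
        rd = body["request_data"]
        calls.append(rd["search_from"])
        page = [{"alert_id": str(i), "severity": "high"} for i in range(total)]
        page = page[rd["search_from"]:rd["search_to"]]
        return {"total_count": min(total, TOTAL_COUNT_CAP),
                "result_count": len(page), "alerts": page}
    return post, calls
```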
Responses

Successful response

Body
total_count
optional
Integer
Total number of results matching this filter without paging. If the filter matched 10,000 results or more, the value will be 9,999, and you can use paging to view the entire set of data.
result_count
optional
Integer
Number of alerts actually returned in the result.
alerts
optional
Array
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
Integer
local_insert_ts
optional
Integer
bioc_indicator
optional
String
matching_service_rule_id
optional
String
attempt_counter
optional
Integer
bioc_category_enum_key
optional
String
is_whitelisted
optional
Boolean
starred
optional
Boolean
deduplicate_tokens
optional
String
filter_rule_id
optional
String
mitre_technique_id_and_name
optional
Array of strings
mitre_tactic_id_and_name
optional
Array of strings
agent_version
optional
String
agent_device_domain
optional
String
agent_fqdn
optional
String
agent_os_type
optional
String
agent_os_sub_type
optional
String
agent_data_collection_status
optional
Boolean
mac
optional
String
mac_address
optional
Array of strings
agent_is_vdi
optional
Boolean
contains_featured_host
optional
String (Enum)
Allowed values:
YES
NO
contains_featured_user
optional
String (Enum)
Allowed values:
YES
NO
contains_featured_ip
optional
String (Enum)
Allowed values:
YES
NO
events
optional
Array
agent_install_type
optional
String
agent_host_boot_time
optional
Integer
event_sub_type
optional
String
module_id
optional
String
association_strength
optional
String
dst_association_strength
optional
String
story_id
optional
String
event_id
optional
String
event_type
optional
String
event_timestamp
optional
Integer
actor_process_instance_id
optional
String
actor_process_image_path
optional
String
actor_process_image_name
optional
String
actor_process_command_line
optional
String
actor_process_signature_status
optional
String
actor_process_signature_vendor
optional
String
actor_process_image_sha256
optional
String
actor_process_image_md5
optional
String
actor_process_causality_id
optional
String
actor_causality_id
optional
String
actor_process_os_pid
optional
String
actor_thread_thread_id
optional
String
causality_actor_process_image_name
optional
String
causality_actor_process_command_line
optional
String
causality_actor_process_image_path
optional
String
causality_actor_process_signature_vendor
optional
String
causality_actor_process_signature_status
optional
String
causality_actor_causality_id
optional
String
causality_actor_process_execution_time
optional
Integer
causality_actor_process_image_md5
optional
String
causality_actor_process_image_sha256
optional
String
action_file_path
optional
String
action_file_name
optional
String
action_file_md5
optional
String
action_file_sha256
optional
String
action_file_macro_sha256
optional
String
action_registry_data
optional
String
action_registry_key_name
optional
String
action_registry_value_name
optional
String
action_registry_full_key
optional
String
action_local_ip
optional
String
action_local_port
optional
String
action_remote_ip
optional
String
action_remote_port
optional
String
action_external_hostname
optional
String
action_country
optional
String
action_process_instance_id
optional
String
action_process_causality_id
optional
String
action_process_image_name
optional
String
action_process_image_sha256
optional
String
action_process_image_command_line
optional
String
action_process_signature_status
optional
String
action_process_signature_vendor
optional
String
os_actor_effective_username
optional
String
os_actor_process_instance_id
optional
String
os_actor_process_image_path
optional
String
os_actor_process_image_name
optional
String
os_actor_process_command_line
optional
String
os_actor_process_signature_status
optional
String
os_actor_process_signature_vendor
optional
String
os_actor_process_image_sha256
optional
String
os_actor_process_causality_id
optional
String
os_actor_causality_id
optional
String
os_actor_process_os_pid
optional
String
os_actor_thread_thread_id
optional
String
fw_app_id
optional
String
fw_interface_from
optional
String
fw_interface_to
optional
String
fw_rule
optional
String
fw_rule_id
optional
String
fw_device_name
optional
String
fw_serial_number
optional
Integer
fw_url_domain
optional
String
fw_email_subject
optional
String
fw_email_sender
optional
String
fw_email_recipient
optional
String
fw_app_subcategory
optional
String
fw_app_category
optional
String
fw_app_technology
optional
String
fw_vsys
optional
String
fw_xff
optional
String
fw_misc
optional
String
fw_is_phishing
optional
String
dst_agent_id
optional
String
dst_causality_actor_process_execution_time
optional
Integer
dns_query_name
optional
String
dst_action_external_hostname
optional
String
dst_action_country
optional
String
dst_action_external_port
optional
String
user_name
optional
String
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
category
optional
String
endpoint_id
optional
String
description
optional
String
host_ip
optional
Array of strings
host_name
optional
String
source
optional
String
action
optional
String
action_pretty
optional
String
malicious_urls
optional
Array of strings
Malicious URL/s that have been detected in the destination or content of the accessed web page.

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.