Get all Alerts

Cortex XDR REST API

post /public_api/v1/alerts/get_alerts/

Get a list of alerts.

  • Filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set.

Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/alerts/get_alerts/" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "alert_id_list", "value": [ "", "" ], "operator": "in" },
        { "field": "alert_id_list", "value": [ "", "" ], "operator": "in" }
      ],
      "sort": { "field": "field", "keyword": "keyword" },
      "search_to": 6
    }
  }'
Request
Body
optional
If no parameters are included, all results will be returned.
Example: {"request_data":{}}
request_data
optional
filters
optional
Array
An array of filter fields.
field
required
String (Enum)

Identifies the alert field the filter is matching. Filters are based on the following keywords:

  • alert_id_list: List of integers representing the Alert IDs.
  • alert_source: List of strings representing the Alert sources.
  • severity: List of strings representing the Alert severities.
  • creation_time: Timestamp of the alert creation time.
Allowed values:
alert_id_list
alert_source
severity
creation_time
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords are:

  • in: alert_id_list, alert_source, and severity
  • gte / lte: creation_time
Allowed values:
in
gte
lte
value
required
Array of objects

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and represented in console under the TIMESTAMP field.
  • alert_id_list: Array of integers. Each item in the list must be an alert ID.
  • severity: Valid values are low, medium, high, critical, informational.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list; any alert indexed lower than this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list.
sort
optional
Identifies the sort order for the result set. By default the sort is defined as creation_time, desc.
field
optional
String
Identifies how to sort the result set, either according to severity or creation time.
keyword
required
String
Defines whether to sort the results in ascending (asc) or descending (desc) order.
Responses

Successful response

Body
reply
optional
total_count
optional
Integer
Number of total results of this filter without paging. If the filter returned 10,000 results or more, the value will be 9,999, and you can use paging to view the entire set of data.
result_count
optional
Integer
Number of alerts actually returned in the result.
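An added example (not Palo Alto Networks code) showing how the request parameters above fit together: it builds a filtered request body, enforces the 100-alert window, and pages through a result set without trusting a total_count that saturates at 9,999. The HTTPS call is replaced by a constructed in-memory transport (fake_transport, SAMPLE) so it runs offline; authentication headers are out of scope here.

```python
"""Build get_alerts request bodies and page through results (added example)."""
from typing import Callable, Dict, Iterator, List, Optional

PAGE_MAX = 100      # documented maximum result set size per call
TOTAL_CAP = 9_999   # total_count never reports more than this


def build_request(search_from: int = 0, search_to: int = PAGE_MAX,
                  filters: Optional[List[Dict]] = None,
                  sort_field: str = "creation_time", sort_keyword: str = "desc") -> Dict:
    """Return the JSON body for POST /public_api/v1/alerts/get_alerts/."""
    if search_to <= search_from or search_to - search_from > PAGE_MAX:
        raise ValueError("window must cover 1 to 100 alerts")
    body = {"search_from": search_from, "search_to": search_to,
            "sort": {"field": sort_field, "keyword": sort_keyword}}
    if filters:
        body["filters"] = filters          # combined with AND by the API
    return {"request_data": body}


def severity_filter(*levels: str) -> Dict:
    return {"field": "severity", "operator": "in", "value": list(levels)}


def since_filter(epoch_ms: int) -> Dict:
    return {"field": "creation_time", "operator": "gte", "value": epoch_ms}


def iter_alerts(post: Callable[[Dict], Dict], filters: List[Dict]) -> Iterator[Dict]:
    """Yield every matching alert; `post` sends a body and returns the reply."""
    offset = 0
    while True:
        reply = post(build_request(offset, offset + PAGE_MAX, filters))["reply"]
        alerts = reply.get("alerts", [])
        yield from alerts
        offset += len(alerts)
        # total_count caps at 9,999, so stop on a short page instead of on it
        if reply["result_count"] < PAGE_MAX:
            return


def fake_transport(alerts: List[Dict]) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the HTTPS call: applies the filters and pages."""
    def post(body: Dict) -> Dict:
        rd = body["request_data"]
        rows = alerts
        for f in rd.get("filters", []):
            if f["field"] == "severity":
                rows = [a for a in rows if a["severity"] in f["value"]]
            elif f["field"] == "creation_time" and f["operator"] == "gte":
                rows = [a for a in rows if a["detection_timestamp"] >= f["value"]]
        page = rows[rd["search_from"]:rd["search_to"]]
        return {"reply": {"total_count": min(len(rows), TOTAL_CAP),
                          "result_count": len(page), "alerts": page}}
    return post


SAMPLE = [{"alert_id": str(i), "severity": "high" if i % 3 else "low",
           "detection_timestamp": 1_700_000_000_000 + i * 1000}
          for i in range(250)]   # constructed sample alerts, not real data
```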
alerts
optional
Array
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
Integer
local_insert_ts
optional
Integer
bioc_indicator
optional
Object
matching_service_rule_id
optional
Object
attempt_counter
optional
Integer
bioc_category_enum_key
optional
Object
is_whitelisted
optional
Boolean
starred
optional
Boolean
deduplicate_tokens
optional
Object
filter_rule_id
optional
Object
mitre_technique_id_and_name
optional
Array of strings
mitre_tactic_id_and_name
optional
Array of strings
agent_version
optional
String
agent_device_domain
optional
Object
agent_fqdn
optional
String
agent_os_type
optional
String
agent_os_sub_type
optional
String
agent_data_collection_status
optional
Boolean
mac
optional
Object
mac_address
optional
Array of strings
agent_is_vdi
optional
Object
contains_featured_host
optional
Boolean
contains_featured_user
optional
Boolean
contains_featured_ip
optional
Boolean
events
optional
Array
agent_install_type
optional
String
agent_host_boot_time
optional
Object
event_sub_type
optional
Object
module_id
optional
String
association_strength
optional
Object
dst_association_strength
optional
Object
story_id
optional
Object
event_id
optional
Object
event_type
optional
String
event_timestamp
optional
Integer
actor_process_instance_id
optional
String
actor_process_image_path
optional
String
actor_process_image_name
optional
String
actor_process_command_line
optional
String
actor_process_signature_status
optional
String
actor_process_signature_vendor
optional
Object
actor_process_image_sha256
optional
String
actor_process_image_md5
optional
Object
actor_process_causality_id
optional
Object
actor_causality_id
optional
Object
actor_process_os_pid
optional
String
actor_thread_thread_id
optional
Object
causality_actor_process_image_name
optional
Object
causality_actor_process_command_line
optional
Object
causality_actor_process_image_path
optional
Object
causality_actor_process_signature_vendor
optional
Object
causality_actor_process_signature_status
optional
String
causality_actor_causality_id
optional
Object
causality_actor_process_execution_time
optional
Object
causality_actor_process_image_md5
optional
Object
causality_actor_process_image_sha256
optional
Object
action_file_path
optional
Object
action_file_name
optional
Object
action_file_md5
optional
Object
action_file_sha256
optional
Object
action_file_macro_sha256
optional
Object
action_registry_data
optional
Object
action_registry_key_name
optional
Object
action_registry_value_name
optional
Object
action_registry_full_key
optional
Object
action_local_ip
optional
Object
action_local_port
optional
Object
action_remote_ip
optional
Object
action_remote_port
optional
Object
action_external_hostname
optional
Object
action_country
optional
String
action_process_instance_id
optional
Object
action_process_causality_id
optional
Object
action_process_image_name
optional
Object
action_process_image_sha256
optional
Object
action_process_image_command_line
optional
Object
action_process_signature_status
optional
String
action_process_signature_vendor
optional
Object
os_actor_effective_username
optional
Object
os_actor_process_instance_id
optional
Object
os_actor_process_image_path
optional
Object
os_actor_process_image_name
optional
Object
os_actor_process_command_line
optional
Object
os_actor_process_signature_status
optional
String
os_actor_process_signature_vendor
optional
Object
os_actor_process_image_sha256
optional
Object
os_actor_process_causality_id
optional
Object
os_actor_causality_id
optional
Object
os_actor_process_os_pid
optional
Object
os_actor_thread_thread_id
optional
Object
fw_app_id
optional
Object
fw_interface_from
optional
Object
fw_interface_to
optional
Object
fw_rule
optional
Object
fw_rule_id
optional
Object
fw_device_name
optional
Object
fw_serial_number
optional
Object
fw_url_domain
optional
Object
fw_email_subject
optional
Object
fw_email_sender
optional
Object
fw_email_recipient
optional
Object
fw_app_subcategory
optional
Object
fw_app_category
optional
Object
fw_app_technology
optional
Object
fw_vsys
optional
Object
fw_xff
optional
Object
fw_misc
optional
Object
fw_is_phishing
optional
String
dst_agent_id
optional
Object
dst_causality_actor_process_execution_time
optional
Object
dns_query_name
optional
Object
dst_action_external_hostname
optional
Object
dst_action_country
optional
Object
dst_action_external_port
optional
Object
user_name
optional
Object
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
category
optional
String
endpoint_id
optional
String
description
optional
String
host_ip
optional
Array of strings
host_name
optional
String
source
optional
String
action
optional
String
action_pretty
optional
String

Bad Request. Got an invalid JSON.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Unauthorized access. User does not have the required license type to run this API.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Internal server error. A unified status for API communication type errors.