Get all Alerts

Cortex XDR REST API

post /public_api/v1/alerts/get_alerts

Get a list of all or filtered alerts. The alerts listed are what remains after alert exclusions are applied by Cortex XDR.

  • Filters are combined using an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set. The response indicates whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Request headers
Authorization
String
required

{api_key}

Example: authorization_example
x-xdr-auth-id
String
required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding
String

For retrieving a compressed gzipped response

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
# Placeholders: authorization_example is the API key, xXdrAuthId_example the key ID.
# Keep real values out of the command line / shell history (e.g. expand them from
# environment variables). Continuation backslashes join the command into one line.
# --compressed makes curl send its own Accept-Encoding and decode a gzip body itself.
# The body is the minimal documented request (see REQUEST below).
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  --compressed \
  'https://api-yourfqdn/public_api/v1/alerts/get_alerts' \
  -d '{"request_data":{}}'
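import http.client
import json

# Placeholders. Load the real key and key ID from an environment variable or a
# secret store; never embed them in source.
API_KEY = "SOME_STRING_VALUE"
API_KEY_ID = "SOME_STRING_VALUE"

# Documented example request body (see REQUEST below): severity filter, first
# five results, sorted by severity ascending. The generator's body used
# "alert_id_list" with the value "string", which the schema rejects because
# alert_id_list takes an array of integer alert IDs.
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "severity", "operator": "in", "value": ["medium", "high"]}
        ],
        "search_from": 0,
        "search_to": 5,
        "sort": {"field": "severity", "keyword": "asc"},
    }
})

headers = {
    "Authorization": API_KEY,
    "x-xdr-auth-id": API_KEY_ID,
    # Accept-Encoding is optional and deliberately not set: http.client does not
    # decompress, so a gzip response would have to be decoded with the gzip module.
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate by default; do not pass an
# unverified SSL context.
conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/alerts/get_alerts", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()  # the generated sample never released the connection

# 400/401/403/500 are documented error responses; the body is only an alert
# list on 200, so do not print an error body as if it were results.
if res.status != 200:
    raise RuntimeError("get_alerts failed: HTTP {} {}: {}".format(
        res.status, res.reason, data.decode("utf-8", "replace")))
print(data.decode("utf-8"))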
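require 'uri'
require 'net/http'
require 'openssl'
require 'json'

url = URI("https://api-yourfqdn/public_api/v1/alerts/get_alerts")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# VERIFY_PEER checks the server certificate against the trust store. The
# generated sample used VERIFY_NONE, which accepts any certificate and would
# hand the API key to anyone able to intercept the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Placeholders: read the key and key ID from ENV or a secret store, never commit them.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# Accept-Encoding is left to Net::HTTP, which requests gzip and decompresses the
# body itself; setting the header by hand turns that decompression off.

# Documented example request body (see REQUEST below). The generator's body used
# "alert_id_list" with the value "string"; that filter takes an array of integers.
request.body = JSON.generate(
  "request_data" => {
    "filters" => [
      { "field" => "severity", "operator" => "in", "value" => ["medium", "high"] }
    ],
    "search_from" => 0,
    "search_to" => 5,
    "sort" => { "field" => "severity", "keyword" => "asc" }
  }
)

response = http.request(request)
# 400/401/403/500 are documented error responses; only a 200 body is an alert list.
unless response.is_a?(Net::HTTPSuccess)
  abort "get_alerts failed: HTTP #{response.code} #{response.message}: #{response.body}"
end
puts response.body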
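// Documented example request body (see REQUEST below): severity filter, first five
// results, sorted by severity ascending. The generator's body used "alert_id_list"
// with the value "string"; that filter takes an array of integer alert IDs.
const data = JSON.stringify({
  "request_data": {
    "filters": [
      { "field": "severity", "operator": "in", "value": ["medium", "high"] }
    ],
    "search_from": 0,
    "search_to": 5,
    "sort": { "field": "severity", "keyword": "asc" }
  }
});

const xhr = new XMLHttpRequest();
// Authentication is header-based (API key + key ID), so cookies are not involved
// and withCredentials is not needed.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  // 400/401/403/500 are documented error responses; only a 200 body is an alert list.
  if (this.status !== 200) {
    console.error("get_alerts failed: HTTP " + this.status + ": " + this.responseText);
    return;
  }
  console.log(this.responseText);
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/alerts/get_alerts");
// Placeholders. An API key shipped inside browser JavaScript is readable by every
// user of the page; call this endpoint from a server-side component that holds the key.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
// Accept-Encoding is a browser-managed request header: setRequestHeader ignores it,
// and the browser negotiates and decompresses gzip on its own.
xhr.send(data);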
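// Documented example request body (see REQUEST below): severity filter, first five
// results, sorted by severity ascending. The generator's body used "alert_id_list"
// with the value "string"; that filter takes an array of integer alert IDs.
String body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],"
        + "\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/alerts/get_alerts")
        // Placeholders: load the key and key ID from configuration or a secret store, never hard-code them.
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        // Accept-Encoding is optional and omitted so the client library's own content negotiation applies.
        .body(body)
        .asString();

// Unirest does not throw on 4xx/5xx. 400/401/403/500 are documented error responses;
// the body is only an alert list on 200.
if (response.getStatus() != 200) {
    throw new IllegalStateException("get_alerts failed: HTTP " + response.getStatus() + ": " + response.getBody());
}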
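import Foundation

// Placeholders: load the key and key ID from the keychain or another secure store
// rather than hard-coding them.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "content-type": "application/json"
]

// Documented example request body (see REQUEST below): severity filter, first five
// results, sorted by severity ascending. The generator's body used "alert_id_list"
// with the value "string"; that filter takes an array of integer alert IDs.
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            ["field": "severity", "operator": "in", "value": ["medium", "high"]] as [String: Any]
        ],
        "search_from": 0,
        "search_to": 5,
        "sort": ["field": "severity", "keyword": "asc"]
    ] as [String: Any]
]

// JSONSerialization.data(withJSONObject:) throws; the generated sample omitted `try`
// and does not compile. At top level an error terminates the script.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/alerts/get_alerts")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession validates the server certificate and negotiates/decompresses gzip
// itself, so Accept-Encoding is not set by hand.
let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print("get_alerts request error: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("get_alerts: non-HTTP response")
        return
    }
    // 400/401/403/500 are documented error responses; only a 200 body is an alert list.
    guard httpResponse.statusCode == 200 else {
        print("get_alerts failed: HTTP \(httpResponse.statusCode)")
        return
    }
    if let data = data, let text = String(data: data, encoding: .utf8) {
        print(text)
    }
}
dataTask.resume()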
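<?php
// Documented example request body (see REQUEST below): severity filter, first five
// results, sorted by severity ascending. The generator's body used "alert_id_list"
// with the value "string"; that filter takes an array of integer alert IDs.
$body = json_encode([
    "request_data" => [
        "filters" => [
            ["field" => "severity", "operator" => "in", "value" => ["medium", "high"]],
        ],
        "search_from" => 0,
        "search_to" => 5,
        "sort" => ["field" => "severity", "keyword" => "asc"],
    ],
]);

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/alerts/get_alerts",
    CURLOPT_RETURNTRANSFER => true,
    // Empty string: libcurl sends its own Accept-Encoding and decodes gzip itself,
    // so the header is not added by hand below.
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    // Certificate verification is the default; stated explicitly so nobody "fixes"
    // a TLS error by turning it off and exposing the API key.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_HTTPHEADER => [
        // Placeholders: read the key and key ID from getenv()/configuration, never commit them.
        "Authorization: SOME_STRING_VALUE",
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE",
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status !== 200) {
    // 400/401/403/500 are documented error responses; only a 200 body is an alert list.
    echo "get_alerts failed: HTTP " . $status . ": " . $response;
} else {
    echo $response;
}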
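/* Documented example request body (see REQUEST below): severity filter, first five
 * results, sorted by severity ascending. The generator's body used "alert_id_list"
 * with the value "string"; that filter takes an array of integer alert IDs. */
static const char *body =
    "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],"
    "\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;

if (hnd == NULL) {
    fprintf(stderr, "curl_easy_init() failed\n");
} else {
    /* Placeholders: load the key and key ID from the environment or a secret store;
     * never hard-code them. */
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/alerts/get_alerts");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, body);
    /* Empty string: libcurl sends its own Accept-Encoding and decodes gzip itself. */
    curl_easy_setopt(hnd, CURLOPT_ACCEPT_ENCODING, "");
    /* CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST stay at their defaults (on);
     * disabling them would let any certificate holder read the API key. */

    ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(ret));
    } else {
        long status = 0;
        /* 400/401/403/500 are documented error responses; only a 200 body is an alert list. */
        curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
        if (status != 200) {
            fprintf(stderr, "get_alerts failed: HTTP %ld\n", status);
        }
    }

    /* The generated sample leaked both the header list and the easy handle. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}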
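// Documented example request body (see REQUEST below): severity filter, first five
// results, sorted by severity ascending. The generator's body used "alert_id_list"
// with the value "string"; that filter takes an array of integer alert IDs.
string body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],"
            + "\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

var client = new RestClient("https://api-yourfqdn/public_api/v1/alerts/get_alerts");
var request = new RestRequest(Method.POST);
// Placeholders: load the key and key ID from configuration or a secret store, never hard-code them.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
// Accept-Encoding is optional and left to the HTTP stack, which negotiates and decompresses gzip itself.
request.AddParameter("application/json", body, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);

// RestSharp does not throw on 4xx/5xx. 400/401/403/500 are documented error responses;
// the content is only an alert list on 200.
if ((int)response.StatusCode != 200)
{
    throw new InvalidOperationException(
        "get_alerts failed: HTTP " + (int)response.StatusCode + ": " + response.Content);
}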
Body parameters
application/json
request_dataobject
filtersarray

An array of filter fields.

[
fieldobject (Enum)

Identifies the alert field the filter is matching. Filters are based on the following keywords:

  • alert_id_list: List of integers representing the alert IDs.
  • alert_source: List of strings representing the alert sources.
  • severity: List of strings representing the alert severities.
  • creation_time: Timestamp of when the alert was originally identified.
  • server_creation_time: Timestamp of when the alert was stored in the database.
Allowed values: "alert_id_list", "alert_source", "severity", "creation_time", "server_creation_time"
operatorobject (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords are:

  • in: alert_id_list, alert_source, and severity
  • gte / lte: creation_time and server_creation_time
Allowed values: "in", "gte", "lte"
valuestring or array or integer

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and represented in console under the TIMESTAMP field.
  • server_creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is represented in XQL as local_insert_ts.
  • alert_id_list: Array of integers. Each item in the list must be an alert ID.
  • severity: Valid values are low, medium, high, critical.
]
search_frominteger

An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list. Any alert indexed less than this value is not returned in the final result set. Defaults to zero.

search_tointeger

An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list.

sortobjectrequired

Identifies the sort order for the result set. By default the sort is defined as creation_time, desc.

fieldstring

Identifies how to sort the result set, either according to severity or creation time.

keywordstring

Defines whether to sort the results in ascending (asc) or descending (desc) order.

REQUEST
{ "request_data": {} }
{ "request_data": { "filters": [ { "field": "severity", "operator": "in", "value": [ "medium", "high" ] } ], "search_from": 0, "search_to": 5, "sort": { "field": "severity", "keyword": "asc" } } }
Responses

Successful response

Body
application/json
replyobject
total_countinteger

Number of total results of this filter without paging. If the filter returned 10,000 results or more, the value will be 9,999, and you can use paging to view the entire set of data.

result_countinteger

Number of alerts actually returned as result.

alertsarray
[
external_idstring
severitystring
matching_statusstring
end_match_attempt_tsinteger
local_insert_tsinteger
bioc_indicatorobject
matching_service_rule_idobject
attempt_counterinteger
bioc_category_enum_keyobject
is_whitelistedboolean
starredboolean
deduplicate_tokensobject
filter_rule_idobject
mitre_technique_id_and_namearray[string]
mitre_tactic_id_and_namearray[string]
agent_versionstring
agent_device_domainobject
agent_fqdnstring
agent_os_typestring
agent_os_sub_typestring
agent_data_collection_statusboolean
macobject
mac_addressarray[string]
agent_is_vdiobject
contains_featured_hostboolean
contains_featured_userboolean
contains_featured_ipboolean
eventsarray
[
agent_install_typestring
agent_host_boot_timeobject
event_sub_typeobject
module_idstring
association_strengthobject
dst_association_strengthobject
story_idobject
event_idobject
event_typestring
event_timestampinteger
actor_process_instance_idstring
actor_process_image_pathstring
actor_process_image_namestring
actor_process_command_linestring
actor_process_signature_statusstring
actor_process_signature_vendorobject
actor_process_image_sha256string
actor_process_image_md5object
actor_process_causality_idobject
actor_causality_idobject
actor_process_os_pidstring
actor_thread_thread_idobject
causality_actor_process_image_nameobject
causality_actor_process_command_lineobject
causality_actor_process_image_pathobject
causality_actor_process_signature_vendorobject
causality_actor_process_signature_statusstring
causality_actor_causality_idobject
causality_actor_process_execution_timeobject
causality_actor_process_image_md5object
causality_actor_process_image_sha256object
action_file_pathobject
action_file_nameobject
action_file_md5object
action_file_sha256object
action_file_macro_sha256object
action_registry_dataobject
action_registry_key_nameobject
action_registry_value_nameobject
action_registry_full_keyobject
action_local_ipobject
action_local_portobject
action_remote_ipobject
action_remote_portobject
action_external_hostnameobject
action_countrystring
action_process_instance_idobject
action_process_causality_idobject
action_process_image_nameobject
action_process_image_sha256object
action_process_image_command_lineobject
action_process_signature_statusstring
action_process_signature_vendorobject
os_actor_effective_usernameobject
os_actor_process_instance_idobject
os_actor_process_image_pathobject
os_actor_process_image_nameobject
os_actor_process_command_lineobject
os_actor_process_signature_statusstring
os_actor_process_signature_vendorobject
os_actor_process_image_sha256object
os_actor_process_causality_idobject
os_actor_causality_idobject
os_actor_process_os_pidobject
os_actor_thread_thread_idobject
fw_app_idobject
fw_interface_fromobject
fw_interface_toobject
fw_ruleobject
fw_rule_idobject
fw_device_nameobject
fw_serial_numberobject
fw_url_domainobject
fw_email_subjectobject
fw_email_senderobject
fw_email_recipientobject
fw_app_subcategoryobject
fw_app_categoryobject
fw_app_technologyobject
fw_vsysobject
fw_xffobject
fw_miscobject
fw_is_phishingstring
dst_agent_idobject
dst_causality_actor_process_execution_timeobject
dns_query_nameobject
dst_action_external_hostnameobject
dst_action_countryobject
dst_action_external_portobject
user_nameobject
]
alert_idstring
detection_timestampinteger
namestring
categorystring
endpoint_idstring
descriptionstring
host_iparray[string]
host_namestring
sourcestring
actionstring
action_prettystring
]
RESPONSE
{ "reply": { "total_count": 20834, "result_count": 1, "alerts": [ { "agent_os_sub_type": "6.3.9600", "fw_app_category": null, "fw_app_id": null, "fw_app_subcategory": null, "fw_app_technology": null, "causality_actor_process_command_line": null, "causality_actor_process_image_md5": null, "causality_actor_process_image_name": null, "causality_actor_process_image_path": null, "causality_actor_process_image_sha256": null, "causality_actor_process_signature_status": "N/A", "causality_actor_process_signature_vendor": null, "causality_actor_causality_id": null, "identity_sub_type": null, "identity_type": null, "operation_name": null, "project": null, "cloud_provider": null, "referenced_resource": null, "resource_sub_type": null, "resource_type": null, "cluster_name": null, "container_id": null, "contains_featured_host": "NO", "contains_featured_ip": "NO", "contains_featured_user": "NO", "action_country": "UNKNOWN", "fw_interface_to": null, "dns_query_name": null, "agent_device_domain": "attractions.disney.com", "fw_email_recipient": null, "fw_email_sender": null, "fw_email_subject": null, "event_type": null, "is_whitelisted": false, "action_file_macro_sha256": null, "action_file_md5": null, "action_file_name": null, "action_file_path": null, "action_file_sha256": null, "fw_device_name": null, "fw_rule_id": null, "fw_rule": null, "fw_serial_number": null, "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", "mac": "00:50:56:bb:34:34,00:50:56:bc:bc:2f", "agent_os_type": "Windows", "image_name": null, "actor_process_image_name": "10.91.72.115", "actor_process_command_line": null, "actor_process_image_md5": null, "actor_process_image_path": null, "actor_process_os_pid": null, "actor_process_image_sha256": null, "actor_process_signature_status": "N/A", "actor_process_signature_vendor": null, "actor_thread_thread_id": null, "fw_is_phishing": "N/A", "action_local_ip": null, "action_local_port": null, "fw_misc": null, "mitre_tactic_id_and_name": "TA0007 - Discovery", 
"mitre_technique_id_and_name": "T1012 - Query Registry", "module_id": "Behavioral Threat Protection", "fw_vsys": null, "os_actor_process_command_line": null, "os_actor_thread_thread_id": null, "os_actor_process_image_name": null, "os_actor_process_os_pid": null, "os_actor_process_image_sha256": null, "os_actor_process_signature_status": "N/A", "os_actor_process_signature_vendor": null, "os_actor_effective_username": null, "action_process_signature_status": "N/A", "action_process_signature_vendor": null, "action_registry_data": null, "action_registry_full_key": null, "action_external_hostname": null, "action_remote_ip": "10.71.62.215", "action_remote_port": null, "matching_service_rule_id": null, "fw_interface_from": null, "starred": false, "action_process_image_command_line": null, "action_process_image_name": null, "action_process_image_sha256": null, "fw_url_domain": null, "user_agent": null, "fw_xff": null, "alert_domain": "DOMAIN_SECURITY", "external_id": "7c96737d50f74c7b9487450426e9eafb", "severity": "high", "matching_status": "MATCHED", "end_match_attempt_ts": null, "local_insert_ts": 1706539597503, "last_modified_ts": 1706539706370, "bioc_indicator": null, "attempt_counter": 0, "bioc_category_enum_key": null, "case_id": 391722, "deduplicate_tokens": null, "filter_rule_id": null, "agent_version": "8.1.0.42616", "agent_ip_addresses_v6": null, "agent_data_collection_status": false, "agent_is_vdi": false, "agent_install_type": "STANDARD", "agent_host_boot_time": null, "event_sub_type": null, "association_strength": 50, "dst_association_strength": null, "story_id": null, "event_id": null, "event_timestamp": 1706540499609, "actor_process_instance_id": null, "actor_process_causality_id": null, "actor_causality_id": null, "causality_actor_process_execution_time": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_local_ip_v6": null, "action_remote_ip_v6": null, "action_process_instance_id": null, "action_process_causality_id": null, 
"os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "dst_agent_id": null, "dst_causality_actor_process_execution_time": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "is_pcap": false, "image_id": null, "container_name": null, "namespace": null, "alert_type": "Unclassified", "resolution_status": "STATUS_020_UNDER_INVESTIGATION", "resolution_comment": null, "dynamic_fields": null, "tags": "DS:PANW/XDR Agent", "malicious_urls": null, "dss_job_title": null, "dss_department": null, "dss_country": null, "dss_groups": null, "alert_id": "50023290705", "detection_timestamp": 1706540499609, "name": "Behavioral Threat", "category": "Malware", "endpoint_id": "866d9341c27a4df389b246d977d216ec", "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", "host_ip": "10.71.62.2,10.71.62.5", "host_name": "hostname", "source": "XDR Agent", "action": "REPORTED", "action_pretty": "Detected (Reported)", "user_name": null, "events_length": 1, "original_tags": "DS:PANW/XDR Agent" } ] } }

Bad Request. Got invalid JSON.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Unauthorized access. User does not have the required license type to run this API.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Internal server error. A unified status for API communication type errors.