Get Alerts Multi-Events v2

Cortex XSIAM REST API

post /public_api/v2/alerts/get_alerts_multi_events

Get a list of alerts with multiple events.
- Filters are combined with an AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of alerts from the start of the result set.

The API response indicates whether a PAN NGFW type alert contains a PCAP triggering packet (see the is_pcap field of each alert). Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM Enterprise Plus

Request headers

Authorization (String, required): {api_key}
  Example: authorization_example
x-xdr-auth-id (String, required): {api_key_id}
  Example: xXdrAuthId_example
Body parameters

request_data (Object)

A dictionary containing the API request fields.

An empty dictionary returns all results.

filters (Array)

Array of filter fields.

[
field (Object, Enum)

Alert field the filter is matching. Filters are based on the following keywords:
- alert_id_list: List of integers of the Alert ID
- alert_source: List of strings of the Alert source
- severity: List of strings of the Alert severity
- creation_time: Timestamp of the creation time
- server_creation_time: Timestamp of when Cortex XDR created the alert

Allowed values: "alert_id_list", "alert_source", "severity", "creation_time", "server_creation_time"

operator (Object, Enum)

Identifies the comparison operator you want to use for this filter. Possible values:
- in: permitted for alert_id, alert_source, and severity
- gte / lte: permitted only for creation_time

Allowed values: "in", "gte", "lte"

value (Array[integer])

Value that the filter must match. The contents of this field differ depending on the alert field that you specified for this filter.

]
REQUEST BODY
{
  "request_data": {
    "filters": [
      {
        "field": "severity",
        "operator": "in",
        "value": [ "medium", "high" ]
      }
    ]
  }
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v2/alerts/get_alerts_multi_events' \
  -d '{"request_data":{"filters":[{"field":"severity","operator":"in","value":["medium","high"]}]}}'
Responses

OK

Body

reply (Object)

JSON object containing the query result.

total_count (Integer)

The total number of results matched by this filter without paging. If the filter matches more than 9,999 results, the total_count value returned will be 9,999. You can use paging to view the entire set of data.

result_count (Integer)

The number of alerts actually returned as results.

alerts (Array)

A list of alerts.

[
agent_os_sub_type (String)
fw_app_category (Object)
fw_app_id (Object)
fw_app_subcategory (Object)
fw_app_technology (Object)
category (String)
causality_actor_process_command_line (Array[string])
causality_actor_process_image_md5 (Array[string])
causality_actor_process_image_name (Array[string])
causality_actor_process_image_path (Array[string])
causality_actor_process_image_sha256 (Array[string])
causality_actor_process_signature_status (Array[string])
causality_actor_process_signature_vendor (Array[string])
causality_actor_causality_id (Array[string])
identity_sub_type (Object)
identity_type (Object)
operation_name (Object)
project (Object)
cloud_provider (Object)
referenced_resource (Object)
resource_sub_type (Object)
resource_type (Object)
cluster_name (Object)
container_id (Object)
contains_featured_host (Array[string])
contains_featured_ip (Array[string])
contains_featured_user (Array[string])
action_country (Array[string])
description (String)
fw_interface_to (Object)
dns_query_name (Object)
agent_device_domain (Object)
fw_email_recipient (Object)
fw_email_sender (Object)
fw_email_subject (Object)
event_type (Array[string])
is_whitelisted (Boolean)
action_file_macro_sha256 (Object)
action_file_md5 (Object)
action_file_name (Object)
action_file_path (Object)
action_file_sha256 (Object)
fw_device_name (Object)
fw_rule_id (Object)
fw_rule (Object)
fw_serial_number (Object)
agent_fqdn (Object)
agent_os_type (String)
image_name (Object)
actor_process_image_name (Array[string])
actor_process_command_line (Array[string])
actor_process_image_md5 (Array[string])
actor_process_image_path (Array[string])
actor_process_os_pid (Array[integer])
actor_process_image_sha256 (Array[string])
actor_process_signature_status (Array[string])
actor_process_signature_vendor (Array[string])
actor_thread_thread_id (Array[integer])
fw_is_phishing (Array[string])
action_local_ip (Object)
action_local_port (Object)
fw_misc (Object)
mitre_tactic_id_and_name (Array[string])
mitre_technique_id_and_name (Array[string])
module_id (Object)
fw_vsys (Object)
os_actor_process_command_line (Array[string])
os_actor_thread_thread_id (Array[integer])
os_actor_process_image_name (Array[string])
os_actor_process_os_pid (Array[integer])
os_actor_process_image_sha256 (Array[string])
os_actor_process_signature_status (Array[string])
os_actor_process_signature_vendor (Array[string])
os_actor_effective_username (Object)
action_process_signature_status (Array[string])
action_process_signature_vendor (Object)
action_registry_data (Object)
action_registry_full_key (Object)
action_external_hostname (Object)
action_remote_ip (Object)
action_remote_port (Object)
matching_service_rule_id (String)
fw_interface_from (Object)
starred (Boolean)
action_process_image_command_line (Object)
action_process_image_name (Object)
action_process_image_sha256 (Object)
fw_url_domain (Object)
user_agent (Object)
fw_xff (Object)
external_id (String)
severity (String)
matching_status (String)
end_match_attempt_ts (Object)
local_insert_ts (Integer)
last_modified_ts (Object)
bioc_indicator (Object)
attempt_counter (Integer)
bioc_category_enum_key (Object)
case_id (Integer)
deduplicate_tokens (Object)
filter_rule_id (Object)
agent_version (String)
agent_ip_addresses_v6 (Object)
agent_data_collection_status (Object)
agent_is_vdi (Boolean)
agent_install_type (String)
agent_host_boot_time (Array[integer])
event_sub_type (Array[integer])
association_strength (Array[integer])
dst_association_strength (Object)
story_id (Object)
event_id (Array[string])
event_timestamp (Array[integer])
actor_process_instance_id (Array[string])
actor_process_causality_id (Array[string])
actor_causality_id (Array[string])
causality_actor_process_execution_time (Array[integer])
action_registry_key_name (Object)
action_registry_value_name (Object)
action_local_ip_v6 (Object)
action_remote_ip_v6 (Object)
action_process_instance_id (Object)
action_process_causality_id (Object)
os_actor_process_instance_id (Array[string])
os_actor_process_image_path (Array[string])
os_actor_process_causality_id (Array[string])
os_actor_causality_id (Object)
dst_agent_id (Array[string])
dst_causality_actor_process_execution_time (Object)
dst_action_external_hostname (Object)
dst_action_country (Object)
dst_action_external_port (Object)
is_pcap (Boolean)
alert_type (String)
resolution_status (String)
resolution_comment (Object)
dynamic_fields (Object)
tags (Array[string])
alert_id (String)
detection_timestamp (Integer)
name (String)
endpoint_id (String)
host_ip (Array[string])
host_name (String)
action (String)
original_tags (Array[string])
user_name (Array[string])
mac_addresses (Object)
source (Object)
action_pretty (String)
]
RESPONSE
{ "reply": { "total_count": 0, "result_count": 0, "alerts": [ { "agent_os_sub_type": "agent_os_sub_type_example", "fw_app_category": {}, "fw_app_id": {}, "fw_app_subcategory": {}, "fw_app_technology": {}, "category": "category_example", "causality_actor_process_command_line": [ "causality_actor_process_command_line_example" ], "causality_actor_process_image_md5": [ "causality_actor_process_image_md5_example" ], "causality_actor_process_image_name": [ "causality_actor_process_image_name_example" ], "causality_actor_process_image_path": [ "causality_actor_process_image_path_example" ], "causality_actor_process_image_sha256": [ "causality_actor_process_image_sha256_example" ], "causality_actor_process_signature_status": [ "causality_actor_process_signature_status_example" ], "causality_actor_process_signature_vendor": [ "causality_actor_process_signature_vendor_example" ], "causality_actor_causality_id": [ "causality_actor_causality_id_example" ], "identity_sub_type": {}, "identity_type": {}, "operation_name": {}, "project": {}, "cloud_provider": {}, "referenced_resource": {}, "resource_sub_type": {}, "resource_type": {}, "cluster_name": {}, "container_id": {}, "contains_featured_host": [ "contains_featured_host_example" ], "contains_featured_ip": [ "contains_featured_ip_example" ], "contains_featured_user": [ "contains_featured_user_example" ], "action_country": [ "action_country_example" ], "description": "description_example", "fw_interface_to": {}, "dns_query_name": {}, "agent_device_domain": {}, "fw_email_recipient": {}, "fw_email_sender": {}, "fw_email_subject": {}, "event_type": [ "event_type_example" ], "is_whitelisted": false, "action_file_macro_sha256": {}, "action_file_md5": {}, "action_file_name": {}, "action_file_path": {}, "action_file_sha256": {}, "fw_device_name": {}, "fw_rule_id": {}, "fw_rule": {}, "fw_serial_number": {}, "agent_fqdn": {}, "agent_os_type": "agent_os_type_example", "image_name": {}, "actor_process_image_name": [ 
"actor_process_image_name_example" ], "actor_process_command_line": [ "actor_process_command_line_example" ], "actor_process_image_md5": [ "actor_process_image_md5_example" ], "actor_process_image_path": [ "actor_process_image_path_example" ], "actor_process_os_pid": [ 0 ], "actor_process_image_sha256": [ "actor_process_image_sha256_example" ], "actor_process_signature_status": [ "actor_process_signature_status_example" ], "actor_process_signature_vendor": [ "actor_process_signature_vendor_example" ], "actor_thread_thread_id": [ 0 ], "fw_is_phishing": [ "fw_is_phishing_example" ], "action_local_ip": {}, "action_local_port": {}, "fw_misc": {}, "mitre_tactic_id_and_name": [ "mitre_tactic_id_and_name_example" ], "mitre_technique_id_and_name": [ "mitre_technique_id_and_name_example" ], "module_id": {}, "fw_vsys": {}, "os_actor_process_command_line": [ "os_actor_process_command_line_example" ], "os_actor_thread_thread_id": [ 0 ], "os_actor_process_image_name": [ "os_actor_process_image_name_example" ], "os_actor_process_os_pid": [ 0 ], "os_actor_process_image_sha256": [ "os_actor_process_image_sha256_example" ], "os_actor_process_signature_status": [ "os_actor_process_signature_status_example" ], "os_actor_process_signature_vendor": [ "os_actor_process_signature_vendor_example" ], "os_actor_effective_username": {}, "action_process_signature_status": [ "action_process_signature_status_example" ], "action_process_signature_vendor": {}, "action_registry_data": {}, "action_registry_full_key": {}, "action_external_hostname": {}, "action_remote_ip": {}, "action_remote_port": {}, "matching_service_rule_id": "matching_service_rule_id_example", "fw_interface_from": {}, "starred": false, "action_process_image_command_line": {}, "action_process_image_name": {}, "action_process_image_sha256": {}, "fw_url_domain": {}, "user_agent": {}, "fw_xff": {}, "external_id": "external_id_example", "severity": "severity_example", "matching_status": "matching_status_example", 
"end_match_attempt_ts": {}, "local_insert_ts": 0, "last_modified_ts": {}, "bioc_indicator": {}, "attempt_counter": 0, "bioc_category_enum_key": {}, "case_id": 0, "deduplicate_tokens": {}, "filter_rule_id": {}, "agent_version": "agent_version_example", "agent_ip_addresses_v6": {}, "agent_data_collection_status": {}, "agent_is_vdi": false, "agent_install_type": "agent_install_type_example", "agent_host_boot_time": [ 0 ], "event_sub_type": [ 0 ], "association_strength": [ 0 ], "dst_association_strength": {}, "story_id": {}, "event_id": [ "event_id_example" ], "event_timestamp": [ 0 ], "actor_process_instance_id": [ "actor_process_instance_id_example" ], "actor_process_causality_id": [ "actor_process_causality_id_example" ], "actor_causality_id": [ "actor_causality_id_example" ], "causality_actor_process_execution_time": [ 0 ], "action_registry_key_name": {}, "action_registry_value_name": {}, "action_local_ip_v6": {}, "action_remote_ip_v6": {}, "action_process_instance_id": {}, "action_process_causality_id": {}, "os_actor_process_instance_id": [ "os_actor_process_instance_id_example" ], "os_actor_process_image_path": [ "os_actor_process_image_path_example" ], "os_actor_process_causality_id": [ "os_actor_process_causality_id_example" ], "os_actor_causality_id": {}, "dst_agent_id": [ "dst_agent_id_example" ], "dst_causality_actor_process_execution_time": {}, "dst_action_external_hostname": {}, "dst_action_country": {}, "dst_action_external_port": {}, "is_pcap": false, "alert_type": "alert_type_example", "resolution_status": "resolution_status_example", "resolution_comment": {}, "dynamic_fields": {}, "tags": [ "tags_example" ], "alert_id": "alert_id_example", "detection_timestamp": 0, "name": "name_example", "endpoint_id": "endpoint_id_example", "host_ip": [ "host_ip_example" ], "host_name": "host_name_example", "action": "action_example", "original_tags": [ "original_tags_example" ], "user_name": [ "user_name_example" ], "mac_addresses": {}, "source": {}, 
"action_pretty": "action_pretty_example" } ] } }
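The request construction and reply handling described above, as an added Python example that is not part of the Cortex XSIAM documentation or any Palo Alto Networks SDK: it enforces the documented field/operator rules, builds the request_data body, and pulls the severity mix and PCAP-bearing alert IDs out of a reply. The search_from/search_to offset keys, and the sample reply, are assumptions (the page names the offset but not its parameter).

```python
from __future__ import annotations
from typing import Any

# Filter constraints as documented above: "in" for the list fields,
# "gte"/"lte" for the timestamp fields. Filters are combined with AND.
ALLOWED_OPERATORS = {
    "alert_id_list": {"in"}, "alert_source": {"in"}, "severity": {"in"},
    "creation_time": {"gte", "lte"}, "server_creation_time": {"gte", "lte"},
}
MAX_PAGE = 100  # documented maximum result set size
TOTAL_COUNT_CAP = 9999  # total_count never exceeds this value

def build_request(filters: list[tuple[str, str, Any]],
                  offset: int = 0, limit: int = MAX_PAGE) -> dict:
    """Build request_data, rejecting field/operator pairs the API forbids."""
    if not 0 < limit <= MAX_PAGE:
        raise ValueError(f"limit must be between 1 and {MAX_PAGE}")
    body = []
    for field, op, value in filters:
        if op not in ALLOWED_OPERATORS.get(field, set()):
            raise ValueError(f"operator {op!r} not permitted for {field!r}")
        if op == "in" and not isinstance(value, list):
            raise ValueError(f"'in' on {field!r} expects a list of values")
        body.append({"field": field, "operator": op, "value": value})
    # search_from/search_to are an assumption: the offset parameters used by
    # the Cortex XDR alert APIs, which this page does not name.
    return {"request_data": {"filters": body, "search_from": offset,
                             "search_to": offset + limit}}

def summarize_reply(reply: dict) -> dict:
    """Pull out volume, severity mix and the alerts that carry a PCAP."""
    r = reply["reply"]
    by_severity: dict[str, int] = {}
    for a in r["alerts"]:
        by_severity[a["severity"]] = by_severity.get(a["severity"], 0) + 1
    return {
        "total_count": r["total_count"],
        "total_is_capped": r["total_count"] >= TOTAL_COUNT_CAP,  # page further
        "result_count": r["result_count"],
        "by_severity": by_severity,
        # is_pcap alerts are the ones to hand to the Retrieve PCAP Packet API
        "pcap_alert_ids": [a["alert_id"] for a in r["alerts"] if a.get("is_pcap")],
    }

# Constructed sample reply carrying only the fields used above.
SAMPLE_REPLY = {"reply": {"total_count": 9999, "result_count": 2, "alerts": [
    {"alert_id": "1001", "severity": "medium", "is_pcap": False},
    {"alert_id": "1002", "severity": "high", "is_pcap": True}]}}
```

When total_is_capped is true, keep advancing the offset until result_count comes back smaller than the page size, because total_count alone cannot tell you how much data remains.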

Bad Request. Got invalid JSON.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. User does not have the required license type to run this API.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Internal server error. A unified status for API communication type errors.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}