Get Alerts

Cortex Xpanse REST API

post /public_api/v2/alerts/get_alerts_multi_events/

Get a single alert or list of alerts with multiple events.
- Filters are combined using an AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based number of alerts from the start of the result set.


Note: You can send a request to retrieve all or filtered results.
Required license: Cortex Xpanse Expander

Request headers

authorization (String, required): api-key. Example: {{api_key}}
x-xdr-auth-id (String, required): api-key-id. Example: {{api_key_id}}
Body parameters (required)

request_data (Object)

A dictionary containing the API request fields. An empty dictionary returns all results.

filters (Array)

An array of filter fields. Each item in the array has the following fields:

field (String, Enum)

Identifies the alert fields the filter is matching.

Allowed values: "business_units_list", "tags", "asm_alert_categories", "attack_surface_rule_id", "alert_id_list", "external_id_list", "alert_source", "creation_time", "last_modified_ts", "server_creation_time", "severity", "status", "attack_surface_rule_name", "host_name", "xpanse_policy_id", "case_id_list", "cloud_management_status", "integration_source", "aws_cloud_tags", "gcp_cloud_tags", "azure_cloud_tags", "first_observed", "last_observed"

operator (String, Enum)

String that identifies the comparison operator you want to use for this filter. Possible values:
- in: use with alert_id_list, alert_source, asm_alert_categories, case_id_list, business_units_list, cloud_management_status, tags, xpanse_policy_id, severity, integration_source.
- gte: filters data from a specific timestamp onwards. Use with creation_time, first_observed, last_observed.
- lte: filters data up to a specific timestamp. Use with creation_time, first_observed, last_observed.
- range: filters data between two specific timestamps. Use with first_observed, last_observed.
- relative_timestamp: filters data relative to the current time (e.g., last 30 days). Use with first_observed, last_observed.

Allowed values: "gte", "lte", "in", "range", "relative_timestamp"

value (Object)

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:
- alert_id_list: list of integers. Each item in the list must be an alert ID.
- alert_source: list of strings.
- asm_alert_categories: list of strings. Example values: "Development Infrastructure", "Unpatched, Misconfigured, and end-of-life (EOL) systems".
- business_units_list: string or list of strings in the format "BU name" or "BU:BU name", for example "Acme & Co, Inc." or "BU:Acme & Co, Inc."
- case_id_list: list of integers. Each item in the list must be a case ID.
- cloud_management_status: string. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time: integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field and represented in the console under the TIMESTAMP field.
- external_id_list: list of strings representing external IDs.
- first_observed: values in milliseconds format.
  - With the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format.
  - With the range operator, specify "to" and "from" values as timestamps in milliseconds format: "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
  - With the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format.
- integration_source: valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD.
- last_observed: values in milliseconds format, with the same operator rules as first_observed:
  - With the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format.
  - With the range operator, specify "to" and "from" values as timestamps in milliseconds format: "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
  - With the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format.
- severity: valid values: low, medium, high, critical, informational.
- status: valid values: new, reopened, resolved_no_risk, resolved_risk_accepted, resolved_no_longer_observed, resolved_contested_asset, resolved_remediated_automatically, resolved, under_investigation.
- tags: list of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".
- xpanse_policy_id: list of strings representing the Xpanse policy IDs.
search_from (Integer)

An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list; any alert indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to (Integer)

An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list. Use this field to specify the number of results on a page when using page token pagination. Max value: 100.

sort (Object)

Identifies the sort order for the result set.

field (String, Enum)

Can be severity, creation_time, or server_creation_time.

Allowed values: "creation_time", "severity", "server_creation_time"

keyword (String, Enum)

Can either be ASC (ascending order) or DESC (descending order). Case sensitive.

Allowed values: "ASC", "asc", "DESC", "desc"
use_page_token (Boolean)

Use "use_page_token": true in the initial request to paginate the response data.

next_page_token (String)

If "use_page_token": true was included in the initial request, the response for that request will include a page token. Use "next_page_token": "string" to pass that page token into the next request to paginate the next set of data.
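A small client helper, added here as an example and not code from the Cortex Xpanse documentation or SDK: it checks each filter's field/operator pair against the pairings documented above, builds the request_data body, and walks the full result set with use_page_token and next_page_token. The HTTP transport is abstracted as a send(body) callable (your client must add the authorization and x-xdr-auth-id headers), so the example runs offline against a constructed two-page fake whose alert IDs and token values are made up.

```python
# Field/operator pairings documented for get_alerts_multi_events (see "operator" above).
OPERATORS_FOR = {
    "in": {"alert_id_list", "alert_source", "asm_alert_categories", "case_id_list", "business_units_list",
           "cloud_management_status", "tags", "xpanse_policy_id", "severity", "integration_source"},
    "gte": {"creation_time", "first_observed", "last_observed"},
    "lte": {"creation_time", "first_observed", "last_observed"},
    "range": {"first_observed", "last_observed"},
    "relative_timestamp": {"first_observed", "last_observed"},
}
MAX_PAGE = 100                  # documented maximum result set size
DAY_MS = 24 * 60 * 60 * 1000    # relative_timestamp takes a look-back interval in milliseconds
def is_valid_pair(field, operator):
    return field in OPERATORS_FOR.get(operator, ())
def make_filter(field, operator, value):
    """Build one filter entry; the API ANDs all filters in a request together."""
    if not is_valid_pair(field, operator):
        raise ValueError(f"operator {operator!r} is not documented for field {field!r}")
    if operator == "range" and set(value) != {"from", "to"}:
        raise ValueError("range value must be {'from': <ms>, 'to': <ms>}")
    return {"field": field, "operator": operator, "value": value}
def fetch_all_alerts(send, filters, page_size=MAX_PAGE):
    """Walk the result set with page tokens. `send(body)` POSTs one JSON body (with the
    authorization and x-xdr-auth-id headers) and returns the parsed reply; stops when no token comes back."""
    rd = {"filters": filters, "search_from": 0, "search_to": min(page_size, MAX_PAGE),
          "sort": {"field": "creation_time", "keyword": "DESC"}, "use_page_token": True}
    alerts = []
    while True:
        reply = send({"request_data": rd})["reply"]
        alerts.extend(reply.get("alerts", []))
        token = reply.get("next_page_token")
        if not token or not reply.get("alerts"):
            return alerts
        rd = dict(rd, next_page_token=token)   # same filters, plus the token for the next page

# Constructed offline stand-in for the API: a full page with a token, then a final page without one.
FAKE_PAGES = [
    {"reply": {"total_count": 3, "result_count": 2, "next_page_token": "tok-2",
               "alerts": [{"alert_id": "a1", "severity": "critical"}, {"alert_id": "a2", "severity": "high"}]}},
    {"reply": {"total_count": 3, "result_count": 1, "alerts": [{"alert_id": "a3", "severity": "high"}]}},
]
SENT = []   # request bodies the fake receives, so the pagination can be inspected

def fake_send(body):
    SENT.append(body)
    return FAKE_PAGES[len(SENT) - 1]

def demo():
    """High/critical alerts observed in the last 30 days, fetched page by page from the fake API."""
    filters = [make_filter("severity", "in", ["high", "critical"]),
               make_filter("last_observed", "relative_timestamp", 30 * DAY_MS)]
    return fetch_all_alerts(fake_send, filters, page_size=2)
```

To run against a tenant, replace fake_send with a function that POSTs the body to the endpoint with your two API-key headers and returns the decoded JSON; the pairing check is deliberately strict to the operator table on this page.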
REQUEST BODY
{
  "request_data": {
    "search_from": 0,
    "next_page_token": "next_page_token",
    "filters": [
      { "field": "business_units_list", "value": "AlertFilter_value", "operator": "gte" },
      { "field": "business_units_list", "value": "AlertFilter_value", "operator": "gte" }
    ],
    "sort": { "field": "creation_time", "keyword": "desc" },
    "search_to": 0,
    "use_page_token": true
  }
}
{
  "request_data": {
    "filters": [
      { "field": "business_units_list", "operator": "gte", "value": "string" }
    ],
    "search_from": 0,
    "search_to": 100,
    "sort": { "field": "creation_time", "keyword": "desc" },
    "use_page_token": true,
    "next_page_token": "string"
  }
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-}/public_api/v2/alerts/get_alerts_multi_events/' \
  -d '{ "request_data" : { "search_from" : 0, "next_page_token" : "next_page_token", "filters" : [ { "field" : "business_units_list", "value" : "AlertFilter_value", "operator" : "gte" }, { "field" : "business_units_list", "value" : "AlertFilter_value", "operator" : "gte" } ], "sort" : { "field" : "creation_time", "keyword" : "desc" }, "search_to" : 0, "use_page_token" : true } }'
Responses

Successful response

Body

reply (Object, required)

total_count (Integer)

The number of total results of this filter without paging. If the filter matches 10,000 results or more, the value is 9,999; use paging to view the entire set of data.

result_count (Integer)

The number of alerts actually returned as result (integer).

alerts (Array)

A list of alerts. Each item has the following fields:
category (String)
project (String)
cloud_provider (String)
resource_sub_type (String)
resource_type (String)
action_country (Array[string])
description (String)
events (String)
event_type (String)
is_whitelisted (Boolean)
image_name (String)
action_local_ip (String)
action_local_port (String)
mitre_tactic_id_and_name (Array[string])
mitre_technique_id_and_name (Array[string])
action_external_hostname (String)
action_remote_ip (Array[string])
action_remote_port (Array[integer])
matching_service_rule_id (String)
starred (Boolean)
external_id (String)
severity (String)
matching_status (String)
end_match_attempt_ts (String)
local_insert_ts (Integer): the UNIX timestamp that this record was written to the database
last_modified_ts (Integer): the UNIX timestamp that this record was last modified
case_id (Integer)
deduplicate_tokens (String)
filter_rule_id (String)
event_id (String)
event_timestamp (Array[integer])
action_local_ip_v6 (String)
action_remote_ip_v6 (Array[string])
alert_type (String)
resolution_status (String)
resolution_comment (String)
dynamic_fields (String)
tags (Array[string])
malicious_urls (String)
asm_alert_categories (Array[string])
aws_cloud_tags (Array[string])
azure_cloud_tags (Array[string])
gcp_cloud_tags (Array[string])
last_observed (Integer)
country_codes (Array[string])
cloud_providers (Array[string])
ipv4_addresses (Array[string])
ipv6_addresses (Array[string])
domain_names (Array[string])
service_ids (Array[string])
website_ids (Array[string])
asset_ids (Array[string])
certificate (Object)
  issuerName (String)
  subjectName (String)
  validNotBefore (Integer)
  validNotAfter (Integer)
  serialNumber (String)
port_protocol (String)
port_number (Integer)
cloud_management_status (String)
business_unit_hierarchies (Array of arrays of objects), each object with:
  creation_time (Integer)
  family (String)
  family_alias (String)
  id (String)
  is_active (Integer)
  name (String)
  parent_id (String)
  update_time (Integer)
attack_surface_rule_name (String)
remediation_guidance (String)
attack_surface_rule_id (String)
asset_identifiers (Array of objects), each object with:
  domain (String)
  certificate (Object)
    issuerName (String)
    subjectName (String)
    validNotBefore (Integer)
    validNotAfter (Integer)
    serialNumber (String)
  ipv4Address (String)
  ipv6Address (String)
  httpPath (String)
  portNumber (Integer)
  portProtocol (String)
  firstObserved (Integer)
  lastObserved (Integer)
integration_source (String)
alert_id (String)
detection_timestamp (Integer)
name (String)
endpoint_id (String)
host_ip (String)
host_name (String)
action (String)
source (String)
user_name (String)
mac_addresses (String)
action_pretty (String)

next_page_token (String)

This attribute is only returned if use_page_token is provided in the request with value true.
RESPONSE
{
  "reply": {
    "total_count": 0,
    "result_count": 0,
    "alerts": [
      {
        "category": "category_example",
        "project": "project_example",
        "cloud_provider": "cloud_provider_example",
        "resource_sub_type": "resource_sub_type_example",
        "resource_type": "resource_type_example",
        "action_country": ["action_country_example"],
        "description": "description_example",
        "events": "events_example",
        "event_type": "event_type_example",
        "is_whitelisted": false,
        "image_name": "image_name_example",
        "action_local_ip": "action_local_ip_example",
        "action_local_port": "action_local_port_example",
        "mitre_tactic_id_and_name": ["mitre_tactic_id_and_name_example"],
        "mitre_technique_id_and_name": ["mitre_technique_id_and_name_example"],
        "action_external_hostname": "action_external_hostname_example",
        "action_remote_ip": ["action_remote_ip_example"],
        "action_remote_port": [0],
        "matching_service_rule_id": "matching_service_rule_id_example",
        "starred": false,
        "external_id": "external_id_example",
        "severity": "severity_example",
        "matching_status": "matching_status_example",
        "end_match_attempt_ts": "end_match_attempt_ts_example",
        "local_insert_ts": 0,
        "last_modified_ts": 0,
        "case_id": 0,
        "deduplicate_tokens": "deduplicate_tokens_example",
        "filter_rule_id": "filter_rule_id_example",
        "event_id": "event_id_example",
        "event_timestamp": [0],
        "action_local_ip_v6": "action_local_ip_v6_example",
        "action_remote_ip_v6": ["action_remote_ip_v6_example"],
        "alert_type": "alert_type_example",
        "resolution_status": "resolution_status_example",
        "resolution_comment": "resolution_comment_example",
        "dynamic_fields": "dynamic_fields_example",
        "tags": ["tags_example"],
        "malicious_urls": "malicious_urls_example",
        "asm_alert_categories": ["asm_alert_categories_example"],
        "aws_cloud_tags": ["aws_cloud_tags_example"],
        "azure_cloud_tags": ["azure_cloud_tags_example"],
        "gcp_cloud_tags": ["gcp_cloud_tags_example"],
        "last_observed": 0,
        "country_codes": ["country_codes_example"],
        "cloud_providers": ["cloud_providers_example"],
        "ipv4_addresses": ["ipv4_addresses_example"],
        "ipv6_addresses": ["ipv6_addresses_example"],
        "domain_names": ["domain_names_example"],
        "service_ids": ["service_ids_example"],
        "website_ids": ["website_ids_example"],
        "asset_ids": ["asset_ids_example"],
        "certificate": {
          "issuerName": "issuerName_example",
          "subjectName": "subjectName_example",
          "validNotBefore": 0,
          "validNotAfter": 0,
          "serialNumber": "serialNumber_example"
        },
        "port_protocol": "port_protocol_example",
        "port_number": 0,
        "cloud_management_status": "cloud_management_status_example",
        "business_unit_hierarchies": [
          [
            {
              "creation_time": 0,
              "family": "family_example",
              "family_alias": "family_alias_example",
              "id": "id_example",
              "is_active": 0,
              "name": "name_example",
              "parent_id": "parent_id_example",
              "update_time": 0
            }
          ]
        ],
        "attack_surface_rule_name": "attack_surface_rule_name_example",
        "remediation_guidance": "remediation_guidance_example",
        "attack_surface_rule_id": "attack_surface_rule_id_example",
        "asset_identifiers": [
          {
            "domain": "domain_example",
            "certificate": {
              "issuerName": "issuerName_example",
              "subjectName": "subjectName_example",
              "validNotBefore": 0,
              "validNotAfter": 0,
              "serialNumber": "serialNumber_example"
            },
            "ipv4Address": "ipv4Address_example",
            "ipv6Address": "ipv6Address_example",
            "httpPath": "httpPath_example",
            "portNumber": 0,
            "portProtocol": "portProtocol_example",
            "firstObserved": 0,
            "lastObserved": 0
          }
        ],
        "integration_source": "integration_source_example",
        "alert_id": "alert_id_example",
        "detection_timestamp": 0,
        "name": "name_example",
        "endpoint_id": "endpoint_id_example",
        "host_ip": "host_ip_example",
        "host_name": "host_name_example",
        "action": "action_example",
        "source": "source_example",
        "user_name": "user_name_example",
        "mac_addresses": "mac_addresses_example",
        "action_pretty": "action_pretty_example"
      }
    ],
    "next_page_token": "next_page_token_example"
  }
}

Bad Request. Got an invalid JSON.

Body

reply (Object)

The query results upon error.
RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

reply (Object)

The query results upon error.
RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body

reply (Object)

The query results upon error.
RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

reply (Object)

The query results upon error.
RESPONSE
{ "reply": {} }

Unprocessable Entity

Body

code (Integer): error code
status (String): error name
message (String): error message
errors (Object): errors

RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Internal server error. A unified status for API communication type errors.

Body

reply (Object)

The query results upon error.
RESPONSE
{ "reply": {} }