post
/public_api/v2/alerts/get_alerts_multi_events/
Note: You can send a request to retrieve all or filtered results.
Required license: **Cortex Xpanse Expander**
Get a single alert or a list of alerts with multiple events.
- Multiple filters are combined with an AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based number of alerts from the start of the result set.
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" -H "authorization: {{api_key}}" -H "x-xdr-auth-id: {{api_key_id}}" \
"https://api-}/public_api/v2/alerts/get_alerts_multi_events/" \
-d '{
"request_data" : {
"search_from" : 0,
"next_page_token" : "next_page_token",
"filters" : [ {
"field" : "business_units_list",
"value" : "AlertFilter_value",
"operator" : "gte"
}, {
"field" : "business_units_list",
"value" : "AlertFilter_value",
"operator" : "gte"
} ],
"sort" : {
"field" : "creation_time",
"keyword" : "desc"
},
"search_to" : 0,
"use_page_token" : true
}
}'
Request headers
authorization
required
String
api-key
Example:
{{api_key}}
x-xdr-auth-id
required
String
api-key-id
Example:
{{api_key_id}}
Request
Body
required
If no parameters are included, all results will be returned.
Example:
{"request_data":{"filters":[{"field":"business_units_list","operator":"gte","value":"string"}],"search_from":0,"search_to":100,"sort":{"field":"creation_time","keyword":"desc"},"use_page_token":true,"next_page_token":"string"}}
request_data
required
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
An array of filter fields.
field
optional
String
(Enum)
Identifies the alert fields the filter is matching.
Allowed values:
business_units_list
tags
asm_alert_categories
attack_surface_rule_id
alert_id_list
external_id_list
alert_source
creation_time
last_modified_ts
server_creation_time
severity
status
attack_surface_rule_name
host_name
xpanse_policy_id
case_id_list
cloud_management_status
integration_source
aws_cloud_tags
gcp_cloud_tags
azure_cloud_tags
first_observed
last_observed
operator
optional
String
(Enum)
String that identifies the comparison operator you want to use for this filter. Possible values:
- in: use with alert_id_list, alert_source, asm_alert_categories, case_id_list, business_units_list, cloud_management_status, tags, xpanse_policy_id, severity, integration_source.
- gte: filters data from a specific timestamp onwards. Use with creation_time, first_observed, last_observed.
- lte: filters data up to a specific timestamp. Use with creation_time, first_observed, last_observed.
- range: filters data between two specific timestamps. Use with first_observed, last_observed.
- relative_timestamp: filters data relative to the current time (e.g., last 30 days). Use with first_observed, last_observed.
Allowed values:
gte
lte
in
eq
neq
range
relative_timestamp
value
optional
Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:
- alert_id_list — List of integers. Each item in the list must be an alert ID.
- alert_source — List of strings.
- asm_alert_categories — List of strings. Example values: "Development Infrastructure", "Unpatched, Misconfigured, and end-of-life (EOL) systems".
- business_units_list — String or list of strings in the format "BU name" or "BU:BU name", for example “Acme & Co, Inc.” or “BU:Acme & Co, Inc.”
- case_id_list — List of integers. Each item in the list must be a case ID.
- cloud_management_status — String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
- creation_time — Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field and represented in the console under the TIMESTAMP field.
- external_id_list — List of strings representing external IDs.
- first_observed — Values in milliseconds format.
  - with the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format
  - with the range operator, specify "to" and "from" values as timestamps in milliseconds format, as follows: "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
  - with the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format
- integration_source — Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD.
- last_observed — Values in milliseconds format.
  - with the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format
  - with the range operator, specify "to" and "from" values as timestamps in milliseconds format, as follows: "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
  - with the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format
- severity — Valid values: low, medium, high, critical, informational.
- status — Valid values: new, reopened, resolved_no_risk, resolved_risk_accepted, resolved_no_longer_observed, resolved_contested_asset, resolved_remediated_automatically, resolved, under_investigation.
- tags — List of strings indicating the tags to filter on, in the format "tag-family:tag-name", for example "AR:registered to you".
- xpanse_policy_id — List of strings representing the Xpanse policy IDs.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list; any alert indexed lower than this value is not returned in the final result set. Defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list. Use this field to specify the number of results on a page when using page token pagination.
Max value: 100
sort
optional
Object
Identifies the sort order for the result set.
field
optional
String
(Enum)
Can either be severity or creation_time.
Allowed values:
creation_time
severity
server_creation_time
keyword
optional
String
(Enum)
Can either be ASC (ascending order) or DESC (descending order). Case sensitive.
Allowed values:
ASC
asc
DESC
desc
use_page_token
optional
Boolean
Use "use_page_token": true in the initial request to paginate the response data.
next_page_token
optional
String
If "use_page_token": true was included in the initial request, the response for that request will include a page token. Use "next_page_token": "string" to pass that page token into the next request to paginate the next set of data.
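The filter constraints above (which operators are valid for which fields) and the use_page_token / next_page_token pagination flow, as an added Python example that is not Palo Alto Networks' code. It assumes the response shape {"reply": {"alerts": [...], "next_page_token": ...}}, which this page does not show, and it uses a constructed offline stand-in for the HTTP call so it runs without credentials; the API host, key and key ID are read from environment variables only if you wire in a real transport.

```python
"""Added example: build, validate and paginate get_alerts_multi_events requests.
Not Palo Alto Networks' code; the response shape and the env variable names
are assumptions for illustration."""
import json
import os
from typing import Callable, Dict, Iterator, List, Optional

API_PATH = "/public_api/v2/alerts/get_alerts_multi_events/"
MAX_PAGE = 100  # documented maximum result set size / search_to

# Field/operator pairings as documented on this page.
IN_FIELDS = {"alert_id_list", "alert_source", "asm_alert_categories", "case_id_list",
             "business_units_list", "cloud_management_status", "tags",
             "xpanse_policy_id", "severity", "integration_source"}
GTE_LTE_FIELDS = {"creation_time", "first_observed", "last_observed"}
RANGE_FIELDS = {"first_observed", "last_observed"}
SORT_FIELDS = {"creation_time", "severity", "server_creation_time"}
SORT_KEYWORDS = {"ASC", "asc", "DESC", "desc"}


def auth_headers(api_key: str, api_key_id: str) -> Dict[str, str]:
    """The two required request headers plus content negotiation."""
    return {"Accept": "application/json", "Content-Type": "application/json",
            "authorization": api_key, "x-xdr-auth-id": api_key_id}


def filter_error(field: str, operator: str, value) -> Optional[str]:
    """Return a message describing why this filter is invalid, or None if it
    matches the documented field/operator pairings."""
    if operator == "in" and field not in IN_FIELDS:
        return f"'in' is not documented for field {field}"
    if operator in ("gte", "lte") and field not in GTE_LTE_FIELDS:
        return f"'{operator}' is only for timestamp fields, not {field}"
    if operator in ("range", "relative_timestamp") and field not in RANGE_FIELDS:
        return f"'{operator}' is only for first_observed/last_observed, not {field}"
    if operator == "range" and not (isinstance(value, dict) and {"from", "to"} <= set(value)):
        return "'range' needs a value object with 'from' and 'to'"
    if field in ("alert_id_list", "case_id_list") and operator == "in":
        if not (isinstance(value, list) and all(isinstance(v, int) for v in value)):
            return f"{field} must be a list of integers"
    return None


def make_filter(field: str, operator: str, value) -> Dict:
    err = filter_error(field, operator, value)
    if err:
        raise ValueError(err)
    return {"field": field, "operator": operator, "value": value}


def build_request(filters: List[Dict], search_from: int = 0, search_to: int = MAX_PAGE,
                  sort_field: str = "creation_time", sort_keyword: str = "desc",
                  use_page_token: bool = True) -> Dict:
    """Assemble the {"request_data": {...}} body, enforcing the documented limits."""
    if not 0 <= search_from <= search_to <= MAX_PAGE:
        raise ValueError(f"need 0 <= search_from <= search_to <= {MAX_PAGE}")
    if sort_field not in SORT_FIELDS or sort_keyword not in SORT_KEYWORDS:
        raise ValueError("unsupported sort field or keyword")
    return {"request_data": {"filters": filters, "search_from": search_from,
                             "search_to": search_to,
                             "sort": {"field": sort_field, "keyword": sort_keyword},
                             "use_page_token": use_page_token}}


def iter_alerts(post: Callable[[Dict], Dict], body: Dict) -> Iterator[Dict]:
    """Yield alerts across pages: send the initial request with use_page_token,
    then resend with next_page_token until the API stops returning one.
    A repeated token aborts the loop rather than spinning forever."""
    req = json.loads(json.dumps(body))  # private copy; do not mutate the caller's body
    req["request_data"]["use_page_token"] = True
    req["request_data"].pop("next_page_token", None)
    seen = set()
    while True:
        reply = post(req).get("reply", {})  # assumed response envelope
        alerts = reply.get("alerts") or []
        yield from alerts
        token = reply.get("next_page_token")
        if not token or not alerts:
            return
        if token in seen:
            raise RuntimeError("API returned a page token already used; aborting")
        seen.add(token)
        req["request_data"]["next_page_token"] = token


def make_fake_post(pages: List[List[Dict]]) -> Callable[[Dict], Dict]:
    """Constructed offline stand-in for the HTTP POST: serves one page per call
    and checks that the caller echoed the token handed out on the previous call."""
    calls: List[Dict] = []

    def post(body: Dict) -> Dict:
        idx = len(calls)
        calls.append(json.loads(json.dumps(body)))
        got = body["request_data"].get("next_page_token")
        if idx > 0 and got != f"tok-{idx}":
            raise ValueError(f"expected next_page_token tok-{idx}, got {got!r}")
        alerts = pages[idx] if idx < len(pages) else []
        token = f"tok-{idx + 1}" if idx + 1 < len(pages) else None
        return {"reply": {"alerts": alerts, "next_page_token": token}}

    post.calls = calls  # type: ignore[attr-defined]
    return post


if __name__ == "__main__":
    # Real use would POST json.dumps(body) with auth_headers(os.environ["XPANSE_API_KEY"],
    # os.environ["XPANSE_API_KEY_ID"]) to https://<your tenant host>/ + API_PATH (assumed names).
    body = build_request([make_filter("severity", "in", ["high", "critical"]),
                          make_filter("last_observed", "relative_timestamp", 7 * 24 * 3600 * 1000)])
    fake = make_fake_post([[{"alert_id": 1}, {"alert_id": 2}], [{"alert_id": 3}]])
    print(len(list(iter_alerts(fake, body))), "alerts over", len(fake.calls), "calls")
```

The fake transport is only there so the pagination loop can be exercised offline; swap it for a real POST that returns the parsed JSON and the loop is unchanged. Keep search_to at or below 100 per page and let the token, not search_from, drive the walk when use_page_token is set.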
Responses