Get Alerts

Cortex Xpanse REST API

post /public_api/v2/alerts/get_alerts_multi_events/

Note: You can send a request to retrieve all or filtered results.
Required license: **Cortex Xpanse Expander**

Get a single alert or a list of alerts with multiple events.
  • Multiple filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set.

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: {{api_key}}" \
  -H "x-xdr-auth-id: {{api_key_id}}" \
  "https://api-{{fqdn}}/public_api/v2/alerts/get_alerts_multi_events/" \
  -d '{
    "request_data": {
      "search_from": 0,
      "search_to": 0,
      "next_page_token": "next_page_token",
      "use_page_token": true,
      "filters": [
        { "field": "business_units_list", "value": "AlertFilter_value", "operator": "gte" },
        { "field": "business_units_list", "value": "AlertFilter_value", "operator": "gte" }
      ],
      "sort": { "field": "creation_time", "keyword": "desc" }
    }
  }'
Request headers
authorization
required
String
api-key
Example: {{api_key}}
x-xdr-auth-id
required
String
api-key-id
Example: {{api_key_id}}
Request
Body
required
If no parameters are included, all results will be returned.
Example: {"request_data":{"filters":[{"field":"business_units_list","operator":"gte","value":"string"}],"search_from":0,"search_to":100,"sort":{"field":"creation_time","keyword":"desc"},"use_page_token":true,"next_page_token":"string"}}
request_data
required
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
An array of filter fields.
field
optional
String (Enum)
Identifies the alert fields the filter is matching.
Allowed values:
business_units_list
tags
asm_alert_categories
attack_surface_rule_id
alert_id_list
external_id_list
alert_source
creation_time
last_modified_ts
server_creation_time
severity
status
attack_surface_rule_name
host_name
xpanse_policy_id
case_id_list
cloud_management_status
integration_source
aws_cloud_tags
gcp_cloud_tags
azure_cloud_tags
first_observed
last_observed
operator
optional
String (Enum)

String that identifies the comparison operator you want to use for this filter. Possible values:

  • in — Use with alert_id_list, alert_source, asm_alert_categories, case_id_list, business_units_list, cloud_management_status, tags, xpanse_policy_id, severity, integration_source.
  • gte — Filters data from a specific timestamp onwards. Use with creation_time, first_observed, last_observed.
  • lte — Filters data up to a specific timestamp. Use with creation_time, first_observed, last_observed.
  • range — Filters data between two specific timestamps. Use with first_observed, last_observed.
  • relative_timestamp — Filters data relative to the current time (e.g., last 30 days). Use with first_observed, last_observed.
Allowed values:
gte
lte
in
eq
neq
range
relative_timestamp
value
optional

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • alert_id_list — List of integers. Each item in the list must be an alert ID.
  • alert_source — List of strings.
  • asm_alert_categories — List of strings. Example values: "Development Infrastructure", "Unpatched, Misconfigured, and end-of-life (EOL) systems".
  • business_units_list — String or list of strings in the format "BU name" or "BU:BU name", for example “Acme & Co, Inc.” or “BU:Acme & Co, Inc.”
  • case_id_list — List of integers. Each item in the list must be a case ID.
  • cloud_management_status — String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
  • creation_time — Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field and represented in the console under the TIMESTAMP field.
  • external_id_list — List of strings representing external IDs.
  • first_observed — Values in milliseconds format:
    • with the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format
    • with the range operator, specify "from" and "to" values as timestamps in milliseconds format, for example "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
    • with the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format
  • integration_source — Valid values: AWS, AZURE, GOOGLE, PRISMA_CLOUD
  • last_observed — Values in milliseconds format:
    • with the gte or lte operator, specify a specific date or time as a timestamp in milliseconds format
    • with the range operator, specify "from" and "to" values as timestamps in milliseconds format, for example "value": { "from": "{{previous30Days}}", "to": "{{previous7Days}}" }
    • with the relative_timestamp operator, specify the time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format
  • severity — Valid values: low, medium, high, critical, informational
  • status — Valid values: new, reopened, resolved_no_risk, resolved_risk_accepted, resolved_no_longer_observed, resolved_contested_asset, resolved_remediated_automatically, resolved, under_investigation.
  • tags — List of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".
  • xpanse_policy_id — List of strings representing the xpanse policy IDs.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list; any alert indexed lower than this value is not included in the final result set. Defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want alerts returned. Alerts indexed higher than this value are not included in the final result set. Defaults to 100, which returns all alerts to the end of the list. Use this field to specify the number of results per page when using page token pagination.
Maximum value: 100
sort
optional
Object
Identifies the sort order for the result set.
field
optional
String (Enum)
Can either be severity or creation_time.
Allowed values:
creation_time
severity
server_creation_time
keyword
optional
String (Enum)
Can either be ASC (ascending order) or DESC (descending order). Case sensitive.
Allowed values:
ASC
asc
DESC
desc
use_page_token
optional
Boolean
Use "use_page_token":true in the initial request to paginate the response data.
next_page_token
optional
String
If "use_page_token":true was included in the initial request, the response for that request will include a page token. Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.
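As an added example (not code from this API reference), the following Python builds request_data respecting the operator/field pairings and the 100-result limit documented above, then walks the full result set with use_page_token and next_page_token. The injected post callable, SAMPLE_PAGES and run_demo are assumed stand-ins for a real HTTP client and real replies.

```python
# Operator/field pairings as listed on this page (assumed to be the complete set).
TS = {"creation_time", "first_observed", "last_observed"}
OPERATOR_FIELDS = {
    "in": {"alert_id_list", "alert_source", "asm_alert_categories", "case_id_list",
           "business_units_list", "cloud_management_status", "tags", "xpanse_policy_id",
           "severity", "integration_source"},
    "gte": TS, "lte": TS,
    "range": TS - {"creation_time"}, "relative_timestamp": TS - {"creation_time"},
}
MAX_PAGE = 100  # maximum result set size documented for this endpoint

def build_request(filters, search_from=0, search_to=MAX_PAGE,
                  sort_field="creation_time", keyword="desc", next_page_token=None):
    """Assemble request_data, rejecting field/operator pairs the page does not list."""
    for f in filters:
        if f["field"] not in OPERATOR_FIELDS.get(f["operator"], ()):
            raise ValueError(f"operator {f['operator']!r} not valid for {f['field']!r}")
    if not 0 <= search_from <= search_to <= MAX_PAGE:
        raise ValueError("need 0 <= search_from <= search_to <= 100")
    data = {"filters": filters, "search_from": search_from, "search_to": search_to,
            "sort": {"field": sort_field, "keyword": keyword}, "use_page_token": True}
    if next_page_token:
        data["next_page_token"] = next_page_token
    return {"request_data": data}

def fetch_all_alerts(post, filters, page_size=MAX_PAGE):
    """Walk every page through next_page_token. `post` is an injected callable that
    sends a body and returns the parsed reply (assumed: a wrapper around requests.post)."""
    token, alerts = None, []
    while True:
        reply = post(build_request(filters, search_to=page_size, next_page_token=token))["reply"]
        alerts.extend(reply.get("alerts", []))
        token = reply.get("next_page_token")  # absent on the last page
        if not token or reply["result_count"] == 0:
            return alerts

# Constructed sample replies standing in for the API (not real Xpanse data).
SAMPLE_PAGES = [
    {"reply": {"total_count": 3, "result_count": 2, "next_page_token": "tok-2",
               "alerts": [{"alert_id": "a1"}, {"alert_id": "a2"}]}},
    {"reply": {"total_count": 3, "result_count": 1, "alerts": [{"alert_id": "a3"}]}},
]

def run_demo():
    """Drive the pager over the sample pages; returns (alert ids, bodies sent)."""
    pages, sent = list(SAMPLE_PAGES), []
    def post(body):
        sent.append(body); return pages.pop(0)
    filters = [{"field": "severity", "operator": "in", "value": ["high", "critical"]}]
    return [a["alert_id"] for a in fetch_all_alerts(post, filters, 2)], sent
```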
Responses

Successful response

Body
reply
required
Object
total_count
required
Integer
The total number of results for this filter without paging. If the filter matched 10,000 results or more, the value is 9,999; use paging to view the entire set of data.
result_count
required
Integer
The number of alerts actually returned in this response.
alerts
optional
Array of objects
A list of alerts.
category
optional
String
project
optional
String
cloud_provider
optional
String
resource_sub_type
optional
String
resource_type
optional
String
action_country
optional
Array of strings
description
optional
String
events
optional
String
event_type
optional
String
is_whitelisted
optional
Boolean
image_name
optional
String
action_local_ip
optional
String
action_local_port
optional
String
mitre_tactic_id_and_name
optional
Array of strings
mitre_technique_id_and_name
optional
Array of strings
action_external_hostname
optional
String
action_remote_ip
optional
Array of strings
action_remote_port
optional
Array of integers
matching_service_rule_id
optional
String
starred
optional
Boolean
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
String
local_insert_ts
optional
Integer
The UNIX timestamp that this record was written to the database
last_modified_ts
optional
Integer
The UNIX timestamp that this record was last modified
case_id
optional
Integer
deduplicate_tokens
optional
String
filter_rule_id
optional
String
event_id
optional
String
event_timestamp
optional
Array of integers
action_local_ip_v6
optional
String
action_remote_ip_v6
optional
Array of strings
alert_type
optional
String
resolution_status
optional
String
resolution_comment
optional
String
dynamic_fields
optional
String
tags
optional
Array of strings
malicious_urls
optional
String
asm_alert_categories
optional
Array of strings
aws_cloud_tags
optional
Array of strings
azure_cloud_tags
optional
Array of strings
gcp_cloud_tags
optional
Array of strings
last_observed
optional
Integer
country_codes
optional
Array of strings
cloud_providers
optional
Array of strings
ipv4_addresses
optional
Array of strings
ipv6_addresses
optional
Array of strings
domain_names
optional
Array of strings
service_ids
optional
Array of strings
website_ids
optional
Array of strings
asset_ids
optional
Array of strings
certificate
optional
Object
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
port_protocol
optional
String
port_number
optional
Integer
cloud_management_status
optional
String
business_unit_hierarchies
optional
Array
attack_surface_rule_name
optional
String
remediation_guidance
optional
String
attack_surface_rule_id
optional
String
asset_identifiers
optional
Array of objects
domain
optional
String
certificate
optional
Object
issuerName
optional
String
subjectName
optional
String
validNotBefore
optional
Integer
validNotAfter
optional
Integer
serialNumber
optional
String
ipv4Address
optional
String
ipv6Address
optional
String
httpPath
optional
String
portNumber
optional
Integer
portProtocol
optional
String
firstObserved
optional
Integer
lastObserved
optional
Integer
integration_source
optional
String
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
endpoint_id
optional
String
host_ip
optional
String
host_name
optional
String
action
optional
String
source
optional
String
user_name
optional
String
mac_addresses
optional
String
action_pretty
optional
String
next_page_token
optional
String
This attribute is only returned if use_page_token is provided in the request with the value true.

Bad Request. Got an invalid JSON.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unprocessable Entity

Body
code
optional
Integer
Error code
status
optional
String
Error name
message
optional
String
Error message
errors
optional
Object
Errors

Internal server error. A unified status for API communication type errors.

Body
reply
required
Object
The query results upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.