Get Alerts

Cortex Xpanse REST API

post /public_api/v2/alerts/get_alerts_multi_events

Get a single alert or a list of alerts with multiple events.

  • Filter conditions are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set.

Note: You can send a request to retrieve all or filtered results.

Required license: Cortex Xpanse Expander

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "authorization: authorization_example" \
  -H "x-xdr-auth-id: xXdrAuthId_example" \
  "https://api-yourfqdn/public_api/v2/alerts/get_alerts_multi_events" \
  -d '{
    "request_data": {
      "search_from": 0,
      "next_page_token": "next_page_token",
      "filters": [
        { "field": "field", "value": [ "", "" ], "operator": "operator" },
        { "field": "field", "value": [ "", "" ], "operator": "operator" }
      ],
      "sort": { "field": "field", "keyword": "keyword" },
      "search_to": 6,
      "use_page_token": true
    }
  }'
Request headers
authorization
required
String
api_key
Example: authorization_example
x-xdr-auth-id
required
String
api_key_id
Example: xXdrAuthId_example
Request
Body
optional
If no parameters are included, all results will be returned.
Example: {"request_data":{}}
request_data
required

A dictionary containing the API request fields.

An empty dictionary returns all results.

filters
optional
Array
An array of filter fields.
field
optional
String

Identifies the alert fields the filter is matching. Possible values are:

  • alert_id_list: List of integers representing alert IDs. Use this filter to request a single alert.
  • alert_source
  • business_units_list
  • cloud_management_status
  • creation_time
  • external_id_list
  • severity
  • status
  • tags
  • xpanse_policy_id: Matches on the specified Xpanse policy IDs. Xpanse policies are referred to as attack surface rules in the Expander UI.
operator
optional
String

String that identifies the comparison operator you want to use for this filter. Possible values:

  • in: use with alert_id_list, alert_source, business_units_list, cloud_management_status, tags, xpanse_policy_id, and severity.
  • gte/lte: use with creation_time only.
value
optional
Array of objects

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • alert_id_list: List of integers. Each item in the list must be an alert ID.
  • alert_source: List of strings.
  • business_units_list: String or list of strings in the format "BU name" or "BU:BU name", for example "Acme & Co, Inc." or "BU:Acme & Co, Inc."
  • cloud_management_status: String. Values are Managed Cloud, Unmanaged Cloud, and Not Applicable.
  • creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field and represented in the console under the TIMESTAMP field.
  • external_id_list: List of strings representing external IDs.
  • severity: Valid values: low, medium, high, critical, informational.
  • status: Valid values: new, resolved_no_risk, resolved_risk_accepted, resolved_no_longer_observed, resolved_contested_asset, resolved_remediated_automatically, resolved, under_investigation.
  • tags: List of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".
  • xpanse_policy_id: List of strings representing the Xpanse policy IDs.
search_from
optional
Integer

An integer representing the starting offset within the query result set from which you want alerts returned.

Alerts are returned as a zero-based list. Any alert indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to
optional
Integer

An integer representing the end offset within the result set after which you do not want alerts returned.

Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list. Use this field to specify the number of results on a page when using page token pagination.

Max value - 100

sort
optional
Identifies the sort order for the result set. Sort is not supported when using the use_page_token/next_page_token fields.
field
optional
String
Can either be severity or creation_time.
keyword
optional
String
Can either be ASC (ascending order) or DESC (descending order). Case sensitive.
use_page_token
optional
Boolean
Use "use_page_token":true in the initial request to paginate the response data. Sort is not supported when using the use_page_token/next_page_token fields.
next_page_token
optional
String
If "use_page_token":true was included in the initial request, the response for that request will include a page token. Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.
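The filter and page-token flow described above, as an added client example (not Palo Alto Networks' code). The API host, the HTTP transport and the alert data are stand-ins constructed here so it runs offline, and it assumes the page token comes back under reply.next_page_token, which the response reference on this page does not spell out.

```python
from typing import Callable, Iterator, List, Optional

# Endpoint path from the reference above; the host is a placeholder.
ENDPOINT = "https://api-yourfqdn/public_api/v2/alerts/get_alerts_multi_events"
PAGE_SIZE_MAX = 100  # documented maximum result set size

# Constructed filters: high/critical alerts created at or after a Unix-ms timestamp.
# Filters are ANDed by the API; the timestamp value is a sample, not real data.
HIGH_SEVERITY_FILTERS = [
    {"field": "severity", "operator": "in", "value": ["high", "critical"]},
    {"field": "creation_time", "operator": "gte", "value": 1700000000000},
]


def build_request(filters: List[dict], page_size: int = PAGE_SIZE_MAX,
                  next_page_token: Optional[str] = None) -> dict:
    """Build the request body. `sort` is deliberately omitted because it is
    not supported together with use_page_token/next_page_token."""
    if not 1 <= page_size <= PAGE_SIZE_MAX:
        raise ValueError("search_to must be between 1 and %d" % PAGE_SIZE_MAX)
    data = {"filters": filters, "search_from": 0, "search_to": page_size,
            "use_page_token": True}
    if next_page_token:
        data["next_page_token"] = next_page_token
    return {"request_data": data}


def iter_alerts(post: Callable[[dict], dict], filters: List[dict],
                page_size: int = PAGE_SIZE_MAX) -> Iterator[dict]:
    """Yield every matching alert by following next_page_token until the
    server stops returning one. `post` sends a body and returns parsed JSON."""
    token, seen = None, set()
    while True:
        reply = post(build_request(filters, page_size, token))["reply"]
        yield from reply.get("alerts", [])
        token = reply.get("next_page_token")  # assumed location of the token
        if not token or token in seen:        # exhausted, or server looping
            return
        seen.add(token)


# Constructed offline stand-in for the API: 250 fake alerts, token = offset.
_FAKE_ALERTS = [{"alert_id": str(i), "severity": "high"} for i in range(250)]


def fake_post(body: dict) -> dict:
    rd = body["request_data"]
    start = int(rd.get("next_page_token") or 0)
    end = min(start + rd["search_to"], len(_FAKE_ALERTS))
    reply = {"total_count": len(_FAKE_ALERTS), "result_count": end - start,
             "alerts": _FAKE_ALERTS[start:end]}
    if end < len(_FAKE_ALERTS):
        reply["next_page_token"] = str(end)
    return {"reply": reply}
```

Swapping fake_post for a real transport means a function that POSTs the body to ENDPOINT with the authorization and x-xdr-auth-id headers shown in the curl example.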
Responses

Successful response

Body
reply
optional
total_count
optional
Integer
The total number of results matching this filter, without paging. If the filter matched 10,000 results or more, the value will be 9999, and you can use paging to view the entire set of data.
result_count
optional
Integer
The number of alerts actually returned in this response.
alerts
optional
Array
A list of alerts.
category
optional
String
project
optional
String
cloud_provider
optional
String
resource_sub_type
optional
Object
resource_type
optional
Object
action_country
optional
Array of strings
description
optional
String
events
optional
String
event_type
optional
String
is_whitelisted
optional
Boolean
image_name
optional
Object
action_local_ip
optional
Object
action_local_port
optional
Object
action_external_hostname
optional
Object
action_remote_ip
optional
Object
action_remote_port
optional
Array of integers
matching_service_rule_id
optional
Object
starred
optional
Boolean
external_id
optional
String
severity
optional
String
matching_status
optional
String
end_match_attempt_ts
optional
Object
local_insert_ts
optional
Integer
last_modified_ts
optional
Object
case_id
optional
Integer
deduplicate_tokens
optional
Object
filter_rule_id
optional
Object
event_id
optional
Object
event_timestamp
optional
Array of integers
action_local_ip_v6
optional
Object
action_remote_ip_v6
optional
Object
alert_type
optional
String
resolution_status
optional
String
resolution_comment
optional
Object
dynamic_fields
optional
Object
malicious_urls
optional
Object
last_observed
optional
Integer
country_codes
optional
Array of strings
cloud_providers
optional
Array of strings
ipv4_addresses
optional
Array of strings
ipv6_addresses
optional
Object
domain_names
optional
Object
service_ids
optional
Array of strings
website_ids
optional
Object
asset_ids
optional
Array of strings
certificate
optional
Object
port_protocol
optional
String
business_unit_hierarchies
optional
Object
attack_surface_rule_name
optional
String
remediation_guidance
optional
String
alert_id
optional
String
detection_timestamp
optional
Integer
name
optional
String
endpoint_id
optional
Object
host_ip
optional
Object
host_name
optional
String
action
optional
String
original_tags
optional
Object
user_name
optional
Object
mac_addresses
optional
Object
source
optional
Object
action_pretty
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
err_extra
optional
String
Additional information describing the error.