Viewing a list of alerts
GET /xdr/api/v1/alerts
Returns a list of alerts for the specified tenants.
Example:
https://api.example.com/xdr/api/v1/alerts?tenantID=00000000-0000-0000-0000-000000000000&withHistory
Query parameters
Name | Data type | Mandatory | Description | Value example
--- | --- | --- | --- | ---
page | number | No | The page number. Starts with 1. The page size is 100 entries. If the value is not specified or set to a value below 1, the value 1 is used. | 1
id | string | No | The alert id. If multiple values are specified, a list is formed to which the OR logical operator is applied. If no alert with a specified id is found, this id value is ignored. If no id value is specified, all alerts for the specified tenants are returned. | 00000000-0000-0000-0000-000000000000
tenantID | string | Yes | The tenant id. If multiple values are specified, a list is formed to which the OR logical operator is applied. If the user does not have the Read right for any of the specified tenants, the query fails. | 00000000-0000-0000-0000-000000000000
name | string | No | The alert name. A case-insensitive regular expression (PCRE). | alert, ^My alert$
timestampField | string | No | The alert data field used to sort (in descending order) and filter (the from and to parameters) the list of alerts. The default value is lastSeen. | lastSeen, firstSeen
from | string | No | The start of the time interval used to filter the list of alerts, in RFC3339 format. Use the timestampField value to specify the alert data field. | 2021-09-06T00:00:00Z, 2021-09-06T00:00:00.000Z, 2021-09-06T00:00:00Z+00:00
to | string | No | The end of the time interval used to filter the list of alerts, in RFC3339 format. Use the timestampField value to specify the alert data field. | 2021-09-06T00:00:00Z, 2021-09-06T00:00:00.000Z, 2021-09-06T00:00:00Z+00:00
status | string | No | The alert status. If multiple values are specified, a list is formed to which the OR logical operator is applied. | new, inProgress, inIncident, closed
withEvents | bool | No | Specifies whether to include normalized events from KUMA. | /xdr/api/v1/alerts?withEvents
withAffected | bool | No | Specifies whether to include detailed data about assets and accounts related to the alerts. | /xdr/api/v1/alerts?withAffected, /xdr/api/v1/alerts?withAffected=123
withHistory | bool | No | Specifies whether to include data about changes made to the alerts. | /xdr/api/v1/alerts?withHistory, /xdr/api/v1/alerts?withHistory=123
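The following client-side helper is an added example, not code from the XDR product or its vendor. It builds the query string exactly as the table above describes (repeated tenantID/id/status keys form an OR list, page values below 1 are clamped to 1, from/to are checked for RFC3339 shape before the request, and the three bool switches are appended as bare presence flags) and then pages through the result using the Total field of the response. How the HTTP session is authenticated is not described on this page, so the code takes a `fetch` callable supplied by the caller; `fake_xdr` is a constructed stand-in for the backend used only to exercise the pager offline.

```python
"""Query builder and pager for GET /xdr/api/v1/alerts (added example, not vendor code)."""
import re
from typing import Callable, Iterator, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

ALERTS_PATH = "/xdr/api/v1/alerts"
PAGE_SIZE = 100  # fixed page size stated in the reference
VALID_STATUS = {"new", "inProgress", "inIncident", "closed"}
VALID_TS_FIELD = {"lastSeen", "firstSeen"}
# RFC3339 timestamp: date, "T", time, optional fraction, "Z" or a numeric offset.
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def _rfc3339(value: str, name: str) -> str:
    """Fail fast on the client instead of waiting for a 400 'cannot parse from/to'."""
    if not RFC3339.match(value):
        raise ValueError(f"{name} is not RFC3339: {value!r}")
    return value


def build_alerts_query(
    tenant_ids: Sequence[str],
    page: int = 1,
    alert_ids: Sequence[str] = (),
    name: Optional[str] = None,
    status: Sequence[str] = (),
    timestamp_field: Optional[str] = None,
    time_from: Optional[str] = None,
    time_to: Optional[str] = None,
    with_events: bool = False,
    with_affected: bool = False,
    with_history: bool = False,
) -> str:
    """Return path + query string for one page of the alert list."""
    if not tenant_ids:
        raise ValueError("tenantID is mandatory")
    bad = [s for s in status if s not in VALID_STATUS]
    if bad:
        raise ValueError(f"invalid status: {bad}")
    if timestamp_field is not None and timestamp_field not in VALID_TS_FIELD:
        raise ValueError(f"invalid timestamp field: {timestamp_field!r}")
    # Repeating a key (tenantID, id, status) is how the API forms an OR list.
    params = [("tenantID", t) for t in tenant_ids]
    params.append(("page", str(max(int(page), 1))))  # server clamps <1 to 1; mirror it
    params += [("id", a) for a in alert_ids]
    if name is not None:
        params.append(("name", name))  # case-insensitive PCRE; urlencode escapes ^ $ and spaces
    params += [("status", s) for s in status]
    if timestamp_field:
        params.append(("timestampField", timestamp_field))
    if time_from:
        params.append(("from", _rfc3339(time_from, "from")))
    if time_to:
        params.append(("to", _rfc3339(time_to, "to")))
    query = urlencode(params)
    # withEvents/withAffected/withHistory are presence flags (?withHistory): append them bare.
    for flag, on in (("withEvents", with_events), ("withAffected", with_affected), ("withHistory", with_history)):
        if on:
            query += "&" + flag
    return f"{ALERTS_PATH}?{query}"


class AlertsApiError(RuntimeError):
    """A non-200 reply; the page lists 400 (bad filter), 403 (access denied) and 500."""

    def __init__(self, status_code: int, body: dict):
        super().__init__(f"HTTP {status_code}: {body.get('message', body)}")
        self.status_code = status_code
        self.body = body


def iter_alerts(fetch: Callable[[str], Tuple[int, dict]], **filters) -> Iterator[dict]:
    """Yield every matching alert, requesting page=1,2,... until Total is reached.

    `fetch` performs the authenticated GET and returns (status_code, json_body);
    authentication is not covered on this page and is left to the caller.
    """
    seen, page = 0, 1
    while True:
        code, body = fetch(build_alerts_query(page=page, **filters))
        if code != 200:
            raise AlertsApiError(code, body)
        alerts = body.get("Alerts") or []
        yield from alerts
        seen += len(alerts)
        if not alerts or seen >= body.get("Total", 0) or len(alerts) < PAGE_SIZE:
            return
        page += 1


def fake_xdr(query: str) -> Tuple[int, dict]:
    """Constructed stand-in for the backend: 250 alerts, served 100 per page."""
    qs = parse_qs(urlsplit(query).query)
    if "tenantID" not in qs:
        return 403, {"message": "access denied"}
    page, total = int(qs.get("page", ["1"])[0]), 250
    start = (page - 1) * PAGE_SIZE
    alerts = [{"ID": i, "Status": "new"} for i in range(start, min(start + PAGE_SIZE, total))]
    return 200, {"Total": total, "Alerts": alerts}


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"
    print(build_alerts_query([tenant], status=["new"], with_history=True))
    print(sum(1 for _ in iter_alerts(fake_xdr, tenant_ids=[tenant])))
```

Two practical consequences of the parameter semantics are worth keeping in mind when wiring this into a real session: because the whole query fails with 403 if the caller lacks the Read right for even one listed tenant, a collector that serves several tenants should query them one at a time rather than batching tenantIDs, so one revoked right does not silently stop ingestion for all of them; and because timestampField is both the sort key and the from/to filter key, an incremental poller should keep its watermark on the same field it filters on (lastSeen by default).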
Response
HTTP code: 200
Format: JSON
Example:
{
  "Total": 0,
  "Alerts": [
    {
      "ID": 0,
      "InternalID": "881dee1f-380d-4366-a2d8-094e0af4c3f6",
      "TenantID": "string",
      "Assets": [
        {
          "Data": {},
          "ID": "string",
          "IsAttacker": true,
          "IsVictim": true,
          "KSCServer": "string",
          "Name": "string",
          "Type": "host",
          "HostInfo": {
            "ID": "string",
            "TenantID": "string",
            "DisplayName": "string",
            "AssetSource": "string",
            "CreatedAt": 0,
            "IsDeleted": true,
            "IpAddress": [
              "string"
            ],
            "Fqdn": [
              "string"
            ],
            "MacAddress": [
              "string"
            ],
            "DirectCategories": [
              "string"
            ],
            "Weight": "low",
            "CiiCategory": "notCII",
            "OS": "string",
            "OSVersion": "string",
            "Sources": [
              "ksc"
            ],
            "LastVisible": 0,
            "Products": [
              {
                "ProductVersion": "string",
                "ProductName": "string"
              }
            ],
            "KSC": {
              "GroupID": 0,
              "GroupName": "string",
              "StatusMask": [
                0
              ],
              "StatusID": 0,
              "RtProtectionState": 0,
              "EncryptionState": 0,
              "AntiSpamStatus": 0,
              "EmailAvStatus": 0,
              "DlpStatus": 0,
              "EdrStatus": 0,
              "LastAvBasesUpdate": 0,
              "LastInfoUpdate": 0,
              "LastUpdate": 0,
              "LastSystemStart": 0,
              "VirtualServerID": 0
            },
            "KICS": {
              "status": "string",
              "risks": [
                {
                  "ID": 0,
                  "Name": "string",
                  "Category": "string",
                  "Description": "string",
                  "DescriptionURL": "string",
                  "Severity": 0,
                  "Cvss": 0
                }
              ],
              "serverIP": "string",
              "connectorID": 0,
              "deviceID": 0,
              "hardware": {
                "Model": "string",
                "Version": "string",
                "Vendor": "string"
              },
              "software": {
                "Model": "string",
                "Version": "string",
                "Vendor": "string"
              }
            }
          },
          "UserInfo": {
            "osmpId": "string",
            "tenantID": "string",
            "tenantName": "string",
            "domain": "string",
            "cn": "string",
            "displayName": "string",
            "distinguishedName": "string",
            "mail": "string",
            "mailNickname": "string",
            "mobile": "string",
            "objectSID": "string",
            "samAccountName": "string",
            "samAccountType": "string",
            "telephoneNumber": "string",
            "userPrincipalName": "string",
            "isArchived": true,
            "memberOf": [
              "string"
            ],
            "title": "string",
            "division": "string",
            "department": "string",
            "manager": "string",
            "location": "string",
            "company": "string",
            "streetAddress": "string",
            "physicalDeliveryOfficeName": "string",
            "managedObjects": [
              "string"
            ],
            "userAccountControl": "string",
            "whenCreated": 0,
            "whenChanged": 0,
            "accountExpires": 0,
            "badPasswordTime": 0
          }
        }
      ],
      "Assignee": {
        "ID": "string",
        "Name": "string"
      },
      "CreatedAt": "2024-01-16T09:55:50.417Z",
      "DetectionTechnologies": [
        "string"
      ],
      "Extra": {
        "additionalProp1": "string",
        "additionalProp2": "string",
        "additionalProp3": "string"
      },
      "IncidentID": "string",
      "IncidentLinkType": "auto",
      "FirstEventTime": "2024-01-16T09:55:50.417Z",
      "LastEventTime": "2024-01-16T09:55:50.417Z",
      "MITRETactics": [
        {
          "ID": "string"
        }
      ],
      "MITRETechniques": [
        {
          "ID": "string"
        }
      ],
      "Observables": [
        {
          "Details": "string",
          "Type": "ip",
          "Value": "string"
        }
      ],
      "OriginalEvents": [
        {}
      ],
      "Rules": [
        {
          "Confidence": "high",
          "Custom": true,
          "ID": "string",
          "Name": "string",
          "Severity": "critical",
          "Type": "string"
        }
      ],
      "Severity": "critical",
      "SourceCreatedAt": "2024-01-16T09:55:50.417Z",
      "SourceID": "string",
      "ExternalRef": "string",
      "Status": "new",
      "StatusChangedAt": "2024-01-16T09:55:50.417Z",
      "StatusResolution": "truePositive",
      "UpdatedAt": "2024-01-16T09:55:50.417Z",
      "HistoryRecords": [
        {
          "entityID": "string",
          "entityKind": "Alert",
          "tenantID": "string",
          "type": "alertAssigned",
          "createdAt": "2024-03-12T11:10:59.329Z",
          "params": {}
        }
      ]
    }
  ]
}
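The response shape above is nested several levels deep, and the first thing an analyst usually wants from it is a flat view: which hosts are attackers versus victims, which accounts were involved, the MITRE technique IDs, the observables grouped by type, and the order of changes in HistoryRecords. The function below is an added example (not vendor code) that produces that view. It relies only on fields shown in the response example; the asset Type value for accounts is not shown on the page, so accounts are detected by the presence of UserInfo, hosts with HostInfo.IsDeleted set are deliberately skipped so nobody pivots on a stale inventory entry, and the sample alert is constructed data with placeholder names (including a second history type beyond alertAssigned).

```python
"""Triage summary of one alert from GET /xdr/api/v1/alerts (added example, not vendor code)."""
from typing import Dict, List


def _host_ids(asset: dict) -> List[str]:
    """FQDNs first, then IPs, then the asset Name; deleted inventory entries yield nothing."""
    info = asset.get("HostInfo") or {}
    if info.get("IsDeleted"):
        return []
    return list(info.get("Fqdn") or info.get("IpAddress") or [asset.get("Name") or asset.get("ID")])


def _account_id(asset: dict) -> str:
    info = asset.get("UserInfo") or {}
    return info.get("userPrincipalName") or info.get("samAccountName") or asset.get("Name") or asset.get("ID")


def summarize_alert(alert: dict) -> Dict[str, object]:
    """Flatten one alert record into the fields an analyst pivots on first."""
    attackers, victims, accounts = [], [], []
    for asset in alert.get("Assets") or []:
        # Type "host" carries HostInfo (shown on the page). Treating any asset with
        # UserInfo as an account is an assumption: the account Type value is not shown.
        if asset.get("Type") == "host":
            ids = _host_ids(asset)
            if asset.get("IsAttacker"):
                attackers += ids
            if asset.get("IsVictim"):
                victims += ids
        elif asset.get("UserInfo"):
            accounts.append(_account_id(asset))
    observables: Dict[str, List[str]] = {}
    for obs in alert.get("Observables") or []:
        observables.setdefault(obs.get("Type", "unknown"), []).append(obs.get("Value", ""))
    # HistoryRecords are not guaranteed ordered; sort by createdAt (RFC3339 sorts lexically).
    history = sorted(alert.get("HistoryRecords") or [], key=lambda r: r.get("createdAt", ""))
    return {
        "id": alert.get("InternalID"),
        "severity": alert.get("Severity"),
        "status": alert.get("Status"),
        "resolution": alert.get("StatusResolution"),
        "assignee": (alert.get("Assignee") or {}).get("Name"),
        "incident": alert.get("IncidentID") or None,
        "rules": [r.get("Name") for r in alert.get("Rules") or []],
        "techniques": sorted({t["ID"] for t in alert.get("MITRETechniques") or [] if t.get("ID")}),
        "attacker_hosts": attackers,
        "victim_hosts": victims,
        "accounts": accounts,
        "observables": observables,
        "history": [r.get("type") for r in history],
    }


# Constructed sample alert (not real data); only the fields the summary reads are populated.
SAMPLE_ALERT = {
    "InternalID": "881dee1f-380d-4366-a2d8-094e0af4c3f6",
    "Severity": "critical",
    "Status": "inProgress",
    "StatusResolution": "truePositive",
    "Assignee": {"ID": "u-1", "Name": "analyst1"},
    "IncidentID": "",
    "Rules": [{"Confidence": "high", "Custom": False, "ID": "r-1", "Name": "Suspicious PowerShell",
               "Severity": "critical", "Type": "string"}],
    "MITRETechniques": [{"ID": "T1059.001"}, {"ID": "T1021.002"}],
    "Observables": [{"Details": "", "Type": "ip", "Value": "203.0.113.5"},
                    {"Details": "", "Type": "ip", "Value": "198.51.100.7"}],
    "Assets": [
        {"ID": "h-1", "Name": "ws-17", "Type": "host", "IsAttacker": True, "IsVictim": False,
         "HostInfo": {"IsDeleted": False, "Fqdn": ["ws-17.corp.example"], "IpAddress": ["10.0.0.17"]}},
        {"ID": "h-2", "Name": "srv-old", "Type": "host", "IsAttacker": False, "IsVictim": True,
         "HostInfo": {"IsDeleted": True, "Fqdn": [], "IpAddress": ["10.0.0.99"]}},
        {"ID": "h-3", "Name": "dc-01", "Type": "host", "IsAttacker": False, "IsVictim": True,
         "HostInfo": {"IsDeleted": False, "Fqdn": [], "IpAddress": ["10.0.0.1"]}},
        {"ID": "u-7", "Name": "jdoe", "Type": "user", "IsAttacker": False, "IsVictim": True,
         "UserInfo": {"samAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"}},
    ],
    "HistoryRecords": [  # "alertCreated" is a placeholder type; the page shows only alertAssigned
        {"type": "alertAssigned", "createdAt": "2024-03-12T11:10:59.329Z", "params": {}},
        {"type": "alertCreated", "createdAt": "2024-03-12T11:05:00.000Z", "params": {}},
    ],
}

if __name__ == "__main__":
    for key, value in summarize_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Note that this summary only has assets and history to work with when the list was requested with withAffected and withHistory; without those flags the corresponding lists are empty and the summary degrades to the alert's own fields, which is why the accessors above all default to empty containers instead of raising.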
Possible errors
HTTP code | Description | Error message | Details
--- | --- | --- | ---
400 | The timestampField value is invalid. | invalid timestamp field | 
400 | The from value is invalid. | cannot parse from | variable
400 | The to value is invalid. | cannot parse to | variable
400 | The id value is not in the UUID format. | | 
400 | The status value is invalid. | invalid status | 
403 | The user does not have the required right in the Alerts and incidents functional area for at least one of the specified tenants (the query fails as a whole; no partial result is returned for the tenants the user can read). | access denied | 
500 | Any other internal errors. | variable | variable