
Alerts

These are the API endpoints for retrieving alerts and alert profile metadata.

Get Alerts

This API retrieves a list of alerts filtered by severity, status, time range, or profile IDs. Submit a request with the required parameters and the server returns the matching results directly in the response.
OAuth Scope : alerts.READ

Arguments

query
string
(Required)
Search query formed using the MetaData APIs.
start_time
string
(Required)
Start of the search time range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Timezone offsets are supported.
end_time
string
(Required)
End of the search time range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Timezone offsets are supported.
status
string
Filters alerts based on their status. Allowed values - open, in_progress, closed.
severity
string
Filters alerts based on severity levels. Allowed values - critical, trouble, attention.
profile_ids
array
List of profile IDs to filter the alerts by. Profile IDs can be retrieved using the List Alert Profiles API.
Maximum: 100 alert profile IDs
response_type
string
Determines whether response values are based on the client or the server value. Accepted values are `client` and `server`. The default value is `server`.
cursor
string
Paginates the alerts using the cursor value received in the previous response. EventLog Analyzer's cursor expires after five minutes if it is not used.
⚠️ Note: query and cursor cannot be used together in the same request.

Request Example

// Deluge example for POST /api/v2/alerts (Get Alerts).
// Replace the placeholder body with the fields listed under "Body Parameters"
// (query, start_time, end_time, status, severity, profile_ids, response_type, cursor).
parameters_data='{"field1":"value1","field2":"value2"}';
// The bearer token travels in the Authorization header; use an https:// URL for
// any host other than localhost, otherwise the token is sent in cleartext.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
    url: "http://localhost:8400/api/v2/alerts"
    type: POST
    headers: headers_data
    content-type: application/json
    parameters: parameters_data
    connection: <connection_name>
];
// Logs the raw response (see "Response Example" for the success and error shapes).
info response;
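// OkHttp example for POST /api/v2/alerts (Get Alerts).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/alerts")
    .post(body)
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .addHeader("content-type", "application/json")
    .build();
// A Response holds its connection until it is closed; try-with-resources
// releases it even when reading the body throws.
try (Response response = client.newCall(request).execute()) {
    // execute() does not throw on 4xx/5xx; the server returns a JSON error body
    // (see "Response Example"), so check the status explicitly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("HTTP " + response.code() + ": " + response.body().string());
    }
    String json = response.body().string();
    System.out.println(json);
}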
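// Browser / Node 18+ fetch example for POST /api/v2/alerts (Get Alerts).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
const options = {
  method: 'POST',
  headers: {
    Authorization: 'Bearer REPLACE_BEARER_TOKEN',
    'content-type': 'application/json',
  },
  body: '{"field1":"value1","field2":"value2"}',
};

fetch('http://localhost:8400/api/v2/alerts', options)
  .then(async (response) => {
    // fetch() only rejects on network failure; a 4xx/5xx such as the
    // "Unauthorized" body shown under "Response Example" resolves normally,
    // so the status has to be checked here.
    const payload = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}`, { cause: payload });
    }
    return payload;
  })
  .then((data) => console.log(data))
  .catch((err) => console.error(err));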
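import http.client

# Python standard-library example for POST /api/v2/alerts (Get Alerts).
# Replace the placeholder payload with the fields listed under "Body Parameters".
# Use http.client.HTTPSConnection for any host other than localhost: the bearer
# token in the Authorization header is otherwise sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400", timeout=30)
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
    'content-type': "application/json",
}
try:
    conn.request("POST", "/api/v2/alerts", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # http.client does not raise on 4xx/5xx; the server returns a JSON error body
    # (see "Response Example"), so surface the status explicitly.
    if res.status >= 400:
        raise RuntimeError(f"HTTP {res.status} {res.reason}: {data.decode('utf-8')}")
    print(data.decode("utf-8"))
finally:
    # Always release the connection, including on error.
    conn.close()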
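// Node.js (CommonJS) example for POST /api/v2/alerts (Get Alerts).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use require("https") for any host other than localhost: the bearer token in
// the Authorization header is otherwise sent in cleartext.
const http = require("http");

const options = {
  method: "POST",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/alerts",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
    "content-type": "application/json",
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // The server signals failures with a status code and a JSON error body
    // (see "Response Example"); don't print an error body as if it were data.
    if (res.statusCode >= 400) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    console.log(body);
  });
});

// Without an 'error' listener a refused connection or reset is an unhandled
// 'error' event and crashes the process.
req.on("error", (err) => console.error(err));

req.write(JSON.stringify({ field1: "value1", field2: "value2" }));
req.end();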
# curl example for POST /api/v2/alerts (Get Alerts).
# Replace the placeholder body with the fields listed under "Body Parameters".
# An inline token ends up in shell history and process listings; prefer
# exporting it to an environment variable first and referencing that here.
curl -X POST \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  -H 'content-type: application/json' \
  -d '{"field1":"value1","field2":"value2"}' \
  http://localhost:8400/api/v2/alerts

Body Parameters

{ "query": " ( ( severity = \"success\" AND type = \"Security\" ) )", "start_time": "2025-03-27T14:30:00Z", "end_time": "2025-03-28T14:30:00Z", "status": "open,in_progress,closed", "severity": "critical,trouble,attention", "profile_ids": [ 100000000000003 ], "response_type": "client", "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA" }

Response Example

{ "data": [ { "Display Name": { "3000000443173": "Dev-Agent" }, "Category": "dos attack entered defensive mode", "Message": "microsoft-windows-eventlog : DoS Attack Entered Defensive Mode. Subject: Security ID: S-1-5-21-2477490969-972611893-3386141825-500 Account Name: administrator Domain Name: ELANEW2017 Logon ID: 0x8D71B\t9077", "User Name": "n/a", "Severity": "information", "Time": "2025-03-01 22:57:00", "Event ID": "5148", "Source": "microsoft-windows-eventlog", "Alert Severity": "TROUBLE", "Log Source Type": "windows", "Type": "security", "Profile Name": "External Remote RDP Logon from Public IP", "Log Source": "dev-agent" }, "..." ], "meta": { "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA", "total_items": 250, "items_in_current_page": 250 } }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }

Alert Bulk Request

This API enables searches over a larger data range. Submit a request with the relevant metadata; the server processes it and paginates the data into pages of 5,000 records each. The response includes a request ID and total page count, which are used with the Alert Bulk Fetch API to retrieve specific pages.
OAuth Scope : alerts.READ

Arguments

query
string
(Required)
Search query formed using the MetaData APIs.
start_time
string
(Required)
Start of the search time range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Timezone offsets are supported.
end_time
string
(Required)
End of the search time range, in ISO 8601 date-time format. The value must be greater than or equal to 1970-01-01T00:00:00Z. Timezone offsets are supported.
status
string
Filters alerts based on their status. Allowed values - open, in_progress, closed.
severity
string
Filters alerts based on severity levels. Allowed values - critical, trouble, attention.
profile_ids
array
List of profile IDs to filter the alerts by. Profile IDs can be retrieved using the List Alert Profiles API.
Maximum: 100 alert profile IDs

Request Example

// Deluge example for POST /api/v2/alerts/bulk (Alert Bulk Request).
// Replace the placeholder body with the fields listed under "Body Parameters"
// (query, start_time, end_time, status, severity, profile_ids).
parameters_data='{"field1":"value1","field2":"value2"}';
// The bearer token travels in the Authorization header; use an https:// URL for
// any host other than localhost, otherwise the token is sent in cleartext.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
    url: "http://localhost:8400/api/v2/alerts/bulk"
    type: POST
    headers: headers_data
    content-type: application/json
    parameters: parameters_data
    connection: <connection_name>
];
// Logs the raw response; on success it carries the request_id used by Alert Bulk Fetch.
info response;
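// OkHttp example for POST /api/v2/alerts/bulk (Alert Bulk Request).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/alerts/bulk")
    .post(body)
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .addHeader("content-type", "application/json")
    .build();
// A Response holds its connection until it is closed; try-with-resources
// releases it even when reading the body throws.
try (Response response = client.newCall(request).execute()) {
    // execute() does not throw on 4xx/5xx; the server returns a JSON error body
    // (see "Response Example"), so check the status explicitly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("HTTP " + response.code() + ": " + response.body().string());
    }
    // On success the body carries the request_id used by Alert Bulk Fetch.
    String json = response.body().string();
    System.out.println(json);
}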
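// Browser / Node 18+ fetch example for POST /api/v2/alerts/bulk (Alert Bulk Request).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
const options = {
  method: 'POST',
  headers: {
    Authorization: 'Bearer REPLACE_BEARER_TOKEN',
    'content-type': 'application/json',
  },
  body: '{"field1":"value1","field2":"value2"}',
};

fetch('http://localhost:8400/api/v2/alerts/bulk', options)
  .then(async (response) => {
    // fetch() only rejects on network failure; a 4xx/5xx such as the
    // "Unauthorized" body shown under "Response Example" resolves normally,
    // so the status has to be checked here.
    const payload = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}`, { cause: payload });
    }
    // On success payload.data.request_id is the handle for Alert Bulk Fetch.
    return payload;
  })
  .then((data) => console.log(data))
  .catch((err) => console.error(err));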
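import http.client

# Python standard-library example for POST /api/v2/alerts/bulk (Alert Bulk Request).
# Replace the placeholder payload with the fields listed under "Body Parameters".
# Use http.client.HTTPSConnection for any host other than localhost: the bearer
# token in the Authorization header is otherwise sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400", timeout=30)
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
    'content-type': "application/json",
}
try:
    conn.request("POST", "/api/v2/alerts/bulk", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # http.client does not raise on 4xx/5xx; the server returns a JSON error body
    # (see "Response Example"), so surface the status explicitly.
    if res.status >= 400:
        raise RuntimeError(f"HTTP {res.status} {res.reason}: {data.decode('utf-8')}")
    # On success the body carries the request_id used by Alert Bulk Fetch.
    print(data.decode("utf-8"))
finally:
    # Always release the connection, including on error.
    conn.close()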
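// Node.js (CommonJS) example for POST /api/v2/alerts/bulk (Alert Bulk Request).
// Replace the placeholder body with the fields listed under "Body Parameters".
// Use require("https") for any host other than localhost: the bearer token in
// the Authorization header is otherwise sent in cleartext.
const http = require("http");

const options = {
  method: "POST",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/alerts/bulk",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
    "content-type": "application/json",
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // The server signals failures with a status code and a JSON error body
    // (see "Response Example"); don't print an error body as if it were data.
    if (res.statusCode >= 400) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    // On success the body carries the request_id used by Alert Bulk Fetch.
    console.log(body);
  });
});

// Without an 'error' listener a refused connection or reset is an unhandled
// 'error' event and crashes the process.
req.on("error", (err) => console.error(err));

req.write(JSON.stringify({ field1: "value1", field2: "value2" }));
req.end();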
# curl example for POST /api/v2/alerts/bulk (Alert Bulk Request).
# Replace the placeholder body with the fields listed under "Body Parameters".
# An inline token ends up in shell history and process listings; prefer
# exporting it to an environment variable first and referencing that here.
curl -X POST \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  -H 'content-type: application/json' \
  -d '{"field1":"value1","field2":"value2"}' \
  http://localhost:8400/api/v2/alerts/bulk

Body Parameters

{ "query": " ( ( severity = \"success\" AND type = \"Security\" ) )", "start_time": "2025-03-27T14:30:00Z", "end_time": "2025-03-28T14:30:00Z", "status": "open,in_progress,closed", "severity": "critical,trouble,attention", "profile_ids": [ 100000000000003 ] }

Response Example

{ "data": { "message": "Request submitted", "request_id": "Azgefrtg_bNhbSdjeueooudw" } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

Alert Bulk Fetch

This API fetches a specific page of results from a previously submitted Alert Bulk Request.
OAuth Scope : alerts.READ

Query Parameters

request_id
string
(Required)
Request ID returned by the Alert Bulk Request API, identifying the search results to fetch.
page_no
integer
(Required)
The page number to fetch.
response_type
string
Determines whether response values are based on the client or the server value. Accepted values are `client` and `server`. The default value is `server`.

Request Example

// Deluge example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
// request_id is the value returned by Alert Bulk Request; page_no selects the page.
// The bearer token travels in the Authorization header; use an https:// URL for
// any host other than localhost, otherwise the token is sent in cleartext.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
    url: "http://localhost:8400/api/v2/alerts/bulk?request_id=1678000017823297&page_no=1"
    type: GET
    headers: headers_data
    connection: <connection_name>
];
// Logs the raw response (see "Response Example" for the success and error shapes).
info response;
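// OkHttp example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
// request_id is the value returned by Alert Bulk Request; page_no selects the page.
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/alerts/bulk?request_id=1678000017823297&page_no=1")
    .get()
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .build();
// A Response holds its connection until it is closed; try-with-resources
// releases it even when reading the body throws.
try (Response response = client.newCall(request).execute()) {
    // execute() does not throw on 4xx/5xx; the server returns a JSON error body
    // (see "Response Example"), so check the status explicitly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("HTTP " + response.code() + ": " + response.body().string());
    }
    String json = response.body().string();
    System.out.println(json);
}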
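// Browser / Node 18+ fetch example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
// request_id is the value returned by Alert Bulk Request; page_no selects the page.
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
const url = new URL('http://localhost:8400/api/v2/alerts/bulk');
// searchParams handles encoding, so real IDs never need hand-escaping.
url.searchParams.set('request_id', '1678000017823297');
url.searchParams.set('page_no', '1');

const options = { method: 'GET', headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN' } };

fetch(url, options)
  .then(async (response) => {
    // fetch() only rejects on network failure; a 4xx/5xx such as the
    // "Unauthorized" body shown under "Response Example" resolves normally,
    // so the status has to be checked here.
    const payload = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}`, { cause: payload });
    }
    return payload;
  })
  .then((data) => console.log(data))
  .catch((err) => console.error(err));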
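import http.client

# Python standard-library example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
# request_id is the value returned by Alert Bulk Request; page_no selects the page.
# Use http.client.HTTPSConnection for any host other than localhost: the bearer
# token in the Authorization header is otherwise sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400", timeout=30)
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
}
try:
    conn.request("GET", "/api/v2/alerts/bulk?request_id=1678000017823297&page_no=1", headers=headers)
    res = conn.getresponse()
    data = res.read()
    # http.client does not raise on 4xx/5xx; the server returns a JSON error body
    # (see "Response Example"), so surface the status explicitly.
    if res.status >= 400:
        raise RuntimeError(f"HTTP {res.status} {res.reason}: {data.decode('utf-8')}")
    print(data.decode("utf-8"))
finally:
    # Always release the connection, including on error.
    conn.close()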
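// Node.js (CommonJS) example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
// request_id is the value returned by Alert Bulk Request; page_no selects the page.
// Use require("https") for any host other than localhost: the bearer token in
// the Authorization header is otherwise sent in cleartext.
const http = require("http");

const options = {
  method: "GET",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/alerts/bulk?request_id=1678000017823297&page_no=1",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // The server signals failures with a status code and a JSON error body
    // (see "Response Example"); don't print an error body as if it were data.
    if (res.statusCode >= 400) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    console.log(body);
  });
});

// Without an 'error' listener a refused connection or reset is an unhandled
// 'error' event and crashes the process.
req.on("error", (err) => console.error(err));

req.end();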
# curl example for GET /api/v2/alerts/bulk (Alert Bulk Fetch).
# request_id is the value returned by Alert Bulk Request; page_no selects the page.
# The URL is quoted because of the '&' in the query string.
# An inline token ends up in shell history and process listings; prefer
# exporting it to an environment variable first and referencing that here.
curl -X GET \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  'http://localhost:8400/api/v2/alerts/bulk?request_id=1678000017823297&page_no=1'

Response Example

{ "data": [ { "DisplayName": { "3000000443173": "Dev-Agent" }, "Category": "downgrade attacks", "Message": "lsasrv : Downgrade Attacks...", "UserName": "n/a", "Severity": "information", "Time": "2025-03-01 22:57:00", "EventID": "40960", "Source": "lsasrv", "AlertSeverity": "TROUBLE", "LogSourceType": "windows", "Type": "security", "ProfileName": "External Remote RDP Logon from Public IP", "LogSource": "dev-agent" } ], "meta": { "next_page": 2, "total_items": 8000, "items_in_current_page": 5000 } }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }

List Alert Profiles

This API retrieves a list of alert profiles.
OAuth Scope : alerts.READ

Query Parameters

severity
string
Filters alert profiles based on severity level. Allowed values - critical, trouble, attention.
status
string
Filters alert profiles based on their status. Allowed values - enabled, disabled.
profile_type
integer
Filters alert profiles based on profile type. Allowed values - pre_defined, custom, compliance, correlation, sigma.
from
integer
The starting index of the response range.
limit
integer
The number of alert profiles to return in the response. The maximum value is 1,000.
response_type
string
Determines whether response values are based on the client or the server value. Accepted values are `client` and `server`. The default value is `server`.

Request Example

// Deluge example for GET /api/v2/alerts/profile (List Alert Profiles).
// Optional filters (severity, status, profile_type, from, limit, response_type)
// are passed as query parameters on the URL; none are used here.
// The bearer token travels in the Authorization header; use an https:// URL for
// any host other than localhost, otherwise the token is sent in cleartext.
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
    url: "http://localhost:8400/api/v2/alerts/profile"
    type: GET
    headers: headers_data
    connection: <connection_name>
];
// Logs the raw response; each profile entry includes the profile_id used by the alert APIs.
info response;
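// OkHttp example for GET /api/v2/alerts/profile (List Alert Profiles).
// Optional filters (severity, status, profile_type, from, limit, response_type)
// are passed as query parameters on the URL; none are used here.
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("http://localhost:8400/api/v2/alerts/profile")
    .get()
    .addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
    .build();
// A Response holds its connection until it is closed; try-with-resources
// releases it even when reading the body throws.
try (Response response = client.newCall(request).execute()) {
    // execute() does not throw on 4xx/5xx; the server returns a JSON error body
    // (see "Response Example"), so check the status explicitly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("HTTP " + response.code() + ": " + response.body().string());
    }
    String json = response.body().string();
    System.out.println(json);
}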
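// Browser / Node 18+ fetch example for GET /api/v2/alerts/profile (List Alert Profiles).
// Optional filters (severity, status, profile_type, from, limit, response_type)
// are passed as query parameters on the URL; none are used here.
// Use an https:// URL for any host other than localhost: the bearer token in the
// Authorization header is otherwise sent in cleartext.
const options = { method: 'GET', headers: { Authorization: 'Bearer REPLACE_BEARER_TOKEN' } };

fetch('http://localhost:8400/api/v2/alerts/profile', options)
  .then(async (response) => {
    // fetch() only rejects on network failure; a 4xx/5xx such as the
    // "Unauthorized" body shown under "Response Example" resolves normally,
    // so the status has to be checked here.
    const payload = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}`, { cause: payload });
    }
    return payload;
  })
  .then((data) => console.log(data))
  .catch((err) => console.error(err));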
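import http.client

# Python standard-library example for GET /api/v2/alerts/profile (List Alert Profiles).
# Optional filters (severity, status, profile_type, from, limit, response_type)
# are passed as query parameters on the path; none are used here.
# Use http.client.HTTPSConnection for any host other than localhost: the bearer
# token in the Authorization header is otherwise sent in cleartext.
conn = http.client.HTTPConnection("localhost:8400", timeout=30)
headers = {
    'Authorization': "Bearer REPLACE_BEARER_TOKEN",
}
try:
    conn.request("GET", "/api/v2/alerts/profile", headers=headers)
    res = conn.getresponse()
    data = res.read()
    # http.client does not raise on 4xx/5xx; the server returns a JSON error body
    # (see "Response Example"), so surface the status explicitly.
    if res.status >= 400:
        raise RuntimeError(f"HTTP {res.status} {res.reason}: {data.decode('utf-8')}")
    print(data.decode("utf-8"))
finally:
    # Always release the connection, including on error.
    conn.close()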
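// Node.js (CommonJS) example for GET /api/v2/alerts/profile (List Alert Profiles).
// Optional filters (severity, status, profile_type, from, limit, response_type)
// are passed as query parameters on the path; none are used here.
// Use require("https") for any host other than localhost: the bearer token in
// the Authorization header is otherwise sent in cleartext.
const http = require("http");

const options = {
  method: "GET",
  hostname: "localhost",
  port: "8400",
  path: "/api/v2/alerts/profile",
  headers: {
    Authorization: "Bearer REPLACE_BEARER_TOKEN",
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // The server signals failures with a status code and a JSON error body
    // (see "Response Example"); don't print an error body as if it were data.
    if (res.statusCode >= 400) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    console.log(body);
  });
});

// Without an 'error' listener a refused connection or reset is an unhandled
// 'error' event and crashes the process.
req.on("error", (err) => console.error(err));

req.end();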
# curl example for GET /api/v2/alerts/profile (List Alert Profiles).
# Optional filters (severity, status, profile_type, from, limit, response_type)
# are passed as query parameters on the URL; none are used here.
# An inline token ends up in shell history and process listings; prefer
# exporting it to an environment variable first and referencing that here.
curl -X GET \
  -H 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
  http://localhost:8400/api/v2/alerts/profile

Response Example

{ "data": [ { "severity": "Critical", "notification_type": [], "profile_name": "custom alert 1", "profile_type": "Custom Alert Profile", "profile_id": 3000000435591 } ] }
{ "code": "07001113", "title": "Unauthorized", "detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired" }
{ "error": { "code": "07001110", "title": "Bad Request", "detail": "Something went wrong." } }