Name

Data type

Mandatory

Description

Value example

page

number

No

The page number. Starts with 1. The page size is 100 entries.

If the value is not specified or set to a value below 1, the 1 value is used.

1

id

string

No

The alert id.

If multiple values are specified, a list is formed to which the OR logical operator is applied.

If no alert with a specified id is found, this id value is ignored.

If no id value is specified, all alerts for the specified tenants are returned.

00000000-0000-0000-0000-000000000000

tenantID

string

Yes

The tenant id.

If multiple values are specified, a list is formed to which the OR logical operator is applied.

If the user does not have the Read right for any of the specified tenants, the query fails.

00000000-0000-0000-0000-000000000000

timestampField

string

No

The alert data field used to filter the list of alerts. Use the from and to values to specify the time interval.

createdAt

updatedAt

statusChangedAt

from

string

No

The start of the time interval used to filter the list of alerts, in RFC3339 format. Use the timestampField value to specify the alert data field.

2021-09-06T00:00:00Z

2021-09-06T00:00:00.000Z

2021-09-06T00:00:00Z+00:00

to

string

No

The end of the time interval used to filter the list of alerts, in RFC3339 format. Use the timestampField value to specify the alert data field.

2021-09-06T00:00:00Z

2021-09-06T00:00:00.000Z

2021-09-06T00:00:00Z+00:00

status

string

No

The alert status.

If multiple values are specified, a list is formed to which the OR logical operator is applied.

new

inProgress

inIncident

closed

withEvents

bool

No

Specifies whether to include normalized events from KUMA.

/xdr/api/v1/alerts?withEvents
/xdr/api/v1/alerts?withEvents=123

withAffected

bool

No

Specifies whether to include detailed data about assets and accounts related to the alerts.

/xdr/api/v1/alerts?withAffected

/xdr/api/v1/alerts?withAffected=123

withHistory

bool

No

Specifies whether to include data about changes made to the alerts.

/xdr/api/v1/alerts?withHistory

/xdr/api/v1/alerts?withHistory=123

{

"Total": 0,

"Alerts": [

{

"ID": 0,

"InternalID": "881dee1f-380d-4366-a2d8-094e0af4c3f6",

"TenantID": "string",

"Assets": [

{

"Data": {},

"ID": "string",

"IsAttacker": true,

"IsVictim": true,

"KSCServer": "string",

"Name": "string",

"Type": "host",

"HostInfo": {

"ID": "string",

"TenantID": "string",

"DisplayName": "string",

"AssetSource": "string",

"CreatedAt": 0,

"IsDeleted": true,

"IpAddress": [

"string"

],

"Fqdn": [

"string"

],

"MacAddress": [

"string"

],

"DirectCategories": [

"string"

],

"Weight": "low",

"CiiCategory": "notCII",

"OS": "string",

"OSVersion": "string",

"Sources": [

"ksc"

],

"LastVisible": 0,

"Products": [

{

"ProductVersion": "string",

"ProductName": "string"

}

],

"KSC": {

"GroupID": 0,

"GroupName": "string",

"StatusMask": [

0

],

"StatusID": 0,

"RtProtectionState": 0,

"EncryptionState": 0,

"AntiSpamStatus": 0,

"EmailAvStatus": 0,

"DlpStatus": 0,

"EdrStatus": 0,

"LastAvBasesUpdate": 0,

"LastInfoUpdate": 0,

"LastUpdate": 0,

"LastSystemStart": 0,

"VirtualServerID": 0

},

"KICS": {

"status": "string",

"risks": [

{

"ID": 0,

"Name": "string",

"Category": "string",

"Description": "string",

"DescriptionURL": "string",

"Severity": 0,

"Cvss": 0

}

],

"serverIP": "string",

"connectorID": 0,

"deviceID": 0,

"hardware": {

"Model": "string",

"Version": "string",

"Vendor": "string"

},

"software": {

"Model": "string",

"Version": "string",

"Vendor": "string"

}

}

},

"UserInfo": {

"osmpId": "string",

"tenantID": "string",

"tenantName": "string",

"domain": "string",

"cn": "string",

"displayName": "string",

"distinguishedName": "string",

"mail": "string",

"mailNickname": "string",

"mobile": "string",

"objectSID": "string",

"samAccountName": "string",

"samAccountType": "string",

"telephoneNumber": "string",

"userPrincipalName": "string",

"isArchived": true,

"memberOf": [

"string"

],

"title": "string",

"division": "string",

"department": "string",

"manager": "string",

"location": "string",

"company": "string",

"streetAddress": "string",

"physicalDeliveryOfficeName": "string",

"managedObjects": [

"string"

],

"userAccountControl": "string",

"whenCreated": 0,

"whenChanged": 0,

"accountExpires": 0,

"badPasswordTime": 0

}

}

],

"Assignee": {

"ID": "string",

"Name": "string"

},

"CreatedAt": "2024-01-16T09:55:50.417Z",

"DetectionTechnologies": [

"string"

],

"Extra": {

"additionalProp1": "string",

"additionalProp2": "string",

"additionalProp3": "string"

},

"IncidentID": "string",

"IncidentLinkType": "auto",

"FirstEventTime": "2024-01-16T09:55:50.417Z",

"LastEventTime": "2024-01-16T09:55:50.417Z",

"MITRETactics": [

{

"ID": "string"

}

],

"MITRETechniques": [

{

"ID": "string"

}

],

"Observables": [

{

"Details": "string",

"Type": "ip",

"Value": "string"

}

],

"OriginalEvents": [

{}

],

"Rules": [

{

"Confidence": "high",

"Custom": true,

"ID": "string",

"Name": "string",

"Severity": "critical",

"Type": "string"

}

],

"Severity": "critical",

"SourceCreatedAt": "2024-01-16T09:55:50.417Z",

"SourceID": "string",

"ExternalRef": "string",

"Status": "new",

"StatusChangedAt": "2024-01-16T09:55:50.417Z",

"StatusResolution": "truePositive",

"UpdatedAt": "2024-01-16T09:55:50.417Z"

"HistoryRecords": [

{

"entityID": "string",

"entityKind": "Alert",

"tenantID": "string",

"type": "alertAssigned",

"createdAt": "2024-03-12T11:10:59.329Z",

"params": {}

}

]

}

]

}

HTTP code

Description

message field value

details field value

400

The timestampField value is invalid.

invalid timestamp field

400

The from value is invalid.

cannot parse from

variable

400

The to value is invalid.

cannot parse to

variable

400

The id value is not in the UUID format.

400

The status value is invalid.

invalid status

403

The user does not have the required right in the Alerts and incidents functional area in any of the specified tenants.

access denied

500

Any other internal errors.

variable

variable