Alerts
List all alerts
Request
Definition
GET /api/v1/alerts
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Authentication token with privileges to view the resource. Bearer {token} |
Query string parameters
| Parameter | Type | Required | Description | 
|---|---|---|---|
| paginate | boolean | Yes | If the result must be paginated. | 
| page | integer | Yes if paginate is true | Page index. | 
| page_size | integer | Yes if paginate is true | Number of items displayed per page. | 
| kind | integer | No | Filters the results whose alert type code matches the one entered. | 
| attack_code | string | No | Filters the results whose attack code matches the one entered. | 
| attack_code_list | array<string> | No | Filters the results whose attack code matches any of the list items. | 
| attack_name | string | No | Filters the results whose attack name matches the one entered. | 
| attack_name_list | array<string> | No | Filters the results whose attack name matches any of the list items. | 
| pattern | string | No | Filters the results whose pattern matches the one entered. | 
| pattern_search | string | No | Filters the results whose pattern matches all or part of the entered string. | 
| rq_host | string | No | Filters the results whose header Host matches the one entered. | 
| rq_host_list | array<string> | No | Filters the results whose header Host matches any of the list items. | 
| rq_host_search | string | No | Filters the results whose header Host entirely or partially matches with the entered string. | 
| detection_time_start | integer | No | Filters the results detected after the date entered. | 
| detection_time_end | integer | No | Filters the results detected before the date entered. | 
| first_seen_start | integer | No | Filters the results which first appeared after the date entered. | 
| first_seen_end | integer | No | Filters the results which first appeared before the date entered. | 
| last_seen_start | integer | No | Filters the results whose last appearance occurred after the date entered. | 
| last_seen_end | integer | No | Filters the results whose last appearance occurred before the date entered. | 
| client_address_list | array<string> | No | Filters the results that contain at least one of the IP addresses in the list. | 
| status_code_list | array<integer> | No | Filters the results which contain at least one of the status codes in the list. | 
Response
Status codes
| Status code | Message | 
|---|---|
| 200 | "List of alerts" | 
| 400 | "Error with pagination fields" | 
| 403 | "Forbidden" | 
Body
Attributes
| Attribute | Type | Description |
|---|---|---|
| data.alerts.attack_category | string | Attack category of the alert. |
| data.alerts.attack_code | string | Code that identifies the attack type of the alert. |
| data.alerts.attack_name | string | Type of attack. |
| data.alerts.client_addresses | array<string> | List of client IP addresses responsible for the reported requests. |
| data.alerts.additional_info.cwe | array<object> | List of Common Weakness Enumeration (CWE) entries associated with the alert. |
| data.alerts.detection_time | integer | Detection date. |
| data.alerts.first_seen | integer | Date of the first appearance of the alert. |
| data.alerts.id | string | Alert ID. |
| data.alerts.kind | integer | Code that identifies the alert type. A value of 0 indicates an Activity alert, while 1 indicates an Identity alert. |
| data.alerts.last_seen | integer | Date of the last appearance of the alert. |
| data.alerts.pattern | string | Main trait common to the different transactions that identifies the attempted attack. |
| data.alerts.risk | string | String that describes the risk level of the alert. |
| data.alerts.rq_host | string | Host header indicated in the request. |
| data.alerts.status_codes | array<integer> | Response status codes of all the requests to which the alert refers. |
| data.alerts.target_specs | object | Details of the target and context of the attack. |
| data.alerts.additional_info | object | Additional information about the alert. |
Example
```json
{
  "data": {
    "alerts": [
      {
        "additional_info": {
          "cwe": [
            {
              "abstraction": "Pillar",
              "id": "707",
              "link": "https://cwe.mitre.org/data/definitions/707.html",
              "name": "Improper Neutralization"
            },
            {
              "abstraction": "Class",
              "id": "74",
              "link": "https://cwe.mitre.org/data/definitions/74.html",
              "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)"
            },
            {
              "abstraction": "Class",
              "id": "77",
              "link": "https://cwe.mitre.org/data/definitions/77.html",
              "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)"
            }
          ]
        },
        "attack_category": "Injection",
        "attack_code": "2-2-0",
        "attack_name": "Command injection",
        "client_addresses": [
          "10.2.3.4",
          "10.9.1.2"
        ],
        "cve": null,
        "detection_time": 1705497149071355,
        "first_seen": 1651131895000000,
        "id": "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c=",
        "kind": 0,
        "last_seen": 1651131895000000,
        "pattern": "rm -rf",
        "risk": null,
        "rq_host": "xxxxxxxxx.it",
        "status_codes": [
          404,
          400
        ],
        "target_specs": {
          "parameter_value": [
            {
              "client_addresses": [
                "10.9.1.2",
                "10.2.3.4"
              ],
              "payloads": [
                "rm -rf"
              ],
              "specs": {
                "parameter_key": "key",
                "path": "/example/of/path",
                "request:Host": "xxxxxxxxx.it"
              }
            }
          ]
        }
      }
    ]
  },
  "message": "List of alerts",
  "pagination": {
    "first": 1,
    "last": 1,
    "page": 0,
    "total_count": 1,
    "total_pages": 1
  },
  "status": "ok"
}
```
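The following is an added example client for the list endpoint above; it is not the product's own SDK. It shows the three things a consumer has to get right: emitting page and page_size only when paginate is true (otherwise the API answers 400 "Error with pagination fields"), walking every page using the pagination block of the response, and reducing each alert to the fields an analyst triages on (kind label, CWE ids, source addresses, status codes). The base URL, the encoding of array<...> parameters as repeated query keys, the 0-based page index (page 0 with total_pages 1 in the documented example) and the microsecond epoch timestamps are assumptions, marked as such in the code; the sample alert and the offline transport are constructed for the demo.

```python
"""Client helpers for GET /api/v1/alerts: filter encoding, page walking, triage summary.

Added example, not the product's own SDK. Assumptions not stated on the page: the
base URL is a placeholder; array<...> parameters are sent as repeated query keys;
the page index is 0-based as in the documented example; timestamps are epoch
microseconds, as the example values imply.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://waf.example.invalid"  # placeholder host, not from the page
KIND_LABELS = {0: "Activity", 1: "Identity"}  # documented kind codes


def build_query(filters, page=None, page_size=None):
    """Encode filters; page and page_size are emitted only when paginating, since both
    are mandatory once paginate is true. Lists become repeated keys (assumption)."""
    params = []
    if page is None:
        params.append(("paginate", "false"))
    else:
        if page_size is None:
            raise ValueError("page_size is required when paginate is true")
        params += [("paginate", "true"), ("page", str(page)), ("page_size", str(page_size))]
    for key in sorted(filters):
        value = filters[key]
        if value is None:
            continue  # unset filter: leave it out of the query entirely
        if isinstance(value, bool):
            params.append((key, "true" if value else "false"))
        elif isinstance(value, (list, tuple)):
            params += [(key, str(v)) for v in value]
        else:
            params.append((key, str(value)))
    return urllib.parse.urlencode(params)


def urllib_get(url, token):
    """Default transport: GET with a Bearer token; returns (status, decoded JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read().decode("utf-8"))
        except ValueError:
            return err.code, {}


def collect_alerts(token, filters, page_size=100, transport=urllib_get):
    """Walk every page and return {"alerts": [...], "error": None | "status: message"}.
    Stops at the first non-200 (400 bad pagination fields, 403 forbidden)."""
    alerts, page = [], 0
    while True:
        url = f"{BASE_URL}/api/v1/alerts?{build_query(filters, page, page_size)}"
        status, body = transport(url, token)
        if status != 200:
            return {"alerts": alerts, "error": f"{status}: {body.get('message', 'no message')}"}
        alerts.extend(body.get("data", {}).get("alerts", []))
        total_pages = body.get("pagination", {}).get("total_pages", 1)
        if page + 1 >= total_pages:  # 0-based page index (assumption)
            return {"alerts": alerts, "error": None}
        page += 1


def summarize(alert):
    """Reduce one alert object to the fields an analyst triages on."""
    cwe = (alert.get("additional_info") or {}).get("cwe") or []
    return {
        "id": alert["id"],
        "kind": KIND_LABELS.get(alert.get("kind"), f"unknown({alert.get('kind')})"),
        "attack": f"{alert.get('attack_code')} {alert.get('attack_name')}",
        "host": alert.get("rq_host"),
        "sources": sorted(alert.get("client_addresses") or []),
        "cwe_ids": [entry["id"] for entry in cwe],
        "status_codes": sorted(set(alert.get("status_codes") or [])),
        "first_seen_s": alert["first_seen"] // 1_000_000,  # microseconds -> seconds (assumption)
    }


# Constructed sample alert shaped like the documented response (not real data).
SAMPLE_ALERT = {
    "additional_info": {"cwe": [{"abstraction": "Pillar", "id": "707", "name": "Improper Neutralization"},
                                {"abstraction": "Class", "id": "77", "name": "Command Injection"}]},
    "attack_category": "Injection", "attack_code": "2-2-0", "attack_name": "Command injection",
    "client_addresses": ["10.9.1.2", "10.2.3.4"], "detection_time": 1705497149071355,
    "first_seen": 1651131895000000, "id": "alert-1", "kind": 0, "last_seen": 1651131895000000,
    "pattern": "rm -rf", "risk": None, "rq_host": "example.invalid", "status_codes": [404, 400],
}


def fake_pages_transport(pages):
    """Offline transport serving `pages` (a list of alert lists) with a pagination block."""
    def transport(url, token):
        idx = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0])
        return 200, {"data": {"alerts": pages[idx]}, "message": "List of alerts", "status": "ok",
                     "pagination": {"first": 1, "last": len(pages), "page": idx,
                                    "total_count": sum(len(p) for p in pages), "total_pages": len(pages)}}
    return transport


if __name__ == "__main__":
    pages = [[SAMPLE_ALERT, dict(SAMPLE_ALERT, id="alert-2")], [dict(SAMPLE_ALERT, id="alert-3", kind=1)]]
    result = collect_alerts("demo-token", {"attack_code": "2-2-0"}, page_size=2,
                            transport=fake_pages_transport(pages))
    for alert in result["alerts"]:
        print(json.dumps(summarize(alert)))
```

Swap `fake_pages_transport(...)` for the default `urllib_get` and a real token to run it against a live instance; `collect_alerts` returns the error message instead of raising, so a 403 from a token without view privileges is reported rather than silently yielding an empty list.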
List a specific alert
Request
Definition
GET /api/v1/alerts/{id}
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Authentication token with privileges to view the resource. Bearer {token} |
Response
Status codes
| Status code | Message | 
|---|---|
| 200 | "Alert retrieved" | 
| 400 | "Error retrieving alert" | 
| 400 | "Error with pagination fields" | 
| 403 | "Forbidden" | 
Body
```json
{
  "data": {
    "alert": {
      "additional_info": {
        "cwe": [
          {
            "abstraction": "Pillar",
            "id": "707",
            "link": "https://cwe.mitre.org/data/definitions/707.html",
            "name": "Improper Neutralization"
          },
          {
            "abstraction": "Class",
            "id": "74",
            "link": "https://cwe.mitre.org/data/definitions/74.html",
            "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)"
          },
          {
            "abstraction": "Class",
            "id": "77",
            "link": "https://cwe.mitre.org/data/definitions/77.html",
            "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)"
          }
        ]
      },
      "attack_category": "Injection",
      "attack_code": "2-2-0",
      "attack_name": "Command injection",
      "client_addresses": [
        "10.2.3.4",
        "10.2.9.1"
      ],
      "cve": null,
      "detection_time": 1705497151055122,
      "first_seen": 1651131895000000,
      "id": "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c=",
      "kind": 0,
      "last_seen": 1651131895000000,
      "pattern": "rm -rf",
      "risk": null,
      "rq_host": "xxxxxxxxx.it",
      "status_codes": [
        404,
        400
      ],
      "target_specs": {
        "parameter_value": [
          {
            "client_addresses": [
              "10.2.9.1",
              "10.2.3.4"
            ],
            "payloads": [
              "rm -rf"
            ],
            "specs": {
              "parameter_key": "key",
              "path": "example/of/path",
              "request:Host": "xxxxxxxxx.it"
            }
          }
        ]
      }
    }
  },
  "message": "Alert retrieved",
  "status": "ok"
}
```
Delete a specific alert
Request
Definition
DELETE /api/v1/alerts/{alert_id}
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Authentication token with privileges to view the resource. Bearer {token} |
Response
Status codes
| Status code | Description | 
|---|---|
| 200 | "Alerts deleted" | 
| 400 | "Error deleting alerts" | 
| 403 | "Forbidden" | 
Body
```json
{
  "data": {
    "alert_ids": [
      "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
    ]
  },
  "message": "Alerts deleted",
  "status": "ok"
}
```
Delete multiple alerts
Request
Definition
DELETE /api/v1/alerts
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Authentication token with privileges to view the resource. Bearer {token} |
| Content-Type | Yes | application/json |
Request body
```json
{
  "alert_ids": [
    "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
  ]
}
```
Response
Status codes
| Status code | Description | 
|---|---|
| 200 | "Alerts deleted" | 
| 400 | "Error deleting alerts" | 
| 403 | "Forbidden" | 
Body
```json
{
  "data": {
    "alert_ids": [
      "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
    ]
  },
  "message": "Alerts deleted",
  "status": "ok"
}
```
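Bulk deletion is destructive and the response body above is the only confirmation the caller gets, so the following added example (not the product's own client) builds the DELETE request with the mandatory Content-Type and Bearer headers, reconciles the requested ids against the data.alert_ids the API echoes back, and emits one JSON audit line recording who removed what and which ids were not confirmed. The base URL is a placeholder, the offline transport and ids are constructed for the demo, and the reading that data.alert_ids lists exactly the ids actually deleted is an assumption drawn from the documented example.

```python
"""Bulk delete via DELETE /api/v1/alerts with reconciliation and an audit record.

Added example, not the product's own client. Assumptions: BASE_URL is a placeholder;
the response's data.alert_ids lists the ids actually deleted, as the documented
example shows, so the caller can detect requested ids that were not removed.
"""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://waf.example.invalid"  # placeholder host, not from the page


def build_delete_request(token, alert_ids):
    """Return (url, headers, body bytes). The endpoint takes a JSON body, so
    Content-Type: application/json is mandatory next to the Bearer token."""
    ids = list(dict.fromkeys(alert_ids))  # de-duplicate while keeping order
    if not ids:
        raise ValueError("alert_ids must not be empty")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return f"{BASE_URL}/api/v1/alerts", headers, json.dumps({"alert_ids": ids}).encode("utf-8")


def urllib_delete(url, headers, body):
    """Default transport: DELETE with a JSON body; returns (status, decoded JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="DELETE")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        return err.code, json.loads(raw) if raw.startswith("{") else {"message": raw}


def delete_alerts(token, alert_ids, transport=urllib_delete):
    """Delete alerts and reconcile the request against the confirmed ids.

    Returns {"deleted", "missing", "unexpected", "error"}: missing = requested but not
    confirmed by the API; unexpected = confirmed by the API but never requested.
    """
    url, headers, body = build_delete_request(token, alert_ids)
    requested = json.loads(body)["alert_ids"]
    status, resp = transport(url, headers, body)
    if status != 200:  # 400 "Error deleting alerts" or 403 "Forbidden": nothing confirmed
        return {"deleted": [], "missing": requested, "unexpected": [],
                "error": f"{status}: {resp.get('message', 'no message')}"}
    confirmed = set((resp.get("data") or {}).get("alert_ids") or [])
    return {
        "deleted": [i for i in requested if i in confirmed],
        "missing": [i for i in requested if i not in confirmed],
        "unexpected": sorted(confirmed - set(requested)),
        "error": None,
    }


def audit_record(actor, result, now=None):
    """One JSON line for the audit trail: who removed which alerts and what failed."""
    return json.dumps({
        "ts": int(now if now is not None else time.time()),
        "actor": actor,
        "action": "alerts.delete",
        "deleted": result["deleted"],
        "missing": result["missing"],
        "unexpected": result["unexpected"],
        "error": result["error"],
    }, sort_keys=True)


def fake_delete_transport(existing_ids):
    """Offline transport (constructed): confirms only the ids it knows, mirroring the
    documented response shape."""
    def transport(url, headers, body):
        assert headers["Content-Type"] == "application/json"
        asked = json.loads(body)["alert_ids"]
        return 200, {"data": {"alert_ids": [i for i in asked if i in existing_ids]},
                     "message": "Alerts deleted", "status": "ok"}
    return transport


if __name__ == "__main__":
    result = delete_alerts("demo-token", ["alert-1", "alert-2", "alert-1"],
                           transport=fake_delete_transport({"alert-1"}))
    print(audit_record("analyst@example.invalid", result, now=1705497149))
```

Treat a non-empty `missing` list as a failed operation rather than a partial success: the alert is still present and will keep showing up in the list endpoint, and the audit line makes that visible to whoever reviews deletions later.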