
Alerts

List all alerts

Request

Definition

GET /api/v1/alerts

Headers

  • Authorization required

    Authentication token with privileges to view the resource.

    Bearer {token}

Query string parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
paginate | boolean | Yes | If the result must be paginated.
page | integer | Yes if paginate is true | Page index.
page_size | integer | Yes if paginate is true | Number of items displayed per page.
kind | integer | No | Filters the results whose alert type code matches the one entered.
attack_code | string | No | Filters the results whose attack code matches the one entered.
attack_code_list | array<string> | No | Filters the results whose attack code matches any of the list items.
attack_name | string | No | Filters the results whose attack name matches the one entered.
attack_name_list | array<string> | No | Filters the results whose attack name matches any of the list items.
pattern | string | No | Filters the results whose pattern matches the one entered.
pattern_search | string | No | Filters the results whose pattern matches all or part of the entered string.
rq_host | string | No | Filters the results whose Host header matches the one entered.
rq_host_list | array<string> | No | Filters the results whose Host header matches any of the list items.
rq_host_search | string | No | Filters the results whose Host header matches all or part of the entered string.
detection_time_start | integer | No | Filters the results detected after the date entered.
detection_time_end | integer | No | Filters the results detected before the date entered.
first_seen_start | integer | No | Filters the results which first appeared after the date entered.
first_seen_end | integer | No | Filters the results which first appeared before the date entered.
last_seen_start | integer | No | Filters the results whose last appearance occurred after the date entered.
last_seen_end | integer | No | Filters the results whose last appearance occurred before the date entered.
client_address_list | array<string> | No | Filters the results that contain at least one of the IP addresses in the list.
status_code_list | array<integer> | No | Filters the results that contain at least one of the status codes in the list.

Response

Status codes

Status code | Message
--- | ---
200 | "List of alerts"
400 | "Error with pagination fields"
403 | "Forbidden"

Body

  • data.alerts.attack_category string

    Attack category of the alert.

  • data.alerts.attack_code string

    Code that identifies the attack type of the alert.

  • data.alerts.attack_name string

    Type of attack.

  • data.alerts.client_addresses array<string>

    List of IP addresses responsible for reporting.

  • data.alerts.additional_info.cwe array<object>

    List of Common Weakness Enumeration associated with the alert.

  • data.alerts.detection_time integer

    Detection date.

  • data.alerts.first_seen integer

    Date of the first appearance of the alert.

  • data.alerts.id string

    Alert ID.

  • data.alerts.kind integer

    Code that identifies the alert type. A value of 0 indicates an Activity alert, while 1 indicates an Identity alert.

  • data.alerts.last_seen integer

    Date of the last appearance of the alert.

  • data.alerts.pattern string

    Main trait common to the different transactions that identifies the attempted attack.

  • data.alerts.risk string

    String that describes the risk level of the alert.

  • data.alerts.rq_host string

    Host header indicated in the request.

  • data.alerts.status_codes array<integer>

    The response status codes of all the requests to which the alert refers.

  • data.alerts.target_specs object

    Details of the target and context of the attack.

  • data.alerts.additional_info object

    Additional information about the alert.
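Added example (not code from this documentation or from the vendor's own client): a minimal Python client that builds the paginated query string for GET /api/v1/alerts, walks every page, and flattens each alert object into a triage record. BASE_URL, the 0-based page index, the "true" encoding of paginate and the repeated-key encoding of array<string> filters are assumptions the page does not state.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, Iterator

BASE_URL = "https://example.invalid"  # assumed host; the page only gives the path

def build_query(page: int, page_size: int, **filters: Any) -> str:
    """Query string for GET /api/v1/alerts with the required pagination trio.
    Assumed (the page does not say): page is 0-based, booleans travel as
    'true'/'false', and array<string> filters are sent as repeated keys."""
    if page < 0 or page_size < 1:
        raise ValueError("page must be >= 0 and page_size >= 1")
    params = [("paginate", "true"), ("page", page), ("page_size", page_size)]
    for key, value in filters.items():
        if isinstance(value, (list, tuple)):
            params.extend((key, v) for v in value)
        elif value is not None:
            params.append((key, value))
    return urllib.parse.urlencode(params)

def fetch_page(token: str, page: int, page_size: int, **filters: Any) -> Dict[str, Any]:
    """One GET; urlopen raises HTTPError on 400 (pagination fields) or 403."""
    url = f"{BASE_URL}/api/v1/alerts?{build_query(page, page_size, **filters)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_alerts(token: str, page_size: int = 100, **filters: Any) -> Iterator[Dict[str, Any]]:
    """Walk pages until a short page signals the end of the result set."""
    page = 0
    while True:
        alerts = fetch_page(token, page, page_size, **filters)["data"]["alerts"]
        yield from alerts
        if len(alerts) < page_size:
            return
        page += 1

def summarize(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one alert object (field names from the body reference) for triage."""
    cwe = (alert.get("additional_info") or {}).get("cwe") or []
    return {"id": alert["id"], "attack": f'{alert["attack_code"]} {alert["attack_name"]}',
            "kind": "Identity" if alert["kind"] == 1 else "Activity",
            "cwe": [c["id"] for c in cwe], "sources": sorted(alert.get("client_addresses", []))}

SAMPLE_ALERT = {  # constructed, shaped like the page's example response; not real data
    "id": "alert-id-placeholder", "kind": 0, "attack_code": "2-2-0",
    "attack_name": "Command injection", "client_addresses": ["10.2.9.1", "10.2.3.4"],
    "additional_info": {"cwe": [{"id": "707"}, {"id": "74"}, {"id": "77"}]}}
```

Typical use is `for a in iter_alerts(token, kind=0, rq_host_list=["a.example", "b.example"]): print(summarize(a))`; an HTTPError with code 400 is the "Error with pagination fields" case from the status table.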

List a specific alert

Request

Definition

GET /api/v1/alerts/{id}

Headers

  • Authorization required

    Authentication token with privileges to view the resource.

    Bearer {token}

Response

Status codes

Status code | Message
--- | ---
200 | "Alert retrieved"
400 | "Error retrieving alert"
400 | "Error with pagination fields"
403 | "Forbidden"

Body

{
  "data": {
    "alert": {
      "additional_info": {
        "cwe": [
          {
            "abstraction": "Pillar",
            "id": "707",
            "link": "https://cwe.mitre.org/data/definitions/707.html",
            "name": "Improper Neutralization"
          },
          {
            "abstraction": "Class",
            "id": "74",
            "link": "https://cwe.mitre.org/data/definitions/74.html",
            "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)"
          },
          {
            "abstraction": "Class",
            "id": "77",
            "link": "https://cwe.mitre.org/data/definitions/77.html",
            "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)"
          }
        ]
      },
      "attack_category": "Injection",
      "attack_code": "2-2-0",
      "attack_name": "Command injection",
      "client_addresses": [
        "10.2.3.4",
        "10.2.9.1"
      ],
      "cve": null,
      "detection_time": 1705497151055122,
      "first_seen": 1651131895000000,
      "id": "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c=",
      "kind": 0,
      "last_seen": 1651131895000000,
      "pattern": "rm -rf",
      "risk": null,
      "rq_host": "xxxxxxxxx.it",
      "status_codes": [
        404,
        400
      ],
      "target_specs": {
        "parameter_value": [
          {
            "client_addresses": [
              "10.2.9.1",
              "10.2.3.4"
            ],
            "payloads": [
              "rm -rf"
            ],
            "specs": {
              "parameter_key": "key",
              "path": "example/of/path",
              "request:Host": "xxxxxxxxx.it"
            }
          }
        ]
      }
    }
  },
  "message": "Alert retrieved",
  "status": "ok"
}

Delete specific alert

Request

Definition

DELETE /api/v1/alerts/{alert_id}

Headers

  • Authorization required

    Authentication token with privileges to view the resource.

    Bearer {token}

Response

Status codes

Status code | Description
--- | ---
200 | "Alerts deleted"
400 | "Error deleting alerts"
403 | "Forbidden"

Body

{
  "data": {
    "alert_ids": [
      "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
    ]
  },
  "message": "Alerts deleted",
  "status": "ok"
}

Delete multiple alerts

Request

Definition

DELETE /api/v1/alerts

Headers

  • Authorization required

    Authentication token with privileges to view the resource.

    Bearer {token}
  • Content-Type required

    application/json

Request body

{
  "alert_ids": [
    "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
  ]
}

Response

Status codes

Status code | Description
--- | ---
200 | "Alerts deleted"
400 | "Error deleting alerts"
403 | "Forbidden"

Body

{
  "data": {
    "alert_ids": [
      "urWAuxxxxxqiCOydxxxxx+WmFXuyxPxxxxx£1sgxx1c="
    ]
  },
  "message": "Alerts deleted",
  "status": "ok"
}
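Added example covering both the single-alert and the bulk delete endpoints above (not code from this documentation or from the vendor): it percent-encodes the alert ID when it is used as a path segment, builds the DELETE /api/v1/alerts request with its JSON body and Content-Type header, and reconciles the returned data.alert_ids against what was requested. BASE_URL and the placeholder IDs are assumptions.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, Iterable, List, Tuple

BASE_URL = "https://example.invalid"  # assumed host; the page only gives the path

def alert_url(alert_id: str) -> str:
    """URL for GET/DELETE /api/v1/alerts/{id}. The IDs on this page look base64-like
    ('+', '=' and possibly '/'), so the path segment must be percent-encoded."""
    return f"{BASE_URL}/api/v1/alerts/{urllib.parse.quote(alert_id, safe='')}"

def build_bulk_delete(token: str, alert_ids: Iterable[str]) -> Tuple[str, Dict[str, str], bytes]:
    """URL, headers and JSON body for DELETE /api/v1/alerts, returned as plain
    values so they can be inspected (and logged) before anything is sent."""
    ids: List[str] = [i for i in alert_ids if i]
    if not ids:
        raise ValueError("refusing to send an empty alert_ids list")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return f"{BASE_URL}/api/v1/alerts", headers, json.dumps({"alert_ids": ids}).encode()

def unconfirmed_ids(requested: Iterable[str], response: Dict[str, Any]) -> List[str]:
    """IDs we asked to delete that the 200 body does not list under data.alert_ids.
    A non-empty result means the server and our change record disagree."""
    if response.get("status") != "ok":
        raise RuntimeError(f"unexpected status: {response.get('message')!r}")
    confirmed = set(response.get("data", {}).get("alert_ids", []))
    return [i for i in requested if i not in confirmed]

def delete_alerts(token: str, alert_ids: List[str]) -> List[str]:
    """Send the bulk delete (urllib needs method= to put a body on DELETE)
    and return any IDs the server did not confirm."""
    url, headers, body = build_bulk_delete(token, alert_ids)
    req = urllib.request.Request(url, data=body, headers=headers, method="DELETE")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return unconfirmed_ids(alert_ids, json.load(resp))

SAMPLE_RESPONSE = {  # constructed 200 body shaped like the page's example; placeholder IDs
    "data": {"alert_ids": ["id-A"]}, "message": "Alerts deleted", "status": "ok"}
```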