Working with triggered alerts using the API
Overview
Check the list of available endpoints and methods to work with triggered alerts using the Alerts API:
Endpoints and methods | Description |
---|---|
GET | Get information about a triggered alert by ID. |
GET | Get a list of triggered alerts in your domain. |
GET | Get statistics from a set of alerts. |
GET | Get the status of a set of alerts. |
PUT | Update alert status by ID. |
PUT | Update alert status in bulk. |
PUT | Update the priority of a given alert. |
Endpoints and methods
GET/alerts/get
Get information about a triggered alert by ID.
To perform this request, your Devo user must have at least the Alerts (view) permission assigned. Learn more about roles and permissions in this article.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| Enter the ID of the alert. How can I get the ID of a triggered alert? Triggered alert IDs are displayed in the Alerts area of the Devo platform. You can find them in the Alerts history table at the bottom of the Alerts dashboard tab. Learn more about this in Managing triggered alerts. You will also get the IDs of the triggered alerts in a domain using GET |
|
| Add this parameter and set it to Authorizing requests using the Note that if you use the Learn more about this in Authorizing Alerts API requests. |
|
| Add this parameter and set it to |
Example
Find below a request example in cURL language. This request will show details of the triggered alert with ID 123456
defined in the domain that corresponds to the given token. Learn how to authorize your request in this article.
curl -H "standAloneToken:YOUR_TOKEN" -X GET "https://api-us.devo.com/alerts/v1/alerts/get?id=123456"
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. The response includes details about the triggered alert. {
"id": 123456,
"domain": "myDomain",
"priority": 4,
"context": "my.alert.demo.AWSConsoleLoginFailure",
"category": "my.context",
"srcPort": null,
"srcIp": null,
"srcHost": null,
"dstIp": null,
"dstPort": null,
"dstHost": null,
"protocol": null,
"username": "user@devo.com",
"application": null,
"engine": "pilot-8-pro-cloud-custom-aws-us-east-1",
"extraData": "{\"userIdentity_principalId\":\"AIDA3Y41I57DEUQSSBD1ZE\",\"mfaUsed\":\"No\",\"loginResponse\":\"Failure\",\"userIdentity_type\":\"IAMUser\",\"count\":\"1\",\"userName\":\"jason.green\",\"eventdate\":\"2023-04-03+13%3A39%3A00.0\"}",
"alertDate": null,
"status": 0,
"ack_status_date": null,
"createDate": 1680529252000,
"updateDate": null,
"scaled": false,
"digest": "5ad6c04d1f29125dfae0de480584f9c39362f4f3",
"uniquedigest": "f8ca95e3ed3c853b7f39dd39c099b8547c9e2f7b",
"postAlertAction": null,
"contextLabel": null,
"contextSubscription": null,
"shouldSend": false,
"alertOwner": null,
"fullExtraData": null,
"alertType": null,
"alertMitreTactics": null,
"alertMitreTechniques": null,
"alertPriority": null,
"alertDefinition": null,
"allExtraDataFields": null,
"tags": null,
"entities": null,
"commentsList": [],
"integrations": null,
"contexto": null
} |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
GET/v1/alerts/list
Get a list of triggered alerts in your domain.
To perform this request, your Devo user must have at least the Alerts (view) permission assigned. Learn more about roles and permissions in this article.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&).
Limits:
Parameter | Type | Definition |
---|---|---|
|
| Maximum number of elements returned in the response. |
|
| Position of the first element in the returned list. You will retrieve a subset of records starting with the offset value. Enter |
|
| Filters all alerts triggered after this date. This must by an epoch time in milliseconds. |
|
| Filters all alerts triggered before this date. This must by an epoch time in milliseconds. |
|
| Order the alerts by a specific field. Must be one of the following:
|
|
| Set this parameter to |
|
| Set this parameter to |
Example
Find below a request example in cURL language. This request will show details of the alerts triggered in the time range indicated in the domain that corresponds to the given token. We want a maximum of 3 alerts to be returned. Learn how to authorize your request in this article.
curl -H 'standAloneToken:YOUR_TOKEN' -X GET "https://api-us.devo.com/alerts/v1/alerts/list?limit=3&offset=0&from=1654008600000&to=1654008900000"
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. The response includes the list of alerts triggered in the period indicated. [
{
"id": 0,
"domain": "string",
"priority": 0,
"context": "string",
"category": "string",
"srcPort": 0,
"srcIp": "string",
"srcHost": "string",
"dstIp": "string",
"dstPort": 0,
"dstHost": "string",
"protocol": "string",
"username": "string",
"application": "string",
"engine": "string",
"extraData": "string",
"alertDate": "2022-07-19T09:00:49.052Z",
"status": 0,
"ack_status_date": "2022-07-19T09:00:49.052Z",
"createDate": "2022-07-19T09:00:49.052Z",
"updateDate": "2022-07-19T09:00:49.052Z",
"scaled": true,
"digest": "string",
"uniquedigest": "string",
"contexto": {
"id": 0,
"pilotContextId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"name": "string",
"category": {
"id": 0,
"name": "string",
"owner": "string",
"subCategories": [
{
"id": 0,
"name": "string",
"hasContext": true,
"alert_category_id": 0,
"contextList": [
"string"
]
}
]
},
"subCategory": {
"id": 0,
"name": "string",
"hasContext": true,
"alert_category_id": 0,
"contextList": [
"string"
]
},
"application_id": 0,
"defaultParams": "string",
"includefields": "string",
"excludefields": "string"
},
"postAlertAction": "string",
"contextLabel": "string",
"contextSubscription": 0,
"shouldSend": true,
"alertOwner": "string",
"fullExtraData": "string",
"alertType": "string",
"alertMitreTactics": "string",
"alertMitreTechniques": "string",
"alertPriority": "string",
"alertDefinition": {
"id": "string",
"creationDate": "2022-07-19T09:00:49.052Z",
"name": "string",
"message": "string",
"description": "string",
"categoryId": "string",
"subcategory": "string",
"subcategoryId": "string",
"isActive": true,
"isFavorite": true,
"isAlertChain": true,
"alertCorrelationContext": {
"id": "string",
"nameId": "string",
"ownerEmail": "string",
"querySourceCode": "string",
"priority": 0,
"correlationTrigger": {
"kind": "string"
}
},
"actionPolicyId": [
"string"
]
},
"allExtraDataFields": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"tags": [
"string"
],
"entities": [
{
"id": "string",
"hostname": "string",
"url": "string",
"ip": "string",
"mac": "string",
"name": "string",
"location": {
"locationCountry": "string",
"locationCity": "string",
"locationState": "string",
"locationLat": 0,
"locationLon": 0
},
"email": "string",
"windowsDomain": "string",
"account": "string",
"hash": "string",
"impact": "string",
"creationDate": 0,
"modificationDate": 0,
"json": "string",
"domain": "string",
"extraDataMaps": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"entityType": "SOURCEIP",
"entitySuperTypes": [
"DOMAIN"
],
"entityFamily": "SYSTEM",
"direction": "NONE",
"internalEntity": true
}
],
"commentsList": [
{
"id": 0,
"author": {
"id": 0,
"user": {
"id": "string",
"email": "string",
"username": "string",
"telephone": "string",
"pwd": "string",
"status": 0,
"validation_token": "string",
"defaultDomain": "string",
"updateDate": "2022-07-19T09:00:49.052Z",
"creationDate": "2022-07-19T09:00:49.052Z",
"otpSecret": "string",
"loginAttempts": 0,
"recoveryAttempts": 0
},
"domain": {
"id": "string",
"name": "string",
"status": 0,
"type": 0,
"updateDate": "2022-07-19T09:00:49.052Z",
"creationDate": "2022-07-19T09:00:49.052Z",
"subscribed": 0,
"daysLeft": 0,
"showLanding": true,
"reseller": {
"id": 0,
"name": "string",
"preferences": "string",
"contactInformation": "string",
"pricePlans": "string",
"updateDate": "2022-07-19T09:00:49.052Z",
"creationDate": "2022-07-19T09:00:49.052Z",
"permPolicy": "string",
"menuView": "string",
"limits": "string",
"groupId": 0,
"webPreferences": "string"
},
"groupId": 0,
"alertsLastReseted": "2022-07-19T09:00:49.052Z"
},
"lastTimeLogged": "2022-07-19T09:00:49.052Z",
"status": 0,
"creationDate": "2022-07-19T09:00:49.052Z",
"updateDate": "2022-07-19T09:00:49.052Z",
"pwd": "string",
"validationToken": "string",
"roleCustom": 0,
"rolesCustom": [
0
],
"externalId": "string",
"owner": true,
"alertsLastVisited": "2022-07-19T09:00:49.052Z"
},
"msg": "string",
"ack": "string",
"creationDate": "2022-07-19T09:00:49.052Z",
"updateDate": "2022-07-19T09:00:49.052Z",
"elementType": "string",
"elementId": "string",
"domain": {
"id": "string",
"name": "string",
"status": 0,
"type": 0,
"updateDate": "2022-07-19T09:00:49.052Z",
"creationDate": "2022-07-19T09:00:49.052Z",
"subscribed": 0,
"daysLeft": 0,
"showLanding": true,
"reseller": {
"id": 0,
"name": "string",
"preferences": "string",
"contactInformation": "string",
"pricePlans": "string",
"updateDate": "2022-07-19T09:00:49.052Z",
"creationDate": "2022-07-19T09:00:49.052Z",
"permPolicy": "string",
"menuView": "string",
"limits": "string",
"groupId": 0,
"webPreferences": "string"
},
"groupId": 0,
"alertsLastReseted": "2022-07-19T09:00:49.052Z"
},
"title": "string",
"status": "string",
"task": true
}
],
"alertLabel": "string"
}
] |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
GET/v1/alerts/statistics
Get statistics from a set of alerts.
To perform this request, your Devo user must have at least the Alerts (view) permission assigned. Learn more about roles and permissions in this article.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| Indicate the number of hours back you want to analyze. |
|
| Filters all alerts triggered after this date. This must by an epoch time in milliseconds. |
|
| Type of the results retrieved. Must be one of the following:
The default value is |
|
| Filter by alert name. |
|
| Set this parameter to |
Example
Find below a request example in cURL language. This request will show statistics of the alerts triggered in the last 10 hours defined in the domain that corresponds to the given token. We are requesting the results to be shown as a funnel. Learn how to authorize your request in this article.
curl -H 'standAloneToken:YOUR_TOKEN' -X GET "https://api-us.devo.com/alerts/v1/alerts/statistics?hours=10&type=funnel"
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. Statistics for the matching alerts are shown. {
"total": {
"total": 2258,
"enriched": 2258
},
"types": {
"Model": {
"total": 0,
"enriched": 0
},
"Observation": {
"total": 0,
"enriched": 0
},
"Detection": {
"total": 1185,
"enriched": 1185
},
"Analytics": {
"total": 1073,
"enriched": 1073
}
}
} |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
GET/v1/alerts/listStatus
To perform this request, your Devo user must have at least the Alerts (view) permission assigned. Learn more about roles and permissions in this article.
Get the status of a set of alerts.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| Filters all alerts triggered after this date. This must by an epoch time in milliseconds. The default value is 24 hours before the request. |
Example
Find below a request example in cURL language. This request will show the statuses of the alerts triggered in the last 24 hours in the domain that corresponds to the given token. Learn how to authorize your request in this article.
curl -H 'standAloneToken:YOUR_TOKEN' -X GET "https://api-us.devo.com/alerts/v1/alerts/listStatus"
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. The list of statuses of the alerts within the indicated period is shown. {
"87663927": 0,
"87385381": 0,
"87385380": 0,
"87385383": 0,
"87385382": 0,
"87385377": 0,
"87385376": 0,
"87385379": 0,
"87385378": 0,
"87647513": 2,
"87647512": 2,
"87467282": 2,
"87467283": 2,
"87598352": 0,
"87598353": 0,
"87385375": 0,
"87598354": 0,
"87598355": 0,
"87598356": 0,
"87598357": 0,
} |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
PUT/v1/alerts/updateStatus
To perform this request, your Devo user must have at least the Alerts or Alerts_unread (manage) permission assigned. Learn more about roles and permissions in this article.
Update alert status by ID.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| ID of the alert you want to update. How can I get the ID of a triggered alert? Triggered alert IDs are displayed in the Alerts area of the Devo platform. You can find them in the Alerts history table at the bottom of the Alerts dashboard tab. Learn more about this in Managing triggered alerts. You will also get the IDs of the triggered alerts in a domain using GET |
|
| New status of the alert. Must be one of the following (each number code corresponds to the status indicated next to it):
|
Example
Find below a request example in cURL language. This request will change the status of the triggered alert with ID 123456
to Watched (100
) in the domain that corresponds to the given token. Learn how to authorize your request in this article.
curl --location --request PUT 'https://api-us.devo.com/alerts/v1/alerts/updateStatus?id=123456&status=100' --header 'standAloneToken:YOUR_TOKEN'
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. The status of the alert is updated. {
"id": 123456,
"domain": "demo",
"priority": 5,
"context": "my.alert.demo.SecIntSeveralDNS",
"category": "my.context",
"srcPort": null,
"srcIp": null,
"srcHost": null,
"dstIp": null,
"dstPort": null,
"dstHost": null,
"protocol": null,
"username": "user@devo.com",
"application": null,
"engine": "pilot.my.alert.demo.SecIntSeveralDNS",
"extraData": "{\"sourceIP\":\"%2F194.140.174.171\",\"totalservers\":\"71\",\"destinationCount\":\"71.00007511654165\",\"eventdate\":\"2023-04-05+07%3A00%3A00.0\"}",
"alertDate": null,
"status": 100,
"ack_status_date": null,
"createDate": 1680681772000,
"updateDate": 1680683709802,
"scaled": false,
"digest": "c80cfdff6620d2a07f757690f8137ca17635479b",
"uniquedigest": "a63d213133dd3f7756c265ea2c712fe8c0a4fc18",
"postAlertAction": null,
"contextLabel": null,
"contextSubscription": null,
"shouldSend": false,
"alertOwner": null,
"fullExtraData": null,
"alertType": null,
"alertMitreTactics": null,
"alertMitreTechniques": null,
"alertPriority": null,
"alertDefinition": null,
"allExtraDataFields": null,
"tags": null,
"entities": null,
"commentsList": null,
"integrations": null,
"contexto": null
} |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
PUT/v1/alerts/updateStatusList
To perform this request, your Devo user must have at least the Alerts or Alerts_unread (manage) permission assigned. Learn more about roles and permissions in this article.
Update alert status in bulk.
Request
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| New status of the alerts. Must be one of the following (each number code corresponds to the status indicated next to it):
|
Request body
The request JSON body must include the IDs of all the alerts you want to update, following this format:
["113451", "113452", "113453"]
Example
Find below a request example in cURL language. This request will change the status of the triggered alerts with IDs 123456
and 567890
to Watched (100
) in the domain that corresponds to the given token. Learn how to authorize your request in this article.
curl --location --request PUT 'https://api-us.devo.com/alerts/v1/alerts/updateStatusList?status=100' --header 'standAloneToken:YOUR_TOKEN' --data '["123456", "567890"]'
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. The status of the indicated alerts is updated. |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |
PUT/v1/alerts/{alertID}/priority
To perform this request, your Devo user must have at least the Alerts or Alerts_unread (manage) permission assigned. Learn more about roles and permissions in this article.
Update the priority of a given alert.
Request
Path parameters
Add the following path parameters as part of the endpoint:
Parameter | Type | Definition |
---|---|---|
|
| ID of the alert you want to update. |
Query string parameters
Query string parameters are optionally added after the path parameters, preceded by a question mark (?
) and separated by an ampersand (&)
Parameter | Type | Definition |
---|---|---|
|
| Enter the new status of the alert. Values
|
Example
Find below a request example in cURL language. This request will update the status of the alert with ID 123456
to High (6) in the domain that corresponds to the given token. Learn how to authorize your request in this article.
curl --location --request PUT 'https://api-us.devo.com/alerts/v1/alerts/170480513/priority?priority=6' --header 'standAloneToken:YOUR_TOKEN'
Response
Check the list of available responses:
Code | Description |
---|---|
200 | Successful response. Alert status updated. {
"id": 123456,
"domain": "myDomain",
"priority": 6,
"context": "my.alert.tutorials.myAlertEach.TcgKWDuG",
"category": "my.context",
"srcPort": null,
"srcIp": null,
"srcHost": null,
"dstIp": null,
"dstPort": null,
"dstHost": null,
"protocol": null,
"username": "user@devo.com",
"application": null,
"engine": "pilot-4-pro-cloud-custom-aws-us-east-1",
"extraData": "{...}",
"alertDate": null,
"status": 0,
"ack_status_date": null,
"createDate": 1679998567000,
"updateDate": 1685437868049,
"scaled": false,
"digest": "c28250445d783ea79c3633f2e5d1b1e20f79e514",
"uniquedigest": "0cba6b3dde174a41103edd6121911a1b7280bbb8",
"postAlertAction": null,
"contextLabel": null,
"contextSubscription": null,
"shouldSend": false,
"alertOwner": null,
"fullExtraData": null,
"alertType": null,
"alertMitreTactics": null,
"alertMitreTechniques": null,
"alertPriority": null,
"alertDefinition": null,
"allExtraDataFields": null,
"tags": null,
"entities": null,
"commentsList": null,
"integrations": null,
"contexto": null
} |
400 | Error in request. |
401 | Unauthorized request. |
403 | Forbidden request. |
405 | Method not allowed. |
500 | Server error and Java exception. |