EDR
Get Alert by ID
EDR
Get Alert by ID
Retrieve an EDR alert by its ID (Leen’s UUID).
GET
/
edr
/
alerts
/
{alert_id}
Authorizations
X-CONNECTION-ID
string
headerrequiredX-API-KEY
string
headerrequiredPath Parameters
alert_id
string
requiredResponse
200 - application/json
id
string | null
vendor_id
string | null
requiredVendor's ID of the alert
title
string | null
requiredTitle of the alert, provided by the upstream vendor
description
string | null
requiredDescription of alert, provided by the upstream vendor
assigned_user
string | null
requiredAssigned user
severity
enum<string>
default: noneAlert severity
Available options:
none, low, medium, high, critical, info vendor_severity
string | null
requiredVendor's severity
status
enum<string>
default: unknownAlert status
Available options:
unknown, new, in_progress, unresolved, resolved vendor_status
string | null
requiredVendor's status
first_event_time
string | null
requiredFirst event time
last_event_time
string | null
requiredLast event time
resolved_time
string | null
requiredResolved time
vendor
enum<string>
requiredSource vendor
Available options:
crowdstrike, ms_defender_endpoint, sentinelone pid
string | null
requiredProcess ID
process_created_at
string | null
requiredProcess created at
process_filename
string | null
requiredProcess filename
process_command_line
string | null
requiredProcess command line
process_filepath
string | null
requiredProcess filepath
process_sha1
string | null
requiredProcess SHA1
process_sha256
string | null
requiredProcess SHA256
process_md5
string | null
requiredProcess MD5
parent_pid
string | null
requiredParent process ID
user_name
string | null
requiredUser name
windows_sid
string | null
requiredWindows SID
active_directory_user_id
string | null
requiredActive Directory user ID
active_directory_domain
string | null
requiredActive Directory domain
device
object
requiredDevice attached to the alert, include device groups with includeDeviceGroups query parameter
mitre
object[]
requiredMITRE Tactics associated with the alert