GET
/
edr
/
alerts
/
{alert_id}
curl --request GET \
  --url https://api.leen.dev/v1/edr/alerts/{alert_id} \
  --header 'X-API-KEY: <api-key>' \
  --header 'X-CONNECTION-ID: <api-key>'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "vendor_id": "<string>",
  "title": "<string>",
  "description": "<string>",
  "assigned_user": "<string>",
  "severity": "none",
  "vendor_severity": "<string>",
  "status": "unknown",
  "vendor_status": "<string>",
  "first_event_time": "2023-11-07T05:31:56Z",
  "last_event_time": "2023-11-07T05:31:56Z",
  "resolved_time": "2023-11-07T05:31:56Z",
  "vendor": "crowdstrike",
  "pid": "<string>",
  "process_created_at": "2023-11-07T05:31:56Z",
  "process_filename": "<string>",
  "process_command_line": "<string>",
  "process_filepath": "<string>",
  "process_sha1": "<string>",
  "process_sha256": "<string>",
  "process_md5": "<string>",
  "parent_pid": "<string>",
  "user_name": "<string>",
  "windows_sid": "<string>",
  "active_directory_user_id": "<string>",
  "active_directory_domain": "<string>",
  "device": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "status": "active",
    "platform": "mac",
    "hostnames": [
      "<string>"
    ],
    "os_version": "<string>",
    "os_major_version": "<string>",
    "os_minor_version": "<string>",
    "fqdns": [
      "<string>"
    ],
    "ipv4s": [
      "<string>"
    ],
    "ipv6s": [
      "<string>"
    ],
    "mac_addresses": [
      "<string>"
    ],
    "last_seen": "2023-11-07T05:31:56Z",
    "first_seen": "2023-11-07T05:31:56Z",
    "source_vendors": [
      {
        "vendor": "<string>",
        "vendor_id": "<string>",
        "agent_info": {
          "agent_version": "<string>",
          "signature_version": "<string>",
          "policies": [
            {}
          ]
        }
      }
    ],
    "installed_software": [
      "<string>"
    ],
    "ad_info": {
      "org_unit": "<string>",
      "site_name": "<string>",
      "domain": "<string>",
      "device_id": "<string>"
    },
    "cloud_metadata": {
      "cloud_provider": "aws",
      "account_id": "<string>",
      "region": "<string>",
      "availability_zone": "<string>",
      "instance_id": "<string>",
      "instance_type": "<string>",
      "image_id": "<string>",
      "kernel_id": "<string>",
      "vpc_id": "<string>",
      "subnet_id": "<string>"
    },
    "tags": [
      {
        "key": "<string>",
        "value": "<string>",
        "source": "aws"
      }
    ],
    "identities": [
      {
        "username": "<string>",
        "user_sid": "<string>"
      }
    ],
    "vendor_data": {}
  },
  "mitre": [
    {
      "tactic_name": "<string>",
      "tactic_id": "<string>",
      "tactic_source": "<string>",
      "techniques": [
        {
          "technique_name": "<string>",
          "technique_id": "<string>",
          "technique_link": "<string>"
        }
      ]
    }
  ],
  "observables": [
    {
      "name": "<string>",
      "type_id": 0,
      "type": "UNKNOWN",
      "value": "<string>"
    }
  ]
}

Authorizations

​
X-CONNECTION-ID
string
header
required
​
X-API-KEY
string
header
required

Path Parameters

​
alert_id
string
required

Response

200
application/json
Successful Response
​
vendor_id
string | null
required

Vendor's ID of the alert

​
title
string | null
required

Title of the alert, provided by the upstream vendor

​
description
string | null
required

Description of alert, provided by the upstream vendor

​
assigned_user
string | null
required

Assigned user

​
vendor_severity
string | null
required

Vendor's severity

​
vendor_status
string | null
required

Vendor's status

​
first_event_time
string | null
required

First event time

​
last_event_time
string | null
required

Last event time

​
resolved_time
string | null
required

Resolved time

​
vendor
enum<string>
required

Source vendor

Available options:
crowdstrike,
ms_defender_endpoint,
sentinelone
​
pid
string | null
required

Process ID

​
process_created_at
string | null
required

Process created at

​
process_filename
string | null
required

Process filename

​
process_command_line
string | null
required

Process command line

​
process_filepath
string | null
required

Process filepath

​
process_sha1
string | null
required

Process SHA1

​
process_sha256
string | null
required

Process SHA256

​
process_md5
string | null
required

Process MD5

​
parent_pid
string | null
required

Parent process ID

​
user_name
string | null
required

User name

​
windows_sid
string | null
required

Windows SID

​
active_directory_user_id
string | null
required

Active Directory user ID

​
active_directory_domain
string | null
required

Active Directory domain

​
device
object
required

Device attached to the alert, include device groups with includeDeviceGroups query parameter

​
mitre
object[]
required

MITRE Tactics associated with the alert

​
id
string | null
​
severity
enum<string>
default:none

Alert severity

Available options:
none,
low,
medium,
high,
critical,
info
​
status
enum<string>
default:unknown

Alert status

Available options:
unknown,
new,
in_progress,
unresolved,
resolved
​
observables
object[] | null

Observable data associated with the alert

OCSF Observable object