GET
/
edr
/
alerts
/
{alert_id}

Authorizations

X-CONNECTION-ID
string
headerrequired
X-API-KEY
string
headerrequired

Path Parameters

alert_id
string
required

Response

200 - application/json
id
string | null
vendor_id
string | null
required

Vendor's ID of the alert

title
string | null
required

Title of the alert, provided by the upstream vendor

description
string | null
required

Description of alert, provided by the upstream vendor

assigned_user
string | null
required

Assigned user

severity
enum<string>
default: none

Alert severity

Available options:
none,
low,
medium,
high,
critical,
info
vendor_severity
string | null
required

Vendor's severity

status
enum<string>
default: unknown

Alert status

Available options:
unknown,
new,
in_progress,
unresolved,
resolved
vendor_status
string | null
required

Vendor's status

first_event_time
string | null
required

First event time

last_event_time
string | null
required

Last event time

resolved_time
string | null
required

Resolved time

vendor
enum<string>
required

Source vendor

Available options:
crowdstrike,
ms_defender_endpoint,
sentinelone
pid
string | null
required

Process ID

process_created_at
string | null
required

Process created at

process_filename
string | null
required

Process filename

process_command_line
string | null
required

Process command line

process_filepath
string | null
required

Process filepath

process_sha1
string | null
required

Process SHA1

process_sha256
string | null
required

Process SHA256

process_md5
string | null
required

Process MD5

parent_pid
string | null
required

Parent process ID

user_name
string | null
required

User name

windows_sid
string | null
required

Windows SID

active_directory_user_id
string | null
required

Active Directory user ID

active_directory_domain
string | null
required

Active Directory domain

device
object
required

Device attached to the alert, include device groups with includeDeviceGroups query parameter

mitre
object[]
required

MITRE Tactics associated with the alert