List Alerts - Leen.dev Unified API for Security

Authorizations

X-CONNECTION-ID

string

header

required

X-API-KEY

string

header

required

Query Parameters

sort

string | null

Sort by field

enableCursor

boolean

default:

false

Enable cursor based pagination instead of default offset-based pagination

updatedSince

string | null

Datetime filter, only return items updated since this datetime. Example format: 2021-01-01T00:00:00+00:00

limit

integer

default:

100

Limit size (page size)

Required range: x > 0

offset

integer

default:

Offset index (starting index of page)

Required range: x > 0

excludeTotal

boolean

default:

false

Skips returning the total rows, total is set to null when true

cursor

string | null

device_id

string

severity

string

status

string

includeDeviceGroups

boolean

default:

false

Include device groups in the devices attached to the vulnerability

includeObservables

boolean

default:

false

Include observable data in the response

Response

200 - application/json

count

integer

required

Number of items return in the response

items

object[]

required

List of items returned in the response

items.active_directory_domain

string | null

required

Active Directory domain

items.active_directory_user_id

string | null

required

Active Directory user ID

items.assigned_user

string | null

required

Assigned user

items.description

string | null

required

Description of alert, provided by the upstream vendor

items.device

object

required

Device attached to the alert, include device groups with includeDeviceGroups query parameter

items.device.ad_info

object | null

required

items.device.first_seen

string | null

required

items.device.id

string

required

items.device.installed_software

string[] | null

required

items.device.last_seen

string | null

required

items.device.source_vendors

object[]

required

items.device.status

enum<string>

required

Available options:

active,

offline,

quarantined

items.device.cloud_metadata

object | null

CloudMetadata, currently only AWS is supported

items.device.fqdns

string[] | null

items.device.hostnames

string[] | null

items.device.identities

object[] | null

items.device.ipv4s

string[] | null

items.device.ipv6s

string[] | null

items.device.mac_addresses

string[] | null

items.device.os_major_version

string | null

items.device.os_minor_version

string | null

items.device.os_version

string | null

items.device.platform

enum<string> | null

Available options:

mac,

windows,

linux,

unknown

items.device.tags

object[] | null

items.device.vendor_data

object | null

Vendor specific pass through data, values can vary based on vendor

items.first_event_time

string | null

required

First event time

items.last_event_time

string | null

required

Last event time

items.mitre

object[]

required

MITRE Tactics associated with the alert

items.parent_pid

string | null

required

Parent process ID

items.pid

string | null

required

Process ID

items.process_command_line

string | null

required

Process command line

items.process_created_at

string | null

required

Process created at

items.process_filename

string | null

required

Process filename

items.process_filepath

string | null

required

Process filepath

items.process_md5

string | null

required

Process MD5

items.process_sha1

string | null

required

Process SHA1

items.process_sha256

string | null

required

Process SHA256

items.resolved_time

string | null

required

Resolved time

items.title

string | null

required

Title of the alert, provided by the upstream vendor

items.user_name

string | null

required

User name

items.vendor

enum<string>

required

Source vendor

Available options:

crowdstrike,

ms_defender_endpoint,

sentinelone

items.vendor_id

string | null

required

Vendor's ID of the alert

items.vendor_severity

string | null

required

Vendor's severity

items.vendor_status

string | null

required

Vendor's status

items.windows_sid

string | null

required

Windows SID

items.id

string | null

items.observables

object[] | null

Observable data associated with the alert

items.severity

enum<string>

default:

none

Alert severity

Available options:

none,

low,

medium,

high,

critical,

info

items.status

enum<string>

default:

unknown

Alert status

Available options:

unknown,

new,

in_progress,

unresolved,

resolved

total

integer | null

Total number of items that can be returned