Get Alert Details
Get detailed information about one or more alerts, looked up by alert ID.
Note:
This endpoint does not support detection IDs prefixed with ldt.
External Documentation
To learn more, visit the CrowdStrike documentation.
Parameters
Parameter | Description |
---|---|
Alert IDs | Comma-separated list of alert IDs to get details on. This endpoint does not support detection IDs prefixed with `ldt`. |
Example Output
{
"meta": {
"query_time": 0.004553092,
"writes": {
"resources_affected": 0
},
"powered_by": "detectsapi",
"trace_id": "e3a17704-d33e-4f70-a769-6a3ddc01844f"
},
"errors": [],
"resources": [
{
"activity_id": "3D14C6B6-XXXX-460EC4FCD27D",
"aggregate_id": "aggind:dca1XXXX1660:097877B9-C71F-42C7-A836-2944D119B6CB",
"cid": "0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
"composite_id": "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
"confidence": 30,
"context_timestamp": "2022-05-15T10:32:00.000Z",
"created_timestamp": "2022-05-15T11:34:56.887790892Z",
"description": "User access from an unusual location",
"display_name": "Unusual user geolocation",
"end_time": "2022-05-15T10:32:00.000Z",
"falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/dca1xxxx1660",
"id": "ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
"location_country_code": "US",
"name": "AnomalousGeoLocationAccess",
"objective": "Gain Access",
"okta_application_id": "0oa1xxxxL5d7",
"pattern_id": 51125,
"product": "idp",
"scenario": "machine_learning",
"severity": 31,
"show_in_ui": true,
"source_account_name": "demo.user@example.com",
"source_account_okta_id": "00u4xxxxf5d7",
"source_endpoint_address_ip4": "192.0.2.100",
"source_endpoint_ip_address": "192.0.2.100",
"sso_application_identifier": "Okta Admin Console",
"sso_application_uri": "0oa1xxxxL5d7",
"start_time": "2022-05-15T10:32:00.000Z",
"status": "new",
"tactic": "Initial Access",
"tactic_id": "TA0001",
"technique": "Valid Accounts",
"technique_id": "T1078",
"timestamp": "2022-05-15T10:34:56.509Z",
"type": "idp-session-source-user-endpoint-target-info",
"updated_timestamp": "2022-05-15T11:34:56.887790892Z"
}
]
}
Workflow Library Example
Get Alert Details with Crowdstrike and Send Results Via Email