Get detailed information about an alert. The following permission is required to run this action:
  • Alerts: Read and Write.
This endpoint does not support detection IDs prefixed with ldt.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Parameters

ParameterDescription
Alert IDsComma separated list of alert IDs to get details on. This endpoint does not support detection IDs prefixed with ldt.

Example Output

{
	"meta": {
		"query_time": 0.004553092,
		"writes": {
			"resources_affected": 0
		},
		"powered_by": "detectsapi",
		"trace_id": "e3a17704-d33e-4f70-a769-6a3ddc01844f"
	},
	"errors": [],
	"resources": [
		{
			"activity_id": "3D14C6B6-XXXX-460EC4FCD27D",
			"aggregate_id": "aggind:dca1XXXX1660:097877B9-C71F-42C7-A836-2944D119B6CB",
			"cid": "0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
			"composite_id": "28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
			"confidence": 30,
			"context_timestamp": "2022-05-15T10:32:00.000Z",
			"created_timestamp": "2022-05-15T11:34:56.887790892Z",
			"description": "User access from an unusual location",
			"display_name": "Unusual user geolocation",
			"end_time": "2022-05-15T10:32:00.000Z",
			"falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/dca1xxxx1660",
			"id": "ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544",
			"location_country_code": "US",
			"name": "AnomalousGeoLocationAccess",
			"objective": "Gain Access",
			"okta_application_id": "0oa1xxxxL5d7",
			"pattern_id": 51125,
			"product": "idp",
			"scenario": "machine_learning",
			"severity": 31,
			"show_in_ui": true,
			"source_account_name": "demo.user@example.com",
			"source_account_okta_id": "00u4xxxxf5d7",
			"source_endpoint_address_ip4": "192.0.2.100",
			"source_endpoint_ip_address": "192.0.2.100",
			"sso_application_identifier": "Okta Admin Console",
			"sso_application_uri": "0oa1xxxxL5d7",
			"start_time": "2022-05-15T10:32:00.000Z",
			"status": "new",
			"tactic": "Initial Access",
			"tactic_id": "TA0001",
			"technique": "Valid Accounts",
			"technique_id": "T1078",
			"timestamp": "2022-05-15T10:34:56.509Z",
			"type": "idp-session-source-user-endpoint-target-info",
			"updated_timestamp": "2022-05-15T11:34:56.887790892Z"
		}
	]
}

Workflow Library Example

Get Alert Details with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop