List Alert Definitions

Get the list of all the alerts defined in a given domain.

External Documentation

To learn more, visit the Devo documentation.

Parameters

| Parameter | Description |
|---|---|
| Alert ID | Indicate an alert definition ID to get only that specific alert. |
| Alert Name | Filter alerts by their names. You will only get alerts that contain the terms specified in their names. The filter is case insensitive. |
| Page | Page number of the results to fetch. |
| Size | The number of results per page. |

Example Output

[
  {
    "id": "214554",
    "creationDate": 1678293187000,
    "name": "AWSWAFRuleDeletion",
    "message": "WAF rule or rulegroup deletion",
    "description": "WAF rule or rulegroup deletion",
    "categoryId": "2432",
    "subcategory": "lib.my.tutorials.AWS",
    "subcategoryId": "4452",
    "isActive": false,
    "isFavorite": false,
    "isAlertChain": false,
    "alertCorrelationContext": {
      "id": "67741",
      "nameId": "my.alert.tutorials.AWSWAFRuleDeletion",
      "ownerEmail": "john.smith@devo.com",
      "querySourceCode": "from cloud.aws.cloudtrail where eq(eventName,\"DeleteRule\") or eq(eventName,\"DeleteRuleGroup\") group every 1m select count() as count",
      "priority": 3,
      "correlationTrigger": {
        "kind": "each",
        "externalPeriod": null,
        "externalOffset": null,
        "internalPeriod": null,
        "internalOffset": null
      }
    },
    "actionPolicyId": []
  },
  {
    "id": "214555",
    "creationDate": 1678293190000,
    "name": "AWSRootAccessConsoleLogin",
    "message": "Root access via console",
    "description": "Root access via console",
    "categoryId": "2432",
    "subcategory": "lib.my.tutorials.threats",
    "subcategoryId": "4453",
    "isActive": false,
    "isFavorite": false,
    "isAlertChain": false,
    "alertCorrelationContext": {
      "id": "67742",
      "nameId": "my.alert.tutorials.AWSRootAccessConsoleLogin",
      "ownerEmail": "john.smith@devo.com",
      "querySourceCode": "from cloud.aws.cloudtrail where eventSource=\"signin.amazonaws.com\" where eventName=\"ConsoleLogin\" select str(jqeval(jqcompile(\".ConsoleLogin\"), responseElements)) as loginResponse select str(jqeval(jqcompile(\".MFAUsed\"), additionalEventData)) as mfaUsed group every 1m by userName,userIdentity_principalId,userIdentity_type,mfaUsed,loginResponse where userIdentity_type=\"Root\" where loginResponse=\"Success\" select count() as count",
      "priority": 2,
      "correlationTrigger": {
        "kind": "each",
        "externalPeriod": null,
        "externalOffset": null,
        "internalPeriod": null,
        "internalOffset": null
      }
    },
    "actionPolicyId": []
  }
]
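The output above can be audited for detection-coverage gaps. The following Python is an added example, not part of the Devo documentation: it flags alert definitions that are inactive, have an empty `actionPolicyId`, or carry no query. The names `SAMPLE` and `audit_definitions` are hypothetical, and the reading of `isActive`, `actionPolicyId` and `creationDate` (epoch milliseconds) is an assumption based on the field names and values shown.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the two records from the example output (fields trimmed,
# queries shortened) plus one invented active record (id 900001).
SAMPLE = json.loads(r"""
[
  {"id": "214554", "creationDate": 1678293187000, "name": "AWSWAFRuleDeletion",
   "isActive": false, "actionPolicyId": [],
   "alertCorrelationContext": {"ownerEmail": "john.smith@devo.com", "priority": 3,
     "querySourceCode": "from cloud.aws.cloudtrail where eq(eventName,\"DeleteRule\") group every 1m select count() as count"}},
  {"id": "214555", "creationDate": 1678293190000, "name": "AWSRootAccessConsoleLogin",
   "isActive": false, "actionPolicyId": [],
   "alertCorrelationContext": {"ownerEmail": "john.smith@devo.com", "priority": 2,
     "querySourceCode": "from cloud.aws.cloudtrail where eventName=\"ConsoleLogin\" select count() as count"}},
  {"id": "900001", "creationDate": 1700000000000, "name": "ConstructedActiveAlert",
   "isActive": true, "actionPolicyId": ["1"],
   "alertCorrelationContext": {"ownerEmail": "soc@example.com", "priority": 1,
     "querySourceCode": "from cloud.aws.cloudtrail select count() as count"}}
]
""")


def audit_definitions(definitions):
    """Return one finding per alert definition that needs review."""
    findings = []
    for d in definitions:
        ctx = d.get("alertCorrelationContext") or {}
        issues = []
        if not d.get("isActive", False):   # assumption: false means disabled
            issues.append("inactive")
        if not d.get("actionPolicyId"):    # assumption: empty means no action attached
            issues.append("no-action-policy")
        if not (ctx.get("querySourceCode") or "").strip():
            issues.append("missing-query")
        if issues:
            # creationDate is read as epoch milliseconds (assumption)
            created = datetime.fromtimestamp(d["creationDate"] / 1000, tz=timezone.utc)
            findings.append({
                "id": d["id"], "name": d["name"], "issues": issues,
                "owner": ctx.get("ownerEmail"), "priority": ctx.get("priority"),
                "created": created.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_definitions(SAMPLE):
        print(f["id"], f["name"], ",".join(f["issues"]), f["owner"], f["created"])
```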

Workflow Library Example

List Alert Definitions with Devo and Send Results Via Email
