
Get Alerts By Alert IDs

Returns the alerts that match the given alert IDs.

External Documentation

To learn more, visit the Intezer documentation.

Parameters

Parameter | Description
Alert IDs | List of comma-separated alert IDs to search for.
Environments | List of comma-separated environments to search in.

Example Output

{
"result": {
"alert_count": 1,
"alerts": [
{
"alert_id": "ed638299999999862495_-1864999299",
"intezer_alert_url": "https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299",
"note": "🟦 Intezer Automated Triage🧨 \n===================================\n Confirmed Threat - Generic Threat - CoinMiner\n===================================\nRecommended actions: Kill, Quarantine\nTTPs: Defense Evasion, Execution\nIOCs: 2 indicators\n\nView alert: 👉 https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299",
"alert": {
"alert_id": "ed638299999999862495_-1864999299",
"creation_time": "2023-06-28T07:06:38.228013",
"creation_time_display": "28 Jun 23 | 06:38 UTC",
"alert_title": "MyThreatName.exe",
"severity": "high",
"severity_display": "High",
"alert_url": "https://falcon.crowdstrike.com/activity/detections/detail/9999c9999af9999d84d999c2ee7131bb/999994989665",
"descriptions": [
"This file meets the File Analysis ML algorithm's low-confidence threshold for malware."
],
"external_account_name": "MyAccountName",
"site_name": "MySiteName",
"is_mitigated": false,
"mitigation_status_display": "Not Mitigated",
"device": {
"id": "9999c9999af9999d84d999c2ee7131bb",
"hostname": "MyHostName",
"os_type": "windows",
"os_name": "Windows 10"
}
},
"triage_result": {
"alert_verdict": "confirmed_threat",
"alert_verdict_display": "Confirmed Threat",
"risk_level": "high",
"risk_level_display": "High",
"risk_category": "generic_threat",
"risk_category_display": "Generic Threat",
"families": {
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"family_name": "HopperTick"
},
"threat_name": "MyThreatName.exe",
"risk_score": 20,
"ttps": [
{
"tactic_id": "TA0002",
"technique": "Command and Scripting Interpreter: Unix Shell",
"technique_id": "T1059.004",
"source": "analysis",
"tactic": "Execution"
}
]
},
"alert_sub_types": [
"file_based"
],
"raw_alert": {},
"sender": "cs",
"scans": [
{
"is_main_analysis": true,
"file_analysis": {
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"ttps": [
{
"tactic_id": "TA0002",
"technique": "Command and Scripting Interpreter: Unix Shell",
"technique_id": "T1059.004",
"tactic": "Execution"
}
],
"file_name": "MyFileName.exe",
"verdict": "malicious",
"sub_verdict": "malicious",
"iocs": {
"files": [
{
"path": "/path/to/MyFileName.exe",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"verdict": "malicious",
"family": null,
"type": "main_file"
}
],
"network": [
{
"source": [
"Network communication"
],
"ioc": "10.0.0.1",
"type": "ip"
}
]
},
"analysis_time": "2022-05-28T07:09:58",
"analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
"family_name": "Emotet",
"analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911"
},
"collection_status": "collected",
"scan_type": "file"
}
],
"response": {
"automated_response_actions": [
{
"action_name": "Endpoint scan performed",
"action_key": "endpoint_scan_performed",
"status": "suggested"
}
],
"user_recommended_actions": [
{
"action_name": "Kill Process (RTR)",
"action_key": "kill_process"
}
],
"user_recommended_actions_display": "Kill Process (RTR)",
"iocs": {
"files": [
{
"path": "/path/to/MyFileName.exe",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"verdict": "malicious",
"family": null,
"type": "main_file"
}
],
"network": [
{
"ioc": "10.0.0.1",
"source": [
"Network communication"
],
"type": "ip"
}
]
},
"status": "follow_up_required",
"status_display": "Follow Up Required"
},
"source": "cs",
"source_display": "CrowdStrike",
"source_type": "edr"
}
]
}
}

Workflow Library Example

Get Alerts by Alert Ids with Intezer and Send Results Via Email
