Get Alerts By Alert IDs
Returns alerts that match the given alert ids.
External Documentation
To learn more, visit the Intezer documentation.
Parameters
| Parameter | Description |
|---|---|
| Alert IDs | List of comma seperated alert ids to search for. |
| Environments | List of comma seperated environments to search in. |
Example Output
{
"result": {
"alert_count": 1,
"alerts": [
{
"alert_id": "ed638299999999862495_-1864999299",
"intezer_alert_url": "https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299",
"note": "🟦 Intezer Automated Triage🧨 \n===================================\n Confirmed Threat - Generic Threat - CoinMiner\n===================================\nRecommended actions: Kill, Quarantine\nTTPs: Defense Evasion, Execution\nIOCs: 2 indicators\n\nView alert: 👉 https://analyze.intezer.com/alerts/ed638299999999862495_-1864999299",
"alert": {
"alert_id": "ed638299999999862495_-1864999299",
"creation_time": "2023-06-28T07:06:38.228013",
"creation_time_display": "28 Jun 23 | 06:38 UTC",
"alert_title": "MyThreatName.exe",
"severity": "high",
"severity_display": "High",
"alert_url": "https://falcon.crowdstrike.com/activity/detections/detail/9999c9999af9999d84d999c2ee7131bb/999994989665",
"descriptions": [
"This file meets the File Analysis ML algorithm's low-confidence threshold for malware."
],
"external_account_name": "MyAccountName",
"site_name": "MySiteName",
"is_mitigated": false,
"mitigation_status_display": "Not Mitigated",
"device": {
"id": "9999c9999af9999d84d999c2ee7131bb",
"hostname": "MyHostName",
"os_type": "windows",
"os_name": "Windows 10"
}
},
"triage_result": {
"alert_verdict": "confirmed_threat",
"alert_verdict_display": "Confirmed Threat",
"risk_level": "high",
"risk_level_display": "High",
"risk_category": "generic_threat",
"risk_category_display": "Generic Threat",
"families": {
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"family_name": "HopperTick"
},
"threat_name": "MyThreatName.exe",
"risk_score": 20,
"ttps": [
{
"tactic_id": "TA0002",
"technique": "Command and Scripting Interpreter: Unix Shell",
"technique_id": "T1059.004",
"source": "analysis",
"tactic": "Execution"
}
]
},
"alert_sub_types": [
"file_based"
],
"raw_alert": {},
"sender": "cs",
"scans": [
{
"is_main_analysis": true,
"file_analysis": {
"family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"ttps": [
{
"tactic_id": "TA0002",
"technique": "Command and Scripting Interpreter: Unix Shell",
"technique_id": "T1059.004",
"tactic": "Execution"
}
],
"file_name": "MyFileName.exe",
"verdict": "malicious",
"sub_verdict": "malicious",
"iocs": {
"files": [
{
"path": "/path/to/MyFileName.exe",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"verdict": "malicious",
"family": null,
"type": "main_file"
}
],
"network": [
{
"source": [
"Network communication"
],
"ioc": "10.0.0.1",
"type": "ip"
}
]
},
"analysis_time": "2022-05-28T07:09:58",
"analysis_url": "https://analyze.intezer.com/analyses/0833e33b-2dcd-4d48-a853-8b4822675911",
"family_name": "Emotet",
"analysis_id": "0833e33b-2dcd-4d48-a853-8b4822675911"
},
"collection_status": "collected",
"scan_type": "file"
}
],
"response": {
"automated_response_actions": [
{
"action_name": "Endpoint scan performed",
"action_key": "endpoint_scan_performed",
"status": "suggested"
}
],
"user_recommended_actions": [
{
"action_name": "Kill Process (RTR)",
"action_key": "kill_process"
}
],
"user_recommended_actions_display": "Kill Process (RTR)",
"iocs": {
"files": [
{
"path": "/path/to/MyFileName.exe",
"sha256": "4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356",
"verdict": "malicious",
"family": null,
"type": "main_file"
}
],
"network": [
{
"ioc": "10.0.0.1",
"source": [
"Network communication"
],
"type": "ip"
}
]
},
"status": "follow_up_required",
"status_display": "Follow Up Required"
},
"source": "cs",
"source_display": "CrowdStrike",
"source_type": "edr"
}
]
}
}
Workflow Library Example
Get Alerts by Alert Ids with Intezer and Send Results Via Email
Preview this Workflow on desktop