Get a list of alerts with optional filtering.
External Documentation: To learn more, visit the Rapid7 InsightIDR documentation.

Basic Parameters

Parameter | Description
End Time | The end of the timeframe to search alerts up to.
LEQL expression | The LEQL WHERE clause to filter alerts against.

For Example:
- where(status = 'OPEN' AND priority = 'CRITICAL') returns all alerts that are currently open and marked with critical priority.
- where(assignee.email = 'analyst.name@company.com' AND status = 'INVESTIGATING') returns all alerts currently being investigated by a specific analyst.
Page | The number of the page to return results from (zero-based).
Page Size | The maximum number of results to return per page. Valid range is 1-100.
RRNs Only | Return only RRNs (Rapid7 Resource Names), without the full alert details.
Return All Pages | Automatically fetch every page of results, page by page.
Start Time | The start of the timeframe to search alerts from.
Terms | An array of search-term objects to match alerts against.

For Example:
[
  {
    "field_ids": ["string"],
    "operator": "EQUALS",
    "terms": [
      "string",
      "2025-10-23T12:17:24.622Z",
      0,
      true
    ]
  }
]

Notes:
- Field IDs can be obtained with the Get All Alert Fields action.
- Available operators: EQUALS, NOT_SET, NOT_EQUALS, CONTAINS, GREATER_THAN, LESS_THAN.
- Term values may be a string, a date-time string, a number, or a boolean.

For more information, please refer to Rapid7 - Insight IDR Documentation

Advanced Parameters

Parameter | Description
Additional Field IDs | A comma-separated list of additional field IDs to include for each alert in the result.
Aggregates | An array of aggregations to apply across all matching results. Each object must include the name and fields attributes.

For Example:

[
  {
    "name": "string",
    "type": "BUCKET",
    "fields": [
      {
        "field_id": "string",
        "interval": 0,
        "order": "ASCENDING_NULLS_LAST"
      }
    ],
    "count_order": "ASCENDING_NULLS_LAST"
  }
]
Sorts | An array of sorting objects to apply to the search. The order attribute is required for each object.

For Example:

[
  {
    "field_id": "string",
    "order": "ASCENDING_NULLS_LAST"
  }
]

For more information, please refer to the Rapid7 InsightIDR documentation.

Example Output

{
	"rrns": [
		"string"
	],
	"alerts": [
		{
			"rrn": "string",
			"version": 0,
			"created_at": "2019-08-24T14:15:22Z",
			"updated_at": "2019-08-24T14:15:22Z",
			"alerted_at": "2019-08-24T14:15:22Z",
			"ingested_at": "2019-08-24T14:15:22Z",
			"external_source": "string",
			"external_id": "string",
			"organization": {
				"id": "string",
				"name": "string",
				"region": "string",
				"product_token": "string",
				"customer_id": "string",
				"customer_name": "string",
				"customer_code": "string",
				"customer_group": "string",
				"flags": [
					"string"
				]
			},
			"title": "string",
			"type": "string",
			"rule": {
				"rrn": "string",
				"name": "string",
				"mitre_tcodes": [
					"string"
				],
				"version_rrn": "string"
			},
			"rule_matching_keys": [
				{
					"key": "string",
					"values": [
						"string"
					]
				}
			],
			"rule_keys_of_interest": [
				{
					"key": "string",
					"values": [
						"string"
					]
				}
			],
			"responsibility": "UNMAPPED",
			"monitored": true,
			"assignee": {
				"at": "2019-08-24T14:15:22Z",
				"id": "string",
				"email": "string",
				"first_name": "string",
				"last_name": "string"
			},
			"priority": "UNMAPPED",
			"status": "UNMAPPED",
			"status_transitions": {
				"seconds_to_first_investigating": 0,
				"seconds_to_first_closed": 0,
				"first_closed_at": "2019-08-24T14:15:22Z"
			},
			"disposition": "UNMAPPED",
			"investigation_rrn": "string",
			"tags": [
				"string"
			],
			"permissions": {
				"canEdit": true
			},
			"fields": [
				{
					"id": "string",
					"values": [
						"string"
					]
				}
			],
			"analytics": {
				"analytics_is_novel": true,
				"analytics_novel_score": 0.1,
				"analytics_cluster_malicious": 0.1,
				"analytics_cluster_testing": 0.1,
				"analytics_pac": "string"
			},
			"due_date": "2019-08-24T14:15:22Z",
			"first_closed_at": "2019-08-24T14:15:22Z",
			"log_details": [
				{
					"log_id": "string",
					"logset_id": "string",
					"log_timestamp": 0,
					"log_entry_id": "string"
				}
			],
			"ai_suggested_disposition": "UNMAPPED",
			"prediction_metadata": {
				"property1": {},
				"property2": {}
			},
			"prediction_data": {
				"property1": {},
				"property2": {}
			}
		}
	],
	"metadata": {
		"index": 0,
		"size": 0,
		"items_in_index": 0,
		"total_items": 0,
		"is_last_index": true
	},
	"aggregates": [
		{
			"name": "string",
			"type": "BUCKET",
			"value": {},
			"field_ids": [
				"string"
			],
			"buckets": [
				{
					"keys": [
						[
							"string"
						]
					],
					"count": 0
				}
			]
		}
	],
	"region_failures": [
		{
			"region": "string",
			"message": "string"
		}
	]
}
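The Terms, Page, Page Size and Return All Pages parameters above, together with the metadata block in the example output, describe a filtered, paginated search. The Python below is an added example, not code from this page or from Rapid7: it validates a search body against the constraints the page states (the operator set, the allowed term value types, the required sort order and aggregate name/fields attributes, page size 1-100) and walks pages until the server sets metadata.is_last_index. The request body key names (leql, search, sorts, aggregates), the index/size query parameters, the X-Api-Key header and the endpoint path in http_search are assumptions and must be checked against the Rapid7 API reference; the demo runs offline against a constructed in-memory responder whose field IDs (status, priority) are placeholders for IDs obtained from Get All Alert Fields.

```python
"""Filtered, paginated InsightIDR alert search (added example, not Rapid7 code).

Assumptions not confirmed by the page: the body keys leql/search/sorts/aggregates,
the index/size query parameters, the X-Api-Key header and the endpoint path in
http_search().  Everything else runs offline against constructed sample data.
"""
from typing import Callable, Iterator, List, Optional

# Constraints as stated in the parameter descriptions.
OPERATORS = {"EQUALS", "NOT_SET", "NOT_EQUALS", "CONTAINS", "GREATER_THAN", "LESS_THAN"}
TERM_TYPES = (str, int, float, bool)  # string / date-time string / number / boolean
MAX_PAGE_SIZE = 100

SearchFn = Callable[[dict, int, int], dict]  # (body, page index, page size) -> response


def build_search_body(leql: Optional[str] = None, terms: Optional[List[dict]] = None,
                      sorts: Optional[List[dict]] = None,
                      aggregates: Optional[List[dict]] = None) -> dict:
    """Assemble the request body, rejecting objects that break the documented rules."""
    for t in terms or []:
        if not t.get("field_ids") or t.get("operator") not in OPERATORS:
            raise ValueError(f"term needs field_ids and a valid operator: {t}")
        if not all(isinstance(v, TERM_TYPES) for v in t.get("terms", [])):
            raise ValueError(f"term values must be string, number or boolean: {t}")
    for s in sorts or []:
        if not s.get("field_id") or not s.get("order"):  # order is required
            raise ValueError(f"sort needs field_id and order: {s}")
    for a in aggregates or []:
        if not a.get("name") or not a.get("fields"):  # name and fields are required
            raise ValueError(f"aggregate needs name and fields: {a}")
    body: dict = {}
    if leql:
        body["leql"] = leql          # key name assumed
    if terms:
        body["search"] = terms       # key name assumed
    if sorts:
        body["sorts"] = sorts
    if aggregates:
        body["aggregates"] = aggregates
    return body


def iter_alerts(search: SearchFn, body: dict, page_size: int = MAX_PAGE_SIZE) -> Iterator[dict]:
    """'Return All Pages' by hand: request page 0, 1, ... until metadata.is_last_index."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page size must be between 1 and 100")
    index = 0
    while True:
        page = search(body, index, page_size)
        yield from page.get("alerts", [])
        # Stop on the server's own last-page flag (default True so a malformed
        # response cannot loop forever); never infer the end from a short page.
        if page.get("metadata", {}).get("is_last_index", True):
            return
        index += 1


def http_search(api_key: str, region: str) -> SearchFn:
    """Live transport (assumed endpoint path, header and query names; not run here)."""
    import requests  # only needed for live use; the offline demo never imports it
    url = f"https://{region}.api.insight.rapid7.com/idr/at/alerts/ops/search"

    def search(body: dict, index: int, size: int) -> dict:
        resp = requests.post(url, json=body, params={"index": index, "size": size},
                             headers={"X-Api-Key": api_key}, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return search


def make_fake_search(alerts: List[dict]) -> SearchFn:
    """Offline stand-in: applies EQUALS / NOT_EQUALS terms and pages like the API."""
    def search(body: dict, index: int, size: int) -> dict:
        hits = alerts
        for t in body.get("search", []):
            def matches(a: dict, t: dict = t) -> bool:
                return any(a.get(f) in t["terms"] for f in t["field_ids"])
            if t["operator"] == "EQUALS":
                hits = [a for a in hits if matches(a)]
            elif t["operator"] == "NOT_EQUALS":
                hits = [a for a in hits if not matches(a)]
        start = index * size
        chunk = hits[start:start + size]
        return {"rrns": [a["rrn"] for a in chunk], "alerts": chunk,
                "metadata": {"index": index, "size": size, "items_in_index": len(chunk),
                             "total_items": len(hits),
                             "is_last_index": start + size >= len(hits)}}
    return search


# Constructed sample alerts; "status" and "priority" stand in for real field IDs.
SAMPLE_ALERTS = [
    {"rrn": f"rrn:alerts:example:{i:03d}", "status": status, "priority": priority}
    for i, (status, priority) in enumerate([
        ("OPEN", "CRITICAL"), ("OPEN", "HIGH"), ("CLOSED", "CRITICAL"),
        ("OPEN", "CRITICAL"), ("INVESTIGATING", "CRITICAL"), ("OPEN", "LOW"),
        ("OPEN", "CRITICAL"),
    ])
]


def open_critical_rrns(page_size: int = 2) -> List[str]:
    """RRNs of open, critical alerts across every page (page_size=2 forces two pages)."""
    body = build_search_body(
        terms=[{"field_ids": ["status"], "operator": "EQUALS", "terms": ["OPEN"]},
               {"field_ids": ["priority"], "operator": "EQUALS", "terms": ["CRITICAL"]}],
        sorts=[{"field_id": "priority", "order": "ASCENDING_NULLS_LAST"}])
    return [a["rrn"] for a in iter_alerts(make_fake_search(SAMPLE_ALERTS), body, page_size)]


if __name__ == "__main__":
    print(open_critical_rrns())
```

To run it against a tenant, swap make_fake_search(SAMPLE_ALERTS) for http_search(api_key, region) after confirming the endpoint and key names; the paging loop and the validation are unchanged. Stopping only on is_last_index, rather than on a page that is shorter than page_size, avoids silently truncating a result set when a page happens to come back partially filled.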

Workflow Library Example

Search Alerts with Rapid7 Insightidr and Send Results Via Email