
Get Alerts

Get a list of alerts for a given scope.

Basic Parameters

Parameter — Description
Alert IDs — Filter by a list of alert IDs.
Analyst Verdict — Filter alerts by analyst verdict.
Options: FALSE_POSITIVE, SUSPICIOUS, TRUE_POSITIVE, UNDEFINED
Count Only — If true, only the total number of matching items is returned, without any of the actual alert objects.
Created After — Return only alerts created after the specified timestamp.
Created Before — Return only alerts created before the specified timestamp. (The example output shows timestamps as RFC 3339 UTC strings such as 2018-02-27T04:49:26.257525Z; the request format is not stated on this page.)
Cursor — Cursor position returned by the previous request (pagination.nextCursor in the output). Use it to iterate over more than 1000 items. Treat the value as opaque: pass it back unchanged and do not construct or decode it yourself. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
Incident Status — Filter alerts by an incident status.
Options: IN_PROGRESS, RESOLVED, UNRESOLVED
Limit — Maximum number of items to return per page (1-1000). Example: 10.
Return All Pages — Automatically follow the pagination cursor and fetch every page of results. On a large scope this can mean many requests and a large payload; narrow the query with Created After / Created Before or the other filters first.
Sort By — The column to sort the results by.

Advanced Parameters

Parameter — Description
Account IDs — List of account IDs to filter the results by. Pass the IDs as strings, as the example output does: values like 225494730938493804 exceed the 2^53 safe-integer range of JavaScript-style JSON parsers and would lose precision if handled as numbers. Example: 225494730938493804,225494730938493915.

Example Output

{
"errors": [
{
"type": "object"
}
],
"pagination": {
"nextCursor": "YWdlbnRfaWQ6NTgwMjkzODE=",
"totalItems": 580
},
"data": [
{
"sourceParentProcessInfo": {
"fileHashSha256": "string",
"subsystem": "unknown",
"uniqueId": "string",
"fileSignerIdentity": "string",
"integrityLevel": "unknown",
"pid": "string",
"filePath": "string",
"effectiveUser": "string",
"fileHashSha1": "string",
"pidStarttime": "2018-02-27T04:49:26.257525Z",
"fileHashMd5": "string",
"realUser": "string",
"loginUser": "string",
"storyline": "string",
"commandline": "string",
"name": "string",
"user": "string"
},
"ruleInfo": {
"severity": "Low",
"id": "string",
"s1ql": "string",
"scopeLevel": "group",
"treatAsThreat": "UNDEFINED",
"queryLang": "1.0",
"description": "string",
"queryType": "events",
"name": "string"
},
"alertInfo": {
"dnsResponse": "string",
"moduleSha1": "string",
"indicatorCategory": "string",
"incidentStatus": "Unresolved",
"tiIndicatorValue": "string",
"netEventDirection": "string",
"loginAccountSid": "string",
"hitType": "Events",
"modulePath": "string",
"indicatorDescription": "string",
"indicatorName": "string",
"dstPort": "string",
"isEdr": "boolean",
"analystVerdict": "Undefined",
"srcMachineIp": "string",
"registryKeyPath": "string",
"registryOldValueType": "string",
"tiIndicatorComparisonMethod": "string",
"registryPath": "string",
"registryValue": "string",
"loginIsAdministratorEquivalent": "string",
"loginAccountDomain": "string",
"reportedAt": "2018-02-27T04:49:26.257525Z",
"dnsRequest": "string",
"loginType": "string",
"registryOldValue": "string",
"srcIp": "string",
"updatedAt": "2018-02-27T04:49:26.257525Z",
"tiIndicatorSource": "string",
"source": "string",
"eventType": "string",
"tiIndicatorType": "string",
"dstIp": "string",
"loginsUserName": "string",
"createdAt": "2018-02-27T04:49:26.257525Z",
"loginIsSuccessful": "string",
"dvEventId": "string",
"srcPort": "string",
"alertId": "225494730938493804"
},
"targetProcessInfo": {
"tgtFileCreatedAt": "2018-02-27T04:49:26.257525Z",
"tgtProcSignedStatus": "string",
"tgtFilePath": "string",
"tgtFileHashSha256": "string",
"tgtFileModifiedAt": "2018-02-27T04:49:26.257525Z",
"tgtProcName": "string",
"tgtProcImagePath": "string",
"tgtFileHashSha1": "string",
"tgtFileIsSigned": "string",
"tgtProcStorylineId": "string",
"tgtProcPid": "string",
"tgtProcIntegrityLevel": "unknown",
"tgtProcCmdLine": "string",
"tgtFileId": "string",
"tgtProcUid": "string",
"tgtProcessStartTime": "2018-02-27T04:49:26.257525Z",
"tgtFileOldPath": "string"
},
"containerInfo": {
"labels": "string",
"name": "string",
"id": "string",
"image": "string"
},
"kubernetesInfo": {
"podLabels": "string",
"pod": "string",
"controllerKind": "string",
"namespace": "string",
"controllerLabels": "string",
"controllerName": "string",
"node": "string",
"namespaceLabels": "string",
"cluster": "string"
},
"sourceProcessInfo": {
"fileHashSha256": "string",
"subsystem": "unknown",
"uniqueId": "string",
"fileSignerIdentity": "string",
"integrityLevel": "unknown",
"pid": "string",
"filePath": "string",
"effectiveUser": "string",
"fileHashSha1": "string",
"pidStarttime": "2018-02-27T04:49:26.257525Z",
"fileHashMd5": "string",
"realUser": "string",
"loginUser": "string",
"storyline": "string",
"commandline": "string",
"name": "string",
"user": "string"
},
"agentDetectionInfo": {
"osName": "string",
"osRevision": "string",
"accountId": "225494730938493804",
"version": "3.6.1.14",
"machineType": "string",
"siteId": "225494730938493804",
"osFamily": "string",
"uuid": "string",
"name": "string"
}
}
]
}

Workflow Library Example

Get Alerts with Sentinelone and Send Results Via Email
