Update an Alert

Update one or more alerts.

Synopsis

URI: /public_api/v1/alerts/update_alerts/
HTTP Method: POST
Required License: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB

Description

Update one or more alerts. You can update up to 100 alerts per request. Missing fields are ignored.

Request Fields

The body of this request contains a JSON object with the following fields:

request_data (Required)
    A dictionary containing the API request fields.

alert_id_list
    A list of the alert IDs you want to update.

update_data
    A dictionary of the fields to change. It may contain the following keys, which define the alert data you want to update:
  • severity
    - Defined severity, one of the following:
    • critical
    • high
    • medium
    • low
    • informational
  • status
    - Updated alert status, one of the following:
    • new
    • resolved_threat_handled
    • under_investigation
    • resolved_security_testing
    • resolved_auto
    • resolved_known_issue
    • resolved_duplicate
    • resolved_true_positive
    • resolved_other
    • resolved_false_positive
  • comment
    - Descriptive comment explaining the changes.
Request Example

curl -X POST https://api-{fqdn}/public_api/v1/alerts/update_alerts/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "alert_id_list": ["<list of alert IDs>"],
      "update_data": {
        "severity": "low",
        "status": "resolved_other",
        "comment": "This alert is resolved"
      }
    }
  }'

Success Response

Upon success, the HTTP response code is 200 and the API returns a reply of true.

alert_ids
    IDs of alerts that were updated.

Response Example

{ "reply": { "alerts_ids": [ <list of alert IDs> ] } }

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

400
    Bad Request. Got an invalid JSON.
401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402
    Unauthorized access. User does not have the required license type to run this API.
403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500
    Internal server error. A unified status for API communication type errors. For example, test@test.com is not a valid Cortex XDR email address.

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
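The following Python client is an added example, not Cortex XDR's own SDK: it builds the request body described above (omitting unset fields, checking severity/status against the documented value sets and enforcing the 100-alert limit before anything is sent), posts it with the documented headers, and turns the success or error reply into a return value or an exception. The fqdn, key ID and key are assumed to be supplied by the caller; the sample replies in the comments are constructed.

```python
import json
from urllib import request
from urllib.error import HTTPError

SEVERITIES = {"critical", "high", "medium", "low", "informational"}
STATUSES = {
    "new", "resolved_threat_handled", "under_investigation",
    "resolved_security_testing", "resolved_auto", "resolved_known_issue",
    "resolved_duplicate", "resolved_true_positive", "resolved_other",
    "resolved_false_positive",
}
MAX_ALERTS_PER_REQUEST = 100  # documented limit for update_alerts


def build_update_body(alert_ids, severity=None, status=None, comment=None):
    """Body for /public_api/v1/alerts/update_alerts/; None fields are omitted."""
    if not alert_ids:
        raise ValueError("alert_id_list must contain at least one alert ID")
    if len(alert_ids) > MAX_ALERTS_PER_REQUEST:
        raise ValueError("at most %d alerts per request" % MAX_ALERTS_PER_REQUEST)
    if severity is not None and severity not in SEVERITIES:
        raise ValueError("unknown severity: %r" % severity)
    if status is not None and status not in STATUSES:
        raise ValueError("unknown status: %r" % status)
    update_data = {k: v for k, v in
                   (("severity", severity), ("status", status), ("comment", comment))
                   if v is not None}
    if not update_data:
        raise ValueError("update_data is empty; nothing to update")
    return {"request_data": {"alert_id_list": list(alert_ids), "update_data": update_data}}


def parse_reply(http_status, body):
    """Return the updated alert IDs on 200, else raise with the API's err_msg."""
    reply = json.loads(body).get("reply", {})
    if http_status == 200:
        # the field table says 'alert_ids' while the example says 'alerts_ids'; accept both
        return reply.get("alert_ids", reply.get("alerts_ids", []))
    # constructed error shape: {"reply": {"err_code": 401, "err_msg": "...", "err_extra": ...}}
    raise RuntimeError("%s: %s (%s)" % (reply.get("err_code", http_status),
                                        reply.get("err_msg"), reply.get("err_extra")))


def update_alerts(fqdn, api_key_id, api_key, alert_ids, **fields):
    """POST the update; credentials are passed in by the caller (assumed)."""
    body = json.dumps(build_update_body(alert_ids, **fields)).encode()
    req = request.Request("https://api-%s/public_api/v1/alerts/update_alerts/" % fqdn,
                          data=body, method="POST",
                          headers={"x-xdr-auth-id": api_key_id, "Authorization": api_key,
                                   "Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=30) as resp:
            return parse_reply(resp.status, resp.read())
    except HTTPError as err:  # 400/401/402/403/500 carry the error JSON in the body
        return parse_reply(err.code, err.read())
```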
