Alerts over the API
Review of how to view alerts over the API to better understand use cases around API alerting and the JSON API alert.
How do I get alerts over the API?
Ways to receive alerts over the API include:
| Task | Command | Notes |
|---|---|---|
| Get all alerts (first page) | `curl "https://app.threatstack.com/api/v1/alerts" -H "Authorization: <deploy_key>" \| jq` | Threat Stack returns alerts in pages. By default, each page contains 100 alerts. |
| Get all alerts on the nth page | `curl "https://app.threatstack.com/api/v1/alerts?start=2016-07-13T19:03:18Z&page=2" -H "Authorization: <deploy_key>" \| jq` | Select the page with the `page` query parameter. |
| Get alerts from a specific start time to an end time | `curl "https://app.threatstack.com/api/v1/alerts?start=2016-07-13T19:03:18Z" -H "Authorization: <deploy_key>" \| jq` | Format the start and end times in UTC using the ISO 8601 format. |
NOTE: Alerts, along with their contributing events, are available in the UI and the API for a period of 1 year. If you dismiss an alert, it appears in the Dismissed tab.
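The requests above, as an added example that is not Threat Stack's own client code: a small Python helper that builds the `start`/`page` URLs exactly as the curl commands do, reads the deploy key from an environment variable (`THREATSTACK_DEPLOY_KEY` is an assumed name) instead of embedding it in a script, and walks pages until a page shorter than the page size comes back. The assumptions are that each page is returned as a JSON array of alert objects and that a short page marks the end of the data; `fake_fetch` is a constructed stand-in so the paging logic can be run offline.

```python
import json
import os
from datetime import datetime, timezone
from typing import Iterator, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://app.threatstack.com/api/v1/alerts"
PAGE_SIZE = 100  # default number of alerts per page, as stated above
EXAMPLE_START = datetime(2016, 7, 13, 19, 3, 18, tzinfo=timezone.utc)  # start time from the table


def utc_iso8601(ts: datetime) -> str:
    """Format a timezone-aware datetime as UTC ISO 8601, e.g. 2016-07-13T19:03:18Z."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware so the UTC conversion is explicit")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def alerts_url(start: Optional[datetime] = None, page: int = 1) -> str:
    """Build the alerts URL with the optional start filter and page number."""
    params = {}
    if start is not None:
        params["start"] = utc_iso8601(start)
    if page > 1:
        params["page"] = str(page)
    return BASE_URL + ("?" + urlencode(params, safe=":") if params else "")


def http_fetch(url: str) -> List[dict]:
    """Fetch one page; the deploy key comes from the environment, never from source code."""
    key = os.environ["THREATSTACK_DEPLOY_KEY"]  # assumed variable name
    req = Request(url, headers={"Authorization": key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)  # assumed: each page is a JSON array of alert objects


def iter_alerts(start: Optional[datetime], fetch, page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Yield alerts page by page; a page shorter than page_size is assumed to be the last."""
    page = 1
    while True:
        batch = fetch(alerts_url(start, page))
        yield from batch
        if len(batch) < page_size:
            return
        page += 1


# Constructed offline stand-in for the API: two full pages of two alerts, then one alert.
def fake_fetch(url: str) -> List[dict]:
    page = int(url.split("page=")[1]) if "page=" in url else 1
    count = {1: 2, 2: 2, 3: 1}.get(page, 0)
    return [{"id": f"p{page}-{i}", "latest_event": "2016-07-13T19:03:18Z"} for i in range(count)]
```

Swap `fake_fetch` for `http_fetch` to page through real alerts; the `latest_event` field shown in the constructed records is the one the article names as the last alerted time.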
Anatomy of the Alert over the API
An alert returned by the API has three components:
- Metadata about the alert
- Events that contributed to the alert
- The rule that generated the alert
The Alerts, Events, and Rules within the API
Similarly to viewing alerts in the UI, you can see the:
- Alert metadata
  - Timestamp: the first event that triggered the alert
  - Unique ID: shown in the URL of the alert in the UI
- Contributing events
  - Last alerted time: `latest_event` in the API response
  - Timestamp of each contributing event
- Rule that caused the alert
Example 1: Alert Metadata and Contributing Events:
Example 2: Rule that caused the Alert to display.