Alert API Overview


Alerts over the API

A review of how to view alerts over the API, to better understand the use cases around API alerting and the structure of the JSON alert returned by the API.

How do I get alerts over the API?

Ways to receive alerts over the API include:

Result: Get all alerts (on the first page)
Command: curl "" -H "Authorization: <deploy_key>" | jq
Notes: Threat Stack only returns alerts in pages. By default, each page holds 100 alerts.

Result: Get all alerts on the nth page
Command: curl "" -H "Authorization: <deploy_key>" | jq

Result: Get alerts from a specific start time to an end time
Command: curl "" -H "Authorization: <deploy_key>" | jq

Format the start and end in the UTC and ISO 8601 formats.

Format examples:

  • 2016-07-13T16:43:18+00:00
  • 2016-07-13T16:43:18Z
  • 20160713T164318Z

NOTE: Alerts, along with their contributing events, remain visible in the UI and over the API for a period of 1 year. If you dismiss an alert, it displays in the Dismissed tab.
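As an added example (not Threat Stack's own code), the paging and time-window handling described above in Python: it accepts any of the three timestamp forms listed, normalizes them to UTC, sends the Authorization header, and walks pages until a short page arrives. The endpoint URL, the page/start/end query parameter names, the "alerts" response key and the short-page stop condition are assumptions, since the article does not show them.

```python
"""Added example (not Threat Stack's own code): page through alerts in a UTC window.
Assumed, not on the page: BASE_URL, query params page/start/end, response key "alerts",
and that a page holding fewer than PAGE_SIZE alerts is the last one."""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://ALERTS-ENDPOINT-PLACEHOLDER/alerts"  # placeholder, not the real URL
PAGE_SIZE = 100  # default alerts per page, as stated in the article
_ISO = re.compile(r"(\d{4})-?(\d\d)-?(\d\d)T(\d\d):?(\d\d):?(\d\d)(Z|[+-]\d\d:?\d\d)")

def normalize_timestamp(text: str) -> str:
    """Accept the three forms the article lists (+00:00, Z, basic 20160713T164318Z)
    and return the extended form with a Z suffix, converting any offset to UTC."""
    m = _ISO.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an ISO 8601 timestamp: {text!r}")
    y, mo, d, h, mi, s, tz = m.groups()
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    if tz != "Z":  # local = UTC + offset, so subtract the offset to reach UTC
        sign = 1 if tz[0] == "+" else -1
        dt -= sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:]))
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def http_get_json(url: str, deploy_key: str) -> dict:
    """GET one page, sending the Authorization header the article's curl commands use."""
    req = urllib.request.Request(url, headers={"Authorization": deploy_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_alerts(deploy_key: str, start: str, end: str, fetch=http_get_json) -> list:
    """Collect every alert between start and end across all pages.
    `fetch` is injectable so the paging logic runs offline against demo_fetch."""
    start, end = normalize_timestamp(start), normalize_timestamp(end)
    alerts, page = [], 1
    while True:
        batch = fetch(f"{BASE_URL}?page={page}&start={start}&end={end}", deploy_key).get("alerts", [])
        alerts.extend(batch)
        if len(batch) < PAGE_SIZE:  # a short page means nothing further to fetch
            return alerts
        page += 1

def demo_fetch(url: str, deploy_key: str) -> dict:
    """Constructed stand-in for the API: 250 alerts served in pages of PAGE_SIZE."""
    page = int(re.search(r"page=(\d+)", url).group(1))
    ids = range((page - 1) * PAGE_SIZE, min(page * PAGE_SIZE, 250))
    return {"alerts": [{"id": f"alert-{i}", "latest_event": f"2016-07-13T16:{i % 60:02d}:00Z"} for i in ids]}
```

Calling `fetch_alerts("<deploy_key>", "2016-07-13T16:43:18+00:00", "20160714T000000Z", fetch=demo_fetch)` walks three constructed pages (100, 100, 50) and returns 250 alerts; swap in the real fetcher and endpoint to run it against the API.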

Anatomy of the Alert over the API

An alert returned by the API has 3 components:

  • Metadata related to the alert
  • The contributing events related to the alert
  • The rule that generated the alert

The Alerts, Events, and Rules within the API

As when viewing alerts in the UI, you can see the:

  • Alert Metadata
    • Timestamp - the time of the first event that triggered the alert
    • Unique ID - the same ID that displays in the URL of the alert in the UI
  • Contributing Events
    • Last Alerted Time - `latest_event` in the API response
    • Timestamp of each contributing event
  • Rule that caused the alert

Example 1: Alert Metadata and Contributing Events:


Example 2: Rule that caused the Alert to display.

