List Alerts - GET
GET/alert
Returns a list of alerts that match the constraints specified in the query parameters. Max 10k results. To get more, use List Alerts V2 - GET.
Data in the response object does not include alert rules.
Also, in the response object:
- Property riskDetail is deprecated.
- Property resource.cloudServiceName is populated only for alerts whose resources belong to a cloud service.
Rate Limits
The following rate limits apply:
- Request rate limit: 2/sec
- Burst limit: 10/sec
Request
Query Parameters
Possible values: [relative
]
Time Type
Number of timeUnits
Possible values: [minute
, hour
, day
, week
, month
, year
]
Time Unit
true = Return detailed alert data.
Comma-separated list of specific fields to retrieve. Allowed values: alert.id, alert.status, alert.time, cloud.accountId, cloud.account, cloud.region, resource.id, resource.name, policy.name, policy.type, policy.severity
The maximum number of items that will be returned in one response. The maximum cannot exceed 10,000. The default is 10,000.
Alert ID
Possible values: [open
, dismissed
, snoozed
, resolved
, pending_resolution
]
Alert status
Cloud account
Cloud account Id
Account group
Cloud type
Cloud region
Cloud service
Policy ID
Policy name
Possible values: [critical
, high
, medium
, low
, informational
]
Policy severity
Policy label
Possible values: [config
, network
, audit_event
]
Policy type
Policy compliance standard name
Policy compliance requirement name
Policy compliance section ID
Possible values: [true
, false
]
Policy is remediable
Alert rule name
Resource ID
Resource name
Resource TYPE
Responses
- 200
- 400
- 429
successful operation
- */*
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- For email notifications: List of unique email addresses to notify
- For integrations without notification templates: List of integration ids
- For integrations with notification templates: List of notification template ids
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
alertAdditionalInfo object
alertAttribution object
Model for AlertAttribution
attributionEventList object[]
Event
Event Timestamp
Username
Resource Created By
Resource Created On
alertRules object[]
alertRuleNotificationConfig object[]
List of data for notifications to third-party tools
Day of month
daysOfWeek object[]
Days of week
Possible values: [SU
, MO
, TU
, WE
, TH
, FR
, SA
]
Provide csv detailed report
Scan enabled
Possible values: [as_it_happens
, daily
, weekly
, monthly
]
Frequency from RRule
Hour of day
Alert rule notification config ID
Include remediation in detailed report
Last Updated
Time of last notification in milliseconds
Template ID
Java time zone ID (e.g. America/Los_Angeles)
Possible values: [email
, slack
, splunk
, amazon_sqs
, jira
, microsoft_teams
, webhook
, aws_security_hub
, google_cscc
, service_now
, pager_duty
, azure_service_bus_queue
, demisto
, aws_s3
, snowflake
]
Integration type
Compress detailed report
Allow Auto-Remediation
Delay notifications by the specified milliseconds
Rule/Scan description
Rule/Scan is enabled
Last modified by
Last modified on this date/time in milliseconds
Rule/Scan name
include dismissed alerts in notification
include open alerts in notification
include resolved alerts in notification
include snoozed alerts in notification
List of specific policies to scan
Policy labels
Policy Scan Config ID
Scan all policies
target objectrequired
Model for Target Filter
List of Account group(s)
alertRulePolicyFilter object
Model for Alert Rule Policy Filter
List of available Alert Rule Policy Filters
Possible values: [ALL
, AWS
, AZURE
, GCP
, ALIBABA_CLOUD
, OCI
, IBM
]
Cloud Type Filter
Compliance Standard Filter
Policy Label Filter
Policy Severity Filter
List of excluded accounts
includedResourceLists object
Model for holding the lists resource list ids by resource list type
List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.
tags object[]
List of TargetTag models (resource tags) for which alerts should be triggered
Resource tag target
List of value(s) for resource tag key
Timestamp when alert was last reopened for resource update, or the same as firstSeen if there are no status changes.
Application Metadata from AppDna
connectionDetails object[]
ConnectionDetails for network_event alerts
Dismissal Duration
Dismissal note
Dismiss until this timestamp
Dismissed by
Timestamp when the event occurred. Set only for Audit Event policies.
Timestamp of the first policy violation for the alert resource (i.e. the alert creation timestamp)
history object[]
Reason
Possible values: [OPEN
, DISMISSED
, SNOOZED
, PENDING_RESOLUTION
, RESOLVED
]
Status
Alert ID
investigateOptions object
Model for InvestigateOptions
alert id
The flag indicates if the policy has RQL execution support
searchId for the policy RQL
Timestamp when alert status was last updated.
Timestamp when alert was last updated. Updates include but are not limited to resource updates, policy updates, alert rule updates, and alert status changes.
Raw JSON metadata for the alert
policy object
Model for Policy
Possible values: [ALL
, AWS
, AZURE
, GCP
, ALIBABA_CLOUD
, OCI
, IBM
]
Cloud type (Required for config policies). Not case-sensitive. Default is ALL.
complianceMetadata object[]
List of compliance data. Each item has compliance standard, requirement, and/or section information.
Compliance Section UUID
Policy ID
Requirement description
Requirement ID
Requirement name
Section name
Section Id
Section Label
Compliance standard description
Compliance standard name
Created by
Created on this timestamp
Deleted
Policy description
true=enabled. false=disabled.
Finding Type
Labels
Last modified by
Last modified on this timestamp
Policy name
Overridden
Policy ID
Possible values: [run
, build
, run_and_build
, audit
, data_classification
, dns
, malware
, network_event
, network
, ueba
, permissions
, network_config
, identity
, sensitive_data_exposure
, internet_exposure
, injections
, vulnerability_scanning
, shellshock
, known_bots
, unknown_bots
, virtual_patches
, event
, misconfig_and_event
, misconfig
, host
, container_image
]
Policy subtype
Possible values: [config
, network
, audit_event
, anomaly
, data
, iam
, workload_vulnerability
, workload_incident
, api
, attack_path
, malware
, grayware
]
Policy type. Policy type anomaly is read-only.
Policy UPI
Remediation recommendation
isRemediable
remediation object
Model for Remediation
actions object[]
Policy Action
CLI Script Template
Description
Restrict alert dismissal
rule objectrequired
Model for Rule
API name
Cloud account
Cloud type
Saved search ID that defines the rule criteria.
dataCriteria object
Criteria for Rule
Data policy. Required for DLP rule criteria.
Possible values: [private
, public
, conditional
]
File exposure
File extensions
Name
parameters objectrequired
Parameters (e.g. {"savedSearch": "true"})
Resource ID path
Resource type
Possible values: [Config
, Network
, AuditEvent
, DLP
, IAM
, NetworkConfig
]
Type of rule or RQL query
Rule last modified on
Possible values: [high
, medium
, low
]
Severity
true = Policy is a Prisma Cloud system default policy
Policy ID
The reason for an alert's status. For more information on Alert reasons see View and Respond to Prisma Cloud Alerts and Prisma Cloud Alert Resolution Reasons
resource object
Model for Cloud Resource
Account
Account ID
additionalInfo object
Additional info
Possible values: [ARRAY
, BINARY
, BOOLEAN
, MISSING
, NULL
, NUMBER
, OBJECT
, POJO
, STRING
]
Cloud account ancestors. For GCP.
Cloud account groups
Cloud account owners. For Azure and GCP.
Cloud service name
Possible values: [ALL
, AWS
, AZURE
, GCP
, ALIBABA_CLOUD
, OCI
, IBM
]
Cloud type
Raw JSON data for the resource
Id
Name
Region name
Region API identifier
Resource API name
resourceTags object
Resource tags
Resource type
RRN
URL
riskDetail object
Model for Risk Detail
policyScores object[]
Possible values: [ALL
, AWS
, AZURE
, GCP
, ALIBABA_CLOUD
, OCI
, IBM
]
Cloud type (Required for config policies). Not case-sensitive. Default is ALL.
complianceMetadata object[]
List of compliance data. Each item has compliance standard, requirement, and/or section information.
Compliance Section UUID
Policy ID
Requirement description
Requirement ID
Requirement name
Section name
Section Id
Section Label
Compliance standard description
Compliance standard name
Created by
Created on this timestamp
Deleted
Policy description
true=enabled. false=disabled.
Finding Type
Labels
Last modified by
Last modified on this timestamp
Policy name
Overridden
Points
Policy ID
Possible values: [run
, build
, run_and_build
, audit
, data_classification
, dns
, malware
, network_event
, network
, ueba
, permissions
, network_config
, identity
, sensitive_data_exposure
, internet_exposure
, injections
, vulnerability_scanning
, shellshock
, known_bots
, unknown_bots
, virtual_patches
, event
, misconfig_and_event
, misconfig
, host
, container_image
]
Policy subtype
Possible values: [config
, network
, audit_event
, anomaly
, data
, iam
, workload_vulnerability
, workload_incident
, api
, attack_path
, malware
, grayware
]
Policy type. Policy type anomaly is read-only.
Policy UPI
Remediation recommendation
isRemediable
remediation object
Model for Remediation
actions object[]
Policy Action
CLI Script Template
Description
Restrict alert dismissal
riskScore object
Model for Score
Max Score
Score
rule objectrequired
Model for Rule
API name
Cloud account
Cloud type
Saved search ID that defines the rule criteria.
dataCriteria object
Criteria for Rule
Data policy. Required for DLP rule criteria.
Possible values: [private
, public
, conditional
]
File exposure
File extensions
Name
parameters objectrequired
Parameters (e.g. {"savedSearch": "true"})
Resource ID path
Resource type
Possible values: [Config
, Network
, AuditEvent
, DLP
, IAM
, NetworkConfig
]
Type of rule or RQL query
Rule last modified on
Possible values: [high
, medium
, low
]
Severity
true = Policy is a Prisma Cloud system default policy
Rating
riskScore object
Model for Score
Max Score
Score
Score
Saved Search ID
Possible values: [open
, dismissed
, snoozed
, resolved
, pending_resolution
]
Status
Triggered By
[
{
"alertAdditionalInfo": {},
"alertAttribution": {
"attributionEventList": [
{
"event": "string",
"event_ts": 0,
"username": "string"
}
],
"resourceCreatedBy": "string",
"resourceCreatedOn": 0
},
"alertCount": 0,
"alertRules": [
{
"alertRuleNotificationConfig": [
{
"dayOfMonth": 0,
"daysOfWeek": [
{
"day": "SU",
"offset": 0
}
],
"detailedReport": true,
"enabled": true,
"frequency": "as_it_happens",
"frequencyFromRRule": "string",
"hourOfDay": 0,
"id": "string",
"includeRemediation": true,
"lastUpdated": 0,
"last_sent_ts": 0,
"recipients": [
"string"
],
"rruleSchedule": "string",
"templateId": "string",
"timezone": "string",
"type": "email",
"withCompression": true
}
],
"allowAutoRemediate": true,
"delayNotificationMs": 0,
"description": "string",
"enabled": true,
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"notifyOnDismissed": true,
"notifyOnOpen": true,
"notifyOnResolved": true,
"notifyOnSnoozed": true,
"policies": [
"string"
],
"policyLabels": [
"string"
],
"policyScanConfigId": "string",
"scanAll": true,
"target": {
"accountGroups": [
"string"
],
"alertRulePolicyFilter": {
"availablePolicyFilters": [
"string"
],
"cloud.type": [
"ALL"
],
"policy.complianceStandard": [
"string"
],
"policy.label": [
"string"
],
"policy.severity": [
"string"
]
},
"excludedAccounts": [
"string"
],
"includedResourceLists": {
"computeAccessGroupIds": [
"string"
]
},
"regions": [
"string"
],
"tags": [
{
"key": "string",
"values": [
"string"
]
}
]
}
}
],
"alertTime": 0,
"appMetadata": [
{}
],
"connectionDetails": [
{
"accepted": "string",
"accountName": "string",
"classification": "string",
"destIp": "string",
"destIsp": "string",
"feedSource": "string",
"id": 0,
"inboundTrafficVolume": 0,
"markedThreatTs": 0,
"outboundTrafficVolume": 0,
"packets": 0,
"srcIp": "string",
"srcIsp": "string",
"threatDescription": "string",
"timestamp": 0,
"trafficOverTime": [
{}
],
"trafficVolume": 0
}
],
"dismissalDuration": "string",
"dismissalNote": "string",
"dismissalUntilTs": 0,
"dismissedBy": "string",
"eventOccurred": 0,
"firstSeen": 0,
"history": [
{
"reason": "string",
"status": "OPEN"
}
],
"id": "string",
"investigateOptions": {
"alertId": "string",
"hasSearchExecutionSupport": true,
"searchId": "string"
},
"lastSeen": 0,
"lastUpdated": 0,
"metadata": {},
"policy": {
"cloudType": "ALL",
"complianceMetadata": [
{
"complianceId": "string",
"customAssigned": true,
"policyId": "string",
"requirementDescription": "string",
"requirementId": "string",
"requirementName": "string",
"sectionDescription": "string",
"sectionId": "string",
"sectionLabel": "string",
"standardDescription": "string",
"standardId": "string",
"standardName": "string"
}
],
"createdBy": "string",
"createdOn": 0,
"deleted": true,
"description": "string",
"enabled": true,
"findingTypes": [
"string"
],
"labels": [
"string"
],
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"overridden": true,
"policyId": "string",
"policySubTypes": [
"run"
],
"policyType": "config",
"policyUpi": "string",
"recommendation": "string",
"remediable": true,
"remediation": {
"actions": [
{
"operation": "string",
"payload": "string"
}
],
"cliScriptTemplate": "string",
"description": "string"
},
"restrictAlertDismissal": true,
"rule": {
"apiName": "string",
"cloudAccount": "string",
"cloudType": "string",
"criteria": "string",
"dataCriteria": {
"classificationResult": "string",
"exposure": "private",
"extension": [
"string"
]
},
"name": "string",
"parameters": {},
"resourceIdPath": "string",
"resourceType": "string",
"type": "Config"
},
"ruleLastModifiedOn": 0,
"severity": "high",
"systemDefault": true
},
"policyId": "string",
"reason": "string",
"resource": {
"account": "string",
"accountId": "string",
"additionalInfo": {
"array": true,
"bigDecimal": true,
"bigInteger": true,
"binary": true,
"boolean": true,
"containerNode": true,
"double": true,
"float": true,
"floatingPointNumber": true,
"int": true,
"integralNumber": true,
"long": true,
"missingNode": true,
"nodeType": "ARRAY",
"null": true,
"number": true,
"object": true,
"pojo": true,
"short": true,
"textual": true,
"valueNode": true
},
"cloudAccountAncestors": [
"string"
],
"cloudAccountGroups": [
"string"
],
"cloudAccountOwners": [
"string"
],
"cloudServiceName": "string",
"cloudType": "ALL",
"data": {},
"id": "string",
"name": "string",
"region": "string",
"regionId": "string",
"resourceApiName": "string",
"resourceConfigJsonAvailable": true,
"resourceDetailsAvailable": true,
"resourceTags": {},
"resourceType": "string",
"rrn": "string",
"unifiedAssetId": "string",
"url": "string"
},
"riskDetail": {
"policyScores": [
{
"cloudType": "ALL",
"complianceMetadata": [
{
"complianceId": "string",
"customAssigned": true,
"policyId": "string",
"requirementDescription": "string",
"requirementId": "string",
"requirementName": "string",
"sectionDescription": "string",
"sectionId": "string",
"sectionLabel": "string",
"standardDescription": "string",
"standardId": "string",
"standardName": "string"
}
],
"createdBy": "string",
"createdOn": 0,
"deleted": true,
"description": "string",
"enabled": true,
"findingTypes": [
"string"
],
"labels": [
"string"
],
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"overridden": true,
"points": "string",
"policyId": "string",
"policySubTypes": [
"run"
],
"policyType": "config",
"policyUpi": "string",
"recommendation": "string",
"remediable": true,
"remediation": {
"actions": [
{
"operation": "string",
"payload": "string"
}
],
"cliScriptTemplate": "string",
"description": "string"
},
"restrictAlertDismissal": true,
"riskScore": {
"maxScore": 0,
"score": 0
},
"rule": {
"apiName": "string",
"cloudAccount": "string",
"cloudType": "string",
"criteria": "string",
"dataCriteria": {
"classificationResult": "string",
"exposure": "private",
"extension": [
"string"
]
},
"name": "string",
"parameters": {},
"resourceIdPath": "string",
"resourceType": "string",
"type": "Config"
},
"ruleLastModifiedOn": 0,
"severity": "high",
"systemDefault": true
}
],
"rating": "string",
"riskScore": {
"maxScore": 0,
"score": 0
},
"score": "string"
},
"saveSearchId": "string",
"status": "open",
"triggeredBy": "string"
}
]
internal_error
Too Many Requests