Skip to main content

List Alert Counts By Policy - GET

GET 
/alert/policy

Returns alert counts grouped by policy. You can use query parameters to narrow the response.

In the response object:

  • Property alertRules is not populated.
  • Property riskDetail is deprecated.
  • Property resource.cloudServiceName is not populated.

Rate Limits

The following rate limits apply:

  • Request rate limit: 1/sec
  • Burst limit: 5/sec

Request

Query Parameters

    alert.id string

    Alert ID

    alert.status string

    Possible values: [open, dismissed, snoozed, resolved, pending_resolution]

    Alert status

    cloud.account string

    Cloud account

    cloud.accountId string

    Cloud account Id

    account.group string

    Account group

    cloud.type string

    Cloud type

    cloud.region string

    Cloud region

    cloud.service string

    Cloud service

    policy.id string

    Policy ID

    policy.name string

    Policy name

    policy.severity string

    Possible values: [critical, high, medium, low, informational]

    Policy severity

    policy.label string

    Policy label

    policy.type string

    Possible values: [config, network, audit_event]

    Policy type

    policy.complianceStandard string

    Policy compliance standard name

    policy.complianceRequirement string

    Policy compliance requirement name

    policy.complianceSection string

    Policy compliance section ID

    policy.remediable string

    Possible values: [true, false]

    Policy is remediable

    alertRule.name string

    Alert rule name

    resource.id string

    Resource ID

    resource.name string

    Resource name

    resource.type string

    Resource TYPE

Responses

successful operation

Schema
  • Array [
    • alertAdditionalInfo object
    property name* string
    alertAttribution object

    Model for AlertAttribution

    attributionEventList object[]
  • Array [
    • event string

    Event

    event_ts int64

    Event Timestamp

    username string

    Username

  • ]
    • resourceCreatedBy string

    Resource Created By

    resourceCreatedOn int64

    Resource Created On

    alertCount int64
    alertRules object[]
  • Array [
    • alertRuleNotificationConfig object[]

    List of data for notifications to third-party tools

  • Array [
    • dayOfMonth int32

    Day of month

    daysOfWeek object[]

    Days of week

  • Array [
    • day string

    Possible values: [SU, MO, TU, WE, TH, FR, SA]

    offset int32
  • ]
    • detailedReport boolean

    Provide csv detailed report

    enabled boolean

    Scan enabled

    frequency string

    Possible values: [as_it_happens, daily, weekly, monthly]

    frequencyFromRRule string

    Frequency from RRule

    hourOfDay int32

    Hour of day

    id string

    Alert rule notification config ID

    includeRemediation boolean

    Include remediation in detailed report

    lastUpdated int64

    Last Updated

    last_sent_ts int64

    Time of last notification in milliseconds

    recipients string[]
    • For email notifications: List of unique email addresses to notify
    • For integrations without notification templates: List of integration ids
    • For integrations with notification templates: List of notification template ids
    rruleSchedule string
    templateId string

    Template ID

    timezone string

    Java time zone ID (e.g. America/Los_Angeles)

    type string

    Possible values: [email, slack, splunk, amazon_sqs, jira, microsoft_teams, webhook, aws_security_hub, google_cscc, service_now, pager_duty, azure_service_bus_queue, demisto, aws_s3, snowflake]

    Integration type

    withCompression boolean

    Compress detailed report

  • ]
    • allowAutoRemediate boolean

    Allow Auto-Remediation

    delayNotificationMs int64

    Delay notifications by the specified milliseconds

    description string

    Rule/Scan description

    enabled boolean

    Rule/Scan is enabled

    lastModifiedBy string

    Last modified by

    lastModifiedOn int64

    Last modified on this date/time in milliseconds

    name stringrequired

    Rule/Scan name

    notifyOnDismissed boolean

    include dismissed alerts in notification

    notifyOnOpen boolean

    include open alerts in notification

    notifyOnResolved boolean

    include resolved alerts in notification

    notifyOnSnoozed boolean

    include snoozed alerts in notification

    policies string[]

    List of specific policies to scan

    policyLabels string[]

    Policy labels

    policyScanConfigId string

    Policy Scan Config ID

    scanAll boolean

    Scan all policies

    target objectrequired

    Model for Target Filter

    accountGroups string[]

    List of Account group(s)

    alertRulePolicyFilter object

    Model for Alert Rule Policy Filter

    availablePolicyFilters string[]

    List of available Alert Rule Policy Filters

    cloud.type string[]

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]

    Cloud Type Filter

    policy.complianceStandard string[]

    Compliance Standard Filter

    policy.label string[]

    Policy Label Filter

    policy.severity string[]

    Policy Severity Filter

    excludedAccounts string[]

    List of excluded accounts

    includedResourceLists object

    Model for holding the lists resource list ids by resource list type

    computeAccessGroupIds string[]
    regions string[]

    List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.

    tags object[]

    List of TargetTag models (resource tags) for which alerts should be triggered

  • Array [
    • key string

    Resource tag target

    values string[]

    List of value(s) for resource tag key

  • ]
  • ]
    • alertTime int64

    Timestamp when alert was last reopened for resource update, or the same as firstSeen if there are no status changes.

    appMetadata object[]

    Application Metadata from AppDna

    connectionDetails object[]

    ConnectionDetails for network_event alerts

  • Array [
    • accepted string
    accountName string
    classification string
    destIp string
    destIsp string
    feedSource string
    id int32
    inboundTrafficVolume int64
    markedThreatTs int64
    outboundTrafficVolume int64
    packets int64
    srcIp string
    srcIsp string
    threatDescription string
    timestamp int64
    trafficOverTime object[]
    trafficVolume int64
  • ]
    • dismissalDuration string

    Dismissal Duration

    dismissalNote string

    Dismissal note

    dismissalUntilTs int64

    Dismiss until this timestamp

    dismissedBy string

    Dismissed by

    eventOccurred int64

    Timestamp when the event occurred. Set only for Audit Event policies.

    firstSeen int64

    Timestamp of the first policy violation for the alert resource (i.e. the alert creation timestamp)

    history object[]
  • Array [
    • reason string

    Reason

    status string

    Possible values: [OPEN, DISMISSED, SNOOZED, PENDING_RESOLUTION, RESOLVED]

    Status

  • ]
    • id string

    Alert ID

    investigateOptions object

    Model for InvestigateOptions

    alertId string

    alert id

    hasSearchExecutionSupport boolean

    The flag indicates if the policy has RQL execution support

    searchId string

    searchId for the policy RQL

    lastSeen int64

    Timestamp when alert status was last updated.

    lastUpdated int64

    Timestamp when alert was last updated. Updates include but are not limited to resource updates, policy updates, alert rule updates, and alert status changes.

    metadata object

    Raw JSON metadata for the alert

    policy object

    Model for Policy

    cloudType string

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]

    Cloud type (Required for config policies). Not case-sensitive. Default is ALL.

    complianceMetadata object[]

    List of compliance data. Each item has compliance standard, requirement, and/or section information.

  • Array [
    • complianceId string

    Compliance Section UUID

    customAssigned boolean
    policyId string

    Policy ID

    requirementDescription string

    Requirement description

    requirementId string

    Requirement ID

    requirementName string

    Requirement name

    sectionDescription string

    Section name

    sectionId string

    Section Id

    sectionLabel string

    Section Label

    standardDescription string

    Compliance standard description

    standardId string
    standardName string

    Compliance standard name

  • ]
    • createdBy string

    Created by

    createdOn int64

    Created on this timestamp

    deleted boolean

    Deleted

    description string

    Policy description

    enabled boolean

    true=enabled. false=disabled.

    findingTypes string[]

    Finding Type

    labels string[]

    Labels

    lastModifiedBy string

    Last modified by

    lastModifiedOn int64

    Last modified on this timestamp

    name stringrequired

    Policy name

    overridden boolean

    Overridden

    policyId string

    Policy ID

    policySubTypes string[]

    Possible values: [run, build, run_and_build, audit, data_classification, dns, malware, network_event, network, ueba, permissions, network_config, identity, sensitive_data_exposure, internet_exposure, injections, vulnerability_scanning, shellshock, known_bots, unknown_bots, virtual_patches, event, misconfig_and_event, misconfig, host, container_image]

    Policy subtype

    policyType stringrequired

    Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, api, attack_path, malware, grayware]

    Policy type. Policy type anomaly is read-only.

    policyUpi string

    Policy UPI

    recommendation string

    Remediation recommendation

    remediable boolean

    isRemediable

    remediation object

    Model for Remediation

    actions object[]

    Policy Action

  • Array [
    • operation string
    payload string
  • ]
    • cliScriptTemplate string

    CLI Script Template

    description string

    Description

    restrictAlertDismissal boolean

    Restrict alert dismissal

    rule objectrequired

    Model for Rule

    apiName string

    API name

    cloudAccount string

    Cloud account

    cloudType string

    Cloud type

    criteria stringrequired

    Saved search ID that defines the rule criteria.

    dataCriteria object

    Criteria for Rule

    classificationResult string

    Data policy. Required for DLP rule criteria.

    exposure string

    Possible values: [private, public, conditional]

    File exposure

    extension string[]

    File extensions

    name stringrequired

    Name

    parameters objectrequired

    Parameters (e.g. {"savedSearch": "true"})

    property name* string
    resourceIdPath string

    Resource ID path

    resourceType string

    Resource type

    type stringrequired

    Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]

    Type of rule or RQL query

    ruleLastModifiedOn int64

    Rule last modified on

    severity stringrequired

    Possible values: [high, medium, low]

    Severity

    systemDefault boolean

    true = Policy is a Prisma Cloud system default policy

    policyId string

    Policy ID

    reason string

    The reason for an alert's status. For more information on Alert reasons see View and Respond to Prisma Cloud Alerts and Prisma Cloud Alert Resolution Reasons

    resource object

    Model for Cloud Resource

    account string

    Account

    accountId string

    Account ID

    additionalInfo object

    Additional info

    array boolean
    bigDecimal boolean
    bigInteger boolean
    binary boolean
    boolean boolean
    containerNode boolean
    double boolean
    float boolean
    floatingPointNumber boolean
    int boolean
    integralNumber boolean
    long boolean
    missingNode boolean
    nodeType string

    Possible values: [ARRAY, BINARY, BOOLEAN, MISSING, NULL, NUMBER, OBJECT, POJO, STRING]

    null boolean
    number boolean
    object boolean
    pojo boolean
    short boolean
    textual boolean
    valueNode boolean
    cloudAccountAncestors string[]

    Cloud account ancestors. For GCP.

    cloudAccountGroups string[]

    Cloud account groups

    cloudAccountOwners string[]

    Cloud account owners. For Azure and GCP.

    cloudServiceName string

    Cloud service name

    cloudType string

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]

    Cloud type

    data object

    Raw JSON data for the resource

    id string

    Id

    name string

    Name

    region string

    Region name

    regionId string

    Region API identifier

    resourceApiName string

    Resource API name

    resourceConfigJsonAvailable boolean
    resourceDetailsAvailable boolean
    resourceTags object

    Resource tags

    property name* string
    resourceType string

    Resource type

    rrn string

    RRN

    unifiedAssetId string
    url string

    URL

    riskDetail object

    Model for Risk Detail

    policyScores object[]
  • Array [
    • cloudType string

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]

    Cloud type (Required for config policies). Not case-sensitive. Default is ALL.

    complianceMetadata object[]

    List of compliance data. Each item has compliance standard, requirement, and/or section information.

  • Array [
    • complianceId string

    Compliance Section UUID

    customAssigned boolean
    policyId string

    Policy ID

    requirementDescription string

    Requirement description

    requirementId string

    Requirement ID

    requirementName string

    Requirement name

    sectionDescription string

    Section name

    sectionId string

    Section Id

    sectionLabel string

    Section Label

    standardDescription string

    Compliance standard description

    standardId string
    standardName string

    Compliance standard name

  • ]
    • createdBy string

    Created by

    createdOn int64

    Created on this timestamp

    deleted boolean

    Deleted

    description string

    Policy description

    enabled boolean

    true=enabled. false=disabled.

    findingTypes string[]

    Finding Type

    labels string[]

    Labels

    lastModifiedBy string

    Last modified by

    lastModifiedOn int64

    Last modified on this timestamp

    name stringrequired

    Policy name

    overridden boolean

    Overridden

    points string

    Points

    policyId string

    Policy ID

    policySubTypes string[]

    Possible values: [run, build, run_and_build, audit, data_classification, dns, malware, network_event, network, ueba, permissions, network_config, identity, sensitive_data_exposure, internet_exposure, injections, vulnerability_scanning, shellshock, known_bots, unknown_bots, virtual_patches, event, misconfig_and_event, misconfig, host, container_image]

    Policy subtype

    policyType stringrequired

    Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, api, attack_path, malware, grayware]

    Policy type. Policy type anomaly is read-only.

    policyUpi string

    Policy UPI

    recommendation string

    Remediation recommendation

    remediable boolean

    isRemediable

    remediation object

    Model for Remediation

    actions object[]

    Policy Action

  • Array [
    • operation string
    payload string
  • ]
    • cliScriptTemplate string

    CLI Script Template

    description string

    Description

    restrictAlertDismissal boolean

    Restrict alert dismissal

    riskScore object

    Model for Score

    maxScore int64

    Max Score

    score int64

    Score

    rule objectrequired

    Model for Rule

    apiName string

    API name

    cloudAccount string

    Cloud account

    cloudType string

    Cloud type

    criteria stringrequired

    Saved search ID that defines the rule criteria.

    dataCriteria object

    Criteria for Rule

    classificationResult string

    Data policy. Required for DLP rule criteria.

    exposure string

    Possible values: [private, public, conditional]

    File exposure

    extension string[]

    File extensions

    name stringrequired

    Name

    parameters objectrequired

    Parameters (e.g. {"savedSearch": "true"})

    property name* string
    resourceIdPath string

    Resource ID path

    resourceType string

    Resource type

    type stringrequired

    Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]

    Type of rule or RQL query

    ruleLastModifiedOn int64

    Rule last modified on

    severity stringrequired

    Possible values: [high, medium, low]

    Severity

    systemDefault boolean

    true = Policy is a Prisma Cloud system default policy

  • ]
    • rating string

    Rating

    riskScore object

    Model for Score

    maxScore int64

    Max Score

    score int64

    Score

    score string

    Score

    saveSearchId string

    Saved Search ID

    status string

    Possible values: [open, dismissed, snoozed, resolved, pending_resolution]

    Status

    triggeredBy string

    Triggered By

  • ]
Loading...