List Alerts V2 - GET
Returns a paginated list of alerts from the Prisma Cloud platform.
Data in the response object does not include alert rules.
Also, in the response object:
- Property riskDetail is deprecated.
- Property items[].resource.cloudServiceName is populated only for alerts whose resources belong to a cloud service.
Rate Limits
The following rate limits apply:
- Request rate limit: 2/sec
- Burst limit: 10/sec
Query Parameters
Possible values: [relative]
Time Type
Number of timeUnits
Possible values: [minute, hour, day, week, month, year]
Time Unit
true = Return detailed alert data.
Array of specific fields to return. Allowed fields: alert.id, alert.status, alert.time, cloud.accountId, cloud.account, cloud.region, resource.id, resource.name, policy.name, policy.type, policy.severity
Response object property by which to sort the response list. The valid values are in the response object attribute sortAllowedColumns. The format is property:asc for ascending and property:desc for descending sort.
The maximum number of items that will be returned in one response. The maximum cannot exceed 10,000. The default is 10,000.
Token that identifies the required page of data. When there are multiple pages of data in the response, set pageToken to the nextPageToken value from the previous API response to retrieve the next page of data.
Alert ID
Possible values: [open, dismissed, snoozed, resolved, pending_resolution]
Alert status
Cloud account
Cloud account ID
Account group
Cloud type
Cloud region
Cloud service
Policy ID
Policy name
Possible values: [critical, high, medium, low, informational]
Policy severity
Policy label
Possible values: [config, network, audit_event]
Policy type
Policy compliance standard name
Policy compliance requirement name
Policy compliance section ID
Possible values: [true, false]
Policy is remediable
Alert rule name
Resource ID
Resource name
Resource type
- 200
- 400
- 429
successful operation
Schema
- For email notifications: List of unique email addresses to notify
- For integrations without notification templates: List of integration IDs
- For integrations with notification templates: List of notification template IDs
items object[]
alertAdditionalInfo object
alertAttribution object
Model for AlertAttribution
attributionEventList object[]
Event
Event Timestamp
Username
Resource Created By
Resource Created On
alertRules object[]
alertRuleNotificationConfig object[]
List of data for notifications to third-party tools
daysOfWeek object[]
Days of week
Possible values: [SU, MO, TU, WE, TH, FR, SA]
Provide CSV detailed report
Scan enabled
Possible values: [as_it_happens, daily, weekly, monthly]
Alert rule notification config ID
Include remediation in detailed report
Last Updated
Time of last notification in milliseconds
Template ID
Possible values: [email, slack, splunk, amazon_sqs, jira, microsoft_teams, webhook, aws_security_hub, google_cscc, service_now, pager_duty, azure_service_bus_queue, demisto, aws_s3, snowflake]
Integration type
Compress detailed report
Allow Auto-Remediation
Delay notifications by the specified milliseconds
Rule/Scan description
Rule/Scan is enabled
Rule/Scan name
Include dismissed alerts in notification
Include open alerts in notification
Include resolved alerts in notification
Include snoozed alerts in notification
List of specific policies to scan
Policy labels
Policy Scan Config ID
Scan all policies
target object
Model for Target Filter
List of Account group(s)
alertRulePolicyFilter object
Model for Alert Rule Policy Filter
List of available Alert Rule Policy Filters
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud Type Filter
Compliance Standard Filter
Policy Label Filter
Policy Severity Filter
List of excluded accounts
includedResourceLists object
Model for holding the lists of resource list IDs by resource list type
List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.
tags object[]
List of TargetTag models (resource tags) for which alerts should be triggered
Resource tag target
List of value(s) for resource tag key
Timestamp when alert was last reopened for resource update, or the same as firstSeen if there are no status changes.
Dismissal Duration
Dismissal note
Dismiss until this timestamp
Dismissed by
Timestamp when the event occurred. Set only for Audit Event policies.
Timestamp of the first policy violation for the alert resource (i.e. the alert creation timestamp)
history object[]
Alert ID
Timestamp when alert status was last updated.
Timestamp when alert was last updated. Updates include but are not limited to resource updates, policy updates, alert rule updates, and alert status changes.
Raw JSON metadata for the alert
policy object
Model for Policy
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud type (Required for config policies). Not case-sensitive. Default is ALL.
complianceMetadata object[]
List of compliance data. Each item has compliance standard, requirement, and/or section information.
Compliance Section UUID
Policy ID
Requirement description
Requirement ID
Requirement name
Section name
Section Id
Section Label
Compliance standard description
Compliance standard name
Policy description
true=enabled. false=disabled.
Finding Type
Labels
Policy name
Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, waas_event, attack_path]
Policy type. Policy type anomaly is read-only.
Remediation recommendation
remediation object
Model for Remediation
actions object[]
Policy Action
CLI Script Template
Description
rule object
Model for Rule
Saved search ID that defines the rule criteria.
dataCriteria object
Criteria for Rule
Data policy. Required for DLP rule criteria.
Possible values: [private, public, conditional]
File exposure
File extensions
Name
parameters object required
Parameters (e.g. {"savedSearch": "true"})
Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]
Type of rule or RQL query
Possible values: [high, medium, low]
Severity
Policy ID
resource object
Model for Cloud Resource
Account
Account ID
additionalInfo object
Additional info
Possible values: [ARRAY, BINARY, BOOLEAN, MISSING, NULL, NUMBER, OBJECT, POJO, STRING]
Cloud account groups
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud type
Id
Name
Region name
Region API identifier
resourceTags object
Resource tags
RRN
URL
riskDetail object
Model for Risk Detail
policyScores object[]
Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
Cloud type (Required for config policies). Not case-sensitive. Default is ALL.
complianceMetadata object[]
List of compliance data. Each item has compliance standard, requirement, and/or section information.
Compliance Section UUID
Policy ID
Requirement description
Requirement ID
Requirement name
Section name
Section Id
Section Label
Compliance standard description
Compliance standard name
Policy description
true=enabled. false=disabled.
Finding Type
Labels
Policy name
Points
Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, waas_event, attack_path]
Policy type. Policy type anomaly is read-only.
Remediation recommendation
remediation object
Model for Remediation
actions object[]
Policy Action
CLI Script Template
Description
riskScore object
Model for Score
Max Score
Score
rule object required
Model for Rule
Saved search ID that defines the rule criteria.
dataCriteria object
Criteria for Rule
Data policy. Required for DLP rule criteria.
Possible values: [private, public, conditional]
File exposure
File extensions
Name
parameters object required
Parameters (e.g. {"savedSearch": "true"})
Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]
Type of rule or RQL query
Possible values: [high, medium, low]
Severity
Rating
riskScore object
Model for Score
Max Score
Score
Score
Saved Search ID
Triggered By
{
  "dynamicColumns": [
    "string"
  ],
  "infoMsg": "string",
  "items": [
    {
      "alertAdditionalInfo": {},
      "alertAttribution": {
        "attributionEventList": [
          {
            "event": "string",
            "event_ts": 0,
            "username": "string"
          }
        ],
        "resourceCreatedBy": "string",
        "resourceCreatedOn": 0
      },
      "alertCount": 0,
      "alertRules": [
        {
          "alertRuleNotificationConfig": [
            {
              "dayOfMonth": 0,
              "daysOfWeek": [
                {
                  "day": "SU",
                  "offset": 0
                }
              ],
              "detailedReport": true,
              "enabled": true,
              "frequency": "as_it_happens",
              "frequencyFromRRule": "string",
              "hourOfDay": 0,
              "id": "string",
              "includeRemediation": true,
              "lastUpdated": 0,
              "last_sent_ts": 0,
              "recipients": [
                "string"
              ],
              "rruleSchedule": "string",
              "templateId": "string",
              "timezone": "string",
              "type": "email",
              "withCompression": true
            }
          ],
          "allowAutoRemediate": true,
          "delayNotificationMs": 0,
          "description": "string",
          "enabled": true,
          "lastModifiedBy": "string",
          "lastModifiedOn": 0,
          "name": "string",
          "notifyOnDismissed": true,
          "notifyOnOpen": true,
          "notifyOnResolved": true,
          "notifyOnSnoozed": true,
          "policies": [
            "string"
          ],
          "policyLabels": [
            "string"
          ],
          "policyScanConfigId": "string",
          "scanAll": true,
          "target": {
            "accountGroups": [
              "string"
            ],
            "alertRulePolicyFilter": {
              "availablePolicyFilters": [
                "string"
              ],
              "cloud.type": [
                "ALL"
              ],
              "policy.complianceStandard": [
                "string"
              ],
              "policy.label": [
                "string"
              ],
              "policy.severity": [
                "string"
              ]
            },
            "excludedAccounts": [
              "string"
            ],
            "includedResourceLists": {
              "computeAccessGroupIds": [
                "string"
              ]
            },
            "regions": [
              "string"
            ],
            "tags": [
              {
                "key": "string",
                "values": [
                  "string"
                ]
              }
            ]
          }
        }
      ],
      "alertTime": 0,
      "dismissalDuration": "string",
      "dismissalNote": "string",
      "dismissalUntilTs": 0,
      "dismissedBy": "string",
      "eventOccurred": 0,
      "firstSeen": 0,
      "history": [
        {
          "reason": "string",
          "status": "OPEN"
        }
      ],
      "id": "string",
      "lastSeen": 0,
      "lastUpdated": 0,
      "metadata": {},
      "policy": {
        "cloudType": "ALL",
        "complianceMetadata": [
          {
            "complianceId": "string",
            "customAssigned": true,
            "policyId": "string",
            "requirementDescription": "string",
            "requirementId": "string",
            "requirementName": "string",
            "sectionDescription": "string",
            "sectionId": "string",
            "sectionLabel": "string",
            "standardDescription": "string",
            "standardId": "string",
            "standardName": "string"
          }
        ],
        "createdBy": "string",
        "createdOn": 0,
        "deleted": true,
        "description": "string",
        "enabled": true,
        "findingTypes": [
          "string"
        ],
        "labels": [
          "string"
        ],
        "lastModifiedBy": "string",
        "lastModifiedOn": 0,
        "name": "string",
        "overridden": true,
        "policyId": "string",
        "policySubTypes": [
          "run"
        ],
        "policyType": "config",
        "policyUpi": "string",
        "recommendation": "string",
        "remediable": true,
        "remediation": {
          "actions": [
            {
              "operation": "string",
              "payload": "string"
            }
          ],
          "cliScriptTemplate": "string",
          "description": "string"
        },
        "restrictAlertDismissal": true,
        "rule": {
          "apiName": "string",
          "cloudAccount": "string",
          "cloudType": "string",
          "criteria": "string",
          "dataCriteria": {
            "classificationResult": "string",
            "exposure": "private",
            "extension": [
              "string"
            ]
          },
          "name": "string",
          "parameters": {},
          "resourceIdPath": "string",
          "resourceType": "string",
          "type": "Config"
        },
        "ruleLastModifiedOn": 0,
        "severity": "high",
        "systemDefault": true
      },
      "policyId": "string",
      "reason": "string",
      "resource": {
        "account": "string",
        "accountId": "string",
        "additionalInfo": {
          "array": true,
          "bigDecimal": true,
          "bigInteger": true,
          "binary": true,
          "boolean": true,
          "containerNode": true,
          "double": true,
          "float": true,
          "floatingPointNumber": true,
          "int": true,
          "integralNumber": true,
          "long": true,
          "missingNode": true,
          "nodeType": "ARRAY",
          "null": true,
          "number": true,
          "object": true,
          "pojo": true,
          "short": true,
          "textual": true,
          "valueNode": true
        },
        "cloudAccountAncestors": [
          "string"
        ],
        "cloudAccountGroups": [
          "string"
        ],
        "cloudAccountOwners": [
          "string"
        ],
        "cloudServiceName": "string",
        "cloudType": "ALL",
        "data": {},
        "id": "string",
        "name": "string",
        "region": "string",
        "regionId": "string",
        "resourceApiName": "string",
        "resourceConfigJsonAvailable": true,
        "resourceDetailsAvailable": true,
        "resourceTags": {},
        "resourceType": "string",
        "rrn": "string",
        "unifiedAssetId": "string",
        "url": "string"
      },
      "riskDetail": {
        "policyScores": [
          {
            "cloudType": "ALL",
            "complianceMetadata": [
              {
                "complianceId": "string",
                "customAssigned": true,
                "policyId": "string",
                "requirementDescription": "string",
                "requirementId": "string",
                "requirementName": "string",
                "sectionDescription": "string",
                "sectionId": "string",
                "sectionLabel": "string",
                "standardDescription": "string",
                "standardId": "string",
                "standardName": "string"
              }
            ],
            "createdBy": "string",
            "createdOn": 0,
            "deleted": true,
            "description": "string",
            "enabled": true,
            "findingTypes": [
              "string"
            ],
            "labels": [
              "string"
            ],
            "lastModifiedBy": "string",
            "lastModifiedOn": 0,
            "name": "string",
            "overridden": true,
            "points": "string",
            "policyId": "string",
            "policySubTypes": [
              "run"
            ],
            "policyType": "config",
            "policyUpi": "string",
            "recommendation": "string",
            "remediable": true,
            "remediation": {
              "actions": [
                {
                  "operation": "string",
                  "payload": "string"
                }
              ],
              "cliScriptTemplate": "string",
              "description": "string"
            },
            "restrictAlertDismissal": true,
            "riskScore": {
              "maxScore": 0,
              "score": 0
            },
            "rule": {
              "apiName": "string",
              "cloudAccount": "string",
              "cloudType": "string",
              "criteria": "string",
              "dataCriteria": {
                "classificationResult": "string",
                "exposure": "private",
                "extension": [
                  "string"
                ]
              },
              "name": "string",
              "parameters": {},
              "resourceIdPath": "string",
              "resourceType": "string",
              "type": "Config"
            },
            "ruleLastModifiedOn": 0,
            "severity": "high",
            "systemDefault": true
          }
        ],
        "rating": "string",
        "riskScore": {
          "maxScore": 0,
          "score": 0
        },
        "score": "string"
      },
      "saveSearchId": "string",
      "status": "open",
      "triggeredBy": "string"
    }
  ],
  "nextPageToken": "string",
  "sortAllowedColumns": [
    "string"
  ],
  "totalRows": 0
}
internal_error
Too Many Requests
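The pagination, rate-limit and 429 behaviour described on this page can be combined into one client-side loop, shown here as an added example that is not part of the Prisma Cloud documentation. The `fetch_page` transport callable, the `fake_fetcher` helper and the sample alerts are constructed for illustration; only `pageToken`, `nextPageToken`, `items`, `status` and `policy.severity` come from the page.

```python
import time
from collections import Counter

MIN_INTERVAL = 0.5  # seconds between calls: the page's request rate limit is 2/sec

def list_all_alerts(fetch_page, params, max_retries=3, sleep=time.sleep):
    """Follow nextPageToken to the last page. fetch_page(query) -> (status, body)
    is a hypothetical transport callable; HTTP client and auth stay outside."""
    alerts, token, seen = [], None, set()
    while True:
        query = dict(params, pageToken=token) if token else dict(params)
        for attempt in range(max_retries + 1):
            status, body = fetch_page(query)
            if status != 429:
                break
            sleep(MIN_INTERVAL * 2 ** (attempt + 1))  # back off on Too Many Requests
        if status != 200:
            raise RuntimeError(f"alert listing failed with HTTP {status}")
        alerts.extend(body.get("items", []))
        token = body.get("nextPageToken")
        if not token:
            return alerts
        if token in seen:  # a repeated token would otherwise loop forever
            raise RuntimeError("nextPageToken repeated")
        seen.add(token)
        sleep(MIN_INTERVAL)

def open_by_severity(alerts):
    """Count alerts with status 'open' per items[].policy.severity."""
    return Counter(a.get("policy", {}).get("severity", "unknown")
                   for a in alerts if a.get("status") == "open")

def fake_fetcher():
    """Constructed two-page response; the second page is throttled once."""
    pages = {None: {"items": [{"id": "P-1", "status": "open", "policy": {"severity": "high"}},
                              {"id": "P-2", "status": "resolved", "policy": {"severity": "low"}}],
                    "nextPageToken": "tok-2"},
             "tok-2": {"items": [{"id": "P-3", "status": "open", "policy": {"severity": "high"}}]}}
    calls = []
    def fetch(query):
        calls.append(dict(query))
        if query.get("pageToken") == "tok-2" and len(calls) == 2:
            return 429, {}  # simulated rate-limit response
        return 200, pages[query.get("pageToken")]
    return fetch, calls

if __name__ == "__main__":
    fetch, _ = fake_fetcher()
    print(open_by_severity(list_all_alerts(fetch, {}, sleep=lambda s: None)))
```

The original filters are resent with every `pageToken`, and the loop raises instead of returning a partial list when retries are exhausted, so a throttled export is never mistaken for a complete one.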