List Alerts - POST
POST /alert
Returns a list of alerts that match the constraints specified in the body parameters. Max 10k results. To get more, use List Alerts V2 - POST.
The fields body parameter lets you request specific fields from the alert payload; these are independent of the filters you specify. The following are valid fields items.
- alert.id
- alert.status
- alert.time
- cloud.account
- cloud.accountId
- cloud.region
- resource.id
- resource.name
- policy.name
- policy.type
- policy.severity
The filters body parameter enables you to narrow your request for alerts. See List Alert Filters for an API request to list all the valid filters.
Data in the response object does not include alert rules.
Also, in the response object:
- Property riskDetail is deprecated.
- Property resource.cloudServiceName is populated only for alerts whose resources belong to a cloud service.
Rate Limits
The following rate limits apply:
- Request rate limit: 2/sec
- Burst limit: 10/sec
Request
Query Parameters
- detailed (boolean, optional): true = Return detailed alert data. Default is false. Overrides detailed in the body.
Request body content type: application/json; charset=UTF-8
Body
- detailed (boolean): Return detailed alert data. Default is false. The detailed query parameter, when present, overrides this value.
- fields (string[]): Array of specific fields to return. See the valid fields items listed above.
- filters (object[]): Filtering parameters. For filter names, refer to the List Filters API. For filter values, refer to List filter suggestions. The only exception is the resource.tagv2 filter name; provide its value as a string in the following format: {"key":"'CustomerTagKey'","value":"'CustomerTagValue'"}
  - name (string): Filter name
  - operator (string): Possible values: [=]
  - value (string): Filter value
- groupBy (string[]): For asset or data inventory only. Group returned items by cloud.type, cloud.service, cloud.region, cloud.account, and/or resource.type
- limit (integer): Maximum number of items to return. When data is paginated, maximum number of items per page. The maximum cannot exceed 10,000. The default is 10,000.
- offset (integer): The number of items to skip before selecting items to return. Default is zero.
- pageToken (string): Setting this pagination token to the nextPageToken from a response object returns the next page of data.
- sortBy (string[]): Array of sort properties. Append :asc or :desc to the key to sort by ascending or descending order respectively. Example sort properties are id:asc and timestamp:desc
- timeRange (object): See the Time Range Model for details. One of the following models, selected by its type value:
  - RelativeTimeRangeConfigModel (type: relative)
    - relativeTimeType: Direction in which to count time. Possible values: [BACKWARD, FORWARD]. Default = BACKWARD
    - value (object, required): Model for RelativeTimeDuration
      - amount (integer): Number of time units
      - unit: Time unit. Possible values: [minute, hour, day, week, month, year]
  - AbsoluteTimeRangeConfigModel (type: absolute)
    - value (object, required): Model for Time
      - endTime: End timestamp
      - startTime: Start timestamp
  - ToNowTimeRangeConfigModel (type: to_now)
    - value: Time range object. Possible values: [MINUTE, HOUR, DAY, WEEK, MONTH, YEAR, EPOCH, LOGIN]
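The request body, the three time range models, the resource.tagv2 value format, limit/offset paging under the 10k cap and the 2/sec rate limit described above, as an added example that is not part of the Prisma Cloud documentation or of any Prisma Cloud SDK. It assumes the documented body keys (detailed, fields, filters, limit, offset, timeRange). The HTTP transport is injected so the code runs offline; the requests-based transport at the end assumes a tenant API base URL and an x-redlock-auth JWT from POST /login, neither of which this page documents. The filter names alert.status and policy.severity used in the usage block are assumptions taken from the fields list; confirm them with List Alert Filters. The tagv2 helper emits a compact JSON string without the single quotes shown around the placeholders in the doc's format string; verify against List filter suggestions which form the API expects.

```python
import json
import time
from typing import Any, Callable, Dict, Iterable, Iterator, List, Optional, Sequence, Tuple

ALERT_PATH = "/alert"          # endpoint documented on this page
MAX_LIMIT = 10_000             # documented cap; beyond it, use List Alerts V2
REQUEST_RATE_PER_SEC = 2       # documented request rate limit (burst 10/sec)
RELATIVE_UNITS = {"minute", "hour", "day", "week", "month", "year"}
TO_NOW_VALUES = {"MINUTE", "HOUR", "DAY", "WEEK", "MONTH", "YEAR", "EPOCH", "LOGIN"}

Transport = Callable[[str, Dict[str, Any]], Tuple[int, Any]]  # (path, body) -> (status, json)


def relative_range(amount: int, unit: str, direction: str = "BACKWARD") -> Dict[str, Any]:
    """RelativeTimeRangeConfigModel: `amount` `unit`s counted BACKWARD (default) or FORWARD."""
    if unit not in RELATIVE_UNITS:
        raise ValueError(f"unit must be one of {sorted(RELATIVE_UNITS)}")
    if direction not in ("BACKWARD", "FORWARD"):
        raise ValueError("direction must be BACKWARD or FORWARD")
    return {"type": "relative", "relativeTimeType": direction,
            "value": {"amount": amount, "unit": unit}}


def absolute_range(start_ms: int, end_ms: int) -> Dict[str, Any]:
    """AbsoluteTimeRangeConfigModel: explicit start/end timestamps in epoch milliseconds."""
    if end_ms < start_ms:
        raise ValueError("endTime must not precede startTime")
    return {"type": "absolute", "value": {"startTime": start_ms, "endTime": end_ms}}


def to_now_range(value: str) -> Dict[str, Any]:
    """ToNowTimeRangeConfigModel: from the start of `value` (e.g. EPOCH, LOGIN) until now."""
    if value not in TO_NOW_VALUES:
        raise ValueError(f"value must be one of {sorted(TO_NOW_VALUES)}")
    return {"type": "to_now", "value": value}


def tagv2_filter_value(key: str, value: str) -> str:
    """resource.tagv2 is the one filter whose value is itself a JSON string."""
    return json.dumps({"key": key, "value": value}, separators=(",", ":"))


def build_alert_request(filters: Sequence[Tuple[str, str]], time_range: Dict[str, Any],
                        fields: Optional[Iterable[str]] = None, limit: int = MAX_LIMIT,
                        offset: int = 0, detailed: bool = False) -> Dict[str, Any]:
    """Body for POST /alert. `filters` are (name, value) pairs; the only operator is '='."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    body: Dict[str, Any] = {"detailed": detailed, "timeRange": time_range,
                            "limit": limit, "offset": offset,
                            "filters": [{"name": n, "operator": "=", "value": v} for n, v in filters]}
    if fields:  # request only the fields you need; the full alert payload is large
        body["fields"] = list(fields)
    return body


class AlertClient:
    """Paced, 429-aware caller. The transport is injected and returns (http_status, decoded_json)."""

    def __init__(self, post: Transport, sleep=time.sleep, clock=time.monotonic,
                 min_interval: float = 1.0 / REQUEST_RATE_PER_SEC, max_retries: int = 5):
        self._post, self._sleep, self._clock = post, sleep, clock
        self._min_interval, self._max_retries = min_interval, max_retries
        self._last_sent: Optional[float] = None

    def _send(self, body: Dict[str, Any]) -> List[Dict[str, Any]]:
        attempt = 0
        while True:
            if self._last_sent is not None:  # client-side pacing keeps us under 2 requests/sec
                wait = self._min_interval - (self._clock() - self._last_sent)
                if wait > 0:
                    self._sleep(wait)
            self._last_sent = self._clock()
            status, payload = self._post(ALERT_PATH, body)
            if status == 200:
                return payload
            if status == 429 and attempt < self._max_retries:
                attempt += 1
                self._sleep(self._min_interval * (2 ** attempt))  # back off, then retry
                continue
            raise RuntimeError(f"POST {ALERT_PATH} failed with HTTP {status}: {payload!r}")

    def iter_alerts(self, filters, time_range, fields=None, page_size=1000) -> Iterator[Dict[str, Any]]:
        """Walk the result set with limit/offset; stops at the documented 10k cap."""
        offset = 0
        while offset < MAX_LIMIT:
            limit = min(page_size, MAX_LIMIT - offset)
            page = self._send(build_alert_request(filters, time_range, fields, limit, offset))
            yield from page
            if len(page) < limit:  # a short page means the result set is exhausted
                return
            offset += limit


def requests_transport(api_url: str, token: str) -> Transport:
    """Real transport. Assumption, not from this page: tenant API base URL plus an
    x-redlock-auth JWT obtained from POST /login."""
    def post(path: str, body: Dict[str, Any]) -> Tuple[int, Any]:
        import requests  # imported lazily so the module loads without it installed
        r = requests.post(api_url + path, json=body, timeout=60,
                          headers={"x-redlock-auth": token,
                                   "Content-Type": "application/json; charset=UTF-8"})
        return r.status_code, (r.json() if r.content else None)
    return post


if __name__ == "__main__":
    import os
    client = AlertClient(requests_transport(os.environ["PRISMA_API_URL"], os.environ["PRISMA_TOKEN"]))
    for alert in client.iter_alerts([("alert.status", "open"), ("policy.severity", "high")],
                                    relative_range(7, "day"), fields=["alert.id", "policy.name"]):
        print(alert)
```

The pacing logic is deliberately client-side: the documented burst limit of 10/sec means a short flurry is tolerated, but a long export that ignores the 2/sec request rate will hit 429 and, without backoff, keep hitting it. Filtering and asking for a few fields also matter for more than bandwidth: the detailed payload carries alert rule notification configs and resource data you usually do not need in a bulk pull.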
Responses
- 200: successful operation. Content type: */*
- 400
- 429
200 response body
Schema (an array of alert objects)
- alertAdditionalInfo (object)
- alertAttribution (object): Model for AlertAttribution
  - attributionEventList (object[])
    - event: Event
    - event_ts: Event Timestamp
    - username: Username
  - resourceCreatedBy: Resource Created By
  - resourceCreatedOn: Resource Created On
- alertCount
- alertRules (object[])
  - alertRuleNotificationConfig (object[]): List of data for notifications to third-party tools
    - dayOfMonth: Day of month
    - daysOfWeek (object[]): Days of week
      - day: Possible values: [SU, MO, TU, WE, TH, FR, SA]
      - offset
    - detailedReport: Provide csv detailed report
    - enabled: Scan enabled
    - frequency: Possible values: [as_it_happens, daily, weekly, monthly]
    - frequencyFromRRule: Frequency from RRule
    - hourOfDay: Hour of day
    - id: Alert rule notification config ID
    - includeRemediation: Include remediation in detailed report
    - lastUpdated: Last Updated
    - last_sent_ts: Time of last notification in milliseconds
    - recipients (string[]): For email notifications: list of unique email addresses to notify. For integrations without notification templates: list of integration ids. For integrations with notification templates: list of notification template ids.
    - rruleSchedule
    - templateId: Template ID
    - timezone: Java time zone ID (e.g. America/Los_Angeles)
    - type: Integration type. Possible values: [email, slack, splunk, amazon_sqs, jira, microsoft_teams, webhook, aws_security_hub, google_cscc, service_now, pager_duty, azure_service_bus_queue, demisto, aws_s3, snowflake]
    - withCompression: Compress detailed report
  - allowAutoRemediate: Allow Auto-Remediation
  - delayNotificationMs: Delay notifications by the specified milliseconds
  - description: Rule/Scan description
  - enabled: Rule/Scan is enabled
  - lastModifiedBy: Last modified by
  - lastModifiedOn: Last modified on this date/time in milliseconds
  - name: Rule/Scan name
  - notifyOnDismissed: Include dismissed alerts in notification
  - notifyOnOpen: Include open alerts in notification
  - notifyOnResolved: Include resolved alerts in notification
  - notifyOnSnoozed: Include snoozed alerts in notification
  - policies (string[]): List of specific policies to scan
  - policyLabels (string[]): Policy labels
  - policyScanConfigId: Policy Scan Config ID
  - scanAll: Scan all policies
  - target (object, required): Model for Target Filter
    - accountGroups (string[]): List of Account group(s)
    - alertRulePolicyFilter (object): Model for Alert Rule Policy Filter
      - availablePolicyFilters (string[]): List of available Alert Rule Policy Filters
      - cloud.type (string[]): Cloud Type Filter. Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
      - policy.complianceStandard (string[]): Compliance Standard Filter
      - policy.label (string[]): Policy Label Filter
      - policy.severity (string[]): Policy Severity Filter
    - excludedAccounts (string[]): List of excluded accounts
    - includedResourceLists (object): Model for holding the resource list ids, keyed by resource list type
      - computeAccessGroupIds (string[])
    - regions (string[]): List of regions for which alerts will be triggered for account groups. Alerts not associated with specific regions will be triggered regardless of listed regions. If no regions are specified, then the alerts will be triggered for all regions.
    - tags (object[]): List of TargetTag models (resource tags) for which alerts should be triggered
      - key: Resource tag target
      - values (string[]): List of value(s) for resource tag key
- alertTime: Timestamp when alert was last reopened for resource update, or the same as firstSeen if there are no status changes.
- appMetadata (object[]): Application Metadata from AppDna
- connectionDetails (object[]): ConnectionDetails for network_event alerts
- dismissalDuration: Dismissal Duration
- dismissalNote: Dismissal note
- dismissalUntilTs: Dismiss until this timestamp
- dismissedBy: Dismissed by
- eventOccurred: Timestamp when the event occurred. Set only for Audit Event policies.
- firstSeen: Timestamp of the first policy violation for the alert resource (i.e. the alert creation timestamp)
- history (object[])
  - reason: Reason
  - status: Status. Possible values: [OPEN, DISMISSED, SNOOZED, PENDING_RESOLUTION, RESOLVED]
- id: Alert ID
- investigateOptions (object): Model for InvestigateOptions
  - alertId: Alert id
  - hasSearchExecutionSupport: The flag indicates if the policy has RQL execution support
  - searchId: searchId for the policy RQL
- lastSeen: Timestamp when alert status was last updated.
- lastUpdated: Timestamp when alert was last updated. Updates include but are not limited to resource updates, policy updates, alert rule updates, and alert status changes.
- metadata (object): Raw JSON metadata for the alert
- policy (object): Model for Policy
  - cloudType: Cloud type (Required for config policies). Not case-sensitive. Default is ALL. Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
  - complianceMetadata (object[]): List of compliance data. Each item has compliance standard, requirement, and/or section information.
    - complianceId: Compliance Section UUID
    - customAssigned
    - policyId: Policy ID
    - requirementDescription: Requirement description
    - requirementId: Requirement ID
    - requirementName: Requirement name
    - sectionDescription: Section name
    - sectionId: Section Id
    - sectionLabel: Section Label
    - standardDescription: Compliance standard description
    - standardId
    - standardName: Compliance standard name
  - createdBy: Created by
  - createdOn: Created on this timestamp
  - deleted: Deleted
  - description: Policy description
  - enabled: true=enabled. false=disabled.
  - findingTypes (string[]): Finding Type
  - labels (string[]): Labels
  - lastModifiedBy: Last modified by
  - lastModifiedOn: Last modified on this timestamp
  - name: Policy name
  - overridden: Overridden
  - policyId: Policy ID
  - policySubTypes (string[]): Policy subtype. Possible values: [run, build, run_and_build, audit, data_classification, dns, malware, network_event, network, ueba, permissions, network_config, identity, sensitive_data_exposure, internet_exposure, injections, vulnerability_scanning, shellshock, known_bots, unknown_bots, virtual_patches, event, misconfig_and_event, misconfig, host, container_image]
  - policyType: Policy type. Policy type anomaly is read-only. Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, api, attack_path, malware, grayware]
  - policyUpi: Policy UPI
  - recommendation: Remediation recommendation
  - remediable: isRemediable
  - remediation (object): Model for Remediation
    - actions (object[]): Policy Action
      - operation
      - payload
    - cliScriptTemplate: CLI Script Template
    - description: Description
  - restrictAlertDismissal: Restrict alert dismissal
  - rule (object, required): Model for Rule
    - apiName: API name
    - cloudAccount: Cloud account
    - cloudType: Cloud type
    - criteria: Saved search ID that defines the rule criteria.
    - dataCriteria (object): Criteria for Rule
      - classificationResult: Data policy. Required for DLP rule criteria.
      - exposure: File exposure. Possible values: [private, public, conditional]
      - extension (string[]): File extensions
    - name: Name
    - parameters (object, required): Parameters (e.g. {"savedSearch": "true"})
    - resourceIdPath: Resource ID path
    - resourceType: Resource type
    - type: Type of rule or RQL query. Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]
  - ruleLastModifiedOn: Rule last modified on
  - severity: Severity. Possible values: [high, medium, low]
  - systemDefault: true = Policy is a Prisma Cloud system default policy
- policyId: Policy ID
- reason: The reason for an alert's status. For more information on Alert reasons see View and Respond to Prisma Cloud Alerts and Prisma Cloud Alert Resolution Reasons
- resource (object): Model for Cloud Resource
  - account: Account
  - accountId: Account ID
  - additionalInfo (object): Additional info
    - nodeType: Possible values: [ARRAY, BINARY, BOOLEAN, MISSING, NULL, NUMBER, OBJECT, POJO, STRING]. The other boolean keys shown in the example (array, bigDecimal, binary, ...) are undocumented JSON node type flags.
  - cloudAccountAncestors (string[]): Cloud account ancestors. For GCP.
  - cloudAccountGroups (string[]): Cloud account groups
  - cloudAccountOwners (string[]): Cloud account owners. For Azure and GCP.
  - cloudServiceName: Cloud service name (populated only for resources that belong to a cloud service)
  - cloudType: Cloud type. Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]
  - data (object): Raw JSON data for the resource
  - id: Id
  - name: Name
  - region: Region name
  - regionId: Region API identifier
  - resourceApiName: Resource API name
  - resourceConfigJsonAvailable
  - resourceDetailsAvailable
  - resourceTags (object): Resource tags
  - resourceType: Resource type
  - rrn: RRN
  - unifiedAssetId
  - url: URL
- riskDetail (object): Model for Risk Detail. Deprecated; do not build on it.
  - policyScores (object[]): Each item carries the same fields as policy above, plus:
    - points: Points
    - riskScore (object): Model for Score
      - maxScore: Max Score
      - score: Score
  - rating: Rating
  - riskScore (object): Model for Score
    - maxScore: Max Score
    - score: Score
  - score: Score
- saveSearchId: Saved Search ID
- status: Status. Possible values: [open, dismissed, snoozed, resolved, pending_resolution]
- triggeredBy: Triggered By
Example (from schema)
[
{
"alertAdditionalInfo": {},
"alertAttribution": {
"attributionEventList": [
{
"event": "string",
"event_ts": 0,
"username": "string"
}
],
"resourceCreatedBy": "string",
"resourceCreatedOn": 0
},
"alertCount": 0,
"alertRules": [
{
"alertRuleNotificationConfig": [
{
"dayOfMonth": 0,
"daysOfWeek": [
{
"day": "SU",
"offset": 0
}
],
"detailedReport": true,
"enabled": true,
"frequency": "as_it_happens",
"frequencyFromRRule": "string",
"hourOfDay": 0,
"id": "string",
"includeRemediation": true,
"lastUpdated": 0,
"last_sent_ts": 0,
"recipients": [
"string"
],
"rruleSchedule": "string",
"templateId": "string",
"timezone": "string",
"type": "email",
"withCompression": true
}
],
"allowAutoRemediate": true,
"delayNotificationMs": 0,
"description": "string",
"enabled": true,
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"notifyOnDismissed": true,
"notifyOnOpen": true,
"notifyOnResolved": true,
"notifyOnSnoozed": true,
"policies": [
"string"
],
"policyLabels": [
"string"
],
"policyScanConfigId": "string",
"scanAll": true,
"target": {
"accountGroups": [
"string"
],
"alertRulePolicyFilter": {
"availablePolicyFilters": [
"string"
],
"cloud.type": [
"ALL"
],
"policy.complianceStandard": [
"string"
],
"policy.label": [
"string"
],
"policy.severity": [
"string"
]
},
"excludedAccounts": [
"string"
],
"includedResourceLists": {
"computeAccessGroupIds": [
"string"
]
},
"regions": [
"string"
],
"tags": [
{
"key": "string",
"values": [
"string"
]
}
]
}
}
],
"alertTime": 0,
"appMetadata": [
{}
],
"connectionDetails": [
{
"accepted": "string",
"accountName": "string",
"classification": "string",
"destIp": "string",
"destIsp": "string",
"feedSource": "string",
"id": 0,
"inboundTrafficVolume": 0,
"markedThreatTs": 0,
"outboundTrafficVolume": 0,
"packets": 0,
"srcIp": "string",
"srcIsp": "string",
"threatDescription": "string",
"timestamp": 0,
"trafficOverTime": [
{}
],
"trafficVolume": 0
}
],
"dismissalDuration": "string",
"dismissalNote": "string",
"dismissalUntilTs": 0,
"dismissedBy": "string",
"eventOccurred": 0,
"firstSeen": 0,
"history": [
{
"reason": "string",
"status": "OPEN"
}
],
"id": "string",
"investigateOptions": {
"alertId": "string",
"hasSearchExecutionSupport": true,
"searchId": "string"
},
"lastSeen": 0,
"lastUpdated": 0,
"metadata": {},
"policy": {
"cloudType": "ALL",
"complianceMetadata": [
{
"complianceId": "string",
"customAssigned": true,
"policyId": "string",
"requirementDescription": "string",
"requirementId": "string",
"requirementName": "string",
"sectionDescription": "string",
"sectionId": "string",
"sectionLabel": "string",
"standardDescription": "string",
"standardId": "string",
"standardName": "string"
}
],
"createdBy": "string",
"createdOn": 0,
"deleted": true,
"description": "string",
"enabled": true,
"findingTypes": [
"string"
],
"labels": [
"string"
],
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"overridden": true,
"policyId": "string",
"policySubTypes": [
"run"
],
"policyType": "config",
"policyUpi": "string",
"recommendation": "string",
"remediable": true,
"remediation": {
"actions": [
{
"operation": "string",
"payload": "string"
}
],
"cliScriptTemplate": "string",
"description": "string"
},
"restrictAlertDismissal": true,
"rule": {
"apiName": "string",
"cloudAccount": "string",
"cloudType": "string",
"criteria": "string",
"dataCriteria": {
"classificationResult": "string",
"exposure": "private",
"extension": [
"string"
]
},
"name": "string",
"parameters": {},
"resourceIdPath": "string",
"resourceType": "string",
"type": "Config"
},
"ruleLastModifiedOn": 0,
"severity": "high",
"systemDefault": true
},
"policyId": "string",
"reason": "string",
"resource": {
"account": "string",
"accountId": "string",
"additionalInfo": {
"array": true,
"bigDecimal": true,
"bigInteger": true,
"binary": true,
"boolean": true,
"containerNode": true,
"double": true,
"float": true,
"floatingPointNumber": true,
"int": true,
"integralNumber": true,
"long": true,
"missingNode": true,
"nodeType": "ARRAY",
"null": true,
"number": true,
"object": true,
"pojo": true,
"short": true,
"textual": true,
"valueNode": true
},
"cloudAccountAncestors": [
"string"
],
"cloudAccountGroups": [
"string"
],
"cloudAccountOwners": [
"string"
],
"cloudServiceName": "string",
"cloudType": "ALL",
"data": {},
"id": "string",
"name": "string",
"region": "string",
"regionId": "string",
"resourceApiName": "string",
"resourceConfigJsonAvailable": true,
"resourceDetailsAvailable": true,
"resourceTags": {},
"resourceType": "string",
"rrn": "string",
"unifiedAssetId": "string",
"url": "string"
},
"riskDetail": {
"policyScores": [
{
"cloudType": "ALL",
"complianceMetadata": [
{
"complianceId": "string",
"customAssigned": true,
"policyId": "string",
"requirementDescription": "string",
"requirementId": "string",
"requirementName": "string",
"sectionDescription": "string",
"sectionId": "string",
"sectionLabel": "string",
"standardDescription": "string",
"standardId": "string",
"standardName": "string"
}
],
"createdBy": "string",
"createdOn": 0,
"deleted": true,
"description": "string",
"enabled": true,
"findingTypes": [
"string"
],
"labels": [
"string"
],
"lastModifiedBy": "string",
"lastModifiedOn": 0,
"name": "string",
"overridden": true,
"points": "string",
"policyId": "string",
"policySubTypes": [
"run"
],
"policyType": "config",
"policyUpi": "string",
"recommendation": "string",
"remediable": true,
"remediation": {
"actions": [
{
"operation": "string",
"payload": "string"
}
],
"cliScriptTemplate": "string",
"description": "string"
},
"restrictAlertDismissal": true,
"riskScore": {
"maxScore": 0,
"score": 0
},
"rule": {
"apiName": "string",
"cloudAccount": "string",
"cloudType": "string",
"criteria": "string",
"dataCriteria": {
"classificationResult": "string",
"exposure": "private",
"extension": [
"string"
]
},
"name": "string",
"parameters": {},
"resourceIdPath": "string",
"resourceType": "string",
"type": "Config"
},
"ruleLastModifiedOn": 0,
"severity": "high",
"systemDefault": true
}
],
"rating": "string",
"riskScore": {
"maxScore": 0,
"score": 0
},
"score": "string"
},
"saveSearchId": "string",
"status": "open",
"triggeredBy": "string"
}
]
400 response: internal_error
429 response: Too Many Requests