Export Alerts
POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/alerts/_export
Export Alerts in CSV format. This is an asynchronous request that allows up to 25,000 records to be exported per request.
Use the Export Alerts endpoint defined here to create a job with required search criteria to limit the results. A job_id is returned.
- This job may take up to 5 minutes to complete.
Optionally, use Get Job Progress to check whether the job has completed.
Use the job_id in the Download Job Output endpoint in the Jobs Service to get the results. The Download Job API requires the permission jobs.status - READ.
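- If more than 25,000 records matched the criteria, only the first 25,000 are returned, sorted by backend_timestamp; narrow the time_range or criteria and export in several jobs when the complete set of alerts is needed.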
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.alerts | READ |
jobs.status | READ |
Request Schema
{
"query": "<string>",
"time_range": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"criteria": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"alert_origin": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"<string>"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"ADWARE",
"NOT_SUPPORTED"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"exclusions": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"alert_origin": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"NONE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"<string>"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"format": "<string>",
"fields": ["<string>"]
}
Request Body
{"time_range": {"range": "-1d"}, "criteria": {"minimum_severity": 2, "type": ["WATCHLIST"]}, "format": "CSV"}
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Content-Type | string | | |
Accept | string | | |
RESPONSES
status: OK
"alert_notes_present,alert_url,asset_group,asset_id,attack_tactic,attack_technique,backend_timestamp,backend_update_timestamp,blocked_effective_reputation,blocked_md5,blocked_name,blocked_sha256,childproc_cmdline,childproc_effective_reputation,childproc_guid,childproc_md5,childproc_name,childproc_sha256,childproc_username,chrome_device_id,connection_type,container_id,container_image_hash,container_image_name,container_name,detection_timestamp,determination_change_timestamp,determination_changed_by,determination_changed_by_type,determination_value,device_external_ip,device_id,device_internal_ip,device_location,device_name,device_os,device_os_version,device_policy,device_policy_id,device_target_value,device_uem_id,device_username,egress_group_id,egress_group_name,external_device_friendly_name,first_event_timestamp,id,ioc_field,ioc_hit,ioc_id,ip_reputation,is_updated,k8s_cluster,k8s_kind,k8s_namespace,k8s_pod_name,k8s_policy,k8s_policy_id,k8s_rule,k8s_rule_id,k8s_workload_name,last_event_timestamp,mdr_alert,mdr_alert_notes_present,mdr_determination_value,mdr_threat_notes_present,mdr_workflow_is_assigned,mdr_workflow_status,ml_classification_anomalies,ml_classification_final_verdict,ml_classification_global_prevalence,ml_classification_org_prevalence,netconn_local_ip,netconn_local_ipv4,netconn_local_ipv6,netconn_local_port,netconn_protocol,netconn_remote_domain,netconn_remote_ip,netconn_remote_ipv4,netconn_remote_ipv6,netconn_remote_port,org_key,parent_cmdline,parent_effective_reputation,parent_guid,parent_md5,parent_name,parent_pid,parent_reputation,parent_sha256,parent_username,policy_applied,primary_event_id,process_cmdline,process_container_pid,process_effective_reputation,process_guid,process_issuer,process_md5,process_name,process_pid,process_publisher,process_reputation,process_sha256,process_username,product_id,product_name,reason,reason_code,remote_is_private,remote_k8s_kind,remote_k8s_namespace,remote_k8s_pod_name,remote_k8s_workload_name,report_description,re
port_id,report_link,report_name,report_tags,rule_category_id,rule_config_category,rule_config_id,rule_config_name,rule_id,run_state,sensor_action,serial_number,severity,tags,threat_hunt_id,threat_hunt_name,threat_id,threat_name,threat_notes_present,tms_rule_id,ttps,type,user_update_timestamp,vendor_id,vendor_name,watchlists,workflow_change_timestamp,workflow_changed_by,workflow_changed_by_rule_id,workflow_changed_by_type,workflow_closure_reason,workflow_status\nfalse,defense.conferdeploy.net/alerts?s[c][query_string]=id:4870e071-9c7d-4147-b00d-0be988ff920a\u0026orgKey=ABCD1234,,,,,2024-05-28T13:27:23.815596681Z,2024-05-28T13:27:23.815596681Z,,,,,,,,,,,,,,,,,,2024-05-28T13:24:28.335Z,2024-05-28T13:27:23.815596681Z,,,NONE,1.2.3.4,18741265,10.203.101.185,UNKNOWN,DEMO-WIN,WINDOWS,Windows 10 x64,Standard,165700,MEDIUM,,,,,,2024-05-28T13:20:42.954Z,4870e071-9c7d-4147-b00d-0be988ff920a,,(process_name:dllhost.exe) AND process_publisher_state:FILE_SIGNATURE_STATE_VERIFIED ,529de965-e1f6-4e7d-a37e-9e392da29740,,false,,,,,,1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9,,627bbdfe-55a7-3100-89bc-25d618fb9684,,2024-05-28T13:20:42.954Z,false,false,,false,false,,,,,,,,,0,,,,,,0,ABCD1234,C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p,TRUSTED_WHITE_LIST,ABCD1234-011df811-00000330-00000000-1daa67e691ecdb8,7469cc568ad6821fd9d925542730a7d8,c:\\windows\\system32\\svchost.exe,816,TRUSTED_WHITE_LIST,,NT AUTHORITY\\SYSTEM,NOT_APPLIED,1yR4WspiQUmlqaWJRHV9eg-0,C:\\WINDOWS\\system32\\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F},0,TRUSTED_WHITE_LIST,ABCD1234-011df811-00001c44-00000000-1daa67eb00776e6,[Microsoft Windows Production PCA 2011],dfe1e4b1b8714cbe1005ee9413c2bae9,c:\\windows\\system32\\dllhost.exe,7236,[Microsoft Windows],TRUSTED_WHITE_LIST,0309834d40475ccd5a88c48f7ff5ec62e5c6798900357dd83665c3d0345124e0,DEMO-WIN\\DEMO-DOMAIN,,,\"Process dllhost.exe was detected by the report \"\"demo-report\"\" in watchlist 
\"\"demo-watchlist\"\"\",1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9:627bbdfe-55a7-3100-89bc-25d618fb9684,false,,,,,,Q0O2FxEWSy2fSSYxEs2Pg,,demo-report,,1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9,,,,627bbdfe-55a7-3100-89bc-25d618fb9684,RAN,ALLOW,,5,,,,1B32B7CF7C3D40F117B46EC2E39530C9,,true,,,WATCHLIST,,,,,2024-05-28T13:27:23.815596681Z,ALERT_CREATION,,SYSTEM,,OPEN\nfalse,defense.conferdeploy.net/alerts?s[c][query_string]=id:f3b3f70d-28a1-4764-9385-89331608e0f3\u0026orgKey=ABCD1234,,,,,2024-05-28T12:55:56.709689187Z,2024-05-28T12:55:56.709689187Z,,,,,,,,,,,,,,,,,,2024-05-28T12:52:34.185Z,2024-05-28T12:55:56.709689187Z,,,NONE,1.2.3.4,19013608,9.8.7.6,UNKNOWN,DEMO-02\\DEMO-DOMAIN,WINDOWS,Windows 10 x64,Demo Policy,465946,MEDIUM,,,,,,2024-05-28T12:48:32.406Z,f3b3f70d-28a1-4764-9385-89331608e0f3,,(process_name:dllhost.exe) AND process_publisher_state:FILE_SIGNATURE_STATE_VERIFIED ,529de965-e1f6-4e7d-a37e-9e392da29740,,false,,,,,,1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9,,627bbdfe-55a7-3100-89bc-25d618fb9684,,2024-05-28T12:48:32.406Z,false,false,,false,false,,,,,,,,,0,,,,,,0,ABCD1234,C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p,TRUSTED_WHITE_LIST,ABCD1234-01221fe8-00000338-00000000-1daa710f1091653,7469cc568ad6821fd9d925542730a7d8,c:\\windows\\system32\\svchost.exe,824,TRUSTED_WHITE_LIST,,NT AUTHORITY\\SYSTEM,NOT_APPLIED,AZDQ1VvNSdyupi9rG-4nOg-0,C:\\Windows\\system32\\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F},0,TRUSTED_WHITE_LIST,ABCD1234-01221fe8-00001f70-00000000-1daa7113a0da2e2,[Microsoft Windows Production PCA 2011],dfe1e4b1b8714cbe1005ee9413c2bae9,c:\\windows\\system32\\dllhost.exe,8048,[Microsoft Windows],TRUSTED_WHITE_LIST,0309834d40475ccd5a88c48f7ff5ec62e5c6798900357dd83665c3d0345124e0,DEMO-02\\DEMO-DOMAIN,,,\"Process dllhost.exe was detected by the report \"\"demo-report\"\" in watchlist 
\"\"demo-watchlist\"\"\",1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9:627bbdfe-55a7-3100-89bc-25d618fb9684,false,,,,,,Q0O2FxEWSy2fSSYxEs2Pg,,demo-report,,1b32b7cf-7c3d-30f1-97b4-6ec2e39530c9,,,,627bbdfe-55a7-3100-89bc-25d618fb9684,RAN,ALLOW,,5,,,,1B32B7CF7C3D40F117B46EC2E39530C9,,true,,,WATCHLIST,,,,,2024-05-28T12:55:56.709689187Z,ALERT_CREATION,,SYSTEM,,OPEN\n"