Get Alert Details
GET {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/alerts/{{cb_alert_id}}
Get the details of a single alert, identified by its alert ID (`{{cb_alert_id}}` in the request path).
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.alerts | READ |
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Accept | string | | |
RESPONSES
status: OK
{"org_key":"ABCD1234","alert_url":"https://defense.conferdeploy.net/alerts?s[c][query_string]=id:52fa009d-e2d1-4118-8a8d-04f521ae66aa\u0026orgKey=ABCD1234","id":"12ab345cd6-e2d1-4118-8a8d-04f521ae66aa","type":"WATCHLIST","backend_timestamp":"2023-04-14T21:30:40.570Z","user_update_timestamp":null,"backend_update_timestamp":"2023-04-14T21:30:40.570Z","detection_timestamp":"2023-04-14T21:27:14.719Z","first_event_timestamp":"2023-04-14T21:21:42.193Z","last_event_timestamp":"2023-04-14T21:21:42.193Z","category":"THREAT","severity":8,"reason":"Process infdefaultinstall.exe was detected by the report \"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall\" in 6 watchlists","reason_code":"05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b","threat_id":"0569620088E6669121E38D9A64DBC24E","primary_event_id":"-7RlZFHcSGWKSrF55B_4Ig-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-14T21:30:40.570Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":null,"tags":["tag1","tag2"],"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":18118174,"device_name":"pscr-test-01-1677785028.620244-9","device_uem_id":"","device_target_value":"LOW","device_policy":"123abcde-c21b-4d64-9e3e-53595ef9c7af","device_policy_id":1234567,"device_os":"WINDOWS","device_os_version":"Windows 10 x64 SP: 1","device_username":"demouser@demoorg.com","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","mdr_alert":false,"report_id":"oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513","report_name":"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall","report_description":"\n\nThreat:\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\n\nFalse Positives:\nSome environments may 
legitimate use this, but should be rare.\n\nScore:\n85","report_tags":["attack","attackframework","threathunting"],"report_link":"https://attack.mitre.org/wiki/Technique/T1218","ioc_id":"b4ee93fc-ec58-436a-a940-b4d33a613513-0","ioc_hit":"((process_name:InfDefaultInstall.exe)) -enriched:true","watchlists":[{"id":"9x0timurQkqP7FBKX4XrUw","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-0114761e-00002ae4-00000000-19db1ded53e8000","process_pid":10980,"process_name":"infdefaultinstall.exe","process_sha256":"1a2345cd88666a458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774","process_md5":"12c34567894a49f13193513b0138f72a9","process_effective_reputation":"LOCAL_WHITE","process_reputation":"NOT_LISTED","process_cmdline":"InfDefaultInstall.exe C:\\Users\\username\\userdir\\Infdefaultinstall.inf","process_username":"DEMO\\DEMOUSER","process_signatures":[{"certificate_authority":"Demo Code Signing CA - G2","publisher":"Demo Test Authority"}],"childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"LOW","ml_classification_org_prevalence":"LOW"}