Bulk Update Alerts
POST {{cb_url}}/api/v1/alerts
Updating alerts requires an API key with Global Administrator privileges. Multiple alerts can be updated in bulk using the same call.
The only property that can be modified in a threat report is the `is_ignored` property. By setting `is_ignored` to `True` for a threat report, any further hits on IOCs contained within that report will no longer trigger an Alert.
Payload
To modify multiple alerts at once, either specify the list of Alert IDs in the `ids` key (`alert_ids` in the example body below), or submit a query (using the URL-encoded version of the query string) in the `query` string.
Specify the operation to perform by using the `set_ignored`, `requested_status`, or `assigned_to` keys. If the `assigned_to` key is present, then `requested_status` should be provided as well.
The possible values for `requested_status` are `Resolved`, `Unresolved`, `In Progress`, or `False Positive`.
Request Body
```json
{
  "query": "cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10",
  "alert_ids": ["id1", "id2"],
  "requested_status": "Resolved",
  "set_ignored": true,
  "assigned_to": "ahnold"
}
```
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Content-Type | string | | |
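The following Python example is added here and is not code from the Carbon Black documentation or product. It assembles and validates the bulk-update body described above (exactly one of the ID list or a query selects the alerts, `assigned_to` is only accepted together with `requested_status`, `requested_status` is restricted to the four listed values, and the query string is URL-encoded before it is sent) and then posts it to `{{cb_url}}/api/v1/alerts`. The `X-Auth-Token` header name and the `application/json` content type are assumptions not stated on this page; the `send_bulk_update` function and its `opener` parameter are this example's own. Because the API key must carry Global Administrator privileges, the example reads it from an environment variable instead of embedding it in code and refuses to send it over plain HTTP.

```python
"""Build, validate and send a bulk alert update for the /api/v1/alerts endpoint."""
import json
import os
import urllib.parse
import urllib.request

# The four requested_status values listed in the documentation.
VALID_STATUSES = ("Resolved", "Unresolved", "In Progress", "False Positive")


def encode_query(query):
    """URL-encode a raw alert query string (e.g. a space becomes %20).

    Already-encoded input round-trips unchanged, so callers may pass either form.
    """
    pairs = urllib.parse.parse_qsl(query, keep_blank_values=True)
    return urllib.parse.urlencode(pairs, quote_via=urllib.parse.quote)


def build_bulk_update(*, alert_ids=None, query=None, requested_status=None,
                      set_ignored=None, assigned_to=None):
    """Return the JSON-serialisable request body for POST /api/v1/alerts.

    Enforces the rules from the Payload section before anything is sent.
    """
    if (alert_ids is None) == (query is None):
        raise ValueError("select alerts with exactly one of alert_ids or query")
    if requested_status is None and set_ignored is None and assigned_to is None:
        raise ValueError("no operation: give set_ignored, requested_status or assigned_to")
    if assigned_to is not None and requested_status is None:
        raise ValueError("assigned_to requires requested_status")
    if requested_status is not None and requested_status not in VALID_STATUSES:
        raise ValueError(f"requested_status must be one of {VALID_STATUSES}")

    body = {}
    if alert_ids is not None:
        body["alert_ids"] = [str(i) for i in alert_ids]
    else:
        body["query"] = encode_query(query)
    if requested_status is not None:
        body["requested_status"] = requested_status
    if set_ignored is not None:
        body["set_ignored"] = bool(set_ignored)
    if assigned_to is not None:
        body["assigned_to"] = assigned_to
    return body


def send_bulk_update(cb_url, api_token, body, opener=urllib.request.urlopen):
    """POST the body to {cb_url}/api/v1/alerts and return (status, response bytes).

    Assumption (not on this page): the server expects the API key in an
    X-Auth-Token header and a JSON content type. `opener` is injectable so the
    request can be captured in tests without network access.
    """
    if not cb_url.lower().startswith("https://"):
        # The token grants Global Administrator rights; never send it in clear text.
        raise ValueError("cb_url must use https://")
    req = urllib.request.Request(
        cb_url.rstrip("/") + "/api/v1/alerts",
        data=json.dumps(body).encode("utf-8"),
        headers={"X-Auth-Token": api_token, "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Demo: resolve and assign two alerts. Constructed IDs; the token comes from
    # the environment so it is never committed alongside this script.
    demo = build_bulk_update(alert_ids=["id1", "id2"], requested_status="Resolved",
                             set_ignored=True, assigned_to="ahnold")
    print(json.dumps(demo, indent=2))
    token = os.environ.get("CB_API_TOKEN")
    server = os.environ.get("CB_URL")  # e.g. https://cbserver.example (placeholder)
    if token and server:
        print(send_bulk_update(server, token, demo))
```

Run it with `CB_URL` and `CB_API_TOKEN` set to perform the call; without them it only prints the body it would send, which is a convenient way to review a bulk change before it touches alert state.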