Bulk Update Alerts
POST {{cb_url}}/api/v1/alerts
Updating alerts requires an API key with Global Administrator privileges. Multiple alerts can be updated in bulk with a single call.
The only property that can be modified in a threat report is the is_ignored property. By setting is_ignored to True for a threat report, any further hits on IOCs contained within that report will no longer trigger an Alert.
Payload
To modify multiple alerts at once, either list the Alert IDs in the alert_ids list, or submit a search query (the URL-encoded form of the query string) in the query key; the Request Body below shows both.
Specify the operation to perform with the set_ignored, requested_status, or assigned_to keys. If the assigned_to key is present, then requested_status should be provided as well.
The possible values for requested_status are Resolved, Unresolved, In Progress, or False Positive.
Request Body
```json
{
  "query": "cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10",
  "alert_ids": ["id1", "id2"],
  "requested_status": "Resolved",
  "set_ignored": true,
  "assigned_to": "ahnold"
}
```
HEADERS
| Key | Datatype | Required | Description |
|---|---|---|---|
| Content-Type | string | | application/json (the request body is JSON) |
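As an added example (not code from the original documentation or from the product), the following Python helper URL-encodes an alert query the way the Request Body above shows it, builds the POST body while enforcing the rules stated on this page (alert_ids or query; valid requested_status; assigned_to needs requested_status), and sends it. The X-Auth-Token header name and the api_token parameter are assumptions not stated on this page.

```python
import json
import urllib.request
from urllib.parse import quote, urlencode

# requested_status values allowed by this endpoint, as listed above.
VALID_STATUSES = {"Resolved", "Unresolved", "In Progress", "False Positive"}


def encode_alert_query(params):
    # quote_via=quote encodes spaces as %20 (matching sort=alert_severity%20desc
    # in the page's example) instead of the '+' that urlencode uses by default.
    return urlencode(params, quote_via=quote)


def build_bulk_update(alert_ids=None, query=None, requested_status=None,
                      set_ignored=None, assigned_to=None):
    # Target alerts by ID list and/or by an already URL-encoded query string.
    if not alert_ids and not query:
        raise ValueError("specify alert_ids or query")
    if requested_status is not None and requested_status not in VALID_STATUSES:
        raise ValueError(f"invalid requested_status: {requested_status!r}")
    # The page requires requested_status whenever assigned_to is present.
    if assigned_to is not None and requested_status is None:
        raise ValueError("assigned_to requires requested_status")
    if requested_status is None and set_ignored is None:
        raise ValueError("no operation given (set_ignored or requested_status)")

    body = {}
    if query:
        body["query"] = query
    if alert_ids:
        body["alert_ids"] = list(alert_ids)
    if requested_status is not None:
        body["requested_status"] = requested_status
    if set_ignored is not None:
        # set_ignored=True suppresses future alerts for the matched reports'
        # IOCs, so keep the query or ID list as narrow as possible.
        body["set_ignored"] = bool(set_ignored)
    if assigned_to is not None:
        body["assigned_to"] = assigned_to
    return body


def post_bulk_update(cb_url, api_token, body):
    # Assumed: the server reads the Global Administrator key from X-Auth-Token.
    req = urllib.request.Request(
        f"{cb_url.rstrip('/')}/api/v1/alerts",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": api_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

A typical call is `post_bulk_update(cb_url, token, build_bulk_update(query=encode_alert_query({...}), requested_status="Resolved"))`; resolving by query rather than by ID list is where an over-broad query does the most damage, so preview the query in the console first.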