Bulk Update Alerts

POST {{cb_url}}/api/v1/alerts

Updating alerts requires an API key with Global Administrator privileges. Multiple alerts can be updated in bulk using the same call.

The only property that can be modified in a threat report is the is_ignored property. By setting is_ignored to True for a threat report, any further hits on IOCs contained within that report will no longer trigger an Alert.

Payload

To modify multiple alerts at once, either specify the list of Alert IDs in the ids dictionary, or submit a query (using the URL-encoded version of the query string) in the query string.

Specify the operation to perform by using either the set_ignored, requested_status, or assigned_to keys. If the assigned_to key is present, then the requested_status should be provided as well.

The possible values for requested_status are Resolved, Unresolved, In Progress, or False Positive.


Request Body

{
  "query": "cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10",
  "alert_ids": ["id1", "id2"],
  "requested_status": "Resolved",
  "set_ignored": true,
  "assigned_to": "ahnold"
}
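The following is an added example (not part of this page or of the vendor's own client library) that builds the request body above, enforces the payload rules stated on this page before anything is sent, and posts it with the standard library. It assumes the API key is passed in an X-Auth-Token header, which this page does not state.

```python
import json
import urllib.parse
import urllib.request

# The four states this endpoint accepts for requested_status.
ALLOWED_STATUSES = ("Resolved", "Unresolved", "In Progress", "False Positive")


def alert_query(status="unresolved", sort="alert_severity desc", rows=10):
    """Build the URL-encoded query string used in the page's request body."""
    fields = [("cb.urlver", 1), ("cb.fq.status", status), ("sort", sort), ("rows", rows)]
    # quote (not quote_plus) so the space becomes %20 as in the page's example
    return urllib.parse.urlencode(fields, quote_via=urllib.parse.quote)


def validation_error(alert_ids=None, query=None, requested_status=None,
                     set_ignored=None, assigned_to=None):
    """Return why the update is invalid under this page's rules, or None if it is fine."""
    if not alert_ids and not query:
        return "select alerts with alert_ids or a query"
    if requested_status is None and set_ignored is None and assigned_to is None:
        return "no operation: give requested_status, set_ignored or assigned_to"
    if assigned_to is not None and requested_status is None:
        return "assigned_to requires requested_status"
    if requested_status is not None and requested_status not in ALLOWED_STATUSES:
        return "requested_status must be one of %s" % ", ".join(ALLOWED_STATUSES)
    return None


def build_bulk_update(alert_ids=None, query=None, requested_status=None,
                      set_ignored=None, assigned_to=None):
    """Return the JSON body for POST /api/v1/alerts, or raise ValueError."""
    kwargs = dict(alert_ids=alert_ids, query=query, requested_status=requested_status,
                  set_ignored=set_ignored, assigned_to=assigned_to)
    err = validation_error(**kwargs)
    if err:
        raise ValueError(err)
    # Keep only the keys that were actually given (set_ignored=False is still sent).
    return {k: v for k, v in kwargs.items() if v is not None and v != []}


def bulk_update_alerts(cb_url, api_token, body, opener=urllib.request.urlopen):
    """POST the body. Assumption: the API key travels in X-Auth-Token (not stated
    on this page). opener is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        cb_url.rstrip("/") + "/api/v1/alerts", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-Auth-Token": api_token},
        method="POST")
    with opener(req) as resp:
        return json.load(resp)
```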

HEADERS

Key           Datatype   Required   Description
Content-Type  string