Get Alert

Retrieve detailed information about a specific alert including matched log and enrichment.

Endpoint

GET /api/alerts/{id}
For API keys:
GET /api/external/alerts/{id}

Authentication

Requires JWT token or API key with read permissions.

Path Parameters

Parameter   Type     Description
id          string   Alert UUID

Example Request

curl -H "Authorization: Bearer chad_ak_xxxxx..." \
  https://chad.example.com/api/external/alerts/alert-abc-123

Response

{
  "id": "alert-abc-123",
  "rule_id": "rule-def-456",
  "rule_title": "Failed Login Attempt",
  "severity": "high",
  "status": "new",
  "created_at": "2024-01-15T14:32:17Z",
  "acknowledged_at": null,
  "resolved_at": null,
  "acknowledged_by": null,
  "resolved_by": null,
  "matched_log": {
    "@timestamp": "2024-01-15T14:32:15Z",
    "event": {
      "code": "4625",
      "action": "logon-failed",
      "outcome": "failure"
    },
    "source": {
      "ip": "192.168.1.50",
      "port": 52431
    },
    "user": {
      "name": "admin",
      "domain": "CORP"
    },
    "host": {
      "name": "DC01",
      "ip": ["10.0.0.5"]
    },
    "winlog": {
      "event_id": 4625,
      "channel": "Security"
    }
  },
  "enrichment": {
    "risk_level": "suspicious",
    "risk_score": 65,
    "iocs": [
      {
        "type": "ip",
        "value": "192.168.1.50",
        "sources": {
          "abuseipdb": {
            "is_public": true,
            "abuse_confidence_score": 25,
            "country_code": "US"
          },
          "greynoise": {
            "noise": false,
            "riot": false
          }
        }
      }
    ],
    "geoip": {
      "source.ip": {
        "country": "United States",
        "city": "New York",
        "asn": 12345,
        "org": "Example ISP"
      }
    }
  },
  "tags": ["attack.credential_access", "attack.t1110"],
  "comments": [
    {
      "id": "comment-xyz",
      "user": "analyst@example.com",
      "text": "Investigating - appears to be brute force attempt",
      "created_at": "2024-01-15T15:00:00Z"
    }
  ],
  "related_alerts": [
    {
      "id": "alert-related-001",
      "rule_title": "Successful Login After Failures",
      "created_at": "2024-01-15T14:35:00Z"
    }
  ]
}

Response Fields

Alert Metadata

Field             Type       Description
id                string     Unique identifier
rule_id           string     Source rule
rule_title        string     Rule name
severity          string     Alert severity
status            string     Current status
created_at        datetime   Detection time
acknowledged_at   datetime   When acknowledged
resolved_at       datetime   When resolved
acknowledged_by   string     Who acknowledged
resolved_by       string     Who resolved

Matched Log

The matched_log object contains the full log document that triggered the alert. Structure depends on your log schema.

Enrichment

Field        Type      Description
risk_level   string    One of unknown, clean, suspicious, malicious
risk_score   integer   Aggregate score from 0 to 100
iocs         array     Extracted IOCs with threat-intelligence (TI) results per source
geoip        object    GeoIP data for IP addresses in the matched log

Comments

Array of investigation comments, each with the user who wrote it and a timestamp.

Related Alerts

Other alerts that may be related to this one (same source, same timeframe).
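As an added example (not the product's own client code), the following takes an alert in the shape documented above and turns its enrichment, tags and related alerts into a triage summary. The sample alert is constructed from the response above; the AbuseIPDB threshold and the escalation rule are assumptions, not API behaviour.

```python
# Added example (not the product's own code): triage helper over the Get Alert response shape.
# SAMPLE_ALERT is constructed from the page's example; thresholds and escalation policy are assumed.

SAMPLE_ALERT = {
    "id": "alert-abc-123", "severity": "high", "status": "new",
    "matched_log": {"source": {"ip": "192.168.1.50"},
                    "user": {"name": "admin", "domain": "CORP"}},
    "enrichment": {"risk_level": "suspicious", "risk_score": 65,
                   "iocs": [{"type": "ip", "value": "192.168.1.50",
                             "sources": {"abuseipdb": {"abuse_confidence_score": 25},
                                         "greynoise": {"noise": False, "riot": False}}}]},
    "tags": ["attack.credential_access", "attack.t1110"],
    "related_alerts": [{"id": "alert-related-001", "rule_title": "Successful Login After Failures"}],
}

def mitre_techniques(tags):
    """Turn technique tags such as 'attack.t1110' into 'T1110'; tactic tags are skipped."""
    found = []
    for tag in tags:
        _, _, suffix = tag.partition("attack.")
        if suffix[:1] == "t" and suffix[1:].replace(".", "").isdigit():
            found.append(suffix.upper())
    return found

def flagged_iocs(enrichment, min_abuse=50):
    """IOC values some TI source rates as noteworthy (AbuseIPDB threshold is assumed)."""
    hits = []
    for ioc in enrichment.get("iocs", []):
        src = ioc.get("sources", {})
        abuse = src.get("abuseipdb", {}).get("abuse_confidence_score", 0)
        gn = src.get("greynoise", {})
        # GreyNoise: noise=true is mass-scanning infrastructure, riot=true is known-benign
        if abuse >= min_abuse or (gn.get("noise") and not gn.get("riot")):
            hits.append(ioc["value"])
    return hits

def triage(alert):
    """Summarise one alert and decide whether it should leave the 'new' queue."""
    log, enr = alert.get("matched_log", {}), alert.get("enrichment") or {}
    user = log.get("user", {})
    summary = {
        "principal": f"{user.get('domain', '')}\\{user.get('name', '?')}".lstrip("\\"),
        "source_ip": log.get("source", {}).get("ip"),
        "techniques": mitre_techniques(alert.get("tags", [])),
        "flagged_iocs": flagged_iocs(enr),
        "related": [r["id"] for r in alert.get("related_alerts", [])],
    }
    # Assumed policy: escalate on a TI hit, a suspicious/malicious verdict, or a related alert
    summary["escalate"] = bool(summary["flagged_iocs"] or summary["related"]
                               or enr.get("risk_level") in ("suspicious", "malicious"))
    return summary
```

Feed `triage()` the parsed JSON from the endpoint (for example `response.json()` from the Python snippet below) to run it against live alerts.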

Error Responses

404 Not Found

{
  "detail": "Alert not found"
}

401 Unauthorized

{
  "detail": "Could not validate credentials"
}

Code Examples

Python

import requests

BASE_URL = "https://chad.example.com"   # your chad instance
API_KEY = "chad_ak_xxxxx..."            # API key with read permissions

response = requests.get(
    f"{BASE_URL}/api/external/alerts/alert-abc-123",
    headers={"Authorization": f"Bearer {API_KEY}"},
    timeout=10,
)

if response.ok:
    alert = response.json()

    print(f"Alert: {alert['rule_title']}")
    print(f"Status: {alert['status']}")
    print(f"Severity: {alert['severity']}")

    # Check enrichment (may be absent if no enrichment ran for this alert)
    if alert.get('enrichment'):
        print(f"Risk Level: {alert['enrichment']['risk_level']}")
        print(f"Risk Score: {alert['enrichment']['risk_score']}")

    # Show matched log excerpt; field layout depends on your log schema
    log = alert['matched_log']
    print(f"Source IP: {log.get('source', {}).get('ip', 'unknown')}")
    print(f"User: {log.get('user', {}).get('name', 'unknown')}")
else:
    # 401 and 404 return a JSON body with a "detail" field (see Error Responses)
    print(f"Request failed ({response.status_code}): {response.text}")

JavaScript

const response = await fetch(
  'https://chad.example.com/api/external/alerts/alert-abc-123',
  {
    headers: {
      'Authorization': 'Bearer chad_ak_xxxxx...'
    }
  }
);

// 401 and 404 return a JSON body with a "detail" field (see Error Responses)
if (!response.ok) {
  const { detail } = await response.json();
  throw new Error(`Request failed (${response.status}): ${detail}`);
}

const alert = await response.json();

console.log(`Alert: ${alert.rule_title}`);
console.log(`Risk: ${alert.enrichment?.risk_level || 'unknown'}`);
console.log(`Log: ${JSON.stringify(alert.matched_log, null, 2)}`);