read

OSA Webhook API

GET/api/alerts

Query stored alerts

With `q`, runs a full-text search (monitorName / triggerName / ruleNames / iocValue) against the app's own OpenSearch index. Without `q`, returns the most recent alerts straight from Postgres.

Query parameters

qstring
typeenum
DETECTORTHREAT_INTELCORRELATION
severityenum
CRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWN
sizeinteger
offsetinteger

Pagination offset — Postgres path (no `q`) only.

frominteger

receivedAt window start (epoch ms, inclusive) — Postgres path only.

tointeger

receivedAt window end (epoch ms, exclusive) — Postgres path only.

tenantstring

Exact tenant_id (from the raw OCSF docs' provenance, `tenantIds`) — Postgres path only. Discover values via /api/alerts/stats `byTenant`.

vendorstring

Exact vendor_name (e.g. CrowdStrike / SentinelOne / AWS, from `vendorNames`) — Postgres path only. Discover values via /api/alerts/stats `byVendor`.

Responses

200 Matching alerts, most recent first. The Postgres path (no `q`) also returns `total` (count for the same filter) and `offset` for honest paging.400 Unknown type/severity value
sourceenumrequired
postgresopensearch
countnumberrequired
totalnumber

Postgres path only.

offsetnumber

Postgres path only.

alertsAlert[]required
idstring
scorenumber

Full-text relevance score — present only on /api/alerts?q= (opensearch source) hits.

typeenum
DETECTORTHREAT_INTELCORRELATION
osIdstring

Alert/finding id in the SAP indices

monitorIdstring
monitorNamestring
triggerIdstring
triggerNamestring
detectorTypestring
severityenum
CRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWN
severityRawstring
stateenum
ACTIVEACKNOWLEDGEDCOMPLETEDERRORDELETEDUNKNOWN
iocValuestring
iocTypestring
correlationScorenumber
findingIdsstring[]
relatedDocIdsstring[]
ruleNamesstring[]
mitreTacticsstring[]
mitreTechniquesstring[]
tenantIdsstring[]

tenant_id values lifted out of the raw OCSF docs at ingest (AWS-sourced docs carry none, so this may be empty).

vendorNamesstring[]

metadata.product.vendor_name values from the raw OCSF docs (e.g. CrowdStrike / SentinelOne / AWS).

rawPayloadany

Exactly what OpenSearch posted (Mustache-rendered body).

enrichmentany

Everything fetched from OpenSearch at ingest (findings, raw OCSF docs, IOC details, correlations). Null if enrichment failed/was skipped.

enrichmentOkboolean
enrichmentErrstring
indexedboolean
dedupeKeystring
startTimestring<date-time>
receivedAtstring<date-time>
createdAtstring<date-time>
updatedAtstring<date-time>
cURL
curl -X GET https://osawebhook.defenderx.sentrixsolution.com/api/alerts?q=string&type=DETECTOR&severity=CRITICAL
JavaScript
const res = await fetch("https://osawebhook.defenderx.sentrixsolution.com/api/alerts", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "source": "postgres",
  "count": 0,
  "total": 0,
  "offset": 0,
  "alerts": [
    {
      "id": "string",
      "score": 0,
      "type": "DETECTOR",
      "osId": "string",
      "monitorId": "string",
      "monitorName": "string",
      "triggerId": "string",
      "triggerName": "string"
    }
  ]
}
GET/api/alerts/stats

Aggregate alert counts

Postgres aggregation with the same filters as the list endpoint: `total` plus per-type and per-severity breakdowns. Use this for KPI tiles — a size-capped list cannot report true totals.

Query parameters

typeenum
DETECTORTHREAT_INTELCORRELATION
severityenum
CRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWN
frominteger

receivedAt window start (epoch ms, inclusive).

tointeger

receivedAt window end (epoch ms, exclusive).

tenantstring

Exact tenant_id — same semantics as the list endpoint.

vendorstring

Exact vendor_name — same semantics as the list endpoint.

Responses

200 Counts for the filtered set400 Unknown type/severity value
totalnumberrequired
byTypeobjectrequired

AlertType → count (only types present in the set).

bySeverityobjectrequired

Severity → count (only severities present in the set).

byTenantobjectrequired

tenant_id → alert count (an alert spanning n tenants counts n times). Also the value list for filter dropdowns.

byVendorobjectrequired

vendor_name → alert count. Also the value list for filter dropdowns.

cURL
curl -X GET https://osawebhook.defenderx.sentrixsolution.com/api/alerts/stats?type=DETECTOR&severity=CRITICAL&from=0
JavaScript
const res = await fetch("https://osawebhook.defenderx.sentrixsolution.com/api/alerts/stats", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "total": 0,
  "byType": null,
  "bySeverity": null,
  "byTenant": null,
  "byVendor": null
}
GET/api/alerts/{id}

Get one stored alert (full detail)

Returns the full row including `rawPayload` and `enrichment`. `id` is matched against the Postgres id (cuid) first, then against the OpenSearch alert/finding id (`osId`) — so both the ids returned by `/api/alerts`/ingest responses and SAP-side ids resolve.

Path parameters

idstringrequired

Postgres alert id (cuid) or OpenSearch alert/finding id (osId).

Responses

200 The alert404 No alert with that id/osId
idstring
scorenumber

Full-text relevance score — present only on /api/alerts?q= (opensearch source) hits.

typeenum
DETECTORTHREAT_INTELCORRELATION
osIdstring

Alert/finding id in the SAP indices

monitorIdstring
monitorNamestring
triggerIdstring
triggerNamestring
detectorTypestring
severityenum
CRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWN
severityRawstring
stateenum
ACTIVEACKNOWLEDGEDCOMPLETEDERRORDELETEDUNKNOWN
iocValuestring
iocTypestring
correlationScorenumber
findingIdsstring[]
relatedDocIdsstring[]
ruleNamesstring[]
mitreTacticsstring[]
mitreTechniquesstring[]
tenantIdsstring[]

tenant_id values lifted out of the raw OCSF docs at ingest (AWS-sourced docs carry none, so this may be empty).

vendorNamesstring[]

metadata.product.vendor_name values from the raw OCSF docs (e.g. CrowdStrike / SentinelOne / AWS).

rawPayloadany

Exactly what OpenSearch posted (Mustache-rendered body).

enrichmentany

Everything fetched from OpenSearch at ingest (findings, raw OCSF docs, IOC details, correlations). Null if enrichment failed/was skipped.

enrichmentOkboolean
enrichmentErrstring
indexedboolean
dedupeKeystring
startTimestring<date-time>
receivedAtstring<date-time>
createdAtstring<date-time>
updatedAtstring<date-time>
cURL
curl -X GET https://osawebhook.defenderx.sentrixsolution.com/api/alerts/{id}
JavaScript
const res = await fetch("https://osawebhook.defenderx.sentrixsolution.com/api/alerts/{id}", {
  method: "GET"
});
const data = await res.json();
Response 200
{
  "id": "string",
  "score": 0,
  "type": "DETECTOR",
  "osId": "string",
  "monitorId": "string",
  "monitorName": "string",
  "triggerId": "string",
  "triggerName": "string",
  "detectorType": "string",
  "severity": "CRITICAL",
  "severityRaw": "string",
  "state": "ACTIVE"
}
GET/api/openapi.json

This OpenAPI document

Responses

200 OpenAPI 3.1 document (JSON)
cURL
curl -X GET https://osawebhook.defenderx.sentrixsolution.com/api/openapi.json
JavaScript
const res = await fetch("https://osawebhook.defenderx.sentrixsolution.com/api/openapi.json", {
  method: "GET"
});
const data = await res.json();