/api/alertsQuery stored alerts
With `q`, runs a full-text search (monitorName / triggerName / ruleNames / iocValue) against the app's own OpenSearch index. Without `q`, returns the most recent alerts straight from Postgres.
Query parameters
qstringtypeenumDETECTORTHREAT_INTELCORRELATIONseverityenumCRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWNsizeintegeroffsetintegerPagination offset — Postgres path (no `q`) only.
fromintegerreceivedAt window start (epoch ms, inclusive) — Postgres path only.
tointegerreceivedAt window end (epoch ms, exclusive) — Postgres path only.
tenantstringExact tenant_id (from the raw OCSF docs' provenance, `tenantIds`) — Postgres path only. Discover values via /api/alerts/stats `byTenant`.
vendorstringExact vendor_name (e.g. CrowdStrike / SentinelOne / AWS, from `vendorNames`) — Postgres path only. Discover values via /api/alerts/stats `byVendor`.
Responses
sourceenumrequiredpostgresopensearchcountnumberrequiredtotalnumberPostgres path only.
offsetnumberPostgres path only.
alertsAlert[]requiredidstringscorenumberFull-text relevance score — present only on /api/alerts?q= (opensearch source) hits.
typeenumDETECTORTHREAT_INTELCORRELATIONosIdstringAlert/finding id in the SAP indices
monitorIdstringmonitorNamestringtriggerIdstringtriggerNamestringdetectorTypestringseverityenumCRITICALHIGHMEDIUMLOWINFORMATIONALUNKNOWNseverityRawstringstateenumACTIVEACKNOWLEDGEDCOMPLETEDERRORDELETEDUNKNOWNiocValuestringiocTypestringcorrelationScorenumberfindingIdsstring[]relatedDocIdsstring[]ruleNamesstring[]mitreTacticsstring[]mitreTechniquesstring[]tenantIdsstring[]tenant_id values lifted out of the raw OCSF docs at ingest (AWS-sourced docs carry none, so this may be empty).
vendorNamesstring[]metadata.product.vendor_name values from the raw OCSF docs (e.g. CrowdStrike / SentinelOne / AWS).
rawPayloadanyExactly what OpenSearch posted (Mustache-rendered body).
enrichmentanyEverything fetched from OpenSearch at ingest (findings, raw OCSF docs, IOC details, correlations). Null if enrichment failed/was skipped.
enrichmentOkbooleanenrichmentErrstringindexedbooleandedupeKeystringstartTimestring<date-time>receivedAtstring<date-time>createdAtstring<date-time>updatedAtstring<date-time>curl -X GET https://osawebhook.defenderx.sentrixsolution.com/api/alerts?q=string&type=DETECTOR&severity=CRITICALconst res = await fetch("https://osawebhook.defenderx.sentrixsolution.com/api/alerts", {
method: "GET"
});
const data = await res.json();{
"source": "postgres",
"count": 0,
"total": 0,
"offset": 0,
"alerts": [
{
"id": "string",
"score": 0,
"type": "DETECTOR",
"osId": "string",
"monitorId": "string",
"monitorName": "string",
"triggerId": "string",
"triggerName": "string"
}
]
}