Alert
/api/v1/soc/alertsA detection from a security tool.
listgetacknowledgeescalateSchema
| Field | Type | Notes |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | frontend | backend | server | system | apiWhere the write originated. Defaults to 'api'. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| title | string | Short title of the alert. |
| description | string | Detailed description of the alert. |
| severity | string | Severity level of the alert. |
| status | string | Current lifecycle status of the alert. |
| verdict | string | Analyst verdict for this alert. |
| source_alert | string | Connector id or name that raised this alert. |
| source_id | string | Connector-side event or alert identifier. |
| timestamp | date-time | ISO 8601 timestamp when the alert event occurred. |
| mitre_tactic | string | MITRE ATT&CK tactic ID. |
| mitre_technique | string | MITRE ATT&CK technique ID. |
| kill_chain_phase | string | Kill chain phase label. |
| host | json | Host that generated the alert. |
| user | json | User context associated with the alert. |
| indicators | json | Threat indicators (IOCs) associated with this alert. |
| related_alert_ids | json | IDs of correlated alerts. |
| related_finding_ids | json | IDs of forensic artefacts related to this alert. |
| assignee_id | string | ID of the analyst assigned to this alert. |
| investigation_id | string | ID of the Investigation this alert has been grouped into. |
| playbook_run_ids | json | IDs of automated playbook runs triggered by this alert. |
| ticket_ref | json | External ticketing system reference. |
| raw_data | json | Original connector payload preserved for forensic purposes. |
| tags | json | Free-form tags for filtering. |
API
client.soc.alerts.*Loading manifest…