topic Re: How to pass a filter to the Alerts API call with a post in Prisma Cloud Discussions

How to pass a filter to the Alerts API call with a post

CBarichello — Wed, 01 Nov 2023 20:10:49 GMT

I am attempting to get back a list of alerts with a status of resolved, but the filter is not working for me. Any ideas? I get back items, but they don't always have a status of resolved. Sometimes they do, sometimes the status is open, etc. See code below.

url2="https://api2.prismacloud.io/alert?detailed=true"

api_key="my token goes here"

json_body='{

"limit": "3",

"filters": [

{

"status": "resolved"

}

]

curl -X POST $url2 -H "Content-Type: application/json" -H "Accept: */*" -H "x-redlock-auth: $api_key" -d "$json_body"

Re: How to pass a filter to the Alerts API call with a post

JNeytchev — Thu, 02 Nov 2023 19:45:16 GMT

Hi CBarichello,

You are on the right path. You are missing a filter that would inform the API as to how far back to query for alerts. Here I am querying for resolved alerts from the last 3 hours via v2 POST:

# Get a 10 minute token token=$(curl -X POST https://api2.prismacloud.io/login -H 'Content-Type: application/json' -d '{"username":"'$PRISMA_ACCESS_KEY_ID'","password":"'$PRISMA_SECRET_KEY'"}' | jq -r '.token') # Body of the POST body='{"detailed":"true","timeRange":{"type":"relative","value":{"amount":3,"unit":"hour"}},"filters":[{"name":"alert.status","operator":"=","value":"resolved"}]}' curl -L -X POST 'https://api2.prismacloud.io/v2/alert?detailed=true' -H 'Content-Type: application/json; charset=UTF-8' -H 'Accept: */*' -H 'x-redlock-auth: '$token --data-raw "$body" # Same thing via v2 GET curl -L -X GET 'https://api2.prismacloud.io/v2/alert?timeType=relative&timeAmount=3&timeUnit=hour&detailed=true&alert.status=resolved' -H 'Accept: */*' -H 'x-redlock-auth: '$token

All info can be found the developer documentation https://pan.dev/prisma-cloud/api/cspm/post-alerts-v-2/

Hope this helps.

Re: How to pass a filter to the Alerts API call with a post

CBarichello — Thu, 02 Nov 2023 20:26:56 GMT

Thanks for the detailed information. After reading your post, I changed my code from

-d '{"limit":"3","filters":[{"status":"resolved"}]}'

d '{"limit":"3","filters":[{"name":"alert.status","operator":"=","value":"resolved"}]}'

It works great now.