{"paths":{"/v2/search":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/TriggeredQueryParameter"},{"$ref":"#/components/parameters/AssigneeQueryParameter"},{"$ref":"#/components/parameters/StatusQueryParameter"},{"$ref":"#/components/parameters/AlertRuleQueryParameter"},{"$ref":"#/components/parameters/FreetextQueryParameter"},{"$ref":"#/components/parameters/LimitQueryParameter"},{"$ref":"#/components/parameters/OffsetQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"},{"$ref":"#/components/parameters/OrderByQueryParameter"},{"$ref":"#/components/parameters/DirectionQueryParameter"}],"summary":"Search for alerts","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertSearchResponseV2"}}}}},"description":"Search for alerts based on a set of filters.\n","tags":["Alert (deprecated)"]}},"/v2/search/details":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/TriggeredQueryParameter"},{"$ref":"#/components/parameters/AssigneeQueryParameter"},{"$ref":"#/components/parameters/StatusQueryParameter"},{"$ref":"#/components/parameters/AlertRuleQueryParameter"},{"$ref":"#/components/parameters/FreetextQueryParameter"},{"$ref":"#/components/parameters/LimitQueryParameter"},{"$ref":"#/components/parameters/OffsetQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"},{"$ref":"#/components/parameters/OrderByQueryParameter"},{"$ref":"#/components/parameters/DirectionQueryParameter"}],"summary":"Search for alerts with extra details","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertSearchResponseV2"}}}}},"description":"Search for alerts based on a set of filters. This endpoint includes more data compared to the regular search endpoint.\n","tags":["Alert (deprecated)"]}},"/v3/image":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/ImageIdQueryParameter"}],"summary":"Fetch raw image data","responses":{"200":{"description":"output","content":{"application/octet-stream":{"schema":{"type":"string","format":"binary"}}}}},"description":"Fetch the raw image data of an image tied to an alert.\n","tags":["Alert V3"]}},"/v2/update":{"post":{"security":[{"ApiKeyAuth":[]}],"requestBody":{"description":"Flow configuration","required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertUpdateData"}}}},"summary":"Update one or several alerts","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertUpdateResponse"}}}}},"description":"Updates one or several alerts. It's possible to update assignee, status and a note tied to the triggered alert.\n\nThere are two types of statuses, the recommended \"statusInPortal\" and the legacy \"status\". They are mapped, so changing one will change the other and it is not possible to update both independently.\n","tags":["Alert"]}},"/v3/hits":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/AlertIdsQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"}],"summary":"Fetch a flat collection of hits","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertHitsResponseV3"}}}}},"description":"Returns only a flat array of all hits (the Intelligence Cloud data that caused the alert to trigger) for one or several alerts.\n\nThis endpoint will also include the alert ID and a numeric index for each hits object.\n","tags":["Alert V3"]}},"/v3/{alert_id}":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/AlertIdQueryParameter"},{"$ref":"#/components/parameters/FieldsQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"}],"summary":"Fetch alert by id","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertLookupResponseV3"}}}}},"description":"Fetch an alert by id. \n\nUsing the fields parameter the response can be set to include a set of fields. If no fields parameter is set, all available fields will be included in the response.\n","tags":["Alert V3"]}},"/v2/{alert_id}":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/AlertIdQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"}],"summary":"Fetch alert by id","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertLookupResponseV2"}}}}},"description":"Fetch an alert by id. This endpoint includes all available fields in the response.\n","tags":["Alert (deprecated)"]}},"/v3":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/TriggeredQueryParameter"},{"$ref":"#/components/parameters/AssigneeQueryParameter"},{"$ref":"#/components/parameters/StatusInPortalQueryParameter"},{"$ref":"#/components/parameters/AlertRuleQueryParameter"},{"$ref":"#/components/parameters/FreetextQueryParameter"},{"$ref":"#/components/parameters/LimitQueryParameter"},{"$ref":"#/components/parameters/OffsetQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"},{"$ref":"#/components/parameters/OrderByQueryParameter"},{"$ref":"#/components/parameters/DirectionQueryParameter"},{"$ref":"#/components/parameters/FieldsQueryParameter"}],"summary":"Search for alerts","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertSearchResponseV3"}}}}},"description":"Search for alerts based on a set of filters.\n","tags":["Alert V3"]}},"/v2/rule":{"get":{"security":[{"ApiKeyAuth":[]}],"parameters":[{"$ref":"#/components/parameters/FreetextQueryParameter"},{"$ref":"#/components/parameters/LimitQueryParameter"},{"$ref":"#/components/parameters/TaggedTextQueryParameter"}],"summary":"Search for alert rules.","responses":{"200":{"description":"output","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRuleSearchResponseV2"}}}}},"description":"Search for alert rules based on a set of filters.\n","tags":["Alert"]}}},"openapi":"3.1.1","info":{"title":"Alert API","version":"3.0.0","description":"The Alert API allows for interacting with Recorded Future Alerts and Alert rules.\n\nPlease read the [documentation](https://docs.recordedfuture.com/reference/get_v3#/) before using this API.\n","x-rf-service-id":"service:alert-api"},"components":{"parameters":{"LimitQueryParameter":{"description":"Maximum number of items to include\n","schema":{"format":"int32","maximum":1000,"default":10,"minimum":1,"type":"integer"},"required":false,"name":"limit","in":"query"},"TaggedTextQueryParameter":{"description":"Include text tags","schema":{"type":"boolean","default":false},"required":false,"name":"taggedText","in":"query"},"FreetextQueryParameter":{"description":"Filter by any text.\n","schema":{"type":"string"},"required":false,"name":"freetext","in":"query"},"TriggeredQueryParameter":{"description":"The triggered time itself has millisecond precision, but can be searched for using parameters of higher granularity on the form [x, y], which is interpreted as beginning of x until end of y.\n\nFor example:\n* [2024-08-01, 2024-08-14] matches alerts triggered since beginning of 2024-08-01 to end of 2023-08-14\n* [2024-09-23 12:02, 2024-09-23 12:03] matches alerts triggered since beginning of 12:02 to end of 12:03, for example including an alert with triggered: 12:03:58.567\n\nThe format of the time is either 2024-09-23 12:03:58.000 or 2024-09-23T12:03:58.000Z (the T and Z are optional). The precision used can range from a year down to milliseconds. On the form [x, y], x and y should have the same level of precision (e.g. date, minutes, milliseconds).\nRelative time expressions are also supported, such as -2d, which means two days prior to today and yesterday. As with absolute time references, both ends of the range still need to be specified. For example, to search for alerts that fired within the last 24 hrs, use triggered = [-24h,].\nOpen-ended ranges is allowed, but will only exclude one single millisecond compared to a closed-ended range, and therefore only make sense to use when filtering on millisecond precision.\n\nFor example:\n- [2024-09-23 12:03:58.000, 2024-09-23 12:03:58.567) will match an alert triggered at 12:03:58.567 but not an alert triggered at 12:03:58.568.\n","schema":{"type":"string","example":"2026-01-01"},"required":false,"name":"triggered","in":"query"},"AlertIdQueryParameter":{"description":"Id of alert to fetch","schema":{"type":"string","example":"5PqsAw"},"required":true,"name":"alert_id","in":"path"},"DirectionQueryParameter":{"description":"Sort direction based on the triggered timestamp","schema":{"type":"string","enum":["asc","desc"],"default":"desc"},"required":false,"name":"direction","in":"query"},"AssigneeQueryParameter":{"description":"Filter by a specific assigned user, using the email address associated with that user account, or use 'NONE' to explicitly match against unassigned alerts.\n","schema":{"type":"string"},"required":false,"name":"assignee","in":"query"},"OffsetQueryParameter":{"description":"Offset search from previous result. The API may only return the first 1000 results, meaning that limit + from cannot exceed 1000.\n","schema":{"type":"integer","format":"int32","minimum":1,"maximum":1000},"required":false,"name":"from","in":"query"},"AlertRuleQueryParameter":{"description":"Filter by alert rule id.\n","schema":{"type":"string"},"required":false,"name":"alertRule","in":"query"},"StatusQueryParameter":{"description":"Filter by review status.\n","schema":{"type":"string","enum":["unassigned","assigned","pending","dismiss","no-action","actionable","tuning"]},"required":false,"name":"status","in":"query"},"StatusInPortalQueryParameter":{"description":"Filter by review status.\n","schema":{"type":"string","enum":["New","Resolved","Pending","Dismissed","Flag for Tuning"]},"required":false,"name":"statusInPortal","in":"query"},"AlertIdsQueryParameter":{"description":"Alert ids separated by comma","schema":{"type":"string","example":"5PqsAw"},"required":true,"name":"ids","in":"query"},"FieldsQueryParameter":{"description":"Fields to include in the response. If no specific fields are requested, all available fields are included in the response.\n\nValues should be separated by comma.\n\nAvailable fields are:\n* ai_insights\n* enriched_entities \n* hits \n* id \n* log \n* owner_organisation_details \n* review\n* rule\n* title\n* triggered_by \n* type\n* url\n","schema":{"type":"string"},"required":false,"name":"fields","in":"query"},"ImageIdQueryParameter":{"description":"Image id","schema":{"type":"string","example":"img:0c11f825-a2ff-454f-aa1a-d7568eaf0a60"},"required":true,"name":"id","in":"query"},"OrderByQueryParameter":{"description":"Sort order","schema":{"type":"string","enum":["triggered"]},"required":false,"name":"orderby","in":"query"}},"schemas":{"AlertSearchResponseV3":{"type":"object","properties":{"data":{"type":"array","items":{"type":"object"}},"counts":{"$ref":"#/components/schemas/Counts"}},"required":["data","counts"]},"AlertUpdateData":{"type":"array","items":{"type":"object","properties":{"assignee":{"type":"string","description":"New assignee. Can be an id, uhash, username or email."},"statusInPortal":{"type":"string","description":"New alert status","enum":["New","Resolved","Pending","Dismissed","Flag for Tuning"]},"id":{"type":"string","description":"Id of the alert to update","example":"FNESDXvojsW"},"note":{"type":"string","description":"New note text"},"status":{"type":"string","description":"New alert status (legacy)","enum":["unassigned","assigned","pending","dismiss","no-action","actionable","tuning"]}},"required":["id"]}},"AlertSearchDetailsResponseV2":{"type":"object","properties":{"data":{"type":"object"}},"required":["data"]},"AlertHitsResponseV3":{"type":"object","properties":{"data":{"type":"array","items":{"type":"object"}}},"required":["data"]},"AlertRuleSearchResponseV2":{"type":"object","properties":{"data":{"type":"object","properties":{"results":{"type":"array","items":{"type":"object"}},"counts":{"$ref":"#/components/schemas/Counts"}},"required":["results","counts"]}},"required":["data"]},"Counts":{"type":"object","properties":{"returned":{"type":"number","example":1},"total":{"type":"number","example":1000}},"required":["returned","total"]},"AlertLookupResponseV2":{"type":"object","properties":{"data":{"type":"object"}},"required":["data"]},"AlertLookupResponseV3":{"type":"object","properties":{"data":{"type":"object"}},"required":["data"]},"AlertUpdateResponse":{"type":"object","properties":{"success":{"type":"array","items":{"type":"object","properties":{"assignee":{"type":"string","description":"Updated assignee"},"statusDate":{"type":"string","format":"date-time","description":"Date of when the alert last had a status update","example":"2025-04-16T13:00:00.000Z"},"reviewDate":{"type":"string","format":"date-time","description":"Date of when the alert was last reviewed","example":"2025-04-16T13:00:00.000Z"},"statusInPortal":{"type":"string","enum":["New","Resolved","Pending","Dismissed","Flag for Tuning"],"description":"Updated status"},"id":{"type":"string","description":"Id of the updated alert","example":"FNESDXvojsW"},"note":{"type":"object","description":"Updated note text","properties":{"text":{"type":"string"},"author":{"type":"string"},"date":{"type":"string","format":"date-time","example":"2025-04-16T13:00:00.000Z"}}},"status":{"type":"string","enum":["unassigned","assigned","pending","dismiss","no-action","actionable","tuning"],"description":"Updated status (legacy)"},"statusChangeBy":{"type":"string","description":"Id of the user that performed the status update"}},"required":["id"]}},"error":{"type":"array","items":{"type":"object","properties":{"id":{"type":"string","description":"Id of the alert that failed to update","example":"FNESDXvojry"},"reason":{"type":"string","description":"Error message why the alert failed to update"},"statusCode":{"type":"integer","format":"int32","description":"Error status code","example":400}}}}}},"AlertSearchResponseV2":{"type":"object","properties":{"data":{"type":"object","properties":{"results":{"type":"array","items":{"type":"object"}},"counts":{"$ref":"#/components/schemas/Counts"}},"required":["results","counts"]}},"required":["data"]}},"securitySchemes":{"ApiKeyAuth":{"description":"API Credential","type":"apiKey","in":"header","name":"X-RFToken"}}},"servers":[{"url":"/alert","x-internal":false}]}