UTMStack stores alerts in Elasticsearch. Use the Elasticsearch API to retrieve individual alerts by their ID.
Get Alert by ID
To retrieve a specific alert, use the Elasticsearch get endpoint:
GET /api/elasticsearch/{index}/_doc/{alertId}
Where:
{index} is the name of the alert index (alert indices follow the alert-* naming pattern, e.g., alert-2024.01)
{alertId} is the unique alert identifier
curl -X GET https://your-utmstack-instance.com/api/elasticsearch/alert-2024.01/_doc/abc123 \
  -H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..."
{
  "_index": "alert-2024.01",
  "_id": "abc123",
  "_version": 1,
  "_source": {
    "id": "abc123",
    "name": "Suspicious Login Attempt",
    "status": 2,
    "severity": 3,
    "category": "Authentication",
    "timestamp": "2024-01-15T10:30:00Z",
    "dataSource": "Windows Event Logs",
    "dataType": "windows-authentication",
    "tags": ["brute-force", "failed-login"],
    "notes": "Multiple failed login attempts detected",
    "statusObservation": null,
    "destination": {
      "ip": "192.168.1.100",
      "port": 3389
    },
    "source": {
      "ip": "10.0.0.50",
      "user": "admin"
    }
  }
}
Alert Fields
_index: Elasticsearch index containing the alert
_version: Document version (increments on updates)
_source: Alert document containing all alert fields
Source Fields
_source.status: 1=Auto Review, 2=Open, 3=In Progress, 4=Completed, 5=Incident Created
_source.severity: 1=Low, 2=Medium, 3=High, 4=Critical
_source.timestamp: ISO 8601 timestamp when the alert was created
_source.dataType: Type of data source that generated the alert
_source.statusObservation: Notes added when the status was changed
Bulk Retrieval
To retrieve multiple alerts efficiently, use the Elasticsearch multi-get endpoint:
POST /api/elasticsearch/_mget
With a body specifying the alert IDs:
{
  "docs": [
    { "_index": "alert-2024.01", "_id": "abc123" },
    { "_index": "alert-2024.01", "_id": "def456" }
  ]
}
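The following is an added example client, not UTMStack's own code, covering both the single-alert GET above and the _mget bulk retrieval. It assumes only the two endpoints documented on this page and a JWT bearer token; the `send` parameter, the `offline_send` stand-in and the sample responses are constructed for this example so the parsing logic (status and severity decoding, percent-encoding of the alert id, and `"found": false` handling for missing documents) runs offline.

```python
"""Retrieve UTMStack alerts through its Elasticsearch proxy endpoints.

Added example, not UTMStack's own client code. It assumes the endpoints
GET /api/elasticsearch/{index}/_doc/{alertId} and POST /api/elasticsearch/_mget
plus a JWT bearer token. `send` is a hypothetical injection point so the
parsing logic can be exercised offline with constructed responses.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Numeric codes as documented in the alert field tables
STATUS_LABELS = {1: "Auto Review", 2: "Open", 3: "In Progress",
                 4: "Completed", 5: "Incident Created"}
SEVERITY_LABELS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


@dataclass
class Alert:
    alert_id: str
    index: str
    version: int
    name: str
    status: str
    severity: str
    timestamp: str
    data_type: str
    tags: List[str]


def build_get_url(base_url: str, index: str, alert_id: str) -> str:
    """URL for the single-document GET. Index and id are percent-encoded so an
    untrusted id cannot smuggle extra path segments or query parameters."""
    quoted_index = urllib.parse.quote(index, safe="")
    quoted_id = urllib.parse.quote(alert_id, safe="")
    return f"{base_url.rstrip('/')}/api/elasticsearch/{quoted_index}/_doc/{quoted_id}"


def build_mget_body(index: str, alert_ids: List[str]) -> dict:
    """Body for POST /api/elasticsearch/_mget, one doc entry per id."""
    return {"docs": [{"_index": index, "_id": aid} for aid in alert_ids]}


def parse_hit(hit: dict) -> Optional[Alert]:
    """Map one Elasticsearch document response to an Alert. Returns None when
    the document was not found ("found": false), which is how both a 404 from
    _doc and a missing entry in an _mget reply report it."""
    if not hit.get("found", True):
        return None
    src = hit["_source"]
    return Alert(
        alert_id=hit["_id"],
        index=hit["_index"],
        version=hit.get("_version", 0),
        name=src.get("name", ""),
        status=STATUS_LABELS.get(src.get("status"), f"unknown({src.get('status')})"),
        severity=SEVERITY_LABELS.get(src.get("severity"), f"unknown({src.get('severity')})"),
        timestamp=src.get("timestamp", ""),
        data_type=src.get("dataType", ""),
        tags=list(src.get("tags", [])),
    )


def http_json(url: str, token: str, body: Optional[dict] = None) -> dict:
    """Send the request and decode the JSON reply. A 404 is returned, not raised,
    because Elasticsearch answers a missing document with 404 and a JSON body."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="GET" if data is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return json.load(err)  # HTTPError is file-like; body is {"found": false}
        raise


Sender = Callable[[str, str, Optional[dict]], dict]


def get_alert(base_url: str, token: str, index: str, alert_id: str,
              send: Sender = http_json) -> Optional[Alert]:
    return parse_hit(send(build_get_url(base_url, index, alert_id), token, None))


def get_alerts(base_url: str, token: str, index: str, alert_ids: List[str],
               send: Sender = http_json) -> Dict[str, Optional[Alert]]:
    """Bulk fetch. Every requested id appears in the result, with None for ids
    Elasticsearch did not return, so a caller cannot silently miss one."""
    url = f"{base_url.rstrip('/')}/api/elasticsearch/_mget"
    reply = send(url, token, build_mget_body(index, alert_ids))
    parsed = {hit["_id"]: parse_hit(hit) for hit in reply.get("docs", [])}
    return {aid: parsed.get(aid) for aid in alert_ids}


# Constructed responses modelled on the page's example document (not live data)
SAMPLE_GET_RESPONSE = {
    "_index": "alert-2024.01", "_id": "abc123", "_version": 1, "found": True,
    "_source": {"id": "abc123", "name": "Suspicious Login Attempt", "status": 2,
                "severity": 3, "category": "Authentication",
                "timestamp": "2024-01-15T10:30:00Z",
                "dataType": "windows-authentication",
                "tags": ["brute-force", "failed-login"]},
}
SAMPLE_MGET_RESPONSE = {"docs": [
    SAMPLE_GET_RESPONSE,
    {"_index": "alert-2024.01", "_id": "def456", "found": False},
]}


def offline_send(url: str, token: str, body: Optional[dict]) -> dict:
    """Stand-in for http_json that serves the constructed responses above."""
    return SAMPLE_MGET_RESPONSE if url.endswith("/_mget") else SAMPLE_GET_RESPONSE


if __name__ == "__main__":
    base = os.environ.get("UTMSTACK_URL", "https://your-utmstack-instance.com")
    token = os.environ.get("UTMSTACK_TOKEN", "placeholder-token")
    print(get_alert(base, token, "alert-2024.01", "abc123", send=offline_send))
    bulk = get_alerts(base, token, "alert-2024.01", ["abc123", "def456"], send=offline_send)
    for aid, alert in bulk.items():
        print(aid, "->", f"{alert.severity} / {alert.status}" if alert else "not found")
```

Against a live instance, drop the `send=offline_send` argument so `http_json` is used, and supply the base URL and token through the `UTMSTACK_URL` and `UTMSTACK_TOKEN` environment variables rather than hard-coding the bearer token. The `_mget` reply lists every requested id with a `found` flag, so checking that flag, rather than assuming the reply has one entry per request, is what keeps a bulk lookup from silently dropping alerts that were deleted or live in another index.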