Update alert properties including status, notes, and tags.
Update Alert Status
Update the status of one or more alerts.
Request Body
alertIds: Array of alert IDs to update
status: New status code (1=Auto Review, 2=Open, 3=In Progress, 4=Completed, 5=Incident Created)
statusObservation: Notes describing the status change
addFalsePositiveTag: Whether to add a false positive tag (only applicable when status=4)
curl -X POST https://your-utmstack-instance.com/api/utm-alerts/status \
-H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..." \
-H "Content-Type: application/json" \
-d '{
"alertIds": ["abc123", "def456"],
"status": 3,
"statusObservation": "Investigating suspicious activity",
"addFalsePositiveTag": false
}'
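The request above can be validated before it is sent. The following is an added example, not part of the UTMStack documentation or code base: it checks the status code against the list above and refuses `addFalsePositiveTag` unless the status is 4. The helper name `build_status_update`, the `AlertStatus` enum, and the rule that an empty observation is rejected are assumptions made for illustration (the last is a local policy, not a documented API requirement).

```python
import json
import urllib.request
from enum import IntEnum

BASE_URL = "https://your-utmstack-instance.com"  # placeholder host used on this page

class AlertStatus(IntEnum):
    # Status codes as listed in the request body description above
    AUTO_REVIEW = 1
    OPEN = 2
    IN_PROGRESS = 3
    COMPLETED = 4
    INCIDENT_CREATED = 5

def build_status_update(token, alert_ids, status, observation, false_positive=False):
    """Validate the arguments and return an unsent POST request (hypothetical helper)."""
    if not alert_ids or not all(isinstance(a, str) and a for a in alert_ids):
        raise ValueError("alertIds must be a non-empty list of non-empty strings")
    try:
        status = AlertStatus(status)
    except ValueError:
        raise ValueError(f"unknown status code: {status!r}") from None
    # The page limits addFalsePositiveTag to status=4, so reject it for any other status.
    if false_positive and status is not AlertStatus.COMPLETED:
        raise ValueError("addFalsePositiveTag only applies when status=4 (Completed)")
    # Local policy (assumption, not an API rule): every change carries an explanation.
    if not observation or not observation.strip():
        raise ValueError("statusObservation must not be empty")
    body = {
        "alertIds": list(alert_ids),
        "status": int(status),
        "statusObservation": observation.strip(),
        "addFalsePositiveTag": bool(false_positive),
    }
    return urllib.request.Request(
        f"{BASE_URL}/api/utm-alerts/status",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )

if __name__ == "__main__":
    # Constructed sample values; the request is built and printed, not sent.
    req = build_status_update("TOKEN_PLACEHOLDER", ["abc123", "def456"], 4,
                              "User confirmed legitimate VPN access", false_positive=True)
    print(req.get_method(), req.full_url, req.data.decode("utf-8"))
```

Pass the returned object to `urllib.request.urlopen` to send it once the token and host are real.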
Update Alert Notes
Add or update notes for a specific alert.
Query Parameters
alertId: The ID of the alert to update
Request Body
Plain text string containing the notes.
curl -X POST "https://your-utmstack-instance.com/api/utm-alerts/notes?alertId=abc123" \
-H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..." \
-H "Content-Type: text/plain" \
-d "User confirmed this was legitimate activity. Closing as false positive."
Update Alert Tags
Add or update tags for one or more alerts.
Request Body
alertIds: Array of alert IDs to tag
tags: Array of tag names to apply
createRule: Whether to create an automatic tagging rule based on these tags
curl -X POST https://your-utmstack-instance.com/api/utm-alerts/tags \
-H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..." \
-H "Content-Type: application/json" \
-d '{
"alertIds": ["abc123", "def456"],
"tags": ["false-positive", "vpn-access"],
"createRule": false
}'
Convert to Incident
Convert one or more alerts into an incident for investigation.
Request Body
eventIds: Array of alert/event IDs to include in the incident
incidentName: Name for the new incident
ID of existing incident to add alerts to (optional)
incidentSource: Source/origin of the incident
curl -X POST https://your-utmstack-instance.com/api/utm-alerts/convert-to-incident \
-H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..." \
-H "Content-Type: application/json" \
-d '{
"eventIds": ["abc123", "def456", "ghi789"],
"incidentName": "Potential Ransomware Attack",
"incidentSource": "SOC Analysis"
}'