UTMStack stores alerts in Elasticsearch and proxies the Elasticsearch API under its own /api/elasticsearch path. Use that API to retrieve individual alerts by their ID.

Get Alert by ID

To retrieve a specific alert, use the Elasticsearch get endpoint:

GET /api/elasticsearch/{index}/_doc/{alertId}

Where:
  • {index} is the alert index name. Alert indices match the alert-* pattern, but the single-document get only accepts a concrete index such as alert-2024.01; wildcard patterns are not accepted on _doc.
  • {alertId} is the unique alert identifier (the document _id)

Example request, authenticated with a bearer token:

curl -X GET https://your-utmstack-instance.com/api/elasticsearch/alert-2024.01/_doc/abc123 \
  -H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9..."

Example response:
{
  "_index": "alert-2024.01",
  "_id": "abc123",
  "_version": 1,
  "_source": {
    "id": "abc123",
    "name": "Suspicious Login Attempt",
    "status": 2,
    "severity": 3,
    "category": "Authentication",
    "timestamp": "2024-01-15T10:30:00Z",
    "source": "Windows Event Logs",
    "dataType": "windows-authentication",
    "tags": ["brute-force", "failed-login"],
    "notes": "Multiple failed login attempts detected",
    "statusObservation": null,
    "destination": {
      "ip": "192.168.1.100",
      "port": 3389
    },
    "source": {
      "ip": "10.0.0.50",
      "user": "admin"
    }
  }
}

Alert Fields

_index (string): Elasticsearch index containing the alert
_id (string): Unique alert identifier
_version (integer): Document version (increments on updates)
_source (object): Alert document containing all alert fields

Source Fields

_source.id (string): Alert ID
_source.name (string): Alert name/title
_source.status (integer): Status: 1=Auto Review, 2=Open, 3=In Progress, 4=Completed, 5=Incident Created
_source.severity (integer): Severity: 1=Low, 2=Medium, 3=High, 4=Critical
_source.category (string): Alert category
_source.timestamp (string): ISO 8601 timestamp of when the alert was created
_source.dataType (string): Type of data source that generated the alert
_source.tags (array): Array of tag strings
_source.notes (string): Analyst notes
_source.statusObservation (string): Notes added when the status was changed

Bulk Retrieval

To retrieve multiple alerts efficiently, use the Elasticsearch multi-get endpoint:

POST /api/elasticsearch/_mget

With a body specifying the alert IDs:

{
  "docs": [
    { "_index": "alert-2024.01", "_id": "abc123" },
    { "_index": "alert-2024.01", "_id": "def456" }
  ]
}

The response contains a docs array in the same order as the request. Each entry carries a found flag; an ID that does not exist is reported as "found": false rather than as an error, so check that flag before reading _source.
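As an added example (not UTMStack's own code), a small Python helper covering both the single get above and the bulk _mget: it builds the requests, rejects a wildcard index for the _doc call, and decodes the documented status and severity codes while separating found documents from missing IDs. The base URL, token and the sample response are constructed placeholders, not values from a real instance.

```python
"""Helpers for the UTMStack alert endpoints described above (added example)."""
import json

# Code tables from the Source Fields section of this page.
STATUS = {1: "Auto Review", 2: "Open", 3: "In Progress", 4: "Completed", 5: "Incident Created"}
SEVERITY = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def build_get_request(base_url: str, index: str, alert_id: str, token: str) -> dict:
    """Describe the single-document GET without sending it. The _doc API only
    accepts a concrete index, so a wildcard pattern is rejected up front."""
    if "*" in index:
        raise ValueError("single-document GET needs a concrete index, not a pattern")
    return {"method": "GET",
            "url": f"{base_url}/api/elasticsearch/{index}/_doc/{alert_id}",
            "headers": {"Authorization": f"Bearer {token}"}}

def build_mget_body(index: str, alert_ids: list) -> str:
    """Serialise the _mget body for a batch of alert IDs from one index."""
    return json.dumps({"docs": [{"_index": index, "_id": i} for i in alert_ids]})

def summarize_alert(source: dict) -> dict:
    """Decode the integer status/severity codes into their documented labels."""
    return {"id": source["id"], "name": source["name"],
            "status": STATUS.get(source.get("status"), "Unknown"),
            "severity": SEVERITY.get(source.get("severity"), "Unknown"),
            "tags": list(source.get("tags", []))}

def parse_mget_response(body: str) -> tuple:
    """Split an _mget response into decoded alerts and the IDs that were not found.
    Elasticsearch reports a missing document as "found": false, not as an HTTP error."""
    found, missing = [], []
    for doc in json.loads(body)["docs"]:
        if doc.get("found"):
            found.append(summarize_alert(doc["_source"]))
        else:
            missing.append(doc["_id"])
    return found, missing

# Constructed sample response (not captured from a real instance): one hit, one miss.
SAMPLE_MGET_RESPONSE = json.dumps({"docs": [
    {"_index": "alert-2024.01", "_id": "abc123", "_version": 1, "found": True,
     "_source": {"id": "abc123", "name": "Suspicious Login Attempt", "status": 2,
                 "severity": 3, "tags": ["brute-force", "failed-login"]}},
    {"_index": "alert-2024.01", "_id": "def456", "found": False}]})

if __name__ == "__main__":
    print(build_get_request("https://your-utmstack-instance.com", "alert-2024.01", "abc123", "<token>"))
    print(parse_mget_response(SAMPLE_MGET_RESPONSE))
```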