Close false positive - Alerts API

Run the POST request to close multiple alerts matching the specified filters as false positive (an alert on a non-malicious activity).

HTTP request

POST /api/v1/alerts/close_false_positive/

Request BODY parameters

Parameter Description
filters Filter objects with all the search filters for the request, see alert filters for more details
comment A comment about why the alerts are dismissed
reasonId The reason for closing the alerts as false positive. Providing a reason helps improve the accuracy of the detection over time. Possible values include:

0: Not of interest
1: Too many similar alerts
3: Alert is not accurate
4: Other
sendFeedback A boolean value indicating that feedback about this alert is provided. Default value: false
feedbackText The text of the feedback
allowContact A boolean value indicating that consent to contact the user is provided. Default value: false
contactEmail The email address of the user

Example

Request

Here is an example of the request.

curl -XPOST -H "Authorization:Token <your_token_key>" -H "Content-Type: application/json" "https://<tenant_id>.<tenant_region>.portal.cloudappsecurity.com/api/v1/alerts/close_false_positive/" -d '{
  "filters": {
    "id": {
      "eq": [
        "55af7415f8a0a7a29eef2e1f",
        "55af741cf8a0a7a29eef2e20",
        "5f8d70bfc1ffb25b0a541c7d"
      ]
    }
  },
  "comment": "Irrelevant",
  "reasonId": 0,
  "sendFeedback": true,
  "feedbackText": "Feedback text",
  "allowContact": true,
  "contactEmail": " user@contoso.com"
}'

Response

Response if alert was properly closed

{
    "closed_false_positive": 1
}

Response if alert not found

{
    "closed_false_positive": 0,
    "alertsNotFound": [
        "5f843e9cfe3f6d80fe58a962"
    ]
}

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.