Reporting alerts

You can inject alerts to Acronis Cyber Protect Cloud by sending a POST request to the /api/alert_manager/v1/alerts endpoint.
Injected alerts display in the Cyber Protection console.
See the Alert example, below.

Interaction diagram

$autonumber participant "Acronis Cyber Protect Cloud" as ACC participant "Connector - Sync Algorithm" As ConnSync participant "Connector - ISV's System Abstraction" As ConnExt participant "ISV's system" As Ext group Detecting and sending alerts activate ConnSync ConnSync -> ConnExt: Poll alerts updated since <last_alerts_update_timestamp> deactivate ConnSync activate ConnExt loop Until the last alerts page is reached ConnExt -> Ext: Fetch an alerts page activate Ext Ext -> ConnExt: n-th alerts page deactivate Ext end ConnExt -> ConnSync: A list of alerts to push deactivate ConnExt activate ConnSync ConnSync -> ConnSync: Set <last_alerts_update_timestamp> to\n'timestamp' field ConnSync -> ConnSync: Map ISV's alert data structure\nto the platform alert data structure ConnSync -> ConnSync: Map ISV's tenant IDs\nto the platform tenant IDs loop For each alert in the list ConnSync -> ACC: POST /api/alert_manager/v1/alerts with alert data deactivate ConnSync end end$

Request structure

Parameter	Type	Description
`type`	string	The identifier of the alert type.
`category`	string	The identifier of the alert category.
`details`	object	An object that contains the information about the alert.
`details.title`	string	A human-readable title of the alert.
`details.category`	string	A human-readable alert category name.
`details.description`	string	A human-readable description of the alert.
`details.fields`	object	An object with arbitrary keys and values where each key-value pair represents a table row. Key is the first column, value is the second column of the row. Note If the object includes a key-value of the type `url: http://some_url`, the URL is displayed as an active link. If the URL is too long to fit on a single line in the alert, it is truncated and the suppressed characters are replaced with an ellipsis.
`tenantID`	string	The identifier of the tenant where the alert was triggered.
`ResourceID` and `ResourceName`	strings	Note Both are required for the device/workload row to appear in the alert. `ResourceID` is the UUID of the device/workload which triggered the alert. `ResourceName` is the name of the device/workload which triggered the alert. When the Partner or customer opens the Alerts section of Acronis Protection Console, the alert shows `ResourceName` as a link. The user can click this link to drill down to the device/workload (similar to native Acronis alerts). When the Partner or customer opens the Acronis dashboard and adds alerts widgets, the alert shows `ResourceName` as a link. The user can click this link to drill down to the device/workload (similar to native Acronis alerts). When the Partner or customer opens the DEVICES section in Acronis Protection Console, and opens the device/workload for which an alert has been posted, the Alert section in the right panel contains the alert. Note If device/workload no longer exists, the name is displayed, but it is not clickable.

Alert example

{
    "type": "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0",
    "category": "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0",
    "details": {
        "title": "Malware Quarantined",
        "category": "Malware Detected",
        "description": "Malicious file \"trojan.exe\" was put into quarantine.",
        "fields": {
            "Malware type": "Trojan:Win32/Caphaw.D!lnk",
            "Device ID": "62aedd2b-6556-45d5-a76e-43db475068a7",
            "Full path": "C:\\Windows\\System32\\trojan.exe"
        }
    },
    "tenantID": "f234baa2-e404-4d78-93de-4f3a77448d02"
}

Produces the following alert in the Cyber Protection console.

Response structure

The response returns status 200, with a single field payload.

Parameter	Type	Description
`id`	string	UUID of the reported alert.

In this section

Step-by-step procedure