Reporting alerts

You can inject alerts to Acronis Cyber Protect Cloud by sending a POST request to the /api/alert_manager/v1/alerts endpoint.
Injected alerts display in the Cyber Protection console.
See the Alert example, below.

Interaction diagram

autonumber

participant "Acronis Cyber Protect Cloud" as ACC
participant "Connector - Sync Algorithm" As ConnSync
participant "Connector - ISV's System Abstraction" As ConnExt
participant "ISV's system" As Ext

group Detecting and sending alerts
    activate ConnSync
    ConnSync -> ConnExt: Poll alerts updated since <last_alerts_update_timestamp>
    deactivate ConnSync

    activate ConnExt
    loop Until the last alerts page is reached
        ConnExt -> Ext: Fetch an alerts page
        activate Ext
        Ext -> ConnExt: n-th alerts page
        deactivate Ext
    end
    ConnExt -> ConnSync: A list of alerts to push
    deactivate ConnExt

    activate ConnSync
    ConnSync -> ConnSync: Set <last_alerts_update_timestamp> to\n'timestamp' field
    ConnSync -> ConnSync: Map ISV's alert data structure\nto the platform alert data structure
    ConnSync -> ConnSync: Map ISV's tenant IDs\nto the platform tenant IDs

    loop For each alert in the list
        ConnSync -> ACC: POST /api/alert_manager/v1/alerts with alert data
        deactivate ConnSync
    end
end

Request structure

| Parameter | Type | Description |
|---|---|---|
| type | string | The identifier of the alert type. |
| category | string | The identifier of the alert category. |
| details | object | An object that contains the information about the alert. |
| details.title | string | A human-readable title of the alert. |
| details.category | string | A human-readable alert category name. |
| details.description | string | A human-readable description of the alert. |
| details.fields | object | An object with arbitrary keys and values where each key-value pair represents a table row. Key is the first column, value is the second column of the row. Note: If the object includes a key-value of the type url: http://some_url, the URL is displayed as an active link. If the URL is too long to fit on a single line in the alert, it is truncated and the suppressed characters are replaced with an ellipsis. |
| tenantID | string | The identifier of the tenant where the alert was triggered. |
| ResourceID and ResourceName | strings | ResourceID is the UUID of the device/workload which triggered the alert. ResourceName is the name of the device/workload which triggered the alert. Note: Both are required for the device/workload row to appear in the alert. |

  • When the Partner or customer opens the Alerts section of Acronis Protection Console, the alert shows ResourceName as a link.
    The user can click this link to drill down to the device/workload (similar to native Acronis alerts).
  • When the Partner or customer opens the Acronis dashboard and adds alerts widgets, the alert shows ResourceName as a link.
    The user can click this link to drill down to the device/workload (similar to native Acronis alerts).
  • When the Partner or customer opens the DEVICES section in Acronis Protection Console, and opens the device/workload for which an alert has been posted, the Alert section in the right panel contains the alert.

Note: If the device/workload no longer exists, the name is displayed, but it is not clickable.

Alert example

{
    "type": "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0",
    "category": "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0",
    "details": {
        "title": "Malware Quarantined",
        "category": "Malware Detected",
        "description": "Malicious file \"trojan.exe\" was put into quarantine.",
        "fields": {
            "Malware type": "Trojan:Win32/Caphaw.D!lnk",
            "Device ID": "62aedd2b-6556-45d5-a76e-43db475068a7",
            "Full path": "C:\\Windows\\System32\\trojan.exe"
        }
    },
    "tenantID": "f234baa2-e404-4d78-93de-4f3a77448d02"
}

The example above produces the following alert in the Cyber Protection console:

[Image: successful_alert.png]

Response structure

The response returns status 200 with a payload that contains a single field.

| Parameter | Type | Description |
|---|---|---|
| id | string | UUID of the reported alert. |
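
The two mapping steps of the interaction diagram and the request structure above, as an added example (not Acronis code): it maps ISV alerts to request bodies and rejects any alert whose tenant has no mapping, so an alert is never posted to the wrong tenant. The ISV field names, TENANTS, SAMPLE and the base URL are assumptions, as is the top-level placement of ResourceID and ResourceName; authentication is left out because the page does not describe it.

```python
import json
import uuid
import urllib.request

ALERTS_PATH = "/api/alert_manager/v1/alerts"  # endpoint named on the page
# Constructed sample: one ISV alert whose tenant is mapped, one whose tenant is not.
TENANTS = {"isv-cust-1": "f234baa2-e404-4d78-93de-4f3a77448d02"}
SAMPLE = [
    {"id": "a1", "tenant": "isv-cust-1", "title": "Malware Quarantined",
     "category_name": "Malware Detected", "description": "File quarantined.",
     "fields": {"Malware type": "Trojan:Win32/Caphaw.D!lnk"},
     "device_id": "62aedd2b-6556-45d5-a76e-43db475068a7", "device_name": "host-01"},
    {"id": "a2", "tenant": "isv-cust-9", "title": "t", "category_name": "c",
     "description": "d"},
]

def to_platform_alert(isv, tenant_map, alert_type, category):
    """Map one ISV alert (hypothetical field names) to the platform request body."""
    # Fail closed: an unmapped ISV tenant must never fall back to a default tenant.
    tenant_id = tenant_map.get(isv["tenant"])
    if tenant_id is None:
        raise ValueError(f"no platform tenant mapped for {isv['tenant']!r}")
    uuid.UUID(tenant_id)  # raises ValueError if the mapping holds a non-UUID
    body = {
        "type": alert_type,
        "category": category,
        "details": {"title": isv["title"], "category": isv["category_name"],
                    "description": isv["description"],
                    "fields": dict(isv.get("fields", {}))},  # one table row per pair
        "tenantID": tenant_id,
    }
    rid, rname = isv.get("device_id"), isv.get("device_name")
    if rid and rname:  # both are required for the device/workload row to appear
        uuid.UUID(rid)
        # Assumption: both keys sit at the top level of the body, like tenantID.
        body["ResourceID"], body["ResourceName"] = rid, rname
    return body

def build_posts(isv_alerts, tenant_map, alert_type, category, base_url):
    """Return (requests ready to send, [(ISV alert id, reason)] for rejected alerts)."""
    posts, rejected = [], []
    for isv in isv_alerts:
        try:
            body = to_platform_alert(isv, tenant_map, alert_type, category)
        except (KeyError, ValueError) as exc:
            rejected.append((isv.get("id"), str(exc)))
            continue
        posts.append(urllib.request.Request(base_url + ALERTS_PATH, method="POST",
            data=json.dumps(body).encode(), headers={"Content-Type": "application/json"}))
    return posts, rejected
```

Add the authentication header your integration uses before sending each request, and log the rejected list so unmapped tenants are noticed rather than silently dropped.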
