Reporting alerts

You can inject alerts into Acronis Cyber Protect Cloud by sending a POST request to the /api/alert_manager/v1/alerts endpoint.
Injected alerts display in the Cyber Protection console.
See the Alert example, below.

Interaction diagram

autonumber

participant "Acronis Cyber Protect Cloud" as ACC
participant "Connector - Sync Algorithm" As ConnSync
participant "Connector - ISV's System Abstraction" As ConnExt
participant "ISV's system" As Ext

group Detecting and sending alerts
    activate ConnSync
    ConnSync -> ConnExt: Poll alerts updated since <last_alerts_update_timestamp>
    deactivate ConnSync

    activate ConnExt
    loop Until the last alerts page is reached
        ConnExt -> Ext: Fetch an alerts page
        activate Ext
        Ext -> ConnExt: n-th alerts page
        deactivate Ext
    end
    ConnExt -> ConnSync: A list of alerts to push
    deactivate ConnExt

    activate ConnSync
    ConnSync -> ConnSync: Set <last_alerts_update_timestamp> to\n'timestamp' field
    ConnSync -> ConnSync: Map ISV's alert data structure\nto the platform alert data structure
    ConnSync -> ConnSync: Map ISV's tenant IDs\nto the platform tenant IDs

    loop For each alert in the list
        ConnSync -> ACC: POST /api/alert_manager/v1/alerts with alert data
        deactivate ConnSync
    end
end

Request structure

  • type string
    The identifier of the alert type.
  • category string
    The identifier of the alert category.
  • details object
    An object that contains the information about the alert.
  • details.title string
    A human-readable title of the alert.
  • details.category string
    A human-readable alert category name.
  • details.description string
    A human-readable description of the alert.
  • details.fields object
    An object with arbitrary keys and values where each key-value pair represents a table row.
    Key is the first column, value is the second column of the row.

    Note

    If the object includes a key-value pair of the form url: http://some_url, the URL is displayed as an active link.
    If the URL is too long to fit on a single line in the alert, it is truncated and the suppressed characters are replaced with an ellipsis.
  • tenantID string
    The identifier of the tenant where the alert was triggered.
  • ResourceID string and ResourceName string

    Note

    Both are required for the device/workload row to appear in the alert.

    ResourceID is the UUID of the device/workload which triggered the alert.
    ResourceName is the name of the device/workload which triggered the alert.
    • When the Partner or customer opens the Alerts section of Acronis Protection Console, the alert shows ResourceName as a link.
      The user can click this link to drill down to the device/workload (similar to native Acronis alerts).
    • When the Partner or customer opens the Acronis dashboard and adds alerts widgets, the alert shows ResourceName as a link.
      The user can click this link to drill down to the device/workload (similar to native Acronis alerts).
    • When the Partner or customer opens the DEVICES section in Acronis Protection Console, and opens the device/workload for which an alert has been posted, the Alert section in the right-hand panel contains the alert.

    Note

    If the device/workload no longer exists, the name is displayed, but it is not clickable.

Alert example

{
    "type": "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0",
    "category": "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0",
    "details": {
        "title": "Malware Quarantined",
        "category": "Malware Detected",
        "description": "Malicious file \"trojan.exe\" was put into quarantine.",
        "fields": {
            "Malware type": "Trojan:Win32/Caphaw.D!lnk",
            "Device ID": "62aedd2b-6556-45d5-a76e-43db475068a7",
            "Full path": "C:\\Windows\\System32\\trojan.exe"
        }
    },
    "tenantID": "f234baa2-e404-4d78-93de-4f3a77448d02"
}

This request produces the following alert in the Cyber Protection console.

[Screenshot: successful_alert.png]

Response structure

The response returns status 200 with a payload that contains a single field.

  • id string
    UUID of the reported alert.
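
The mapping steps from the interaction diagram, as an added example (not Acronis code): it maps ISV alerts to the request structure, fails closed on unmapped tenants, and advances last_alerts_update_timestamp. The ISV-side keys (tenant, rows, device_uuid, device_name, category_name) are hypothetical, skipping link rows that are not http(s) is an added connector policy rather than a platform requirement, and the POST itself is left out because this page does not describe authentication.

```python
import re
from urllib.parse import urlsplit

ALERT_TYPE = "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0"
ALERT_CATEGORY = "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0"
LINK = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Constructed sample data; the ISV-side keys are hypothetical.
TENANT_MAP = {"isv-t1": "f234baa2-e404-4d78-93de-4f3a77448d02"}
SAMPLE = [
    {"id": 1, "tenant": "isv-t1", "timestamp": 1700000100, "title": "Malware Quarantined",
     "category_name": "Malware Detected", "description": "File was put into quarantine.",
     "device_uuid": "62aedd2b-6556-45d5-a76e-43db475068a7", "device_name": "host-01",
     "rows": {"Full path": "C:\\Windows\\System32\\trojan.exe",
              "url": "https://isv.example/alerts/1", "Sample link": "ftp://files.example/x"}},
    {"id": 2, "tenant": "isv-unknown", "timestamp": 1700000200, "title": "t",
     "category_name": "c", "description": "d"},
]

def to_platform_alert(isv, tenant_map):
    """Map one ISV alert to the request structure; raise if the tenant is unmapped."""
    tenant_id = tenant_map.get(isv["tenant"])
    if tenant_id is None:  # fail closed: never fall back to a default tenant
        raise ValueError("unmapped ISV tenant %r" % isv["tenant"])
    fields = {}
    for key, value in isv.get("rows", {}).items():
        text = str(value)
        if key.lower() == "url" or LINK.match(text):
            parts = urlsplit(text)
            if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
                continue  # added policy: drop rows that would render as a non-web link
        fields[str(key)] = text
    alert = {"type": ALERT_TYPE, "category": ALERT_CATEGORY, "tenantID": tenant_id,
             "details": {"title": isv["title"], "category": isv["category_name"],
                         "description": isv["description"], "fields": fields}}
    rid, rname = isv.get("device_uuid"), isv.get("device_name")
    if rid and rname:  # both are required for the device/workload row to appear
        alert["ResourceID"], alert["ResourceName"] = rid, rname
    return alert

def build_batch(isv_alerts, tenant_map, last_ts):
    """Return (payloads to POST, rejected (id, reason) pairs, new timestamp)."""
    payloads, rejected = [], []
    for isv in isv_alerts:
        try:
            payloads.append(to_platform_alert(isv, tenant_map))
        except (KeyError, ValueError) as exc:
            rejected.append((isv.get("id"), str(exc)))
        last_ts = max(last_ts, isv["timestamp"])
    return payloads, rejected, last_ts
```

Each returned payload is the body of one POST to /api/alert_manager/v1/alerts. Rejected alerts still advance the timestamp here, so log them; they will not be polled again.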
