Reporting alerts

Alerts can be injected into Acronis Cyber Protect Cloud by sending a POST request to the /api/alert_manager/v1/alerts endpoint.

Example

Injected alerts display in the Cyber Protection console.

[Screenshot: successful_alert.png, an injected alert shown in the Cyber Protection console]

Interaction diagram

@startuml
autonumber

participant "Acronis Cyber Protect Cloud" as ACC
participant "Connector - Sync Algorithm" as ConnSync
participant "Connector - ISV's System Abstraction" as ConnExt
participant "ISV's system" as Ext

group Detecting and sending alerts
    activate ConnSync
    ConnSync -> ConnExt: Poll alerts updated since <last_alerts_update_timestamp>
    deactivate ConnSync

    activate ConnExt
    loop Until the last alerts page is reached
        ConnExt -> Ext: Fetch an alerts page
        activate Ext
        Ext -> ConnExt: n-th alerts page
        deactivate Ext
    end
    ConnExt -> ConnSync: A list of alerts to push
    deactivate ConnExt

    activate ConnSync
    ConnSync -> ConnSync: Set <last_alerts_update_timestamp> to\nthe 'timestamp' field of the fetched alerts
    ConnSync -> ConnSync: Map ISV's alert data structure\nto the platform alert data structure
    ConnSync -> ConnSync: Map ISV's tenant IDs\nto the platform tenant IDs

    loop For each alert in the list
        ConnSync -> ACC: POST /api/alert_manager/v1/alerts with alert data
        ACC --> ConnSync: 200 with the id of the reported alert
    end
    deactivate ConnSync
end
@enduml

Request structure

Name                 Value type  Description
-------------------  ----------  ------------------------------------------------------------
type                 string      The identifier of the alert type.
category             string      The identifier of the alert category.
details              object      An object that contains the information about the alert.
details.title        string      A human-readable title of the alert.
details.category     string      A human-readable alert category name.
details.description  string      A human-readable description of the alert.
details.fields       object      An object with arbitrary keys and values, where each
                                 key-value pair is rendered as a table row: the key is the
                                 first column and the value is the second column of the row.
tenantID             string      The identifier of the tenant where the alert was triggered.

Note

If a value in details.fields is a URL (for example, "url": "http://some_url"), it is displayed as an active link.
If the URL is too long to fit on a single line in the alert, it is truncated and the suppressed characters are replaced with an ellipsis.

Example of an alert:

{
    "type": "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0",
    "category": "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0",
    "details": {
        "title": "Malware Quarantined",
        "category": "Malware Detected",
        "description": "Malicious file \"trojan.exe\" was put into quarantine.",
        "fields": {
            "Malware type": "Trojan:Win32/Caphaw.D!lnk",
            "Device ID": "62aedd2b-6556-45d5-a76e-43db475068a7",
            "Full path": "C:\\Windows\\System32\\trojan.exe"
        }
    },
    "tenantID": "f234baa2-e404-4d78-93de-4f3a77448d02"
}

Response structure

The response has status 200 and a payload with the following structure:

Name  Value type  Description
----  ----------  -------------------------------
id    string      UUID of the reported alert.
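The following is an added example, not code from Acronis or from this documentation, that implements the sync loop from the interaction diagram together with the request and response structures above: it pages ISV alerts updated since the stored timestamp, maps them and their tenant IDs to the platform structure, validates each payload against the documented fields, and POSTs it to /api/alert_manager/v1/alerts, collecting the returned id. The ISV fetch API, the bearer-token Authorization header, the sample ISV alert records and the tenant mapping are assumptions for the example; the type and category identifiers are copied from the example alert above. One deliberate departure from the diagram: the watermark timestamp is advanced only after every alert has been pushed successfully, so a failed POST does not silently drop alerts on the next run.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

ALERTS_PATH = "/api/alert_manager/v1/alerts"
# Identifiers taken from the page's example alert; a real connector uses the
# types and categories registered for its own vendor and application.
ALERT_TYPE = "cti.a.p.am.alert.v1.0~a.p.basic.v1.0~vendor.application.malware_detected.v1.0"
ALERT_CATEGORY = "cti.a.p.am.category.v1.0~vendor.application.protection.v1.0"


def validate_alert(alert: dict) -> None:
    """Reject payloads that do not match the documented request structure."""
    for key in ("type", "category", "tenantID"):
        if not isinstance(alert.get(key), str) or not alert[key]:
            raise ValueError(f"'{key}' must be a non-empty string")
    details = alert.get("details")
    if not isinstance(details, dict):
        raise ValueError("'details' must be an object")
    for key in ("title", "category", "description"):
        if not isinstance(details.get(key), str):
            raise ValueError(f"'details.{key}' must be a string")
    fields = details.get("fields", {})
    if not isinstance(fields, dict) or not all(isinstance(k, str) for k in fields):
        raise ValueError("'details.fields' must be an object with string keys")


def map_alert(isv_alert: dict, tenant_map: Dict[str, str]) -> dict:
    """Map an (assumed) ISV alert record to the platform alert structure.
    An ISV customer with no platform tenant is an error, never a guess."""
    customer = isv_alert["customer_id"]
    if customer not in tenant_map:
        raise ValueError(f"no platform tenant mapped for ISV customer {customer!r}")
    alert = {
        "type": ALERT_TYPE,
        "category": ALERT_CATEGORY,
        "details": {
            "title": "Malware Quarantined",
            "category": "Malware Detected",
            "description": f"Malicious file \"{isv_alert['file_name']}\" was put into quarantine.",
            "fields": {"Malware type": isv_alert["threat"],
                       "Device ID": isv_alert["device_id"],
                       "Full path": isv_alert["path"]},
        },
        "tenantID": tenant_map[customer],
    }
    validate_alert(alert)
    return alert


Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport, used only when no fake transport is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class AlertClient:
    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def post_alert(self, alert: dict) -> str:
        """POST one alert and return the UUID the platform assigned to it."""
        validate_alert(alert)
        headers = {"Content-Type": "application/json",
                   "Authorization": f"Bearer {self.token}"}  # assumed auth scheme
        status, body = self.transport("POST", self.base_url + ALERTS_PATH, headers,
                                      json.dumps(alert).encode())
        if status != 200:
            raise RuntimeError(f"alert POST failed with HTTP {status}: {body[:200]!r}")
        return json.loads(body)["id"]


def sync_alerts(fetch_page, client: AlertClient, tenant_map: Dict[str, str], state: dict) -> List[str]:
    """One run of the diagram's loop. fetch_page(since, page) -> (alerts, has_more) is the
    assumed ISV abstraction; the watermark moves only after every POST succeeded."""
    since = state.get("last_alerts_update_timestamp", "1970-01-01T00:00:00Z")
    collected, page = [], 1
    while True:
        items, has_more = fetch_page(since, page)
        collected.extend(items)
        if not has_more:
            break
        page += 1
    ids = [client.post_alert(map_alert(a, tenant_map)) for a in collected]
    if collected:  # ISO-8601 UTC timestamps compare lexicographically, so max() is newest
        state["last_alerts_update_timestamp"] = max(a["timestamp"] for a in collected)
    return ids


# Constructed sample data: two ISV alerts served one per page, one tenant mapping.
SAMPLE_ISV_ALERTS = [
    {"customer_id": "cust-17", "timestamp": "2024-05-01T10:00:00Z", "file_name": "trojan.exe",
     "threat": "Trojan:Win32/Caphaw.D!lnk", "device_id": "62aedd2b-6556-45d5-a76e-43db475068a7",
     "path": "C:\\Windows\\System32\\trojan.exe"},
    {"customer_id": "cust-17", "timestamp": "2024-05-01T10:05:00Z", "file_name": "dropper.dll",
     "threat": "Trojan:Win32/Caphaw.D!lnk", "device_id": "9c1e4a6b-2f0d-4b8e-8a55-0d3f6e7a1b22",
     "path": "C:\\Users\\Public\\dropper.dll"},
]
TENANT_MAP = {"cust-17": "f234baa2-e404-4d78-93de-4f3a77448d02"}
SENT: List[tuple] = []  # requests captured by the fake transport


def fake_fetch_page(since: str, page: int) -> Tuple[List[dict], bool]:
    newer = [a for a in SAMPLE_ISV_ALERTS if a["timestamp"] > since]
    return newer[page - 1:page], page < len(newer)


def fake_transport(method, url, headers, body):
    SENT.append((method, url, headers["Authorization"], json.loads(body)))
    return 200, json.dumps({"id": f"00000000-0000-4000-8000-{len(SENT):012d}"}).encode()


def demo() -> dict:
    SENT.clear()
    state: dict = {}
    client = AlertClient("https://cloud.example.invalid", "TOKEN", transport=fake_transport)
    ids = sync_alerts(fake_fetch_page, client, TENANT_MAP, state)
    again = sync_alerts(fake_fetch_page, client, TENANT_MAP, state)  # nothing new: no POSTs
    return {"ids": ids, "second_run": again, "state": state, "sent": SENT}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block pushes both sample alerts through the fake transport, records the UUIDs the (fake) platform returned, advances the stored timestamp to the newest alert, and shows that a second run with no newer alerts sends nothing. Swap fake_transport for the default urllib_transport and fake_fetch_page for a real ISV client to use it against the platform.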
