Alert Events
Overview
Get a list of all or filtered alerts. The alerts listed are what remains after alert exclusions are applied by Agari DMARC Protection.
Configuration
Parameters
parameters.domainwill store the value of the API URL, excluding the endpoint paths like/v1/cp/oauth/tokenor/v1/cp/alert_events
Secrets
secrets.client_idwill reference to Agari's Client IDsecrets.client_secretwill reference to Agari's Client Secret.
After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your YAML.
withTemporalWindow: true
temporalWindow:
duration: 5m
offset: 5m
tz: UTC
format: RFC3339
withAuthentication: true
authentication:
type: token
token:
request:
method: POST
url: ${parameters.domain}/v1/cp/oauth/token
headers:
- name: Content-Type
value: application/x-www-form-urlencoded
- name: Accept
value: application/json
bodyType: urlEncoded
bodyParams:
- name: client_id
value: '${secrets.client_id}'
- name: client_secret
value: '${secrets.client_secret}'
tokenPath: ".access_token"
authInjection:
in: header
name: Authorization
prefix: 'Bearer '
suffix: ''
withEnumerationPhase: false
collectionPhase:
paginationType: offsetLimit
limit: 200
request:
responseType: json
method: GET
url: ${parameters.domain}/v1/cp/alert_events
queryParams:
- name: start_date
value: ${temporalWindow.from}
- name: end_date
value: ${temporalWindow.to}
- name: offset
value: ${pagination.offset}
- name: limit
value: ${pagination.limit}
output:
select: ".alert_events"
map: "."
outputMode: elementTemporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset - initial offset should be
5mFormat -
RFC3339
Authentication Phase
Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.
Type* -
tokenRequest Method* -
POST(we would need to generate the JWT using the secretsclient_idandclient_secret)URL* -
${parameters.domain}/v1/cp/oauth/tokenHeaders
Name -
Content-typeValue -
application/x-www-form-urlencodedName -
AcceptValue -
application/json
BodyType* -
UrlEncodedBody params
Name -
client_idValue -
'${secrets.client_ID}'Name -
client_secretValue -
'${secrets.client_Secret
Token Path* -
.access_tokenAuth Injection
In* -
headerName* -
authorizationPrefix -
BearerSuffix -
''
Enumeration Phase
OFF
Collection Phase
Pagination Type* -
offset/LimitLimit* -
200Request
Response Type -
JSONMethod* -
GETURL* -
${parameters.domain}/v1/cp/alert_eventsHeaders -
Name -
start_dateValue -
${temporalWindow.from}Name -
end_dateValue -
${temporalWindow.to}Name -
offsetValue -
${pagination.offset}Name -
limitValue -
${pagination.limit}
Output
Select -
.alert_eventsMap -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract alert events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?