search
WebsiteBlogLogin

Alerts

hashtag
Overview

Get a list of all or filtered alerts. The alerts listed are what remains after alert exclusions are applied by Netskope.

hashtag
Configuration

hashtag
Parameters

  • Domain (Domain)

hashtag
Secrets

  • Authorization (greymatter_token) refers to the API Tokenarrow-up-right used to authenticate the connection to Greymatter.

To add a Secret, open the Secret fields and click New secret:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the secret corresponding to the value.

  • Click Save.

circle-info

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Greymatter API Alerts fields, or simply paste the desired YAML.

hashtag
Configure as YAML

hashtag
Manually Configure

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

  • Duration - 5 minutes (5m) as default, adjust based on your needs.

  • Offset - 5m

  • Format - RFC3339

Authentication Phase

OFF

hashtag
Enumeration Phase

OFF

hashtag
Collection Phase

  • Pagination Type* - cursor

  • Cursor Selector* - .data.drpAlerts.pageInfo.endCursor

  • Initial Request

    • Method* - POST

    • URL* - https://greymatter.myreliaquest.com/graphql

    • Headers -

      • Name - X-API-KEY

      • Value - ${secrets.greymatter_token}

      • Name - Content-Type

      • Value - application/json

  • Body type- raw

    • Body raw - | { "query":"query drpAlerts ($after: String, $filter: DrpReportTriageItemViewFilterInput, $first: Int!, $orderBy: DRPAlertOrder) {\n drpAlerts (after: $after, filter: $filter, first: $first, orderBy: $orderBy) {\n edges {\n cursor\n node {\n active\n alertFingerprint\n classification\n closedSource\n createdAt\n domain\n hosts\n id\n migrated\n rejectedByRuleIds\n removedAt\n riskFactorKeys\n riskType\n severity\n shortCode\n sourceGroup\n sourceRef\n sourceUpdated\n sourceUris\n subTitle\n thumbnailUri\n title\n updatedAt\n uri\n }\n }\n pageInfo {\n endCursor\n hasNextPage\n hasPreviousPage\n startCursor\n }\n totalCount\n }\n}", "variables": { "after": "T18w", "filter": { "changed": "PT5M#UTC" }, "first": 1000, "orderBy": { "direction": "ASC", "orderBy": "CREATED_AT" } } }

  • Next Request

    • Method* - POST

    • URL* - https://greymatter.myreliaquest.com/graphql

    • Headers -

      • Name - X-API-KEY

      • Value - ${secrets.greymatter_token}

      • Name - Content-Type

      • Value - application/json

  • Body type- raw

    • Body raw - | { "query": "query drpAlerts ($after: String, $filter: DrpReportTriageItemViewFilterInput, $first: Int!, $orderBy: DRPAlertOrder) {\n drpAlerts (after: $after, filter: $filter, first: $first, orderBy: $orderBy) {\n edges {\n cursor\n node {\n active\n alertFingerprint\n classification\n closedSource\n createdAt\n domain\n hosts\n id\n migrated\n rejectedByRuleIds\n removedAt\n riskFactorKeys\n riskType\n severity\n shortCode\n sourceGroup\n sourceRef\n sourceUpdated\n sourceUris\n subTitle\n thumbnailUri\n title\n updatedAt\n uri\n }\n }\n pageInfo {\n endCursor\n hasNextPage\n hasPreviousPage\n startCursor\n }\n totalCount\n }\n}", "variables": { "after": "${pagination.cursor}", "filter": { "changed": "PT5M#UTC" }, "first": 1000, "orderBy": { "direction": "ASC", "orderBy": "CREATED_AT" } } }

  • Output

    • Select - .data.drpAlerts.edges

    • Map - .

    • Output Mode - element

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousCollect data from Greymatter APINextCollect data from Mimecast

Last updated

Was this helpful?