Patch Alert

PATCH /v1/alerts/{alert_uuid}

Example request:

curl --request PATCH \
  --url https://api.example.com/v1/alerts/{alert_uuid} \
  --header 'Content-Type: application/json' \
  --data '
{
  "status": "Open",
  "severity": "Pending",
  "close_classification": "True Positive - Suspicious Activity",
  "tags": [
    "<string>"
  ],
  "malice_override": "Pending",
  "reset_malice_override": false
}
'

Example response:

{
  "data": {
    "uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "title": "<string>",
    "severity": "Pending",
    "status": "Open",
    "enrichment_status": "Pending",
    "source_name": "<string>",
    "occurred_at": "2023-11-07T05:31:56Z",
    "ingested_at": "2023-11-07T05:31:56Z",
    "enriched_at": "2023-11-07T05:31:56Z",
    "is_enriched": true,
    "fingerprint": "<string>",
    "close_classification": "True Positive - Suspicious Activity",
    "acknowledged_at": "2023-11-07T05:31:56Z",
    "triaged_at": "2023-11-07T05:31:56Z",
    "closed_at": "2023-11-07T05:31:56Z",
    "tags": [
      "<string>"
    ],
    "detection_rule_id": 123,
    "created_at": "2023-11-07T05:31:56Z",
    "updated_at": "2023-11-07T05:31:56Z",
    "description": "<string>",
    "duplicate_count": 0,
    "last_seen_at": "2023-11-07T05:31:56Z",
    "raw_payload": {},
    "malice": "<string>",
    "malice_override": "<string>",
    "malice_override_source": "<string>",
    "malice_override_at": "2023-11-07T05:31:56Z",
    "indicators": [
      {
        "uuid": "<string>",
        "type": "ip",
        "value": "<string>",
        "first_seen": "2023-11-07T05:31:56Z",
        "last_seen": "2023-11-07T05:31:56Z",
        "is_enriched": true,
        "malice": "<string>",
        "created_at": "2023-11-07T05:31:56Z",
        "updated_at": "2023-11-07T05:31:56Z",
        "malice_source": "<string>",
        "malice_overridden_at": "2023-11-07T05:31:56Z",
        "enrichment_results": {}
      }
    ],
    "detection_rule": {
      "uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "name": "<string>",
      "source_rule_id": "<string>",
      "source_name": "<string>",
      "severity": "<string>",
      "is_active": true,
      "mitre_tactics": [
        "<string>"
      ],
      "mitre_techniques": [
        "<string>"
      ],
      "mitre_subtechniques": [
        "<string>"
      ],
      "data_sources": [
        "<string>"
      ],
      "run_frequency": "<string>",
      "created_by": "<string>",
      "documentation": "<string>",
      "created_at": "2023-11-07T05:31:56Z",
      "updated_at": "2023-11-07T05:31:56Z"
    },
    "context_documents": [
      {
        "uuid": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "title": "<string>",
        "document_type": "<string>",
        "is_global": true,
        "description": "<string>",
        "tags": [
          "<string>"
        ],
        "version": 123,
        "created_at": "2023-11-07T05:31:56Z",
        "updated_at": "2023-11-07T05:31:56Z",
        "content": "<string>",
        "targeting_rules": {}
      }
    ],
    "agent_findings": [
      {}
    ]
  },
  "meta": {}
}

Path Parameters

alert_uuid
string<uuid>
required

Body

application/json

Patch request for updating an alert — PATCH /v1/alerts/{uuid}. All fields optional. If status=Closed, close_classification is required.

status
enum<string> | null

Alert investigation lifecycle status. Stored as TEXT with Pydantic validation. Do NOT use a Postgres ENUM type — TEXT with app-level validation is easier to migrate.

Transition flow: Open → Triaging / Escalated → Closed

Available options:
Open,
Triaging,
Escalated,
Closed

severity
enum<string> | null

Alert severity levels. Stored as TEXT with Pydantic validation. Source plugins are responsible for mapping source-specific severity values to this enum.

Available options:
Pending,
Informational,
Low,
Medium,
High,
Critical

close_classification
enum<string> | null

Required when status transitions to Closed. Used for FP rate metrics and detection quality. Any value starting with 'False Positive' counts toward the false_positive_rate metric.

Available options:
True Positive - Suspicious Activity,
Benign Positive - Suspicious but Expected,
False Positive - Incorrect Detection Logic,
False Positive - Inaccurate Data,
Undetermined,
Duplicate,
Not Applicable

tags
string[] | null

malice_override
enum<string> | null

Indicator malice verdict — shared validation enum.

Available options:
Pending,
Benign,
Suspicious,
Malicious

reset_malice_override
boolean
default: false
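Client-side checks for this endpoint's body, as an added example that is not the API's or project's own code: it enforces the enum values and the "status=Closed requires close_classification" rule listed above, builds the same request the curl sample sends (api.example.com is the page's placeholder host), and computes the false_positive_rate metric using the "starts with 'False Positive'" counting rule given for close_classification.

```python
# Added example for PATCH /v1/alerts/{alert_uuid}; not the API's own code.
# The base URL is whatever host the deployment exposes (placeholder below).
import json
import urllib.request

STATUSES = {"Open", "Triaging", "Escalated", "Closed"}
SEVERITIES = {"Pending", "Informational", "Low", "Medium", "High", "Critical"}
CLOSE_CLASSIFICATIONS = {
    "True Positive - Suspicious Activity",
    "Benign Positive - Suspicious but Expected",
    "False Positive - Incorrect Detection Logic",
    "False Positive - Inaccurate Data",
    "Undetermined", "Duplicate", "Not Applicable",
}
MALICE = {"Pending", "Benign", "Suspicious", "Malicious"}
ENUM_FIELDS = {"status": STATUSES, "severity": SEVERITIES,
               "close_classification": CLOSE_CLASSIFICATIONS,
               "malice_override": MALICE}


def validate_patch(body: dict) -> list:
    """Return the problems found; an empty list means the body is acceptable."""
    errors = []
    for field, allowed in ENUM_FIELDS.items():
        value = body.get(field)  # every field is optional and nullable
        if value is not None and value not in allowed:
            errors.append(f"{field}: {value!r} not in {sorted(allowed)}")
    # The one cross-field rule on this page: closing needs a classification.
    if body.get("status") == "Closed" and not body.get("close_classification"):
        errors.append("close_classification is required when status is Closed")
    return errors


def build_patch(base_url: str, alert_uuid: str, body: dict) -> urllib.request.Request:
    """Validate, then build the same request the page's curl sample sends."""
    problems = validate_patch(body)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        f"{base_url}/v1/alerts/{alert_uuid}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})


def false_positive_rate(classifications) -> float:
    """Share of close classifications starting with 'False Positive' (None = not closed)."""
    closed = [c for c in classifications if c]
    if not closed:
        return 0.0
    return sum(c.startswith("False Positive") for c in closed) / len(closed)
```

Send the built request with urllib.request.urlopen once validation passes; the response body has the AlertResponse shape shown in the example above.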

Response

Successful Response

data
AlertResponse · object
required

Full alert response — returned by GET /v1/alerts/{uuid}.

meta
Meta · object