Stealthwatch Cloud API not resolving alert

m2oswald
Level 1

I'm trying to resolve alerts using our SOAR automation.  I'm using the api/v3/alerts/alert/<alert_id> endpoint and this PUT command body:

{
  "resolved": true,
  "merit": 8
}

I'm receiving a status code 200 from Stealthwatch, so it seems like it accepted the command. But the alerts remain open. Can anyone suggest what might be wrong or how I can troubleshoot this?

Accepted Solution

m2oswald
Level 1

Update for anyone having the same problem and looking for a solution...

My issue was the REST API endpoint I was using.  It's not this:

api/v3/alerts/alert/<alert_id>

but this:

api/v3/alerts/alert/<alert_id>/

Adding the "/" to the end fixed my problem. Almost - I was actually missing the "Content-Type" and "Accept" header keys as well, but that was minor. The big thing was the slash. Thanks so much to Bryan @ Cisco Support for figuring this out!
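The accepted solution boils down to two things: the endpoint URL must end in a trailing slash, and the request must carry "Content-Type" and "Accept" headers. The part worth keeping in an automation is the lesson behind it: a 200 on the PATCH proved nothing, because the alert stayed open. The script below is an added example, not code from the thread or from Cisco; it builds the request the way the accepted solution describes, then reads the alert back and only reports success when "resolved" is actually true. The "Authorization: ApiKey user:key" header format, the shape of the GET response, and the "FakeStealthwatch" stand-in (which reproduces the silent no-op on a slash-less URL) are assumptions constructed for the example.

```python
"""Resolve a Stealthwatch Cloud alert and verify the change took effect.

Added example, not code from the forum thread. Assumptions (not confirmed by
the thread): the API key is sent as 'Authorization: ApiKey <user>:<key>' and
a GET of the same endpoint returns the alert with a 'resolved' field. The
trailing slash and the Content-Type/Accept headers come from the accepted
solution; the FakeStealthwatch class is a constructed stand-in for the API.
"""
import json
from typing import Callable, Dict, Tuple

ALERT_PATH = "api/v3/alerts/alert"


def alert_url(base: str, alert_id: int) -> str:
    """Build the alert endpoint URL, always with the trailing slash.

    Without the slash the API answered 200 but left the alert untouched,
    so the slash is enforced here instead of being left to the caller.
    """
    return f"{base.rstrip('/')}/{ALERT_PATH}/{alert_id}/"


def headers(api_user: str, api_key: str) -> Dict[str, str]:
    """Headers the accepted solution says were missing, plus auth (assumed format)."""
    return {
        "Authorization": f"ApiKey {api_user}:{api_key}",  # assumed header format
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def resolve_body(merit: int = 8) -> str:
    """JSON body for the PATCH; json.dumps guarantees no trailing comma."""
    return json.dumps({"resolved": True, "merit": merit})


# transport signature: send(method, url, headers, body) -> (status, response_json)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, dict]]


def resolve_alert(send: Transport, base: str, alert_id: int,
                  api_user: str, api_key: str, merit: int = 8) -> bool:
    """PATCH the alert, then GET it back and confirm 'resolved' is true.

    Returns True only when the read-back shows the alert resolved. The PATCH
    status code alone is not trusted; that is what hid the bug in the thread.
    """
    url = alert_url(base, alert_id)
    hdrs = headers(api_user, api_key)
    status, _ = send("PATCH", url, hdrs, resolve_body(merit))
    if status != 200:
        return False
    status, alert = send("GET", url, hdrs, "")
    return status == 200 and alert.get("resolved") is True


class FakeStealthwatch:
    """Constructed stand-in for the API that reproduces the thread's symptom:
    a PATCH to the URL without the trailing slash returns 200 but changes nothing."""

    def __init__(self) -> None:
        self.alerts = {12345: {"pk": 12345, "resolved": False, "merit": 0}}

    def send(self, method: str, url: str, hdrs: Dict[str, str], body: str) -> Tuple[int, dict]:
        alert_id = int(url.rstrip("/").split("/")[-1])
        alert = self.alerts[alert_id]
        if method == "GET":
            return 200, dict(alert)
        if method == "PATCH":
            # the update is only applied when URL and headers are as the API expects
            if url.endswith("/") and hdrs.get("Content-Type") == "application/json":
                alert.update(json.loads(body))
            return 200, dict(alert)  # 200 either way: the silent no-op
        return 405, {}


if __name__ == "__main__":
    # placeholder tenant host, not a real one
    base = "https://example-org.obsrvbl.com"
    api = FakeStealthwatch()
    print("resolved:", resolve_alert(api.send, base, 12345, "apiuser", "apikey"))
```

Wiring a real HTTP client in place of FakeStealthwatch.send is a matter of returning (response.status_code, response.json()) from a requests call; the verification step stays the same, and that read-back is the check that would have caught the wrong URL on the first run.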

6 Replies

lrypl
Cisco Employee

Hi,

Do you have a link to documentation for this API? I do not see it at https://developer.cisco.com/docs/stealthwatch/enterprise/reporting-api-version-1/

m2oswald
Level 1

I should add that I've tried both PUT and PATCH - neither throws an error, but neither resolves the alert.

chrivand
Cisco Employee

hello!

I just did it via the UI and then checked the Chrome Inspect Network tab. When I marked it as closed, helpful and not snoozed, this is what happened in the PATCH:

{
  "pk": 12345,
  "resolved": true,
  "scope": "gcp-west-42-vm",
  "priority": {
    "type": "Persistent Remote Control Connections",
    "override_priority": "No"
  },
  "merit": 8
}

Did you try it with the full JSON body, as in this example, or with partial data? Not sure whether that makes a difference; I guess it shouldn't, as it is PATCH, but it might be worth a try.

API docs are here btw: https://<your-org-prefix>.obsrvbl.com/api/docs/#operation/partialUpdateAlert

m2oswald
Level 1

Thanks for the help, and for the API doc link. Unfortunately I'm still stuck.

I tried sending the PATCH body using all of the fields shown in the API doc example, but still no change to the alert (and no error). I manually resolved the alert and checked the Inspect Network tab as you suggested - basically got the same body as you saw. But again, using those fields on a different alert resulted in no change and no error.

I tried just changing the assigned_to field - nothing.

I generated the API key with my account, and I'm able to GET alerts through the API and update alerts manually (e.g. resolve them, change the assigned_to fields) so I don't think it's an issue with permissions.

Any other suggestions would be greatly appreciated, as I just don't know what else to try.
