The triggered time itself has millisecond precision, but can be searched for using parameters of higher granularity on the form [x, y], which is interpreted as beginning of x until end of y.

For example:

• [2024-08-01, 2024-08-14] matches alerts triggered since beginning of 2024-08-01 to end of 2023-08-14
• [2024-09-23 12:02, 2024-09-23 12:03] matches alerts triggered since beginning of 12:02 to end of 12:03, for example including an alert with triggered: 12:03:58.567

The format of the time is either 2024-09-23 12:03:58.000 or 2024-09-23T12:03:58.000Z (the T and Z are optional). The precision used can range from a year down to milliseconds. On the form [x, y], x and y should have the same level of precision (e.g. date, minutes, milliseconds). Relative time expressions are also supported, such as -2d, which means two days prior to today and yesterday. As with absolute time references, both ends of the range still need to be specified. For example, to search for alerts that fired within the last 24 hrs, use triggered = [-24h,]. Open-ended ranges is allowed, but will only exclude one single millisecond compared to a closed-ended range, and therefore only make sense to use when filtering on millisecond precision.

For example:

• [2024-09-23 12:03:58.000, 2024-09-23 12:03:58.567) will match an alert triggered at 12:03:58.567 but not an alert triggered at 12:03:58.568.

Filter by a specific assigned user, using the email address associated with that user account, or use 'NONE' to explicitly match against unassigned alerts.

Filter by review status.

Filter by alert rule id.

Filter by any text.

Sort order

Sort direction based on the triggered timestamp

Fields to include in the response. If no specific fields are requested, all available fields are included in the response.

Values should be separated by comma.

Available fields are:

• ai_insights
• enriched_entities
• hits
• id
• log
• owner_organisation_details
• review
• rule
• title
• triggered_by
• type
• url