What this endpoint does

Searches Recorded Future alerts — notifications generated when alert rules detect new intelligence matching monitored criteria such as brand mentions, malware activity, vulnerability disclosures, or infrastructure changes. Alerts can be filtered by time range (e.g., last 24 hours), review status (New, Resolved, Pending, Dismissed), alert rule, assignee, or freetext search across alert content. Results are paginated and sorted by trigger time. Use the fields parameter to control which sections are returned (e.g., id,rule,review,hits), as full alert responses including hits can be very large. Alert IDs from search results are used with the Alerts: Get by ID, Alerts: Get Hits, and Alerts: Get Image endpoints.

Response data

Returns a paginated array of alert objects along with counts showing the number returned and total matching. Each alert includes the triggering rule's name and identifier, the alert's triage review status and assignee, and the triggered_by field showing the entity path chains that caused the alert — for example, which company or domain matched which watchlist. When the hits field is requested, each alert also includes the full array of intelligence matches with source documents, entity references, and text fragments. The counts object enables pagination by providing the total number of matching alerts.