Solved

What is the difference between Alert and Security_assessment endpoints in API?

  • 15 December 2021
  • 3 replies
  • 28 views

Badge +5

Hi All, 

 

I am looking for getting alerts from the Netskope tenant. So far I am seeing 2 API endpoints which give me similar results.

  1. https://docs.netskope.com/en/get-alerts-data.html 

  2. https://docs.netskope.com/en/view-security-assessment-violations.html

Can someone please help me understand the difference between them? And when should I use which endpoints?  

I am very new here, let me know if I started the discussion at the wrong place. Thanks!


Best answer by jayjoshi-crest 16 December 2021, 13:23


3 replies

Badge +19

@nking @ekorhonen @jhwong would any of you be able to provide some insight into the 2 API endpoints and when a user should use them?


Badge +5

So far I have gathered the following details. Please feel free to add more if I missed something. 

 

Alerts:
  • It is a generic endpoint providing alerts for multiple categories.
  • It provides historical data; that means you can even get the alerts that were generated in the past.
  • For security assessment alerts, there's no way to check if the alert is resolved or not.
  • start-time & end-time parameters are required to get the historical data.
  • Since the alert endpoint is used for many categories, it provides much more detail in the response.
  • For filtering, only the "query" request param is available.

Security Assessment:
  • The security assessment is just one category of alert.
  • It provides the alerts which are currently open: only the last snapshot instead of historical.
  • The status parameter can tell if the rule is passed or not at the present time.
  • It will only provide the latest data.
  • Only the details specific to the security alert are provided, but so far, it does the job.
  • For filtering, multiple params are available. But so far, both ways are equally good.

Badge +11

That looks correct to me. A useful way to think of the security-assessment endpoint vs. the alerts endpoint is to see the first one as an alias for a subset of the latter with some useful additional filter shortcuts built in.
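The "historical stream vs. latest snapshot" distinction described in this thread, as an added example that is not from the thread or from Netskope's documentation: the records, field names (rule, resource, status, timestamp) and values below are constructed for illustration and are not Netskope's response schema. It reduces a historical alert list (what the alerts endpoint returns over a start/end window) to the per-rule latest state (what the security-assessment endpoint hands back), and shows the one thing only the historical view can answer: which findings were resolved.

```python
from typing import Dict, List, Tuple

# Constructed sample: security-assessment alerts as a historical stream, oldest
# first. Field names are assumptions for illustration only.
SAMPLE_ALERTS: List[dict] = [
    {"rule": "s3-bucket-public", "resource": "bucket-a", "status": "Failed", "timestamp": 1639500000},
    {"rule": "s3-bucket-public", "resource": "bucket-a", "status": "Passed", "timestamp": 1639586400},
    {"rule": "iam-root-mfa",     "resource": "acct-1",   "status": "Failed", "timestamp": 1639400000},
    {"rule": "iam-root-mfa",     "resource": "acct-1",   "status": "Failed", "timestamp": 1639586400},
    {"rule": "sg-open-ssh",      "resource": "sg-123",   "status": "Failed", "timestamp": 1639200000},
]

Key = Tuple[str, str]


def in_window(alerts: List[dict], start: int, end: int) -> List[dict]:
    """Emulate the start-time/end-time filter of the historical alerts endpoint."""
    return [a for a in alerts if start <= a["timestamp"] <= end]


def latest_snapshot(alerts: List[dict]) -> Dict[Key, dict]:
    """Collapse the historical stream to the newest record per (rule, resource).
    This is the 'only the last snapshot' view the thread attributes to the
    security-assessment endpoint."""
    latest: Dict[Key, dict] = {}
    for a in alerts:
        key = (a["rule"], a["resource"])
        if key not in latest or a["timestamp"] > latest[key]["timestamp"]:
            latest[key] = a
    return latest


def currently_failing(alerts: List[dict]) -> List[Key]:
    """Open findings: rules whose latest status is still Failed."""
    return sorted(k for k, a in latest_snapshot(alerts).items() if a["status"] == "Failed")


def resolved_since(alerts: List[dict], since: int) -> List[Key]:
    """Findings that failed at or after `since` but pass in the latest state.
    The snapshot alone cannot answer this; you need the historical records."""
    snap = latest_snapshot(alerts)
    failed: set = {(a["rule"], a["resource"]) for a in alerts
                   if a["status"] == "Failed" and a["timestamp"] >= since}
    return sorted(k for k in failed if snap[k]["status"] == "Passed")


if __name__ == "__main__":
    print("open findings:", currently_failing(SAMPLE_ALERTS))
    print("resolved since 1639400000:", resolved_since(SAMPLE_ALERTS, 1639400000))
```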
