Use the Alert Logic IRIS API to Close Incidents in Bulk

The following article describes how to mass close incidents on your account in the following three sections:

• Retrieve Your AIMS Authentication Token
• Create Closure Request
• Check Status of Closure Request

Retrieve Your AIMS Authentication Token

1. Authenticate with the Alert Logic AIMS service to retrieve your token for interacting with our APIs using the following:
   
   ~$ TOKEN=$(curl -X POST -u '<UIuser>:<UIpass>' -d '{"mfa_code": "<INSERTCODE>"}' https://api.cloudinsight.alertlogic.com/aims/v1/authenticate/ | jq -r .authentication.token)
   
   More information on our AIMS service can be found in the Alert Logic console.
   
   
2. Check that you have a valid token using: ~$ echo $TOKEN

Create Closure Request

A closure request can be created for closing:

• ALL incidents
• Incidents updated within a time range
• Incidents with a specific severity value

The possible values for the request are listed below:

• notes* - What note you would like added to the incident when it’s closed
• reason_code* - Below are the list of options and what each means:
  • further_action - Taking action to mitigate the threat.
  • acceptable_risk - Risk is acceptable. No action required.
  • compensating_control - Compensation control in place. No action required.
  • threat_not_valid - The threat is not valid.
  • other - Other assessment.
• start_time - Start of the timeframe to close incidents for (epoch format)
• end_time - End of the timeframe to close incidents for (epoch format)
• severity - What severity incidents you want to close - Critical, High, Medium, Low, Info

The values for notes and reason_code are mandatory. The values for start_time, end_time, and severity are optional.

Additional considerations:

• If no start_time and no end_time are supplied, all relevant incidents for that account will be closed.
• If both start_time and end_time are supplied, all relevant incidents updated within that range for that account will be closed.
• If only start_time is supplied, all relevant incidents updated after start_time for that account will be closed.
• If only end_time is supplied, all relevant incidents updated before end_time for that account will be closed.
• If a value for severity is supplied, it will be applied to limit the incidents being closed; otherwise, relevant incidents for all severities will be closed.

Request Closure using the IRIS API

To request the closure of incidents, use the following IRIS API endpoint:

curl -H "x-aims-auth-token: ${TOKEN}" -X POST -d [...] https://api.cloudinsight.alertlogic<.com or .co.uk>/iris/v3/<Insert_Customer_id>/mass_close

Note: Make sure to update the URL based on whether your account is in our US or UK data center and add your Customer ID into the URL.

An example of a payload, to close all High incidents within a given period is below:

{

  "notes": "Closing high incidents between given date.",

  "reason_code": "other",

  "start_time": 1697180400,

  "end_time": 1697220000,

  "severity": "High"

}

If successful, it will return a request ID, similar to ee119379bccff2f6.

Check Status of Closure Request

To check the status of your request, use the IRIS API endpoint:

curl -H "x-aims-auth-token: ${TOKEN}" -X GET https://api.cloudinsight.alertlogic<.com or .co.uk>/iris/v3/<Insert_Customer_id>/mass_close/ee119379bccff2f6

This will return a JSON object of the following format:

{

 "request_id": "ee119379bccff2f6",

 "account_id": 134260824,

 "count": 18340,

 "end_time": 1699610627,

 "last_update": 1699612460,

 "notes": "Closing high incidents between given date.",

 "reason_code": "other",

 "requested_date": 1698938690,

 "start_time": 1668074603,

 "status": "COMPLETE",

 "who_str": "John Doe <jdoe@alertlogic.com>",

 "who_uuid": "CBAA2703-B7F6-43E6-8B17-F75A04A5423C"

}

The status of the request can be one of 3 values: REQUESTED, IN_PROGRESS, COMPLETE:

1. REQUESTED - the request is queued for processing but not yet picked up by the backend
2. IN_PROGRESS - the backend is processing the closure of all the relevant incidents.
3. COMPLETE - the backend has closed all relevant incidents.

The length of time it takes to complete a closure request will vary depending on the number of incidents to be closed, and if multiple requests are being actioned. An approximate estimate of duration is 10,000 incidents in 15 minutes.

To ensure the same closure request is not requested or run multiple times, there is a limitation that allows only one active closure request per account. If more than one request for the same account is needed, subsequent requests must only be submitted after the previous one has completed.