
GET /api/v1/alerts

Retrieve a paginated list of triggered alerts for your workspace.

Query Parameters

from (string): ISO 8601 timestamp. Return alerts triggered at or after this time.
to (string): ISO 8601 timestamp. Return alerts triggered at or before this time.
rule_type (string): Filter by alert rule type. One of: new_country, high_volume_destructive, ingestion_spike, repeated_action, off_hours.
limit (integer, default: 25): Number of alerts per page (max 100).
cursor (string): Pagination cursor from a previous response.

Response

{
  "data": [
    {
      "id": "alt_4f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c",
      "rule_id": "rul_1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
      "rule_name": "Suspicious Login",
      "rule_type": "new_country",
      "event_id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
      "reason": "Actor user_2hG9kLm logged in from DE for the first time",
      "triggered_at": "2026-03-26T08:45:12.000000Z"
    }
  ],
  "pagination": {
    "has_more": false,
    "next_cursor": null,
    "total": 1
  }
}

Alert Rule Types

| Type | Description |
| --- | --- |
| new_country | Actor performed an action from a previously unseen country |
| high_volume_destructive | High volume of destructive actions in a short window |
| ingestion_spike | Event ingestion volume exceeded normal baseline |
| repeated_action | Same action repeated by the same actor rapidly |
| off_hours | Action occurred outside configured business hours |

Examples

curl "https://getimmutable.dev/api/v1/alerts?rule_type=new_country&limit=10" \
  -H "Authorization: Bearer imk_your_api_key_here"
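
Paging through a full result set with the cursor parameter, as an added example (not code from this documentation or its vendor). The names iter_alerts, http_get and fake_get are hypothetical, the two-page response is constructed in the documented shape, and the lower bound of 1 on limit is an assumption.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://getimmutable.dev/api/v1/alerts"
RULE_TYPES = {"new_country", "high_volume_destructive", "ingestion_spike",
              "repeated_action", "off_hours"}

def http_get(url, api_key):
    """Default transport: one authenticated GET, JSON body decoded."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_alerts(api_key, rule_type=None, start=None, end=None, limit=100, get=http_get):
    """Yield every matching alert, following next_cursor until has_more is false."""
    if rule_type is not None and rule_type not in RULE_TYPES:
        raise ValueError(f"unknown rule_type: {rule_type!r}")
    if not 1 <= limit <= 100:  # documented maximum is 100; minimum of 1 is assumed
        raise ValueError("limit must be between 1 and 100")
    filters = {"rule_type": rule_type, "from": start, "to": end, "limit": limit}
    params = {k: v for k, v in filters.items() if v is not None}
    seen, cursor = set(), None
    while True:
        query = dict(params, cursor=cursor) if cursor else params
        page = get(f"{BASE_URL}?{urllib.parse.urlencode(query)}", api_key)
        yield from page["data"]
        if not page["pagination"]["has_more"]:
            return
        cursor = page["pagination"]["next_cursor"]
        if not cursor or cursor in seen:  # guard against a cursor that never advances
            raise RuntimeError("pagination did not advance")
        seen.add(cursor)

def fake_get(url, api_key):
    """Constructed two-page response in the documented shape, for offline runs."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if qs.get("cursor") == ["cur_page2"]:
        return {"data": [{"id": "alt_constructed_2", "rule_type": "new_country"}],
                "pagination": {"has_more": False, "next_cursor": None, "total": 2}}
    return {"data": [{"id": "alt_constructed_1", "rule_type": "new_country"}],
            "pagination": {"has_more": True, "next_cursor": "cur_page2", "total": 2}}

if __name__ == "__main__":
    for alert in iter_alerts("imk_your_api_key_here", rule_type="new_country",
                             start="2026-03-26T00:00:00Z", limit=10, get=fake_get):
        print(alert["id"], alert["rule_type"])
```

Drop the get=fake_get argument to call the live endpoint, and load the API key from a secret store or environment variable rather than the source file.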

Alert Delivery

Alerts are also delivered in real time via:
  • Email — Sent to workspace members with admin or owner roles.
  • Webhook — POSTed to your endpoint with an HMAC-SHA256 signature in the X-Immutable-Signature header. See Webhook Signatures.

Plan Quotas

| Plan | Alert Rule Limit |
| --- | --- |
| Free | 2 |
| Starter | 10 |
| Pro | 50 |
| Enterprise | Unlimited |