sophos_search_alerts
Search and filter alerts using a POST request body with filters like severity, product, category, date range, or alert IDs. Enables complex queries for targeted alert retrieval.
Instructions
Search alerts using a POST request body. Equivalent to sophos_list_alerts but filters are sent in a JSON body — useful for filtering by multiple IDs or long lists of categories/products.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ids | No | Array of specific alert IDs to retrieve | |
| sort | No | Sort order array (e.g. ['raisedAt:desc']) | |
| fields | No | Fields to include in the response (e.g. ['severity', 'groupKey', 'allowedActions']) | |
| product | No | Array of product names to filter on (e.g. ['endpoint', 'server', 'mobile', 'wireless']) | |
| to_date | No | Return alerts raised before this ISO 8601 timestamp | |
| category | No | Array of alert categories to filter on (e.g. ['malware', 'policy', 'runtimeDetections']) | |
| page_key | No | Pagination key for fetching the next page of results | |
| severity | No | Array of severity levels to filter on (e.g. ['high', 'medium', 'low']) | |
| from_date | No | Return alerts raised after this ISO 8601 timestamp | |
| group_key | No | Filter by group key for grouped alerts | |
| page_size | No | Number of alerts per page | 50 |
| tenant_id | Yes | The tenant ID to search alerts for | |
| page_total | No | If true, include total page count in the response | |
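As an added example (not the tool's or Sophos's own code), a client-side helper that validates a filter set against the schema above and walks the paginated results by following page_key. The request body reusing the tool's parameter names, and the response carrying alerts under "items" with the next cursor under "pages.nextKey", are assumptions; the page gives no wire format.

```python
# Added example, not code from the sophos_search_alerts tool or from Sophos.
# Assumptions: body keys reuse the tool's parameter names, and the response
# carries alerts under "items" and the next page cursor under "pages.nextKey".
from datetime import datetime
from typing import Callable, Iterator

SEVERITIES = {"high", "medium", "low"}  # closed set on the page; product/category are open-ended


def _parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_search_body(tenant_id: str, **filters) -> dict:
    """Validate the tool's filters and return a JSON-serialisable request body."""
    if not tenant_id:
        raise ValueError("tenant_id is required")
    bad = set(filters.get("severity") or []) - SEVERITIES
    if bad:
        raise ValueError(f"severity: unknown values {sorted(bad)}")
    start, end = filters.get("from_date"), filters.get("to_date")
    if start and end and _parse_iso(start) >= _parse_iso(end):
        raise ValueError("from_date must be earlier than to_date")
    size = filters.get("page_size", 50)
    if not isinstance(size, int) or size < 1:
        raise ValueError("page_size must be a positive integer")
    body = {"tenant_id": tenant_id, "page_size": size}
    body.update({k: v for k, v in filters.items() if v is not None and k != "page_size"})
    return body


def search_alerts(post: Callable[[dict], dict], tenant_id: str, **filters) -> Iterator[dict]:
    """Yield every matching alert, following page_key until no cursor is returned.
    `post` sends one request body and returns the decoded JSON response."""
    seen, page_key = set(), None
    while True:
        resp = post(build_search_body(tenant_id, page_key=page_key, **filters))
        for alert in resp.get("items", []):
            if alert["id"] not in seen:  # ignore alerts repeated across page boundaries
                seen.add(alert["id"])
                yield alert
        page_key = resp.get("pages", {}).get("nextKey")
        if not page_key:
            return


def fake_post(body: dict) -> dict:
    """Constructed stand-in for the HTTP call: two pages of sample alerts, one overlapping id."""
    pages = {None: {"items": [{"id": "a1"}, {"id": "a2"}], "pages": {"nextKey": "k2"}},
             "k2": {"items": [{"id": "a2"}, {"id": "a3"}], "pages": {}}}
    return pages[body.get("page_key")]
```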