Alerts & threats
Alerts are security events detected across the monitored surface of a tenant — from endpoint threats and network anomalies to identity-based attacks and policy violations.
The alert object
```json
{
  "id": "alr_01hxyz",
  "tenant_id": "ten_01hxyz",
  "title": "Suspicious login from new country",
  "description": "User [email protected] authenticated from Nigeria — first seen location.",
  "severity": "high",
  "status": "open",
  "category": "identity",
  "source": "homebase_identity",
  "affected_assets": [
    { "type": "user", "id": "usr_01hxyz", "label": "[email protected]" }
  ],
  "mitre_tactics": ["Initial Access"],
  "mitre_techniques": ["T1078"],
  "created_at": "2025-06-01T03:14:00Z",
  "updated_at": "2025-06-01T03:14:00Z",
  "resolved_at": null,
  "metadata": {}
}
```

Severity levels
| Severity | Type | Required | Description |
|---|---|---|---|
| critical | string | No | Immediate action required. Active compromise or data exfiltration likely. |
| high | string | No | Significant risk. Investigate within 1 hour. |
| medium | string | No | Elevated risk. Investigate within 24 hours. |
| low | string | No | Informational or low-probability threat. Review at next opportunity. |
| informational | string | No | Policy or hygiene finding. No direct threat. |
List alerts
```bash
GET /v1/alerts
```

| Name | Type | Required | Description |
|---|---|---|---|
| filter[tenant_id] | string | No | Scope to a specific tenant. |
| filter[severity] | string | No | One of: critical, high, medium, low, informational. |
| filter[status] | string | No | One of: open, acknowledged, resolved, suppressed. |
| filter[category] | string | No | One of: identity, endpoint, network, cloud, compliance. |
| filter[created_after] | string | No | ISO 8601 timestamp. |
| filter[created_before] | string | No | ISO 8601 timestamp. |
Acknowledge an alert
```bash
POST /v1/alerts/:id/acknowledge
{
  "note": "Verified with user — business travel to Lagos. False positive."
}
```

Resolve an alert
```bash
POST /v1/alerts/:id/resolve
{
  "resolution": "mitigated",
  "note": "Account locked and session terminated via Sentinel."
}
```

Escalate to Sentinel
```bash
POST /v1/alerts/:id/escalate
```

Escalating an alert hands it off to HLD Sentinel for automated investigation and response. The alert status changes to escalated and a linked incident is created under the Sentinel API.

Note: Escalation requires the sentinel:respond scope.
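The following Python is an added example, not code from the HLD API or its SDK: it builds the filter[...] query for GET /v1/alerts, flags open alerts that have passed the investigate-by window from the severity table, and forms the acknowledge request body. BASE_URL and the constructed SAMPLE_ALERTS are assumptions.

```python
"""Triage helpers for the alert object and severity SLAs described on this page.
Added example: BASE_URL, SAMPLE_ALERTS and the request builder are assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BASE_URL = "https://api.example.invalid"  # assumption: placeholder host

# Investigate-by windows from the severity table. critical means "now";
# low and informational carry no deadline, so they are not listed.
SLA = {
    "critical": timedelta(0),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=24),
}

def list_alerts_url(**filters):
    """GET /v1/alerts with filter[...] query parameters (None values are dropped)."""
    params = {f"filter[{k}]": v for k, v in filters.items() if v is not None}
    return f"{BASE_URL}/v1/alerts" + (f"?{urlencode(params)}" if params else "")

def parse_ts(value):
    # created_at / updated_at use ISO 8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def overdue_alerts(alerts, now):
    """IDs of alerts still 'open' whose investigate-by deadline has passed."""
    overdue = []
    for alert in alerts:
        if alert["status"] != "open" or alert["severity"] not in SLA:
            continue
        if now >= parse_ts(alert["created_at"]) + SLA[alert["severity"]]:
            overdue.append(alert["id"])
    return overdue

def acknowledge_request(alert_id, note):
    """(method, url, body) for POST /v1/alerts/:id/acknowledge."""
    return "POST", f"{BASE_URL}/v1/alerts/{alert_id}/acknowledge", {"note": note}

# Constructed sample alerts, shaped like the alert object above.
SAMPLE_ALERTS = [
    {"id": "alr_01hxyz", "severity": "high", "status": "open",
     "created_at": "2025-06-01T03:14:00Z"},
    {"id": "alr_02aaaa", "severity": "medium", "status": "open",
     "created_at": "2025-06-01T03:14:00Z"},
    {"id": "alr_03bbbb", "severity": "critical", "status": "acknowledged",
     "created_at": "2025-06-01T03:14:00Z"},
]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, 4, 30, tzinfo=timezone.utc)
    print(list_alerts_url(status="open", severity="high"))
    print(overdue_alerts(SAMPLE_ALERTS, now))  # ['alr_01hxyz']
```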