
✨ Step-by-Step for End Users

Step 1: Log in to Your Account

  1. Go to the AirMDR Admin console.
  2. Sign in with your credentials.
Step 2: Create Alerts on AirMDR

  1. Create the API key.
  2. To create an alert on AirMDR services, use the following API request:
    • API URL: Create alerts
    • Method: POST
    • 🔐 Authentication (AirMDR API key), passed as a session cookie exactly as in the curl sample below:
      Header = {"Cookie": "Session=\"<API_KEY>\"", "Content-Type": "application/json"}

    Choose which types of alerts you want sent automatically (e.g., all, critical only, specific policies).
Step 3: Payload Format and Mandatory Params

  1. Define the payload format (default is JSON).
  2. Test the webhook feature to make sure it's working.
    📦 Request Body Parameters for creating alerts:

    Field             | Type            | Required | Description
    alert_content     | string          | Yes      | The content/body of the alert
    alert_provider    | string          | Yes      | The provider/source of the alert (e.g. cyberhaven, aws, microsoft_graph, etc.)
    organization_code | string          | Yes      | Code/identifier of the organization this alert belongs to
    alert_type        | string          | Yes      | The type/category of the alert (needed for automatic AI investigation)
    created_at_source | integer <int64> | No       | Timestamp when the alert was created at the source/provider
AirMDR JSON parameters
 {
   "alert_content": "string",
   "alert_provider": "string",
   "alert_type": "string",
   "organization_code": "string",
   "created_at_source": integer <int64>
 }
Mandatory Required Params:
  • "organization_code": "string"
    To fetch your organization code on AirMDR services, use the following API request:
    • API URL: getOrganizationsAPI
    • Method: GET
    • 🔐 Authentication (AirMDR API key), passed as a session cookie:
      Header = {"Cookie": "Session=\"<API_KEY>\"", "Content-Type": "application/json"}

  • "alert_content": "string"
  • "alert_provider": "string"
    To fetch the list of providers on AirMDR services, use the following API request:
    • API URL: getProvidersAPI
    • Method: GET
    • 🔐 Authentication (AirMDR API key), passed as a session cookie:
      Header = {"Cookie": "Session=\"<API_KEY>\"", "Content-Type": "application/json"}

  • "alert_type": "string"
    For the AI to investigate an alert automatically, the user must provide the alert_type parameter.

📋 Quick Example: Sending Alert to AirMDR via Webhook

Request sample

curl --location 'https://app.airmdr.com/airmdrapi/alerts' \
--header 'Cookie: Session="<your API KEY>"' \
--header 'Content-Type: application/json' \
--data '{
    "alert_content": "Dummy content",
    "alert_provider": "aws",
    "organization_code": "ASO",
    "alert_type": "Dummy Alert Type",
    "created_at_source": 1717659339
}'
Response sample

{
"alert_content":"Dummy content",
"alert_id":"ASO-AWS-129",
"alert_provider":"aws",
"alert_type":"Dummy Alert Type",
"alert_uuid":"7ffe9065-ef7e-44ee-b19f-142de5e10422",
"created_at":1746425005,
"created_at_source":1746425005,
"created_by":"11f9cc8f-8c0c-484d-a2e7-de2b5b9b05ea",
"investigation_retry_count":0,
"investigation_status":0,
"modified_at":1746425005,
"organization_code":"ASO",
"organization_uuid":"accb34f3-85c5-4137-906b-55b3022034a3"
}
Investigation Status Values:
  • Created = 0
  • Submitted = 5
  • InProgress = 10
  • Completed = 15
  • Failed = 20
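The following Python client, added here as an example and not AirMDR's own code or SDK, ties together Step 2 (the session-cookie header), Step 3 (the mandatory parameters) and the response sample above. The endpoint URL, header format, field names and investigation status codes are taken from this page; the function names, the validation rules, the injectable `transport` parameter and the default of `created_at_source` to the current time are my own assumptions.

```python
# Added example client for the alert-creation flow on this page (not AirMDR's own code).
# Endpoint, header format, field names and status codes come from the page; function
# names, validation rules and the created_at_source default are assumptions.
import json
import time
import urllib.request

ALERTS_URL = "https://app.airmdr.com/airmdrapi/alerts"

# "Investigation Status Values" from the response section of this page.
INVESTIGATION_STATUS = {0: "Created", 5: "Submitted", 10: "InProgress", 15: "Completed", 20: "Failed"}

# The four fields listed under "Mandatory Required Params".
MANDATORY_FIELDS = ("organization_code", "alert_content", "alert_provider", "alert_type")

# The page's own response sample, embedded so parse_response can be exercised offline.
SAMPLE_RESPONSE = (
    '{"alert_content":"Dummy content","alert_id":"ASO-AWS-129","alert_provider":"aws",'
    '"alert_type":"Dummy Alert Type","alert_uuid":"7ffe9065-ef7e-44ee-b19f-142de5e10422",'
    '"created_at":1746425005,"created_at_source":1746425005,'
    '"created_by":"11f9cc8f-8c0c-484d-a2e7-de2b5b9b05ea","investigation_retry_count":0,'
    '"investigation_status":0,"modified_at":1746425005,"organization_code":"ASO",'
    '"organization_uuid":"accb34f3-85c5-4137-906b-55b3022034a3"}'
)


def build_headers(api_key: str) -> dict:
    """Headers from the page: the API key travels as Session="<key>" inside a Cookie header."""
    # A quote, semicolon or newline in the key would break the cookie syntax or inject extra
    # header lines, so refuse such keys rather than send a malformed request.
    if not api_key or any(ch in api_key for ch in '";\r\n'):
        raise ValueError("API key must be non-empty and contain no quotes, semicolons or newlines")
    return {"Cookie": f'Session="{api_key}"', "Content-Type": "application/json"}


def missing_mandatory(payload: dict) -> list:
    """Return the mandatory fields that are absent or not a non-empty string."""
    return [f for f in MANDATORY_FIELDS
            if not isinstance(payload.get(f), str) or not payload[f].strip()]


def build_payload(organization_code, alert_content, alert_provider, alert_type,
                  created_at_source=None) -> dict:
    """Assemble the request body; created_at_source defaults to now (assumption, not from the page)."""
    if created_at_source is None:
        created_at_source = int(time.time())
    if isinstance(created_at_source, bool) or not isinstance(created_at_source, int) or created_at_source < 0:
        raise ValueError("created_at_source must be a non-negative int64 Unix timestamp")
    payload = {
        "alert_content": alert_content,
        "alert_provider": alert_provider,
        "alert_type": alert_type,
        "organization_code": organization_code,
        "created_at_source": created_at_source,
    }
    missing = missing_mandatory(payload)
    if missing:
        raise ValueError("mandatory field(s) missing or empty: " + ", ".join(missing))
    return payload


def build_request(api_key: str, payload: dict) -> urllib.request.Request:
    """POST request equivalent to the page's curl sample."""
    return urllib.request.Request(ALERTS_URL, data=json.dumps(payload).encode("utf-8"),
                                  headers=build_headers(api_key), method="POST")


def parse_response(body: str) -> dict:
    """Keep the identifiers worth recording and translate investigation_status to its name."""
    data = json.loads(body)
    code = data.get("investigation_status")
    return {
        "alert_id": data["alert_id"],
        "alert_uuid": data["alert_uuid"],
        "investigation_status": code,
        "investigation_status_name": INVESTIGATION_STATUS.get(code, f"Unknown({code})"),
    }


def _http_transport(request: urllib.request.Request) -> str:
    """Default transport: perform the request and return the response body as text."""
    with urllib.request.urlopen(request, timeout=15) as resp:
        return resp.read().decode("utf-8")


def send_alert(api_key: str, payload: dict, transport=_http_transport) -> dict:
    """Validate, send and parse; `transport` is injectable so the flow can run offline."""
    missing = missing_mandatory(payload)
    if missing:
        raise ValueError("mandatory field(s) missing or empty: " + ", ".join(missing))
    return parse_response(transport(build_request(api_key, payload)))


if __name__ == "__main__":
    import os
    payload = build_payload("ASO", "Dummy content", "aws", "Dummy Alert Type", 1717659339)
    key = os.environ.get("AIRMDR_API_KEY")  # set this to send for real; otherwise run offline
    if key:
        print(send_alert(key, payload))
    else:
        print(send_alert("offline-key", payload, transport=lambda req: SAMPLE_RESPONSE))
```

Without `AIRMDR_API_KEY` set, the script runs entirely offline against the embedded response sample; the injectable `transport` is also the hook to use in a unit test. Rejecting keys containing quotes or newlines before they reach the `Cookie` header keeps a bad key from producing a malformed cookie or smuggling extra header lines.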

AirMDR Alerts Dashboard UI

You can view all your created alerts on the Alerts page.
If the user provides the alert_type parameter, the AI automatically:
  • creates a new Investigator Playbook (if there is no existing playbook for the specified alert_type), or
  • investigates the alert within the existing Investigator Playbook, and
  • creates a Case (each time, a new Case is generated in Case Management).
The alert content is organized and segregated on the Alerts page, with each column showing the corresponding data:

Title           | Description                                                                                                   | Example
ID              | The ID is compiled as Org ID-Alert provider-Sequence Number                                                   | ASO-AWS-129
ORG             | Organization Identifier: unique code assigned to the respective organization                                  | ASO
PROVIDER        | Alert provider: the system, service, or tool that generated or sent the alert which triggered the playbook   | aws
ALERT NAME      | Alert Name/Alert Type: a descriptive title or identifier of the alert that triggered the workflow             | Dummy Alert Type
STATUS          | Common alert status values in a playbook                                                                      | Created, Submitted, InProgress, Completed, Failed
CREATION TIME   | The timestamp indicating when the alert was first generated or ingested into the system                       | May 05 2025, 11:33 AM
INVESTIGATOR    | Automated Playbook workflow created on AirMDR services                                                        | ASO aws - Dummy Alert Type - AI Generated May 05, 2025
CASE ID         | Unique identifier assigned to the case created on AirMDR services                                             | ASO-13812
COMPLETION TIME | The timestamp indicating when the playbook finished executing for a given alert                               | May 05 2025, 11:34 AM
Content         | Alert content shared with AirMDR services                                                                     | Dummy content