Create Alert Enrichment Item

Creates a new alert enrichment item (Enrichment V2)


New API Version & Additional Functionality

Extraction and Composition tags cannot be created using the V2.0 Alert Enrichment. To create and manage non-mapping tags, see the Alert Enrichments V2.1 API version documentation.

If you have previously configured API management of Alert Enrichment using the V1 or V2.0 API, you can update those processes to the new version by following the steps in the Migrate to Alert Enrichment V2.1 documentation.


Authentication

All BigPanda APIs require Bearer Token Authorization in the call headers.

This API uses the User API Key type of Authorization token.


Tag Limitations

To maintain quality of service, BigPanda limits the number of alert tags and enrichment items available. Each organization can have:

  • 1000 alert tags
  • 500 enrichment items per alert tag
  • 20,000 alert enrichment items total
  • 200 mapping enrichment results tags

If more alert tags or enrichment items are needed, we recommend exploring normalization options to help streamline your alert data and improve incident quality.

Sample Calls

curl --request POST \
     --url https://api.bigpanda.io/resources/v2.0/alert-enrichments \
     --header 'Authorization: Bearer <User API Key>' \
     --header 'Content-Type: application/json' \
     --data '{
	"type": "mapping",
	"active": true,
	"when": "discard != true",
	"config": {
		"name": "map-test5",
		"fields": [
			{
				"title": "application",
				"type": "query_tag"
			},
			{
				"title": "application1",
				"type": "query_tag"
			},
			{
				"title": "owner",
				"type": "result_tag",
				"override_existing": false
			},
			{
				"title": "Runbook URL",
				"type": "result_tag",
				"tag_name": "wiki",
				"override_existing": false
			}
		]
	},
	"note": "wiki.com"
}'

curl --request POST \
     --url https://eu-api.bigpanda.io/resources/v2.0/alert-enrichments \
     --header 'Authorization: Bearer <User API Key>' \
     --header 'Content-Type: application/json' \
     --data '{
	"type": "mapping",
	"active": true,
	"when": "discard != true",
	"config": {
		"name": "map-test5",
		"fields": [
			{
				"title": "application",
				"type": "query_tag"
			},
			{
				"title": "application1",
				"type": "query_tag"
			},
			{
				"title": "owner",
				"type": "result_tag",
				"override_existing": false
			},
			{
				"title": "Runbook URL",
				"type": "result_tag",
				"tag_name": "wiki",
				"override_existing": false
			}
		]
	},
	"note": "wiki.com"
}'

Literal Pipes in Tag Values

The pipe character (|) is used in BigPanda as the delimiter for array values.
If a value should contain a literal pipe, wrap the entire cell in three double quotes:
"""this is a | literal pipe"""
If a value should contain both a literal pipe and quotation marks, wrap the entire cell in three double quotes and wrap the quoted text in four double quotes:
"""this is a | literal pipe with """"quoted"""" text"""


Filtering by Source or Integration

You can use the when parameter to filter by source or integration.

Example:
"when": "source_system IN [nagios*, datadog, api.integration]"
