Guys, I am looking to do the following:
So, looking through the SDK I see these endpoints:
There does not appear to be any information, though, as to what exactly those endpoints refer to (i.e. match the endpoint to the UI). Can these be used to achieve what my ask is?
Alert definitions is legacy stuff, nothing you have now should come from that table. Alert configurations is where the web-based alert stuff lives.
The actual alert messages and their details live on orion.actionproperties, but you will need to join through orion.actionassignments to get to them from alertconfigurations.
I modify alert actions in SQL and SWQL pretty often, in fact I made changes to about 100 actions this morning to try to make our messages more useful.
As far as the copy and edit stuff that you want to do, for the API I expect the recommended method would be to use the alertconfigurations export verb to get your alertdata into a variable, then set-swisobject enabled = 0 on the alert you just copied, import the alert back in and on your new alertid set the canned = 0. Then you would join that back to the actions and figure out all the changes you want to make there. Primarily that's going to be a lot of reading the propertyname and propertyvalues to find which ones need changes, and then using set-swisobject to modify them as needed. Usually I find it easiest to edit one example the way I want it in the GUI, then use the script to propagate out the change to everything else.
Those commands also assume you are using PowerShell, but the idea is the same in any language.
Thanks for taking time to answer my question! Much appreciated.