To improve data integrity and provide better context within your automated workflows, we are introducing a breaking change to how our API handles cloned alerts.
What is Changing?
In our upcoming release, we are updating the behavior of four specific GET endpoints. Previously, requesting a cloned alert would return the alert data directly. Moving forward, the API will return a 409 Conflict error if the requested alert is a clone.
Also, please note that on the platform, cloned alerts will no longer be displayed on the Investigation page.
This change is designed to reduce noise and help you focus on unique, high-priority incidents.
Definition:
A clone alert is an alert ingested by our system that has the exact same raw data as another alert that we already investigated.
Technical Details
If you attempt to GET a cloned alert, the API will respond as follows:
Status Code: 409 Conflict
Error Payload: Includes the reference_alert_id
Impacted Endpoints:
GET /v2/investigations/{alert_id}/results
GET /v2/investigations/{alert_id}/results/{section}
GET /v2/investigations/{alert_id}/html
GET /v2/investigations/{alert_id}/html/{section}
Example Error Response:
{
"detail": {
"message": "This alert describes the same incident as ALT-12345",
"alert": {
"id": "ALT-12345",
"profile_id": "PROF-789",
"external_id": "EXT-001",
"metadata": {...},
"title": "Suspicious Login Activity",
"index": "logs-auth-001",
"received_at": "2023-10-27T10:00:00Z"
},
"status": "CLONE"
}
}
Action Required: Updating Your SOAR Playbooks
Because the 409 error payload contains only a summary of the original alert, you will need to update your automation logic to perform a second query to retrieve the full alert details.
1. Catch the 409 Error: Update your integration logic to listen for the 409 Conflict status code.
2. Extract the Reference ID: Parse the response body to get the detail.alert.id.
3. Perform a Follow-up Request: Initiate a new GET request using that id to fetch the complete alert data.
4. Deduplication: Use this logic to link the current workflow to the existing "Reference" incident in your SOAR, avoiding the creation of duplicate tickets.
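As an added example (not part of this announcement and not the vendor's own client code), the following Python implements the playbook logic above: it calls the results endpoint, treats a 409 Conflict as a clone, reads detail.alert.id from the payload, re-queries the reference alert, and bounds the number of follow-ups so a chain of clone references cannot loop. The base URL, the injectable transport function and the sample responses are assumptions constructed from the example payload.

```python
import json
from typing import Callable, Tuple

# Transport: takes a URL and returns (status_code, body_text). In production it
# would wrap requests.get(); it is injectable so the logic runs offline here.
Transport = Callable[[str], Tuple[int, str]]
BASE = "https://api.example.invalid"  # assumed placeholder base URL

def extract_reference_id(body: str) -> str:
    """Return detail.alert.id from the documented 409 clone payload."""
    detail = json.loads(body)["detail"]
    if detail.get("status") != "CLONE":
        raise ValueError("409 without status CLONE is not a clone response")
    return detail["alert"]["id"]

def get_results(alert_id: str, transport: Transport, max_hops: int = 3) -> dict:
    """GET /v2/investigations/{alert_id}/results, following clone references.
    Returns the resolved alert id, the clone ids skipped, and the results body;
    max_hops bounds the follow-up loop so a bad reference chain cannot spin."""
    chain = []
    current = alert_id
    for _ in range(max_hops):
        status, body = transport(f"{BASE}/v2/investigations/{current}/results")
        if status == 200:
            return {"alert_id": current, "clones_skipped": chain, "results": json.loads(body)}
        if status == 409:
            chain.append(current)          # remember the clone for SOAR linking
            current = extract_reference_id(body)
            continue
        raise RuntimeError(f"unexpected status {status} for {current}")
    raise RuntimeError(f"clone reference chain longer than {max_hops} hops")

# Constructed sample responses modelled on the announcement's example payload.
_FAKE = {
    f"{BASE}/v2/investigations/ALT-99999/results": (409, json.dumps({"detail": {
        "message": "This alert describes the same incident as ALT-12345",
        "alert": {"id": "ALT-12345", "title": "Suspicious Login Activity"},
        "status": "CLONE"}})),
    f"{BASE}/v2/investigations/ALT-12345/results": (200, json.dumps(
        {"id": "ALT-12345", "title": "Suspicious Login Activity"})),
}

def fake_transport(url: str) -> Tuple[int, str]:
    """Offline stand-in for the HTTP client; unknown URLs return 404."""
    return _FAKE.get(url, (404, "{}"))

if __name__ == "__main__":
    print(get_results("ALT-99999", fake_transport))
```

The clones_skipped list is what your SOAR should use to attach the incoming clone to the existing reference incident instead of opening a new ticket.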
Release Timeline
Production Deployment: 21/01/2026.
Coming Soon
We will introduce a change where alerts flagged by our system as duplicates benefit from the same investigation as a chosen reference alert.
Definition: A duplicate alert is an alert ingested by our system that has the exact same security observables as another alert that we already investigated. This is less restrictive than clone alerts.