Hi Dishen,
The alert data model in VI separates the incoming "events" that need to be investigated from the alert "work item". The events are basically immutable - they get recorded when they arrive. When an alerting event arrives, the system will check if there is an alert or not. If there is no alert, one is created. If there is an alert, it is updated based on information in the new event. The score may change, the alert may be routed to a different queue, etc. We maintain a complete audit trail of changes that are made to the alert over time.
In your situation, I think the easiest thing for you to do is query the svi_alerts.tdc_alerting_event table. You can use the created_dttm column to find all the new alerting events that were generated by scenario administrator. (Depending on your configuration, you may also want to filter on domain_id if the deployment includes multiple alerting domains.)
Since you were talking about ETL, I was using "SQL terminology". This information is also accessible via a REST call. That would look something like this:
/svi-alert/alertingEvents?filter=gt(creationTimeStamp,2020-04-22) or
/svi-alert/alertingEvents?filter=and(eq(domainId,svidomain),gt(creationTimeStamp,2020-04-22))
You can learn more about the alert data model by reading Chapter 2 of the SAS® Visual Investigator 10.6: User’s Guide, "Performing Alert-Based Investigations", and Chapter 16 of the SAS® Visual Investigator 10.6: Administrator’s Guide, "Alert Scorecards".
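An added sketch of the incremental pull described in the reply above (not part of the original post and not SAS code): because alerting events are immutable, an ETL job can keep a high-water mark on created_dttm and fetch only newer rows. It uses an in-memory SQLite table as a constructed stand-in for svi_alerts.tdc_alerting_event; only created_dttm and domain_id come from the post, and the alerting_event_id column, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for svi_alerts.tdc_alerting_event. Only created_dttm and
# domain_id are named in the post; alerting_event_id is a hypothetical key column.
def make_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tdc_alerting_event ("
               "alerting_event_id TEXT PRIMARY KEY, "
               "domain_id TEXT, created_dttm TEXT)")
    db.executemany("INSERT INTO tdc_alerting_event VALUES (?, ?, ?)", [
        ("e1", "svidomain", "2020-04-21T23:59:59Z"),    # before the watermark
        ("e2", "svidomain", "2020-04-22T08:15:00Z"),
        ("e3", "otherdomain", "2020-04-22T08:15:00Z"),  # different alerting domain
        ("e4", "svidomain", "2020-04-22T08:15:00Z"),    # same timestamp as e2
    ])
    return db

def pull_new_events(db, watermark, domain_id=None):
    """Return (rows, new_watermark) for events created after the watermark.

    watermark is (created_dttm, alerting_event_id). The id acts as a tie-breaker
    so that events sharing one timestamp are neither skipped nor read twice.
    """
    last_dttm, last_id = watermark
    sql = ("SELECT alerting_event_id, domain_id, created_dttm "
           "FROM tdc_alerting_event "
           "WHERE (created_dttm > ? OR (created_dttm = ? AND alerting_event_id > ?))")
    params = [last_dttm, last_dttm, last_id]
    if domain_id is not None:
        # Optional filter for deployments with multiple alerting domains.
        sql += " AND domain_id = ?"
        params.append(domain_id)
    sql += " ORDER BY created_dttm, alerting_event_id"
    rows = db.execute(sql, params).fetchall()
    if rows:
        # Advance the watermark to the last row actually extracted.
        watermark = (rows[-1][2], rows[-1][0])
    return rows, watermark

if __name__ == "__main__":
    db = make_sample_db()
    rows, wm = pull_new_events(db, ("2020-04-22T00:00:00Z", ""), "svidomain")
    print(rows, wm)
```

When the domain filter is used, keep one watermark per domain so that a pull for one domain does not advance past unread events in another.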