Get Alerts Multi-Events v1

Cortex XDR REST API

post /public_api/v1/alerts/get_alerts_multi_events

**Note:** This endpoint is legacy. Use the Get Alerts Multi-Events v2 endpoint instead.

Get a list of alerts with multiple events.

  • Filters are combined using an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of alerts from the start of the result set. Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Note: You can send a request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding String

For retrieving a compressed gzipped response

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
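# Authorization carries the API key and x-xdr-auth-id its key ID; supply them from a
# variable or file rather than typing secret values into the shell history.
# Accept-Encoding defaults to gzip on this endpoint, so --compressed lets curl inflate the reply.
# The generated sample sent an empty body (-d ''); the smallest body shown under REQUEST
# below is {"request_data":{}}, which returns unfiltered results.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  -H 'Accept-Encoding: gzip' \
  --compressed \
  'https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events' \
  -d '{"request_data":{}}'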
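import gzip
import http.client
import json

# Authorization carries the API key and x-xdr-auth-id its key ID. Read them from a secret
# store or environment variable; the placeholders below are not meant to be committed.
API_KEY = "SOME_STRING_VALUE"
API_KEY_ID = "SOME_STRING_VALUE"

# Medium/high severity alerts, first five results, sorted by severity ascending.
# Compact separators produce the same bytes as the hand-escaped string in the generated sample.
payload = json.dumps(
    {
        "request_data": {
            "filters": [
                {"field": "severity", "operator": "in", "value": ["medium", "high"]}
            ],
            "search_from": 0,
            "search_to": 5,
            "sort": {"field": "severity", "keyword": "asc"},
        }
    },
    separators=(",", ":"),
)

headers = {
    "Authorization": API_KEY,
    "x-xdr-auth-id": API_KEY_ID,
    # The endpoint defaults to a gzipped response and http.client does not
    # transparently decompress, so Content-Encoding is checked below.
    "Accept-Encoding": "gzip",
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate with the default context.
conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/alerts/get_alerts_multi_events", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

if (res.getheader("Content-Encoding") or "").lower() == "gzip":
    data = gzip.decompress(data)

body = data.decode("utf-8")
if res.status != 200:
    # Error replies carry err_code / err_msg / err_extra; see the Responses section on this page.
    raise SystemExit(f"HTTP {res.status} {res.reason}: {body}")

print(body)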
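require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The generated sample used VERIFY_NONE, which would let
# any host that intercepts the connection read the API key sent in the Authorization header.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Authorization carries the API key and x-xdr-auth-id its key ID; load both from
# configuration rather than embedding them in source.
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'

# Medium/high severity alerts, first five results, sorted by severity ascending.
request.body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}"

response = http.request(request)
puts response.read_body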
// Request body: medium/high severity alerts, first five results, sorted by severity ascending.
const data = JSON.stringify({
  request_data: {
    filters: [{ field: "severity", operator: "in", value: ["medium", "high"] }],
    search_from: 0,
    search_to: 5,
    sort: { field: "severity", keyword: "asc" },
  },
});

const xhr = new XMLHttpRequest();
// The API authenticates with the Authorization / x-xdr-auth-id headers, not cookies, so
// withCredentials is not required for the call; kept to match the generated sample.
xhr.withCredentials = true;

xhr.onreadystatechange = function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
};

xhr.open("POST", "https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events");

// Authorization carries the API key and x-xdr-auth-id its key ID. Anything shipped in
// browser-side JavaScript is visible to whoever loads the page, so these values belong on a
// server-side component, not in client code.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");

xhr.send(data);
// Request body: medium/high severity alerts, first five results, sorted by severity ascending.
String body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

// Authorization carries the API key and x-xdr-auth-id its key ID; read them from
// configuration rather than embedding them in source.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events")
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("Accept-Encoding", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body(body)
        .asString();
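import Foundation

// Authorization carries the API key and x-xdr-auth-id its key ID; load them from the
// keychain or configuration rather than compiling them into the binary.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "Accept-Encoding": "SOME_STRING_VALUE",
    "content-type": "application/json"
]

// Medium/high severity alerts, first five results, sorted by severity ascending.
let parameters = ["request_data": [
    "filters": [
        ["field": "severity", "operator": "in", "value": ["medium", "high"]]
    ],
    "search_from": 0,
    "search_to": 5,
    "sort": ["field": "severity", "keyword": "asc"]
]] as [String: Any]

// JSONSerialization.data(withJSONObject:) is a throwing call; the generated sample omitted `try`.
let postData: Data
do {
    postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    fatalError("Could not encode request body: \(error)")
}

let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events")! as URL,
                                  cachePolicy: .useProtocolCachePolicy,
                                  timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest) { data, response, error in
    if let error = error {
        print(error)
    } else if let httpResponse = response as? HTTPURLResponse {
        // Non-200 replies carry err_code / err_msg / err_extra in the body.
        print(httpResponse)
    }
}
dataTask.resume()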
<?php
// Request body: medium/high severity alerts, first five results, sorted by severity ascending.
$body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events",
    CURLOPT_RETURNTRANSFER => true,
    // Empty string asks libcurl to decode any supported compression; the explicit
    // Accept-Encoding header below takes precedence over the one libcurl would generate.
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    // Authorization carries the API key and x-xdr-auth-id its key ID; read them from
    // configuration rather than embedding them in source.
    CURLOPT_HTTPHEADER => [
        "Accept-Encoding: SOME_STRING_VALUE",
        "Authorization: SOME_STRING_VALUE",
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE",
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
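/* Request body: medium/high severity alerts, first five results, sorted by severity ascending. */
const char *body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;

if (hnd == NULL) {
    fprintf(stderr, "curl_easy_init failed\n");
} else {
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events");

    /* Authorization carries the API key and x-xdr-auth-id its key ID; read them from
     * configuration rather than embedding them in source. */
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, body);

    CURLcode ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "request failed: %s\n", curl_easy_strerror(ret));
    }

    /* The generated sample leaked both the header list and the easy handle. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}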
// Request body: medium/high severity alerts, first five results, sorted by severity ascending.
const string body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":0,\"search_to\":5,\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}";

var client = new RestClient("https://api-yourfqdn/public_api/v1/alerts/get_alerts_multi_events");
var request = new RestRequest(Method.POST);

// Authorization carries the API key and x-xdr-auth-id its key ID; read them from
// configuration rather than embedding them in source.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", body, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobject
filtersarray

An array of filter fields.

[
fieldobject (Enum)

Identifies the alert field the filter is matching. Filters are based on the following keywords:

  • alert_id_list: List of integers representing the alert IDs.
  • alert_source: List of strings representing the alert sources.
  • severity: List of strings representing the alert severities.
  • creation_time: Timestamp of the alert creation time.
  • server_creation_time: Timestamp of when Cortex XDR created the alert.
  • external_id_list: List of external IDs.
Allowed values: "alert_id_list", "alert_source", "severity", "creation_time", "server_creation_time", "external_id_list"
operatorobject (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords are:

  • in: alert_id_list, alert_source, severity, and external_id_list.
  • gte / lte: creation_time.
Allowed values: "in", "gte", "lte"
valueinteger or string or array[['string', 'integer']]

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

  • creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and represented in console under the TIMESTAMP field.
  • alert_id_list: Array of integers. Each item in the list must be an alert ID.
  • severity: Valid values are low, medium, high, critical.
  • external_id_list: Array of strings.
]
search_frominteger

An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list. Any alert indexed lower than this value is not returned in the final result set. Defaults to zero.

search_tointeger

An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all alerts to the end of the list.

sortobjectrequired

Identifies the sort order for the result set. By default the sort is defined as creation_time, desc.

fieldobject (Enum)

Identifies how to sort the result set, either according to severity or creation time.

Allowed values: "severity", "creation_time"
keywordobject (Enum)

Defines whether to sort the results in ascending (asc) or descending (desc) order.

Allowed values: "asc", "desc"
REQUEST
{ "request_data": {} }
{ "request_data": { "filters": [ { "field": "severity", "operator": "in", "value": [ "medium", "high" ] } ], "search_from": 0, "search_to": 5, "sort": { "field": "severity", "keyword": "asc" } } }
Responses

Successful response

Body
application/json
total_countinteger

Number of total results for this filter without paging. If the filter returned 10,000 results or more, the value will be 9,999, and you can use paging to view the entire set of data.

result_countinteger

Number of alerts actually returned in the result.

alertsarray
[
external_idstring
severitystring
matching_statusstring
end_match_attempt_tsinteger
local_insert_tsinteger
bioc_indicatorstring
matching_service_rule_idstring
attempt_counterinteger
bioc_category_enum_keystring
is_whitelistedboolean
starredboolean
deduplicate_tokensstring
filter_rule_idstring
mitre_technique_id_and_namearray[string]
mitre_tactic_id_and_namearray[string]
agent_versionstring
agent_device_domainstring
agent_fqdnstring
agent_os_typestring
agent_os_sub_typestring
agent_data_collection_statusboolean
macstring
mac_addressarray[string]
agent_is_vdiboolean
contains_featured_hoststring (Enum)
Allowed values: "YES", "NO"
contains_featured_userstring (Enum)
Allowed values: "YES", "NO"
contains_featured_ipstring (Enum)
Allowed values: "YES", "NO"
eventsarray
[
agent_install_typestring
agent_host_boot_timeinteger
event_sub_typestring
module_idstring
association_strengthstring
dst_association_strengthstring
story_idstring
event_idstring
event_typestring
event_timestampinteger
actor_process_instance_idstring
actor_process_image_pathstring
actor_process_image_namestring
actor_process_command_linestring
actor_process_signature_statusstring
actor_process_signature_vendorstring
actor_process_image_sha256string
actor_process_image_md5string
actor_process_causality_idstring
actor_causality_idstring
actor_process_os_pidstring
actor_thread_thread_idstring
causality_actor_process_image_namestring
causality_actor_process_command_linestring
causality_actor_process_image_pathstring
causality_actor_process_signature_vendorstring
causality_actor_process_signature_statusstring
causality_actor_causality_idstring
causality_actor_process_execution_timeinteger
causality_actor_process_image_md5string
causality_actor_process_image_sha256string
action_file_pathstring
action_file_namestring
action_file_md5string
action_file_sha256string
action_file_macro_sha256string
action_registry_datastring
action_registry_key_namestring
action_registry_value_namestring
action_registry_full_keystring
action_local_ipstring
action_local_portstring
action_remote_ipstring
action_remote_portstring
action_external_hostnamestring
action_countrystring
action_process_instance_idstring
action_process_causality_idstring
action_process_image_namestring
action_process_image_sha256string
action_process_image_command_linestring
action_process_signature_statusstring
action_process_signature_vendorstring
os_actor_effective_usernamestring
os_actor_process_instance_idstring
os_actor_process_image_pathstring
os_actor_process_image_namestring
os_actor_process_command_linestring
os_actor_process_signature_statusstring
os_actor_process_signature_vendorstring
os_actor_process_image_sha256string
os_actor_process_causality_idstring
os_actor_causality_idstring
os_actor_process_os_pidstring
os_actor_thread_thread_idstring
fw_app_idstring
fw_interface_fromstring
fw_interface_tostring
fw_rulestring
fw_rule_idstring
fw_device_namestring
fw_serial_numberinteger
fw_url_domainstring
fw_email_subjectstring
fw_email_senderstring
fw_email_recipientstring
fw_app_subcategorystring
fw_app_categorystring
fw_app_technologystring
fw_vsysstring
fw_xffstring
fw_miscstring
fw_is_phishingstring
dst_agent_idstring
dst_causality_actor_process_execution_timeinteger
dns_query_namestring
dst_action_external_hostnamestring
dst_action_countrystring
dst_action_external_portstring
user_namestring
]
alert_idstring
detection_timestampinteger
namestring
categorystring
endpoint_idstring
descriptionstring
host_iparray[string]
host_namestring
sourcestring
actionstring
action_prettystring
]
alert_idstring
detection_timestampinteger
namestring
categorystring
endpoint_idstring
descriptionstring
host_iparray[string]
host_namestring
sourcestring
actionstring
action_prettystring
malicious_urlsarray[string]

Malicious URL(s) that have been detected in the destination or content of the accessed web page.

RESPONSE
{ "reply": { "total_count": 45, "result_count": 1, "alerts": [ { "external_id": "<external ID>", "severity": "high", "matching_status": "FAILED", "end_match_attempt_ts": 1603552062824, "local_insert_ts": 1603279967500, "bioc_indicator": null, "matching_service_rule_id": null, "attempt_counter": 55, "bioc_category_enum_key": null, "is_whitelisted": false, "starred": false, "deduplicate_tokens": null, "filter_rule_id": null, "mitre_technique_id_and_name": [ "" ], "mitre_tactic_id_and_name": [ "" ], "agent_version": "<agent version>", "agent_device_domain": null, "agent_fqdn": "test", "agent_os_type": "Windows", "agent_os_sub_type": "<os subtype>", "agent_data_collection_status": true, "mac": null, "mac_address": [ "<mac address>" ], "agent_is_vdi": null, "contains_featured_host": false, "contains_featured_user": false, "contains_featured_ip": false, "events": [ { "agent_install_type": "NA", "agent_host_boot_time": null, "event_sub_type": null, "module_id": "Privilege Escalation Protection", "association_strength": null, "dst_association_strength": null, "story_id": null, "event_id": null, "event_type": "Process Execution", "event_timestamp": 1603279888980, "actor_process_instance_id": "<instance ID>", "actor_process_image_path": "c:\\<file path>\\virus.exe", "actor_process_image_name": "virus.exe", "actor_process_command_line": "c:\\<file path>\\virus.exe", "actor_process_signature_status": "N/A", "actor_process_signature_vendor": null, "actor_process_image_sha256": "<SHA256 value>", "actor_process_image_md5": null, "actor_process_causality_id": null, "actor_causality_id": null, "actor_process_os_pid": "<PID>", "actor_thread_thread_id": null, "causality_actor_process_image_name": null, "causality_actor_process_command_line": null, "causality_actor_process_image_path": null, "causality_actor_process_signature_vendor": null, "causality_actor_process_signature_status": "N/A", "causality_actor_causality_id": null, "causality_actor_process_execution_time": null, 
"causality_actor_process_image_md5": null, "causality_actor_process_image_sha256": null, "action_file_path": null, "action_file_name": null, "action_file_md5": null, "action_file_sha256": null, "action_file_macro_sha256": null, "action_registry_data": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_registry_full_key": null, "action_local_ip": null, "action_local_port": null, "action_remote_ip": null, "action_remote_port": null, "action_external_hostname": null, "action_country": "UNKNOWN", "action_process_instance_id": null, "action_process_causality_id": null, "action_process_image_name": null, "action_process_image_sha256": null, "action_process_image_command_line": null, "action_process_signature_status": "N/A", "action_process_signature_vendor": null, "os_actor_effective_username": null, "os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_image_name": null, "os_actor_process_command_line": null, "os_actor_process_signature_status": "N/A", "os_actor_process_signature_vendor": null, "os_actor_process_image_sha256": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "os_actor_process_os_pid": null, "os_actor_thread_thread_id": null, "fw_app_id": null, "fw_interface_from": null, "fw_interface_to": null, "fw_rule": null, "fw_rule_id": null, "fw_device_name": null, "fw_serial_number": null, "fw_url_domain": null, "fw_email_subject": null, "fw_email_sender": null, "fw_email_recipient": null, "fw_app_subcategory": null, "fw_app_category": null, "fw_app_technology": null, "fw_vsys": null, "fw_xff": null, "fw_misc": null, "fw_is_phishing": "N/A", "dst_agent_id": null, "dst_causality_actor_process_execution_time": null, "dns_query_name": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "user_name": null } ], "alert_id": "<alert ID>", "detection_timestamp": 1603279888980, "name": "Kernel Privilege Escalation", 
"category": "Exploit", "endpoint_id": "<endpoint ID>", "description": "Local privilege escalation prevented", "host_ip": [ "<IP address>" ], "host_name": "Test", "source": "XDR Agent", "action": "BLOCKED", "action_pretty": "Prevented (Blocked)" } ] } }

Bad Request. Got invalid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication type errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }