Get Audit Agent Report

Cortex XDR REST API

post /public_api/v1/audits/agents_reports

Get agent event reports.

  • Filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based index of a report from the start of the result set.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/audits/agents_reports" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "endpoint_id", "value": [ "value", "value" ], "operator": "in" },
        { "field": "endpoint_id", "value": [ "value", "value" ], "operator": "in" }
      ],
      "sort": { "field": "type", "keyword": "desc" },
      "search_to": 6
    }
  }'
Request
Body
optional
You can send a request to retrieve either all or filtered results.
Example: {"request_data":{}}
request_data
optional
A dictionary containing the API request fields. An empty dictionary returns all results.
filters
optional
Array
An array of filter fields.
field
required
String (Enum)

Identifies the field to filter on. Filters are based on the following keywords:

  • endpoint_id: The endpoint ID.
  • endpoint_name: The endpoint name.
  • type: Type of report.
  • sub_type: Subtype of report.
  • result: Result type.
  • timestamp: Report timestamp.
  • domain: Domain of the agent.
  • xdr_version: The XDR agent version.
  • category: Type of event category.
Allowed values:
endpoint_id
endpoint_name
type
sub_type
result
timestamp
domain
xdr_version
category
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords, and the fields and value types each one accepts, are:

in

  • endpoint_id, endpoint_name, type, sub_type, result, domain, xdr_version, category: List of strings

gte / lte

  • timestamp: Integer (epoch milliseconds)
Allowed values:
in
gte
lte
value
required
Array of strings (a single integer for timestamp)

Value that this filter must match:

  • timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
  • All other fields take string values. With the in operator, the value is a list of possible strings enclosed in square brackets.
  • category: Permitted values are status, monitoring, or audit.
search_from
optional
Integer
Zero-based offset within the query result set at which the returned agent reports start. Reports indexed below this value are not returned. Defaults to 0.
search_to
optional
Integer
End offset within the result set after which you do not want agent reports returned. Reports indexed higher than this value are not returned in the final result set. Defaults to 100, the maximum result set size, so a single call returns at most 100 reports; page through larger result sets by advancing search_from and search_to together.
sort
optional
Identifies the sort order for the result set.
field
required
String (Enum)
The field you want to sort by.
Allowed values:
type
category
trapsversion
timestamp
domain
keyword
required
String (Enum)
Whether to sort in ascending or descending order.
Allowed values:
asc
desc
Responses

OK

Body
reply
optional
JSON object containing the query result.
total_count
optional
Integer
Total number of results matching the filter, ignoring paging.
result_count
optional
Integer
Number of returned items.
data
optional
Array
List of audit items.
TIMESTAMP
optional
Number
Epoch time in milliseconds, UTC timezone.
RECEIVEDTIME
optional
Number
Epoch time in milliseconds, UTC timezone.
ENDPOINTID
optional
String
ENDPOINTNAME
optional
String
DOMAIN
optional
String
TRAPSVERSION
optional
String
CATEGORY
optional
String
TYPE
optional
String
SUBTYPE
optional
String
RESULT
optional
String
REASON
optional
String
DESCRIPTION
optional
String

Bad Request. The request body is not valid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
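Added example (not code from this page or from Palo Alto Networks): a Python client for this endpoint that validates filters against the field, operator and category values listed above, builds the auth headers, and pages through the result set 100 reports at a time, raising on the shared error envelope. Assumptions: the x-xdr-auth-id/Authorization header scheme and the Advanced-key SHA-256 hash come from the Cortex XDR API-key documentation rather than this page; the sample reports, the fake_post transport, and the mapping from request filter fields to response columns are constructed so the block runs offline.

```python
"""Client for POST /public_api/v1/audits/agents_reports: filter validation, auth headers, paging.
Added example, not the page's or Palo Alto Networks' code. Header scheme follows the Cortex XDR
API-key docs (not this page); sample reports and the fake transport are constructed."""
import hashlib
import secrets
import time
from typing import Any, Callable, Optional

PAGE_SIZE = 100  # the page's maximum result set size per call
FILTER_FIELDS = {"endpoint_id", "endpoint_name", "type", "sub_type", "result",
                 "timestamp", "domain", "xdr_version", "category"}
CATEGORIES = {"status", "monitoring", "audit"}
SORT_FIELDS = {"type", "category", "trapsversion", "timestamp", "domain"}
# request filter field -> response column; mapping assumed from the two schemas on the page
COLUMN = {"endpoint_id": "ENDPOINTID", "endpoint_name": "ENDPOINTNAME", "type": "TYPE",
          "sub_type": "SUBTYPE", "result": "RESULT", "timestamp": "TIMESTAMP",
          "domain": "DOMAIN", "xdr_version": "TRAPSVERSION", "category": "CATEGORY"}


def make_filter(field: str, operator: str, value: Any) -> dict:
    """Build one filter entry, rejecting field/operator/value combinations the API does not accept."""
    if field not in FILTER_FIELDS:
        raise ValueError(f"unknown filter field {field!r}")
    if field == "timestamp":
        if operator not in ("gte", "lte") or not isinstance(value, int):
            raise ValueError("timestamp takes gte/lte with an epoch-millisecond integer")
    elif operator != "in" or not isinstance(value, list):
        raise ValueError(f"{field} takes operator 'in' with a list of strings")
    elif field == "category" and not set(value) <= CATEGORIES:
        raise ValueError(f"category values must be in {sorted(CATEGORIES)}")
    return {"field": field, "operator": operator, "value": value}


def build_body(filters: list, search_from: int = 0, search_to: int = PAGE_SIZE,
               sort: Optional[dict] = None) -> dict:
    """Assemble request_data; the service ANDs the filters, so each one narrows the set."""
    if not 0 <= search_from < search_to or search_to - search_from > PAGE_SIZE:
        raise ValueError("window must be ascending and at most 100 reports wide")
    if sort and (sort["field"] not in SORT_FIELDS or sort["keyword"] not in ("asc", "desc")):
        raise ValueError("sort must use a listed field and asc/desc")
    data = {"filters": filters, "search_from": search_from, "search_to": search_to}
    if sort:
        data["sort"] = sort
    return {"request_data": data}


def auth_headers(key_id: str, api_key: str) -> dict:
    """Advanced-key headers: a fresh nonce and timestamp, and SHA-256(key + nonce + ts) in place of the key."""
    headers = {"x-xdr-auth-id": key_id, "Content-Type": "application/json",
               "Accept": "application/json"}
    nonce, ts = secrets.token_hex(32), str(int(time.time()) * 1000)
    digest = hashlib.sha256((api_key + nonce + ts).encode()).hexdigest()
    headers.update({"x-xdr-nonce": nonce, "x-xdr-timestamp": ts, "Authorization": digest})
    return headers


def fetch_all(post: Callable[[dict, dict], dict], headers: dict, filters: list,
              sort: Optional[dict] = None, max_pages: int = 50) -> list:
    """Walk the result set 100 reports at a time until total_count is reached."""
    reports, search_from = [], 0
    for _ in range(max_pages):  # hard cap: a bogus total_count must not loop forever
        body = build_body(filters, search_from, search_from + PAGE_SIZE, sort)
        reply = post(headers, body).get("reply", {})
        if "err_code" in reply:  # error bodies share the reply envelope
            raise RuntimeError(f"{reply['err_code']}: {reply.get('err_msg')}")
        page = reply.get("data", [])
        reports.extend(page)
        search_from += len(page)
        if not page or search_from >= reply.get("total_count", 0):
            break
    return reports


# Constructed sample reports; column names follow the response schema above.
T0 = 1_700_000_000_000
SAMPLE_REPORTS = [
    {"TIMESTAMP": T0 + i * 60_000, "RECEIVEDTIME": T0 + i * 60_000 + 500, "ENDPOINTID": f"ep{i:03d}",
     "ENDPOINTNAME": f"host-{i:03d}", "DOMAIN": "corp.example", "TRAPSVERSION": "8.2.0",
     "CATEGORY": ("status", "monitoring", "audit")[i % 3], "TYPE": "Agent Service",
     "SUBTYPE": "Stop", "RESULT": "Success", "REASON": "", "DESCRIPTION": "constructed"}
    for i in range(230)
]


def _matches(report: dict, flt: dict) -> bool:
    col = report[COLUMN[flt["field"]]]
    if flt["operator"] == "gte":
        return col >= flt["value"]
    if flt["operator"] == "lte":
        return col <= flt["value"]
    return col in flt["value"]


def fake_post(headers: dict, body: dict) -> dict:
    """Offline stand-in for the service: ANDs the filters and slices the window like the API."""
    if not headers.get("Authorization") or not headers.get("x-xdr-auth-id"):
        return {"reply": {"err_code": "401", "err_msg": "Unauthorized", "err_extra": ""}}
    rd = body["request_data"]
    hits = [r for r in SAMPLE_REPORTS if all(_matches(r, f) for f in rd.get("filters", []))]
    page = hits[rd.get("search_from", 0):rd.get("search_to", PAGE_SIZE)]
    return {"reply": {"total_count": len(hits), "result_count": len(page), "data": page}}


if __name__ == "__main__":
    recent_audit = [make_filter("category", "in", ["audit"]), make_filter("timestamp", "gte", T0 + 100 * 60_000)]
    print(len(fetch_all(fake_post, auth_headers("12", "not-a-real-key"), recent_audit)), "audit reports")
```

To run this against a tenant, replace fake_post with a function that POSTs the body as JSON with the returned headers to https://api-<fqdn>/public_api/v1/audits/agents_reports and returns the parsed reply; the paging and error handling in fetch_all stay the same. The nonce and timestamp are regenerated per request so that a captured Authorization value is not replayable as the key itself would be.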