post
/public_api/v1/audits/agents_reports
Get agent event reports. - Response is concatenated using AND condion (OR is not supported). - Maximum result set size is 100. - Offset is the zero-based number of incidents from the start of the result set.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/audits/agents_reports" \
-d '{
"request_data" : {
"search_from" : 0,
"filters" : [ {
"field" : "endpoint_id",
"value" : [ "value", "value" ],
"operator" : "in"
}, {
"field" : "endpoint_id",
"value" : [ "value", "value" ],
"operator" : "in"
} ],
"sort" : {
"field" : "type",
"keyword" : "desc"
},
"search_to" : 6
}
}'
Request
Body
optional
You can send a request to retrieve either all or filtered results.
Example:
{"request_data":{}}
request_data
optional
A dictionary containing the API request fields.
An empty dictionary returns all results.
filters
optional
Array
An array of filter fields.
field
required
String
(Enum)
Identifies a list. Filters are based on the following keywords:
endpoint_id
: The endpoint ID.endpoint_name
: The endpoint name.type
: Type of report.sub_type
: Subtype of report.result
: Result type.timestamp
: Report timestamp.domain
: Domain of the agent.xdr_version
: XDR version.category
: Type of event category.
Allowed values:
endpoint_id
endpoint_name
type
sub_type
result
timestamp
domain
xdr_version
category
operator
required
String
(Enum)
identifies the comparison operator you want to use for this filter. Valid keywords and values are:
in
endpoint_id
,endpoint_name
,type
,sub_type
,result
,domain
,xdr_version
,category
: List of strings
gte
/ lte
timestamp
Allowed values:
in
gte
lte
value
required
Array
of strings
Value that this filter must match:
timestamp
: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.- All other fields require a string value. In the case of
in
operator, the value is a list of possible values enclosed in square brackets. category
: Permitted values are:status
,monitoring
, oraudit
.
search_from
optional
Integer
An integer representing the starting offset within the query result set from which you want agent reports returned.
Reports are returned as a zero-based list. Any report indexed less than this value is not returned in the final result set and defaults to zero.
search_to
optional
Integer
An integer representing the end offset within the result set after which you do not want agent reports returned.
Reports in the agent report list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all reports to the end ofthe list.
sort
optional
Identifies the sort order for the result set.
field
required
String
(Enum)
The field you want to sort by.
Allowed values:
type
category
trapsversion
timestamp
domain
keyword
required
String
(Enum)
Whether to sort in ascending or descending order.
Allowed values:
asc
desc
Responses