Get Audit Agent Report

Cortex XDR REST API

post /public_api/v1/audits/agents_reports

Get agent event reports.
- Filters are combined with an AND condition (OR is not supported).
- Maximum result set size per call is 100.
- Offset is the zero-based index of a report from the start of the result set.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Body parameters
request_data (Object)

A dictionary containing the API request fields. An empty dictionary returns all results.

filters (Array)

An array of filter objects. Each filter has a field, an operator, and a value; all filters in the array are combined with AND.

field (String, Enum)

Identifies the attribute the filter applies to. Filters are based on the following keywords:
- endpoint_id: The endpoint ID.
- endpoint_name: The endpoint name.
- type: Type of report.
- sub_type: Subtype of report.
- result: Result type.
- timestamp: Report timestamp.
- domain: Domain of the agent.
- xdr_version: XDR agent version.
- category: Type of event category.

Allowed values: "endpoint_id", "endpoint_name", "type", "sub_type", "result", "timestamp", "domain", "xdr_version", "category"

operator (String, Enum)

Identifies the comparison operator to use for this filter. Valid keywords and the fields they apply to:
- in: endpoint_id, endpoint_name, type, sub_type, result, domain, xdr_version, category (value is a list of strings)
- gte / lte: timestamp (value is an integer)

Allowed values: "in", "gte", "lte"

value (Array or Integer)

Value that this filter must match:
- timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
- All other fields require string values. With the in operator, the value is a list of possible values enclosed in square brackets.
- category: Permitted values are status, monitoring, or audit.

search_from (Integer)

An integer representing the starting offset within the query result set from which you want agent reports returned. Reports are returned as a zero-based list; any report indexed lower than this value is not returned. Defaults to 0.

search_to (Integer)

An integer representing the end offset within the result set after which you do not want agent reports returned. Reports in the agent report list that are indexed higher than this value are not returned. Defaults to 100, which returns every report when the result set holds 100 or fewer. Because a single call returns at most 100 reports, page through larger result sets by advancing search_from and search_to in steps of 100 until search_from reaches total_count.

sort (Object, required)

Identifies the sort order for the result set. Although marked required, the example request body below sends an empty request_data; supply a sort (for example on timestamp) whenever you page with search_from/search_to, so that consecutive pages are drawn from the same ordering.

field (String, Enum)

The field you want to sort by. Note that the version field is named trapsversion here (matching the TRAPSVERSION response field), whereas the corresponding filter field is xdr_version.

Allowed values: "type", "category", "trapsversion", "timestamp", "domain"

keyword (String, Enum)

Whether to sort in ascending or descending order.

Allowed values: "asc", "desc"
REQUEST BODY
{ "request_data": {} }
CURL
# The API is authenticated with the Cortex XDR API-key header pair
# (x-xdr-auth-id / Authorization); the body is the request shown above.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: <API key ID>' \
  -H 'Authorization: <API key>' \
  'https://api-yourfqdn/public_api/v1/audits/agents_reports' \
  -d '{ "request_data": {} }'
Responses

OK

Body
reply (Object)

JSON object containing the query result.

total_count (Integer)

Number of total results of this filter without paging.

result_count (Integer)

Number of returned items.

data (Array)

List of audit items. Each item has the following fields:

TIMESTAMP (Number)

Epoch time in milliseconds, UTC timezone.

RECEIVEDTIME (Number)

Epoch time in milliseconds, UTC timezone.

ENDPOINTID (String)
ENDPOINTNAME (String)
DOMAIN (String)
TRAPSVERSION (String)
CATEGORY (String)
TYPE (String)
SUBTYPE (String)
RESULT (String)
REASON (String)
DESCRIPTION (String)
RESPONSE
Example 1:
{
  "reply": {
    "total_count": 10,
    "result_count": 1,
    "data": [
      {
        "TIMESTAMP": 1572427859369.953,
        "RECEIVEDTIME": 1572427936626.636,
        "ENDPOINTID": "<endpoint ID>",
        "ENDPOINTNAME": "<endpoint name>",
        "DOMAIN": "WORKGROUP",
        "TRAPSVERSION": "<version>",
        "CATEGORY": "Status",
        "TYPE": "Agent Status",
        "SUBTYPE": "Fully Protected",
        "RESULT": null,
        "REASON": null,
        "DESCRIPTION": "DESKTOP-4LC01UI is fully protected"
      }
    ]
  }
}
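The request shape (filters, search_from/search_to, sort) and the reply shape (total_count, result_count, data with epoch-millisecond timestamps) described above, as an added worked example that is not part of the Cortex XDR documentation or SDK. It builds request bodies, pages through a result set 100 reports at a time, converts the timestamps, and turns any non-200 reply into an exception carrying the err_code/err_msg/err_extra object. Assumptions: the x-xdr-auth-id/Authorization header names follow the Cortex XDR API-key scheme; the base URL is the tenant's api- FQDN; fake_server() and its rows are constructed here purely so the paging logic can run offline.

```python
"""Added example (not Cortex XDR's own code) for POST /public_api/v1/audits/agents_reports:
build request bodies, page in chunks of at most 100, and surface API errors.
The transport is injected, so the logic runs offline against the constructed fake_server()."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable, List, Tuple

PAGE_SIZE = 100  # documented maximum result set size per call

# A transport takes a request body and returns (HTTP status, decoded JSON).
Transport = Callable[[dict], Tuple[int, dict]]


class XdrApiError(Exception):
    """Raised on any non-200 reply; carries the err_code/err_msg/err_extra object."""

    def __init__(self, status: int, err: dict):
        super().__init__(f"HTTP {status}: {err.get('err_msg')}")
        self.status, self.err = status, err


def in_filter(field: str, values: List[str]) -> dict:
    """'in' filter: a list of strings for any field other than timestamp."""
    return {"field": field, "operator": "in", "value": list(values)}


def time_filter(operator: str, when: datetime) -> dict:
    """'gte'/'lte' filter on timestamp, expressed as epoch milliseconds (UTC)."""
    assert operator in ("gte", "lte") and when.tzinfo is not None
    return {"field": "timestamp", "operator": operator, "value": int(when.timestamp() * 1000)}


def build_request(filters: List[dict], search_from: int = 0, search_to: int = PAGE_SIZE,
                  sort_field: str = "timestamp", sort_order: str = "desc") -> dict:
    """Assemble request_data. Filters are ANDed by the API; a fixed sort keeps pages consistent."""
    if search_to - search_from > PAGE_SIZE:
        raise ValueError("a single call may return at most 100 reports")
    return {"request_data": {"filters": filters, "search_from": search_from,
                             "search_to": search_to,
                             "sort": {"field": sort_field, "keyword": sort_order}}}


def http_transport(base_url: str, api_key_id: str, api_key: str) -> Transport:
    """Real transport. Header names follow the Cortex XDR API-key scheme (assumption)."""
    url = base_url.rstrip("/") + "/public_api/v1/audits/agents_reports"
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "x-xdr-auth-id": api_key_id, "Authorization": api_key}

    def post(body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as e:  # 4xx/5xx replies carry the error object
            raw = e.read()
            try:
                return e.code, json.loads(raw)
            except ValueError:  # non-JSON body: wrap it in the same shape
                return e.code, {"err_code": str(e.code), "err_msg": raw.decode(errors="replace"), "err_extra": ""}
    return post


def fetch_all(post: Transport, filters: List[dict], sort_field: str = "timestamp",
              sort_order: str = "desc") -> List[dict]:
    """Walk the whole result set, advancing search_from/search_to by 100 until total_count is reached."""
    records: List[dict] = []
    offset = 0
    while True:
        status, reply = post(build_request(filters, offset, offset + PAGE_SIZE, sort_field, sort_order))
        if status != 200:
            raise XdrApiError(status, reply)
        page = reply["reply"]
        data = page.get("data") or []
        records.extend(data)
        offset += len(data)
        if not data or offset >= page["total_count"]:  # empty page guards against a stale total_count
            return records


def report_time(epoch_ms: float) -> datetime:
    """TIMESTAMP/RECEIVEDTIME are epoch milliseconds (UTC), sometimes with a fractional part."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def fake_server(total: int) -> Transport:
    """Constructed stand-in for the API holding `total` synthetic Agent Status reports (ignores filters)."""
    rows = [{"TIMESTAMP": 1572427859369.953 + i * 1000.0, "RECEIVEDTIME": 1572427936626.636 + i * 1000.0,
             "ENDPOINTID": f"ep-{i:04d}", "ENDPOINTNAME": f"host-{i:04d}", "DOMAIN": "WORKGROUP",
             "TRAPSVERSION": "<version>", "CATEGORY": "Status", "TYPE": "Agent Status",
             "SUBTYPE": "Fully Protected", "RESULT": None, "REASON": None,
             "DESCRIPTION": f"host-{i:04d} is fully protected"} for i in range(total)]

    def post(body: dict) -> Tuple[int, dict]:
        rd = body["request_data"]
        if rd["search_to"] - rd["search_from"] > PAGE_SIZE:  # mimic the 100-report limit
            return 400, {"err_code": "400", "err_msg": "page larger than 100", "err_extra": ""}
        chunk = rows[rd["search_from"]:rd["search_to"]]
        return 200, {"reply": {"total_count": total, "result_count": len(chunk), "data": chunk}}
    return post


if __name__ == "__main__":
    since = time_filter("gte", datetime(2019, 10, 30, tzinfo=timezone.utc))
    reports = fetch_all(fake_server(250), [in_filter("category", ["status"]), since])
    print(len(reports), report_time(reports[0]["TIMESTAMP"]).isoformat())
```

Against a real tenant, replace fake_server(250) with http_transport("https://api-yourfqdn", key_id, key); everything else stays the same. Keep the sort fixed across pages: if the ordering changes between calls, paging by offset will skip or duplicate reports.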

Bad Request. Got an invalid JSON.

Body

err_code (String)

HTTP response code.

err_msg (String)

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra (String)

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Body

Same error object as the Bad Request response above: err_code (String), err_msg (String), err_extra (String), with an identical example response.

Unauthorized access. User does not have the required license type to run this API.

Body

Same error object as the Bad Request response above: err_code (String), err_msg (String), err_extra (String), with an identical example response.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

Same error object as the Bad Request response above: err_code (String), err_msg (String), err_extra (String), with an identical example response.

Internal server error. A unified status for API communication type errors.

Body

Same error object as the Bad Request response above: err_code (String), err_msg (String), err_extra (String), with an identical example response.