Gets a list of filtered endpoints.
- The response is concatenated using AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of endpoints from the start of the result set.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/get_endpoint" \
  -d '{
    "request_data" : {
      "search_from" : 0,
      "filters" : [ {
        "field" : "endpoint_id_list",
        "value" : [ "value", "value" ],
        "operator" : "in"
      }, {
        "field" : "endpoint_id_list",
        "value" : [ "value", "value" ],
        "operator" : "in"
      } ],
      "sort" : {
        "field" : "first_seen",
        "keyword" : "DESC"
      },
      "search_to" : 6
    }
  }'
{"request_data":{"search_from":0,"search_to":1,"sort":{"field":"endpoint_id","keyword":"asc"},"filters":[{"field":"endpoint_status","operator":"eq","value":"disconnected"},{"field":"dist_name","operator":"in","value":["papi-test"]},{"field":"scan_status","operator":"in","value":["none","pending","in_progress","pending_cancellation","aborted","success","canceled","error"]}]}}
A dictionary containing the API request fields.
An empty dictionary returns all results.
Identifies the field the filter is matching. Filters are based on the following keywords:
- endpoint_id_list: List of endpoint IDs.
- endpoint_status: Status of the endpoint ID.
- dist_name: Distribution / Installation Package name.
- first_seen: When the agent was first seen.
- last_seen: When the agent was last seen.
- ip_list: List of IP addresses.
- group_name: Group name the agent belongs to.
- platform: Platform name.
- alias: Alias name.
- isolate: If the endpoint was isolated.
- hostname: Host name.
- public_ip_list: Public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (known as Last Origin IP).
Identifies the comparison operator you want to use for this filter. Valid keywords and values are:
- in
  - endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
  - endpoint_status: connected, disconnected, lost, or uninstalled
  - ip_list: List of strings. For example: "192.168.5.12"
  - platform: windows, linux, macos, android
  - isolate: isolated or unisolated
  - scan_status: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error
- gte / lte
  - first_seen and last_seen: Timestamp epoch milliseconds.
Value that this filter must match. Valid keywords:
- endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
- endpoint_status: String. Permitted values are: connected, disconnected, lost, or uninstalled
- ip_list: List of strings.
- platform: String. Permitted values are: windows, linux, macos, android.
- isolate: String. Permitted values are: isolated or unisolated.
- scan_status: String. Permitted values are: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error.
- first_seen and last_seen: Integer. Timestamp epoch milliseconds.
Represents the start offset within the query result set from which you want endpoints returned.
Endpoints are returned as a zero-based list. Any endpoint indexed less than this value is not returned in the final result set. Defaults to zero.
Represents the end offset within the result set after which you do not want endpoints returned.
Any endpoint in the endpoint list that is indexed higher than this value is not returned in the final result set. Defaults to 100, which returns all endpoints to the end of the list.
ASC) or descending (DESC) order. Case-sensitive.
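Added example, not from the original page or the vendor: Python that checks filters against the value lists above and walks a result set larger than the 100-endpoint maximum by moving search_from. It goes beyond the single request shown on the page. The names check_filter, request_body, iter_endpoints and the caller-supplied fetch function are assumptions; fetch is expected to POST the body and return the list of endpoints from the reply, whose format this page does not show.

```python
MAX_WINDOW = 100  # the page: "The maximum result set size is 100."

# Permitted values, copied from the value lists on this page.
ENUMS = {
    "endpoint_status": {"connected", "disconnected", "lost", "uninstalled"},
    "platform": {"windows", "linux", "macos", "android"},
    "isolate": {"isolated", "unisolated"},
    "scan_status": {"none", "pending", "in_progress", "canceled", "aborted",
                    "pending_cancellation", "success", "error"},
}
STRING_LISTS = {"endpoint_id_list", "dist_name", "group_name", "alias",
                "hostname", "username", "public_ip_list", "ip_list"}
TIMESTAMPS = {"first_seen", "last_seen"}

def check_filter(flt):
    """Reject a filter whose value or operator contradicts the lists on this page."""
    field, op, value = flt["field"], flt["operator"], flt["value"]
    ok = False  # unknown field names are rejected
    if field in ENUMS:  # operator not checked: the page's sample uses "eq" here
        values = value if isinstance(value, list) else [value]
        ok = bool(values) and all(v in ENUMS[field] for v in values)
    elif field in STRING_LISTS:
        ok = (op == "in" and isinstance(value, list) and bool(value)
              and all(isinstance(v, str) for v in value))
    elif field in TIMESTAMPS:  # epoch milliseconds, gte/lte only
        ok = op in ("gte", "lte") and type(value) is int
    if not ok:
        raise ValueError(f"invalid filter: {flt!r}")
    return flt

def request_body(filters, search_from, sort_field="endpoint_id"):
    """Body for one window, with a fixed sort so successive windows line up."""
    return {"request_data": {
        "search_from": search_from,
        "search_to": search_from + MAX_WINDOW,
        "sort": {"field": sort_field, "keyword": "ASC"},
        "filters": [check_filter(f) for f in filters],  # ANDed by the API
    }}

def iter_endpoints(fetch, filters):
    """Yield every matching endpoint; fetch(body) is hypothetical (see lead-in)."""
    offset = 0
    while True:
        page = fetch(request_body(filters, offset))
        if not page:
            return
        yield from page
        # Advance by what arrived, so the walk does not depend on whether
        # search_to is treated as inclusive or exclusive.
        offset += len(page)
```

The walk ends on the first empty window, which costs one extra request but needs no total count from the reply.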