Get Endpoint

Cortex XDR REST API

post /public_api/v1/endpoints/get_endpoint

Gets a list of filtered endpoints.

  • The response is concatenated using AND condition (OR is not supported).
  • The maximum result set size is 100.
  • Offset is the zero-based number of endpoints from the start of the result set.

Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/get_endpoint" \
  -d '{
    "request_data": {
      "search_from": 0,
      "filters": [
        { "field": "endpoint_id_list", "value": [ "value", "value" ], "operator": "in" },
        { "field": "endpoint_id_list", "value": [ "value", "value" ], "operator": "in" }
      ],
      "sort": { "field": "first_seen", "keyword": "DESC" },
      "search_to": 6
    }
  }'
Request
Body
optional
You can send a request to retrieve either all or filtered results.
Example: {"request_data":{"search_from":0,"search_to":1,"sort":{"field":"endpoint_id","keyword":"asc"},"filters":[{"field":"endpoint_status","operator":"eq","value":"disconnected"},{"field":"dist_name","operator":"in","value":["papi-test"]},{"field":"scan_status","operator":"in","value":["none","pending","in_progress","pending_cancellation","aborted","success","canceled","error"]}]}}
request_data
optional

A dictionary containing the API request fields.

An empty dictionary returns all results.

filters
optional
Array
Array of filter fields.
field
optional
String (Enum)

Identifies the field the filter is matching. Filters are based on the following keywords:

  • endpoint_id_list: List of endpoint IDs.
  • endpoint_status: Status of the endpoint ID.
  • dist_name: Distribution / Installation Package name.
  • first_seen: When the agent was first seen.
  • last_seen: When the agent was last seen.
  • ip_list: List of IP addresses.
  • group_name: Group name the agent belongs to.
  • platform: Platform name.
  • alias: Alias name.
  • isolate: If the endpoint was isolated.
  • hostname: Host name.
  • public_ip_list: Public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (known as Last Origin IP).
Allowed values:
endpoint_id_list
endpoint_status
dist_name
first_seen
last_seen
ip_list
group_name
platform
alias
isolate
hostname
public_ip_list
operator
optional
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords and values are:

in

  • endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
  • endpoint_status: connected, disconnected, lost, or uninstalled
  • ip_list: List of strings. For example: "192.168.5.12"
  • platform: windows, linux, macos, android
  • isolate: isolated or unisolated
  • scan_status: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error

gte / lte

  • first_seen and last_seen: Timestamp epoch milliseconds.
Allowed values:
in
gte
lte
value
optional
Array of strings

Value that this filter must match. Valid keywords:

  • endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
  • endpoint_status: String. Permitted values are: connected, disconnected, lost, or uninstalled
  • ip_list: List of strings.
  • platform: String. Permitted values are: windows, linux, macos, android.
  • isolate: String. Permitted values are: isolated or unisolated.
  • scan_status: String. Permitted values are: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error.
  • first_seen and last_seen: Integer. Timestamp epoch milliseconds.
search_from
optional
Integer

Represents the start offset within the query result set from which you want endpoints returned.

Endpoints are returned as a zero-based list. Any endpoint indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to
optional
Integer

Represents the end offset within the result set after which you do not want endpoints returned.

Any endpoint in the endpoint list that is indexed higher than this value is not returned in the final result set. Defaults to 100, which returns all endpoints to the end of the list.

sort
optional
Identifies the sort order for the result set.
field
optional
String (Enum)
Identifies the field you want to sort by. Case-sensitive.
Allowed values:
endpoint_id
first_seen
last_seen
keyword
optional
String (Enum)
Whether you want to sort in ascending (ASC) or descending (DESC) order. Case-sensitive.
Allowed values:
ASC
DESC
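
The filter and paging rules above, as an added Python example that is not part of the Cortex XDR documentation: `make_filter` checks field, operator and value combinations against the lists on this page, and `iter_endpoints` walks the full result set in windows of 100 using `total_count` from the reply. The function names and the `post` callable (it sends the body to this route with your authentication and returns the parsed JSON) are assumptions, as is treating `search_to` as an exclusive end offset.

```python
# Allowed fields and values below are copied from this reference page.
IN_FIELDS = {"endpoint_id_list", "dist_name", "group_name", "alias", "hostname",
             "username", "public_ip_list", "ip_list", "endpoint_status",
             "platform", "isolate", "scan_status"}
RANGE_FIELDS = {"first_seen", "last_seen"}
ENUMS = {
    "endpoint_status": {"connected", "disconnected", "lost", "uninstalled"},
    "platform": {"windows", "linux", "macos", "android"},
    "isolate": {"isolated", "unisolated"},
    "scan_status": {"none", "pending", "in_progress", "canceled", "aborted",
                    "pending_cancellation", "success", "error"},
}
MAX_PAGE = 100  # documented maximum result set size


def make_filter(field, operator, value):
    """Build one filter object; reject combinations this page does not list."""
    if operator == "in":
        if field not in IN_FIELDS or not isinstance(value, list):
            raise ValueError(f"'in' needs a list-valued field, got {field!r}")
        bad = set(value) - ENUMS.get(field, set(value))
        if bad:
            raise ValueError(f"{field}: unsupported value(s) {sorted(bad)}")
    elif operator in ("gte", "lte"):
        if field not in RANGE_FIELDS or not isinstance(value, int):
            raise ValueError(f"{operator!r} needs first_seen/last_seen in epoch ms")
    else:
        raise ValueError(f"unsupported operator {operator!r}")
    return {"field": field, "operator": operator, "value": value}


def iter_endpoints(post, filters=(), sort_field="endpoint_id", keyword="ASC"):
    """Yield every endpoint matching all filters (AND), fetching 100 at a time."""
    offset = 0
    while True:
        # A fixed sort keeps page boundaries stable between requests.
        body = {"request_data": {
            "search_from": offset, "search_to": offset + MAX_PAGE,
            "filters": list(filters),
            "sort": {"field": sort_field, "keyword": keyword},
        }}
        resp = post(body)  # hypothetical transport supplied by the caller
        if "reply" not in resp:  # error bodies carry err_code / err_msg instead
            raise RuntimeError(f"get_endpoint failed: {resp.get('err_code')} {resp.get('err_msg')}")
        page = resp["reply"].get("endpoints", [])
        yield from page
        offset += len(page)  # advance by what was actually returned
        if not page or offset >= resp["reply"].get("total_count", 0):
            return
```

Advancing the offset by the number of endpoints actually returned, rather than by a fixed 100, avoids skipping records if the server returns a short page.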
Responses

OK

Body
reply
optional
JSON object containing the query result.
total_count
optional
Integer
Number of total results of this filter without paging.
result_count
optional
Integer
Number of endpoints actually returned as result.
endpoints
optional
Array
A list of endpoints.
endpoint_id
optional
String
endpoint_name
optional
String
endpointTags
optional
String
endpoint_type
optional
String
endpoint_status
optional
String
os_type
optional
String
os_version
optional
String
ip
optional
Array of strings
ipv6
optional
Array of objects
public_ip
optional
String
users
optional
Array of strings
domain
optional
String
alias
optional
String
first_seen
optional
Integer
last_seen
optional
Integer
content_version
optional
String
installation_package
optional
String
active_directory
optional
Object
install_date
optional
Integer
endpoint_version
optional
String
is_isolated
optional
String
isolated_date
optional
Object
group_name
optional
Array of objects
operational_status
optional
String
operational_status_description
optional
String
scan_status
optional
String
content_release_timestamp
optional
Integer
last_content_update_time
optional
Integer
content_status
optional
String
operating_system
optional
String
mac_address
optional
Array of strings
assigned_prevention_policy
optional
String
assigned_extensions_policy
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.