Gets a list of filtered endpoints.
- The response is concatenated using AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of endpoints from the start of the result set.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
request_data Object
A dictionary containing the API request fields.
An empty dictionary returns all results.
filters Array
Array of filter fields.
field String (Enum)
Identifies the field the filter is matching. Filters are based on the following keywords:
- endpoint_id_list: List of endpoint IDs.
- endpoint_status: Status of the endpoint ID.
- dist_name: Distribution / Installation Package name.
- first_seen: When the agent was first seen.
- last_seen: When the agent was last seen.
- ip_list: List of IP addresses.
- group_name: Group name the agent belongs to.
- platform: Platform name.
- alias: Alias name.
- isolate: If the endpoint was isolated.
- hostname: Host name.
- public_ip_list: Public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (known as Last Origin IP).
operator String (Enum)
Identifies the comparison operator you want to use for this filter. Valid keywords and values are:
in
- endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
- endpoint_status: connected, disconnected, lost, or uninstalled
- ip_list: List of strings. For example: "192.168.5.12"
- platform: windows, linux, macos, android
- isolate: isolated or unisolated
- scan_status: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error
gte / lte
- first_seen and last_seen: Timestamp epoch milliseconds.
value String array
Value that this filter must match. Valid keywords:
- endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
- endpoint_status: String. Permitted values are: connected, disconnected, lost, or uninstalled
- ip_list: List of strings.
- platform: String. Permitted values are: windows, linux, macos, android.
- isolate: String. Permitted values are: isolated or unisolated.
- scan_status: String. Permitted values are: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error.
- first_seen and last_seen: Integer. Timestamp epoch milliseconds.
search_from Integer
Represents the start offset within the query result set from which you want endpoints returned.
Endpoints are returned as a zero-based list. Any endpoint indexed less than this value is not returned in the final result set. Defaults to zero.
search_to Integer
Represents the end offset within the result set after which you do not want endpoints returned.
Any endpoint in the endpoint list that is indexed higher than this value is not returned in the final result set. Defaults to 100, which returns all endpoints to the end of the list.
sort Object
Identifies the sort order for the result set.
field String (Enum)
Identifies the field you want to sort by. Case-sensitive.
keyword String (Enum)
Whether you want to sort in ascending (ASC) or descending (DESC) order. Case-sensitive.
{
  "request_data": {
    "search_from": 0,
    "search_to": 1,
    "sort": {
      "field": "endpoint_id",
      "keyword": "asc"
    },
    "filters": [
      {
        "field": "endpoint_status",
        "operator": "eq",
        "value": "disconnected"
      },
      {
        "field": "dist_name",
        "operator": "in",
        "value": [
          "papi-test"
        ]
      },
      {
        "field": "scan_status",
        "operator": "in",
        "value": [
          "none",
          "pending",
          "in_progress",
          "pending_cancellation",
          "aborted",
          "success",
          "canceled",
          "error"
        ]
      }
    ]
  }
}
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  'https://api-yourfqdn/public_api/v1/endpoints/get_endpoint' \
  -d ''
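The filter rules and the 100-result window described above can be checked on the client before anything is sent. The following is an added example, not code from the original page or from the vendor: it validates each filter against the operator and value tables above and builds one request body per window. Assumptions: the names make_filter and page_requests are hypothetical, total is an upper bound supplied by the caller, search_to is treated as an exclusive end offset, a single string value is wrapped in a list for the in operator, and the sort defaults are copied from the sample request.

```python
MAX_WINDOW = 100  # documented maximum result set size

# Permitted values for enumerated filter fields, copied from the tables above.
ENUM_VALUES = {
    "endpoint_status": {"connected", "disconnected", "lost", "uninstalled"},
    "platform": {"windows", "linux", "macos", "android"},
    "isolate": {"isolated", "unisolated"},
    "scan_status": {"none", "pending", "in_progress", "canceled", "aborted",
                    "pending_cancellation", "success", "error"},
}
LIST_FIELDS = {"endpoint_id_list", "dist_name", "group_name", "alias",
               "hostname", "username", "public_ip_list", "ip_list"}
TIME_FIELDS = {"first_seen", "last_seen"}


def make_filter(field, operator, value):
    """Return one filter dict, or raise ValueError if it breaks the tables."""
    if field in TIME_FIELDS:
        if operator not in ("gte", "lte"):
            raise ValueError(f"{field} takes gte/lte, not {operator!r}")
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{field} needs an integer epoch in milliseconds")
        return {"field": field, "operator": operator, "value": value}
    if field not in ENUM_VALUES and field not in LIST_FIELDS:
        raise ValueError(f"unknown filter field {field!r}")
    if operator != "in":
        raise ValueError(f"{field} takes the 'in' operator, not {operator!r}")
    # Assumption: a lone string is sent as a one-element list.
    values = [value] if isinstance(value, str) else list(value)
    if field in ENUM_VALUES:
        bad = sorted(set(values) - ENUM_VALUES[field])
        if bad:
            raise ValueError(f"{field}: values not permitted: {bad}")
    return {"field": field, "operator": "in", "value": values}


def page_requests(filters, total, sort_field="endpoint_id", keyword="asc"):
    """Yield request bodies covering offsets 0..total in windows of at most 100.
    Assumes search_to is an exclusive end offset; if the service treats it as
    inclusive, de-duplicate the returned endpoints on their ID."""
    for start in range(0, total, MAX_WINDOW):
        yield {"request_data": {
            "search_from": start,
            "search_to": min(start + MAX_WINDOW, total),
            "sort": {"field": sort_field, "keyword": keyword},
            "filters": list(filters),  # all filters are ANDed by the service
        }}
```

Each yielded dictionary can be serialized with json.dumps and sent as the POST body of the request shown above.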