Get Endpoint

Cortex XDR REST API

POST /public_api/v1/endpoints/get_endpoint

Gets a list of filtered endpoints.
- The response is concatenated using AND condition (OR is not supported).
- The maximum result set size is 100.
- Offset is the zero-based number of endpoints from the start of the result set.

Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Body parameters
request_data Object

A dictionary containing the API request fields.

An empty dictionary returns all results.

filters Array

Array of filter fields.

field String (Enum)

Identifies the field the filter is matching. Filters are based on the following keywords:
- endpoint_id_list: List of endpoint IDs.
- endpoint_status: Status of the endpoint ID.
- dist_name: Distribution / Installation Package name.
- first_seen: When the agent was first seen.
- last_seen: When the agent was last seen.
- ip_list: List of IP addresses.
- group_name: Group name the agent belongs to.
- platform: Platform name.
- alias: Alias name.
- isolate: If the endpoint was isolated.
- hostname: Host name.
- public_ip_list: Public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (known as Last Origin IP).

Allowed values: endpoint_id_list, endpoint_status, dist_name, first_seen, last_seen, ip_list, group_name, platform, alias, isolate, hostname, public_ip_list
operator String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords and values are:

in
- endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
- endpoint_status: connected, disconnected, lost, or uninstalled
- ip_list: List of strings. For example: "192.168.5.12"
- platform: windows, linux, macos, android
- isolate: isolated or unisolated
- scan_status: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error

gte / lte
- first_seen and last_seen: Timestamp epoch milliseconds.

Allowed values: in, gte, lte, eq
value String array

Value that this filter must match. Valid keywords:
- endpoint_id_list, dist_name, group_name, alias, hostname, username, public_ip_list: List of strings.
- endpoint_status: String. Permitted values are: connected, disconnected, lost, or uninstalled
- ip_list: List of strings.
- platform: String. Permitted values are: windows, linux, macos, android.
- isolate: String. Permitted values are: isolated or unisolated.
- scan_status: String. Permitted values are: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error.
- first_seen and last_seen: Integer. Timestamp epoch milliseconds.

search_from Integer

Represents the start offset within the query result set from which you want endpoints returned.

Endpoints are returned as a zero-based list. Any endpoint indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to Integer

Represents the end offset within the result set after which you do not want endpoints returned.

Any endpoint in the endpoint list that is indexed higher than this value is not returned in the final result set. Defaults to 100, which returns all endpoints to the end of the list.

sort Object

Identifies the sort order for the result set.

field String (Enum)

Identifies the field you want to sort by. Case-sensitive.

Allowed values: endpoint_id, first_seen, last_seen, scan_status
keyword String (Enum)

Whether you want to sort in ascending (ASC) or descending (DESC) order. Case-sensitive.

Allowed values: ASC, DESC
REQUEST BODY
{
  "request_data": {
    "search_from": 0,
    "search_to": 1,
    "sort": {
      "field": "endpoint_id",
      "keyword": "asc"
    },
    "filters": [
      {
        "field": "endpoint_status",
        "operator": "eq",
        "value": "disconnected"
      },
      {
        "field": "dist_name",
        "operator": "in",
        "value": [ "papi-test" ]
      },
      {
        "field": "scan_status",
        "operator": "in",
        "value": [
          "none",
          "pending",
          "in_progress",
          "pending_cancellation",
          "aborted",
          "success",
          "canceled",
          "error"
        ]
      }
    ]
  }
}
CURL
curl -X 'POST' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
'https://api-yourfqdn/public_api/v1/endpoints/get_endpoint' \
-d ''
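An added example, not part of the original reference and not vendor code: it builds filters for agents that have not checked in for a given number of days and pages through the result set in steps of 100, using the total_count and endpoints fields of the reply. The `post` callable is a hypothetical caller-supplied transport (it must add authentication), and treating search_to as an exclusive end offset is an assumption, which is why the loop advances by the number of endpoints actually returned.

```python
import time

OPERATORS = {"in", "gte", "lte", "eq"}      # "Allowed values" for operator
TIME_FIELDS = {"first_seen", "last_seen"}   # the only fields gte / lte apply to
MAX_PAGE = 100                              # maximum result set size


def make_filter(field, operator, value):
    """Build one filter object, enforcing the operator rules on this page."""
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator}")
    if operator in ("gte", "lte"):
        if field not in TIME_FIELDS or not isinstance(value, int):
            raise ValueError("gte/lte need first_seen/last_seen and epoch ms")
    return {"field": field, "operator": operator, "value": value}


def stale_agent_filters(days, platform, now_ms=None):
    """Filters (ANDed by the API) for agents not seen for `days` days."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    cutoff_ms = now_ms - days * 24 * 60 * 60 * 1000
    return [make_filter("last_seen", "lte", cutoff_ms),
            make_filter("platform", "in", [platform])]


def fetch_all(post, filters):
    """Collect every matching endpoint, one page of MAX_PAGE at a time.

    `post` is a hypothetical caller-supplied callable that sends the JSON
    body to get_endpoint with authentication and returns the parsed reply.
    """
    endpoints, start = [], 0
    while True:
        body = {"request_data": {
            "filters": filters,
            "search_from": start,
            "search_to": start + MAX_PAGE,  # assumed to be an exclusive end
            # A fixed sort keeps page boundaries stable between requests.
            "sort": {"field": "endpoint_id", "keyword": "ASC"},
        }}
        reply = post(body)["reply"]
        page = reply["endpoints"]
        endpoints.extend(page)
        start += len(page)  # advance by what was actually returned
        if not page or start >= reply["total_count"]:
            return endpoints
```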
Responses

OK

Body
reply Object

JSON object containing the query result.

total_count Integer

Number of total results of this filter without paging.

result_count Integer

Number of endpoints actually returned as result.

endpoints Array

A list of endpoints.

endpoint_id String
endpoint_name String
endpointTags String
endpoint_type String
endpoint_status String
os_type String
os_version String
ip Array[string]
ipv6 Array
public_ip String
users Array[string]
domain String
alias String
first_seen Integer
last_seen Integer
content_version String
installation_package String
active_directory Object
install_date Integer
endpoint_version String
is_isolated String
isolated_date Object
group_name Array
operational_status String
operational_status_description String
scan_status String
content_release_timestamp Integer
last_content_update_time Integer
content_status String
operating_system String
mac_address Array[string]
assigned_prevention_policy String
assigned_extensions_policy String
RESPONSE
{
  "reply": {
    "total_count": 0,
    "result_count": 0,
    "endpoints": [
      {
        "endpoint_id": "string",
        "endpoint_name": "string",
        "endpointTags": "string",
        "endpoint_type": "string",
        "endpoint_status": "string",
        "os_type": "string",
        "os_version": "string",
        "ip": [ "string" ],
        "ipv6": [ {} ],
        "public_ip": "string",
        "users": [ "string" ],
        "domain": "string",
        "alias": "string",
        "first_seen": 0,
        "last_seen": 0,
        "content_version": "string",
        "installation_package": "string",
        "active_directory": null,
        "install_date": 0,
        "endpoint_version": "string",
        "is_isolated": "string",
        "isolated_date": null,
        "group_name": [ {} ],
        "operational_status": "string",
        "operational_status_description": "string",
        "scan_status": "string",
        "content_release_timestamp": 0,
        "last_content_update_time": 0,
        "content_status": "string",
        "operating_system": "string",
        "mac_address": [ "string" ],
        "assigned_prevention_policy": "string",
        "assigned_extensions_policy": "string"
      }
    ]
  }
}

Bad Request. Got an invalid JSON.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra String

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra String

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Unauthorized access. User does not have the required license type to run this API.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra String

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra String

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}

Internal server error. A unified status for API communication type errors.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra String

Additional information describing the error.

RESPONSE
{
  "err_code": "err_code_example",
  "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
  "err_extra": "err_extra_example"
}