post
/public_api/v1/device_control/get_violations
Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
When filtering by multiple fields: - Response is concatenated using AND condition (OR is not supported). - Maximum result set size is 100. - Offset is the zero-based number of incidents from the start of the result set.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/device_control/get_violations" \
-d '{
"request_data" : {
"search_from" : 0,
"filters" : [ {
"field" : "endpoint_id_list",
"value" : [ "", "" ],
"operator" : "in"
}, {
"field" : "endpoint_id_list",
"value" : [ "", "" ],
"operator" : "in"
} ],
"sort" : {
"field" : "endpoint_id_list",
"value" : "desc"
},
"search_to" : 6
}
}'
Request
Body
optional
You can send a request to retrieve either all or filtered results.
Example:
{"request_data":{}}
request_data
optional
An empty object returns all results.
filters
optional
Array
Provides an array of filter fields.
field
required
String
(Enum)
String that identifies the violation field the filter is matching. Filters are based on the following keywords:
endpoint_id_list
: List of endpoint IDs.type
: Type of violation.timestamp
: Timestamp of the violation.ip_list
: List of IP addresses.vendor
: Name of vendor.vendor_id
: Vendor ID.product
: Name of product.product_id
: Product ID.serial
: Serial number.hostname
: Hostname.violation_id_list
: List of violation IDs.username
: Username.
Allowed values:
endpoint_id_list
type
timestamp
ip_list
vendor
vendor_id
product
product_id
serial
hostname
violation_id_list
username
operator
required
String
(Enum)
String that identifies the comparison operator you want to use for this filter. Valid keywords are:
in
— Permitted for all fields except timestamp
.
gte
/ lte
— Permitted only for timestamp
.
Allowed values:
in
gte
lte
value
required
Array
of objects
Value that this filter must match. The contents of this field will differ depending on the violation field that you specified for this filter:
timestamp
: Integer, in UTC timezone epoch millisecondsviolation_id_list
: List of integersip_list
: Must contain an IP stringtype
: Must be eithercd-rom
,disk drive
,floppy disk
,portable device
- All other fields need to be list of strings.
search_from
optional
Integer
Integer representing the starting offset within the query result set from which you want violations returned.
Violations are returned as a zero-based list. Any violation indexed less than this value is not returned in the final result set and defaults to zero.
search_to
optional
Integer
An integer representing the end of offset within the result set after which you do not want violations returned.
Violations in the violation list that are indexed higher than this value are not returned in the final results set. Defaults to zero, which returns all alerts to the end of the list.
sort
optional
Identifies the sort order for the result set.
field
required
String
(Enum)
The field you want to sort by.
Allowed values:
endpoint_id_list
type
timestamp
ip_list
vendor
vendor_id
product
product_id
serial
hostname
violation_id_list
username
value
required
String
(Enum)
Can be either
asc
(ascending) or desc
(descending).
Allowed values:
asc
desc
Responses