Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
When filtering by multiple fields:
- Filters are combined with an AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based index of a violation from the start of the result set.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
Accept-Encoding
String
For retrieving a compressed gzipped response
For retrieving a compressed gzipped response
acceptEncoding_example
gzip
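# Placeholders: authorization_example / xXdrAuthId_example are the API key and
# API key ID, api-yourfqdn is the tenant FQDN. The continuation backslashes are
# required for this to run as one command; -d '' sends an empty body, see the
# JSON request examples further down for a populated request_data object.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  -H 'Accept-Encoding: acceptEncoding_example' \
  'https://api-yourfqdn/public_api/v1/device_control/get_violations' \
  -d ''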
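import http.client
import json

# Placeholders: "api-yourfqdn" is the tenant FQDN; the Authorization and
# x-xdr-auth-id values are the API key and API key ID.
conn = http.client.HTTPSConnection("api-yourfqdn")

# Build the body from a dict instead of a hand-escaped string. The structure
# mirrors the request_data schema documented further down (filters /
# search_from / search_to / sort).
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "endpoint_id_list", "operator": "in", "value": [0]}
        ],
        "search_from": 0,
        "search_to": 0,
        "sort": {"field": "endpoint_id_list", "value": "asc"},
    }
})
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json",
}
try:
    conn.request("POST", "/public_api/v1/device_control/get_violations", payload, headers)
    res = conn.getresponse()
    # Read the body before the connection is closed; `data` is consumed by the
    # print call that follows this block.
    data = res.read()
    if res.status != 200:
        # Make a non-2xx result visible instead of silently printing its body.
        print("HTTP", res.status, res.reason)
finally:
    # Release the socket even when the request raises.
    conn.close()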
print(data.decode("utf-8"))require 'uri'
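require 'net/http'
require 'openssl'
require 'json'

url = URI("https://api-yourfqdn/public_api/v1/device_control/get_violations")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The generated sample used VERIFY_NONE, which
# accepts any certificate and so lets an on-path party read the API key sent
# in the headers below; VERIFY_PEER is the Net::HTTP default and the right
# setting for a production endpoint.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Placeholders: API key and API key ID.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# Body built from a Hash; same structure as the request_data schema below.
request.body = JSON.generate({
  "request_data" => {
    "filters" => [
      { "field" => "endpoint_id_list", "operator" => "in", "value" => [0] }
    ],
    "search_from" => 0,
    "search_to" => 0,
    "sort" => { "field" => "endpoint_id_list", "value" => "asc" }
  }
})
# `response` is printed by the line that follows this block.
response = http.request(request)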
puts response.read_body
// Request body; key order matches the request_data schema documented below.
const requestBody = {
  "request_data": {
    "filters": [
      { "field": "endpoint_id_list", "operator": "in", "value": [0] }
    ],
    "search_from": 0,
    "search_to": 0,
    "sort": { "field": "endpoint_id_list", "value": "asc" }
  }
};
// `data` is sent by xhr.send on the line that follows this block.
const data = JSON.stringify(requestBody);

const xhr = new XMLHttpRequest();
// As generated: cookies/credentials are attached to the request. This API is
// authenticated by the headers set below, so this flag is presumably not
// needed - confirm before removing it.
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
  if (this.readyState === XMLHttpRequest.DONE) {
    console.log(this.responseText);
  }
};
xhr.open("POST", "https://api-yourfqdn/public_api/v1/device_control/get_violations");
// Placeholders: API key and API key ID.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);
// Same request as the other samples; the JSON body follows the request_data
// schema documented below. Placeholders: API key and API key ID.
String url = "https://api-yourfqdn/public_api/v1/device_control/get_violations";
String json = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"endpoint_id_list\",\"value\":\"asc\"}}}";
HttpResponse<String> response =
    Unirest.post(url)
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("Accept-Encoding", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body(json)
        .asString();
import Foundation
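// Placeholders for the API key and API key ID; load real values from the
// keychain or the environment rather than embedding them in source.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "Accept-Encoding": "SOME_STRING_VALUE",
    "content-type": "application/json"
]

// Request body, mirroring the request_data schema documented below.
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            [
                "field": "endpoint_id_list",
                "operator": "in",
                "value": [0]
            ]
        ],
        "search_from": 0,
        "search_to": 0,
        "sort": [
            "field": "endpoint_id_list",
            "value": "asc"
        ]
    ]
]

// JSONSerialization.data(withJSONObject:options:) throws, so the call needs
// `try`; the generated sample omitted it and does not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

// The endpoint is a constant literal, so a parse failure is a programming error.
guard let url = URL(string: "https://api-yourfqdn/public_api/v1/device_control/get_violations") else {
    fatalError("invalid endpoint URL literal")
}
var request = URLRequest(url: url,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// `dataTask` is resumed by the line that follows this block. When run as a
// command-line script the process can exit before the completion handler
// fires; keep it alive (e.g. a DispatchSemaphore or RunLoop) in that case.
let dataTask = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print("request failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("unexpected response: \(String(describing: response))")
        return
    }
    print("HTTP \(httpResponse.statusCode)")
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}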
dataTask.resume()
<?php
// Same request as the other samples; header order and values are unchanged.
$url = "https://api-yourfqdn/public_api/v1/device_control/get_violations";
$json = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"endpoint_id_list\",\"value\":\"asc\"}}}";
// Placeholders: API key and API key ID.
$headers = [
    "Accept-Encoding: SOME_STRING_VALUE",
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
];

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_ENCODING, "");          // "" = accept every encoding libcurl supports
curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
$err = curl_error($ch);
curl_close($ch);

// curl_error() returns "" on success, so a non-empty value means the transfer failed.
if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
CURL *hnd = curl_easy_init();
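/* `hnd` is created by curl_easy_init() on the preceding line; it returns NULL
 * on failure, which the generated sample never checked. */
if (hnd == NULL) {
    fprintf(stderr, "curl_easy_init failed\n");
} else {
    /* Placeholders: API key and API key ID. */
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/device_control/get_violations");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* Body follows the request_data schema documented below. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"endpoint_id_list\",\"value\":\"asc\"}}}");

    CURLcode ret = curl_easy_perform(hnd);
    if (ret != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
    }

    /* Release the header list and the handle; the original sample leaked both. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}
var client = new RestClient("https://api-yourfqdn/public_api/v1/device_control/get_violations");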
// Same request as the other samples; `client` is created on the preceding line.
// Placeholders: API key and API key ID.
const string RequestJson = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[0]}],\"search_from\":0,\"search_to\":0,\"sort\":{\"field\":\"endpoint_id_list\",\"value\":\"asc\"}}}";
var request = new RestRequest(Method.POST);
string[][] requestHeaders =
{
    new[] { "Authorization", "SOME_STRING_VALUE" },
    new[] { "x-xdr-auth-id", "SOME_STRING_VALUE" },
    new[] { "Accept-Encoding", "SOME_STRING_VALUE" },
    new[] { "content-type", "application/json" }
};
foreach (var header in requestHeaders)
{
    request.AddHeader(header[0], header[1]);
}
// Raw JSON string as the request body; `response` is obtained on the line that follows.
request.AddParameter("application/json", RequestJson, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobjectAn empty object returns all results.
An empty object returns all results.
filtersarrayProvides an array of filter fields.
Provides an array of filter fields.
fieldstring (Enum)String that identifies the violation field the filter is matching. Filters are based on the following keywords:
endpoint_id_list: List of endpoint IDs.
type: Type of violation.
timestamp: Timestamp of the violation.
ip_list: List of IP addresses.
vendor: Name of vendor.
vendor_id: Vendor ID.
product: Name of product.
product_id: Product ID.
serial: Serial number.
hostname: Hostname.
violation_id_list: List of violation IDs.
username: Username.
String that identifies the violation field the filter is matching. Filters are based on the following keywords:
endpoint_id_list: List of endpoint IDs.
type: Type of violation.
timestamp: Timestamp of the violation.
ip_list: List of IP addresses.
vendor: Name of vendor.
vendor_id: Vendor ID.
product: Name of product.
product_id: Product ID.
serial: Serial number.
hostname: Hostname.
violation_id_list: List of violation IDs.
username: Username.
operatorstring (Enum)String that identifies the comparison operator you want to use for this filter. Valid keywords are:
in
— Permitted for all fields except timestamp.
gte / lte
— Permitted only for timestamp.
String that identifies the comparison operator you want to use for this filter. Valid keywords are:
in
— Permitted for all fields except timestamp.
gte / lte
— Permitted only for timestamp.
valueinteger or string or array[['integer', 'string']]Value that this filter must match. The contents of this field will differ depending on the violation field that you specified for this filter:
timestamp: Integer, in UTC timezone epoch milliseconds
violation_id_list: List of integers
ip_list: Must contain an IP string
type: Must be either cd-rom, disk drive, floppy disk, portable device
- All other fields need to be list of strings.
Value that this filter must match. The contents of this field will differ depending on the violation field that you specified for this filter:
timestamp: Integer, in UTC timezone epoch milliseconds
violation_id_list: List of integers
ip_list: Must contain an IP string
type: Must be either cd-rom, disk drive, floppy disk, portable device
- All other fields need to be a list of strings.
search_fromintegerInteger representing the starting offset within the query result set from which you want violations returned.
Violations are returned as a zero-based list. Any violation indexed lower than this value is not returned in the final result set. Defaults to zero.
Integer representing the starting offset within the query result set from which you want violations returned. Violations are returned as a zero-based list. Any violation indexed lower than this value is not returned in the final result set. Defaults to zero.
search_tointegerAn integer representing the end of offset within the result set after which you do not want violations returned.
Violations in the violation list that are indexed higher than this value are not returned in the final result set. Defaults to zero, which returns all violations to the end of the list.
An integer representing the end offset within the result set after which you do not want violations returned. Violations in the violation list that are indexed higher than this value are not returned in the final result set. Defaults to zero, which returns all violations to the end of the list.
sortobjectrequiredIdentifies the sort order for the result set.
Identifies the sort order for the result set.
fieldstring (Enum)The field you want to sort by.
The field you want to sort by.
valuestring (Enum)Can be either asc (ascending) or desc (descending).
Can be either asc (ascending) or desc (descending).
"desc"{
"request_data": {}
}
{
"request_data": {
"filters": [
{
"field": "type",
"operator": "in",
"value": [
"disk drive"
]
}
],
"search_to": 1
}
}