Get XQL Query Results

Cortex XDR REST API

post /public_api/v1/xql/get_query_results

Retrieve results of an executed XQL query API.

Note: This endpoint only works on XQL queries initiated by /public_api/v1/xql/start_xql_query/.

Maximum result set size is 1000. The API does not support pagination, therefore, you can set values to determine the result size limitation and how to wait for the results. To view response with greater than 1000 results you must call Get XQL Query Results Stream.

For more information on how to run XQL queries, see Running XQL Query APIs.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

CURL
curl -X POST \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ "https://api-yourfqdn/public_api/v1/xql/get_query_results" \ -d '{ "request_data" : { "query_id" : "061880b4867446_4356_inv", "pending_flag" : true, "limit" : 100, "format" : "json" } }'
Request
Body
optional
Example: {"request_data":{"query_id":"061880b4867446_4356_inv","pending_flag":true,"limit":100,"format":"json"}}
request_data
required
query_id
required
String
String representing the unique execution ID generated by the response to Start an XQL Query API. You can also enter the execution ID of a query generated in Cortex XDR and listed in the Query Center table.
pending_flag
optional
Boolean

Boolean flag indicating whether the API call should operate in synchronous/blocking mode, or in asynchronous/non-blocking mode. Valid Values:

  • True (default): The call returns immediately with one of the following options:
  1. PENDING status indicating query hasn't yet completed or results are not yet ready to be returned. Need to execute the API call again.
  2. SUCCESS/FAIL status
  • False: The API will block until query completes and results are ready to be returned.
limit
optional
Integer
Integer representing the maximum number of results to return. If the 'limit' is not specified or if 'limit' is greater than 1000 and the query yields more than 1000 valid results, a stream id will be generated for use in the Get XQL Query Results Stream* API. In the context of multi-tenant investigations, when you specify the parameter value (x), it will return x results across all tenants combined, rather than x results for each individual tenant. For example, if there are y tenants participating in the investigation, the maximum number of results returned can be x*y (up to the limit of 1,000,000).
format
optional
String (Enum)
The type of response output.
Allowed values:
json
csv
Responses

Successful response

Body
reply
optional
status
optional
String
number_of_results
optional
Integer
query_cost
optional
9995067425505
optional
Number
remaining_quota
optional
Number
results
optional
data
optional
Array
event_id
optional
String
agent_version
optional
String
_product
optional
String
_time
optional
Integer
_vendor
optional
String
insert_timestamp
optional
Integer
agent_os_type
optional
String
event_type
optional
String
event_sub_type
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.