Get XQL Query Results Stream

Cortex XDR REST API

POST /public_api/v1/xql/get_query_results_stream

Retrieve XQL query results with more than 1000 results.

Note: This endpoint only works on XQL queries initiated by /public_api/v1/xql/start_xql_query/.

The response is returned chunked (Transfer-Encoding: chunked). To retrieve a gzip-compressed response (Content-Encoding: gzip), add Accept-Encoding: gzip to your request headers.

For more information on how to run XQL queries, see Running XQL Query APIs.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Request headers
Accept-Encoding String
For retrieving a compressed gzipped response.
Example: Accept-Encoding: gzip
Body parameters
request_data Object required
stream_id String

String representing the unique ID generated by the response to Get XQL Query Results API.

is_gzip_compressed Boolean

A boolean flag indicating whether the response should be compressed and gzipped.

CURL
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Accept-Encoding: gzip' \
  'https://api-yourfqdn/public_api/v1/xql/get_query_results_stream' \
  -d '{"request_data": {"stream_id": "<stream_id>", "is_gzip_compressed": true}}'
Responses

Successful response

Bad Request. Got an invalid JSON.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra String

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra String

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. User does not have the required license type to run this API.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra String

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra String

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Internal server error. A unified status for API communication type errors.

Body
err_code String

HTTP response code.

err_msg String

Error message.

Example: "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"

err_extra String

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }
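
The request body, chunked gzip handling and error body described on this page, as an added Python example that is not part of the Cortex XDR documentation. It assumes the stream carries one JSON object per line, which this page does not state; the sample rows and their field names are constructed.

```python
import gzip
import json
import zlib

def build_request(stream_id, want_gzip=True):
    """Headers and JSON body for POST /public_api/v1/xql/get_query_results_stream."""
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if want_gzip:
        headers["Accept-Encoding"] = "gzip"
    body = {"request_data": {"stream_id": stream_id, "is_gzip_compressed": want_gzip}}
    return headers, json.dumps(body)

def iter_records(chunks, gzipped):
    """Yield one dict per line of the body, inflating gzip incrementally."""
    # Assumption (not stated on this page): rows are newline-delimited JSON.
    # wbits = 16 + MAX_WBITS tells zlib to expect a gzip header and trailer.
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzipped else None
    pending = b""
    for chunk in chunks:
        pending += inflater.decompress(chunk) if inflater else chunk
        *lines, pending = pending.split(b"\n")  # last piece may be a partial row
        for line in lines:
            if line.strip():
                yield json.loads(line)
    if inflater:
        pending += inflater.flush()
    if pending.strip():
        yield json.loads(pending)

def parse_error(body):
    """Decode the documented error body; err_msg may itself hold JSON text."""
    err = json.loads(body)
    try:
        detail = json.loads(err["err_msg"])
    except (TypeError, ValueError):
        detail = err["err_msg"]
    return err["err_code"], detail, err.get("err_extra")

# Constructed sample: three rows (field names invented), gzipped, in 7-byte chunks.
_ROWS = [{"event_id": i, "action": "login"} for i in range(3)]
_BLOB = gzip.compress("\n".join(json.dumps(r) for r in _ROWS).encode())
SAMPLE_CHUNKS = [_BLOB[i:i + 7] for i in range(0, len(_BLOB), 7)]
# The error body shown on this page.
SAMPLE_ERROR = r'''{"err_code": "err_code_example",
 "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
 "err_extra": "err_extra_example"}'''

if __name__ == "__main__":
    print(list(iter_records(SAMPLE_CHUNKS, gzipped=True)))
    print(parse_error(SAMPLE_ERROR))
```

HTTP clients that undo Content-Encoding themselves hand back plain bytes, so pass gzipped=False to iter_records in that case.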