Get XQL Query Results

Cortex XDR REST API

post /public_api/v1/xql/get_query_results

Retrieve the results of an XQL query that has already been started.

Note: This endpoint only works on XQL queries initiated by /public_api/v1/xql/start_xql_query/.

Maximum result set size is 1000. The API does not support pagination; instead, you set request values that limit the result size and choose how to wait for the results. To view a response with more than 1000 results, you must call Get XQL Query Results Stream.

For more information on how to run XQL queries, see Running XQL Query APIs.

Note

To keep you within your quota, Cortex XDR allows you to run at most four API queries in parallel.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
Accept-Encoding String

For retrieving a compressed gzipped response

Example: acceptEncoding_example
Default: gzip
CLIENT REQUEST
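# Retrieve results of a query started via /public_api/v1/xql/start_xql_query/.
# Each physical line needs a trailing backslash; without them the shell runs
# `curl -X 'POST'` on its own and treats the remaining lines as separate commands.
# The Authorization / x-xdr-auth-id values are placeholders; they are sent on
# every request, so keep real values out of shell history (e.g. load them
# from a variable or file).
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  -H 'Accept-Encoding: acceptEncoding_example' \
  'https://api-yourfqdn/public_api/v1/xql/get_query_results' \
  -d '{"request_data":{"query_id":"061880b4867446_4356_inv","pending_flag":true,"limit":100,"format":"json"}}'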
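import http.client
import json

# Placeholder credentials. The real API key and key id should be loaded from
# a secret store or environment variable rather than hard-coded in source.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'Accept-Encoding': "SOME_STRING_VALUE",
    'content-type': "application/json",
}

# Serialise the body from a dict instead of hand-escaping a JSON string literal;
# query_id is the execution ID returned by start_xql_query.
payload = json.dumps({
    "request_data": {
        "query_id": "061880b4867446_4356_inv",
        "pending_flag": True,
        "limit": 100,
        "format": "json",
    }
})

conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/xql/get_query_results", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # A non-200 reply carries an err_code/err_msg/err_extra object rather than
    # query results, so surface the status before printing the body.
    if res.status != 200:
        print("HTTP", res.status, res.reason)
    print(data.decode("utf-8"))
finally:
    # Release the connection even if the request raised.
    conn.close()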
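require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/xql/get_query_results")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample set VERIFY_NONE, which
# lets any host on the path impersonate the API and read the key sent below.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Placeholder credentials; load the real key and key id from a secret store.
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# query_id is the execution ID returned by start_xql_query.
request.body = "{\"request_data\":{\"query_id\":\"061880b4867446_4356_inv\",\"pending_flag\":true,\"limit\":100,\"format\":\"json\"}}"

response = http.request(request)
puts response.read_body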
// Request body for Get XQL Query Results; query_id is the execution ID
// returned by start_xql_query.
const requestBody = {
  request_data: {
    query_id: "061880b4867446_4356_inv",
    pending_flag: true,
    limit: 100,
    format: "json"
  }
};
const data = JSON.stringify(requestBody);

// Placeholder credentials. Note that anything set here ships to the client
// and is visible to whoever runs the page.
const requestHeaders = {
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "Accept-Encoding": "SOME_STRING_VALUE",
  "content-type": "application/json"
};

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
  // Print the raw reply only once the request has fully completed.
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
};
xhr.open("POST", "https://api-yourfqdn/public_api/v1/xql/get_query_results");
Object.keys(requestHeaders).forEach(function (name) {
  xhr.setRequestHeader(name, requestHeaders[name]);
});
xhr.send(data);
// Endpoint, placeholder credentials and request body for Get XQL Query Results.
// query_id is the execution ID returned by start_xql_query.
final String endpoint = "https://api-yourfqdn/public_api/v1/xql/get_query_results";
final String apiKey = "SOME_STRING_VALUE";
final String apiKeyId = "SOME_STRING_VALUE";
final String acceptEncoding = "SOME_STRING_VALUE";
final String requestBody = "{\"request_data\":{\"query_id\":\"061880b4867446_4356_inv\",\"pending_flag\":true,\"limit\":100,\"format\":\"json\"}}";

// Send the pre-serialised JSON and read the reply back as a plain string.
HttpResponse<String> response = Unirest.post(endpoint)
        .header("Authorization", apiKey)
        .header("x-xdr-auth-id", apiKeyId)
        .header("Accept-Encoding", acceptEncoding)
        .header("content-type", "application/json")
        .body(requestBody)
        .asString();
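import Foundation

// Placeholder credentials; load the real API key and key id from the keychain
// or the environment rather than hard-coding them.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "Accept-Encoding": "SOME_STRING_VALUE",
    "content-type": "application/json"
]
// query_id is the execution ID returned by start_xql_query.
let parameters = ["request_data": [
    "query_id": "061880b4867446_4356_inv",
    "pending_flag": true,
    "limit": 100,
    "format": "json"
]] as [String : Any]

// The URL is a fixed literal, so a nil here is a programming error.
guard let url = URL(string: "https://api-yourfqdn/public_api/v1/xql/get_query_results") else {
    fatalError("invalid endpoint URL")
}

// JSONSerialization.data(withJSONObject:) throws; the original sample omitted
// `try`, which does not compile.
let postData: Data
do {
    postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    fatalError("could not encode request body: \(error)")
}

var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// A command-line script would exit before the asynchronous task finishes, so
// block until the completion handler has run.
let done = DispatchSemaphore(value: 0)
let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) -> Void in
    defer { done.signal() }
    if let error = error {
        print("request failed: \(error)")
        return
    }
    if let httpResponse = response as? HTTPURLResponse {
        // A non-200 status carries an err_code/err_msg/err_extra object, not results.
        print("HTTP \(httpResponse.statusCode)")
    }
    // Print the reply body so the query results are actually visible.
    if let data = data, let body = String(data: data, encoding: .utf8) {
        print(body)
    }
}
dataTask.resume()
done.wait()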
<?php
// Endpoint, request body and placeholder credentials for Get XQL Query Results.
// query_id is the execution ID returned by start_xql_query.
$url = "https://api-yourfqdn/public_api/v1/xql/get_query_results";
$body = "{\"request_data\":{\"query_id\":\"061880b4867446_4356_inv\",\"pending_flag\":true,\"limit\":100,\"format\":\"json\"}}";
$requestHeaders = [
    "Accept-Encoding: SOME_STRING_VALUE",
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE",
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",          // empty string: let libcurl advertise the encodings it supports
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => $requestHeaders,
]);

$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

// Report transport-level failures; otherwise echo the raw JSON reply.
if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
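/* Retrieve XQL query results. The credentials and query_id are placeholders;
 * query_id is the execution ID returned by start_xql_query. */
CURL *hnd = curl_easy_init();
struct curl_slist *headers = NULL;
CURLcode ret = CURLE_FAILED_INIT;

/* curl_easy_init() can return NULL; the original sample did not check. */
if (hnd != NULL) {
    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/xql/get_query_results");

    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"query_id\":\"061880b4867446_4356_inv\",\"pending_flag\":true,\"limit\":100,\"format\":\"json\"}}");

    /* ret != CURLE_OK means the transfer itself failed. By default an HTTP
     * error status (err_code/err_msg body) still returns CURLE_OK and must
     * be checked separately, e.g. via CURLINFO_RESPONSE_CODE. */
    ret = curl_easy_perform(hnd);

    /* The original sample leaked both the header list and the easy handle. */
    curl_slist_free_all(headers);
    curl_easy_cleanup(hnd);
}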
// Endpoint, placeholder credentials and request body for Get XQL Query Results.
// query_id is the execution ID returned by start_xql_query.
const string endpoint = "https://api-yourfqdn/public_api/v1/xql/get_query_results";
const string apiKey = "SOME_STRING_VALUE";
const string apiKeyId = "SOME_STRING_VALUE";
const string acceptEncoding = "SOME_STRING_VALUE";
const string requestBody = "{\"request_data\":{\"query_id\":\"061880b4867446_4356_inv\",\"pending_flag\":true,\"limit\":100,\"format\":\"json\"}}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", apiKey);
request.AddHeader("x-xdr-auth-id", apiKeyId);
request.AddHeader("Accept-Encoding", acceptEncoding);
request.AddHeader("content-type", "application/json");
// Send the pre-serialised JSON as the raw request body.
request.AddParameter("application/json", requestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobjectrequired
query_idstring

String representing the unique execution ID generated by the response to Start an XQL Query API. You can also enter the execution ID of a query generated in Cortex XDR and listed in the Query Center table.

pending_flagboolean

Boolean flag indicating whether the API call should operate in synchronous/blocking mode, or in asynchronous/non-blocking mode. Valid Values:

  • True (default): The call returns immediately with one of the following options:
  1. PENDING status, indicating that the query has not yet completed or its results are not yet ready to be returned; execute the API call again later.
  2. SUCCESS/FAIL status
  • False: The API will block until query completes and results are ready to be returned.
limitinteger

Integer representing the maximum number of results to return. If 'limit' is not specified, or if 'limit' is greater than 1000 and the query yields more than 1000 valid results, a stream id is generated for use in the Get XQL Query Results Stream API. In the context of multi-tenant investigations, when you specify the parameter value (x), it returns x results across all tenants combined, rather than x results for each individual tenant. For example, if there are y tenants participating in the investigation, the maximum number of results returned can be x*y (up to the limit of 1,000,000).

formatobject (Enum)

The type of response output.

Allowed values: "json", "csv"
REQUEST
{ "request_data": { "query_id": "061880b4867446_4356_inv", "pending_flag": true, "limit": 100, "format": "json" } }
Responses

Successful response

Body
application/json
replyobject
statusstring
number_of_resultsinteger
query_costobject
9995067425505number
remaining_quotanumber
resultsobject
dataarray
[
event_idstring
agent_versionstring
_productstring
_timeinteger
_vendorstring
insert_timestampinteger
agent_os_typestring
event_typestring
event_sub_typestring
]
RESPONSE
{ "reply": { "status": "PENDING" } }
{ "reply": { "status": "SUCCESS", "number_of_results": 3, "query_cost": { "tenant_id_1": 0.001596388888888889 }, "remaining_quota": 4.998403611111111, "results": { "data": [ { "event_id": "eventID1", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825324, "_time": 1621541523000, "event_type": "STORY", "event_sub_type": "NULL" }, { "event_id": "eventID2", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825326, "_time": 1621541528000, "event_type": "STORY", "event_sub_type": "NULL" }, { "event_id": "eventID3", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825325, "_time": 1621541517000, "event_type": "STORY", "event_sub_type": "NULL" } ] } } }
{ "reply": { "status": "SUCCESS", "number_of_results": 3, "query_cost": { "tenant_id_1": 0.001596388888888889 }, "remaining_quota": 4.998403611111111, "results": { "data": "_vendor,_product,insert_timestamp,event_id1,_time,event_type,event_sub_type\r\nPANW,Fusion,2021-05-20 20:17:05.324000+00:00,eventID,2021-05-20 20:12:03+00:00,STORY,NULL\r\nPANW,Fusion,2021-05-20 20:17:05.326000+00:00,eventID2,2021-05-20 20:12:08+00:00,STORY,NULL\r\nPANW,Fusion,2021-05-20 20:17:05.325000+00:00,eventID3,2021-05-20 20:11:57+00:00,STORY,NULL\r\n" } } }
{ "reply": { "status": "SUCCESS", "number_of_results": 6, "query_cost": { "tenant_id_1": 0.001596388888888889, "tenant_id_2": 0.00179989 }, "remaining_quota": 4.995007332222222, "results": { "data": [ { "event_id": "eventID1", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825324, "_time": 1621541523000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1723879655" }, { "event_id": "eventID2", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825326, "_time": 1621541528000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1723879655" }, { "event_id": "eventID3", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825325, "_time": 1621541517000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1723879655" }, { "event_id": "eventID4", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825324, "_time": 1621541523000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1705396706" }, { "event_id": "eventID5", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825326, "_time": 1621541528000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1705396706" }, { "event_id": "eventID6", "_vendor": "PANW", "_product": "Fusion", "insert_timestamp": 1621541825325, "_time": 1621541517000, "event_type": "STORY", "event_sub_type": "NULL", "tenant": "1705396706" } ] } } }
{ "reply": { "status": "SUCCESS", "number_of_results": 1000000, "query_cost": { "tenant_id_1": 0.011742777777777777 }, "remaining_quota": 4.984442777777778, "results": { "stream_id": "streamID" } } }

Bad Request. The request body is not valid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }