Get all datasets

Cortex XDR REST API

post /public_api/v1/xql/get_datasets

Retrieve a list of all the datasets and their properties.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Request headers
Authorization
String
required
{api_key}
Example: authorization_example
x-xdr-auth-id
String
required
{api_key_id}
Example: xXdrAuthId_example
Body parameters
requestObject
CURL
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/xql/get_datasets'
-d ''
Responses

OK

Body
replyArray
dataset_nameString

Dataset name.

typeString

Dataset type. Can be one of the following: System, Lookup, Raw, User, Snapshot, Correlation, System Audit.

log_update_typeString

Log update type. Can be one of the following: Logs (event logs are updated continuously), State (the current state is updated periodically).

last_updatedInteger

Integer in timestamp epoch milliseconds. When the data in the dataset was last updated.

total_days_storedInteger

Number of dats the data is stored in the tenant, which is comprised of hot_range + cold_range.

hot_rangeObject

The time period of the hot storage from the start date to the end date.

fromInteger
Integer in timestamp epoch milliseconds.
toInteger

Integer in timestamp epoch milliseconds.

cold_rangeObject

The time period of the cold storage from the start date to the end date.

fromInteger

Integer in timestamp epoch milliseconds.

toInteger

Integer in timestamp epoch milliseconds.

total_size_storedInteger

Actual size of the data (in bytes) that is stored in the tenant. This number is dependent on the events stored in the hot storage. For the xdr_data dataset, where the first 31 days of storage are included with your license, the first 31 days are not included in the total_size_stored number.

average_daily_sizeInteger

Average daily amount stored (in bytes) in the tenant. This number is dependent on the events stored in the hot storage.

total_eventsInteger

Number of total events/logs that are stored in the tenant. This number is dependent on the events stored in the hot storage.

average_event_sizeInteger

Average size (in bytes) of a single event in the dataset (total_size_stored divided by the total_events). This number is dependent on the events stored in the hot storage.

ttlInteger

Time to live. Defines when lookup entries expire and are removed automatically from the lookup dataset.

default_query_targetBoolean

whether the dataset is configured to use as your default query target in XQL Search, so when you write your queries you do not need to define a dataset. Can be one of the following: True, False.

RESPONSE
{ "reply": [ { "Dataset Name": "xdr_data", "Type": "SYSTEM", "Log Update Type": "LOGS", "Last Updated": null, "Total Days Stored": null, "Hot Range": { "from": 1715299200000, "to": 1716595200000 }, "Cold Range": {}, "Total Size Stored": null, "Average Daily Size": null, "Total Events": null, "Average Event Size": null, "TTL": null, "Default Query Target": "FALSE" }, { "Dataset Name": "host_inventory", "Type": "SYSTEM", "Log Update Type": "LOGS", "Last Updated": null, "Total Days Stored": null, "Hot Range": {}, "Cold Range": {}, "Total Size Stored": null, "Average Daily Size": null, "Total Events": null, "Average Event Size": null, "TTL": null, "Default Query Target": "FALSE" }, { "Dataset Name": "host_users_to_groups", "Type": "SYSTEM", "Log Update Type": "LOGS", "Last Updated": null, "Total Days Stored": null, "Hot Range": {}, "Cold Range": {}, "Total Size Stored": null, "Average Daily Size": null, "Total Events": null, "Average Event Size": null, "TTL": null, "Default Query Target": "FALSE" } ] }

ad Request. Got an invalid JSON.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. User does not have the required license type to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Internal server error. A unified status for API communication type errors.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }