Retrieve a list of all the datasets and their properties.
Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
Accept-Encoding
String
For retrieving a compressed gzipped response
For retrieving a compressed gzipped response
acceptEncoding_example
gzip
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: authorization_example'
-H
'x-xdr-auth-id: xXdrAuthId_example'
-H
'Accept-Encoding: acceptEncoding_example'
'https://api-yourfqdn/public_api/v1/xql/get_datasets'
-d
''
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request\":{}}"
headers = {
'Authorization': "SOME_STRING_VALUE",
'x-xdr-auth-id': "SOME_STRING_VALUE",
'Accept-Encoding': "SOME_STRING_VALUE",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/xql/get_datasets", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/xql/get_datasets")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"request\":{}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request": {}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/xql/get_datasets");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/xql/get_datasets")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("Accept-Encoding", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"request\":{}}")
.asString();import Foundation
let headers = [
"Authorization": "SOME_STRING_VALUE",
"x-xdr-auth-id": "SOME_STRING_VALUE",
"Accept-Encoding": "SOME_STRING_VALUE",
"content-type": "application/json"
]
let parameters = ["request": []] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/xql/get_datasets")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/xql/get_datasets",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request\":{}}",
CURLOPT_HTTPHEADER => [
"Accept-Encoding: SOME_STRING_VALUE",
"Authorization: SOME_STRING_VALUE",
"content-type: application/json",
"x-xdr-auth-id: SOME_STRING_VALUE"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/xql/get_datasets");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request\":{}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/xql/get_datasets");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request\":{}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);requestobject
{
"request": {}
}OK
replyarray
dataset_namestringDataset name.
Dataset name.
typestringDataset type. Can be one of the following: System, Lookup, Raw, User, Snapshot, Correlation, System Audit.
Dataset type. Can be one of the following: System, Lookup, Raw, User, Snapshot, Correlation, System Audit.
log_update_typestringLog update type. Can be one of the following: Logs (event logs are updated continuously), State (the current state is updated periodically).
Log update type. Can be one of the following: Logs (event logs are updated continuously), State (the current state is updated periodically).
last_updatedintegerInteger in timestamp epoch milliseconds. When the data in the dataset was last updated.
Integer in timestamp epoch milliseconds. When the data in the dataset was last updated.
total_days_storedintegerNumber of dats the data is stored in the tenant, which is comprised of hot_range + cold_range.
Number of dats the data is stored in the tenant, which is comprised of hot_range + cold_range.
hot_rangeobjectThe time period of the hot storage from the start date to the end date.
The time period of the hot storage from the start date to the end date.
fromintegerInteger in timestamp epoch milliseconds.
Integer in timestamp epoch milliseconds.
tointegerInteger in timestamp epoch milliseconds.
Integer in timestamp epoch milliseconds.
cold_rangeobjectThe time period of the cold storage from the start date to the end date.
The time period of the cold storage from the start date to the end date.
fromintegerInteger in timestamp epoch milliseconds.
Integer in timestamp epoch milliseconds.
tointegerInteger in timestamp epoch milliseconds.
Integer in timestamp epoch milliseconds.
total_size_storedintegerActual size of the data (in bytes) that is stored in the tenant. This number is dependent on the events stored in the hot storage. For the xdr_data dataset, where the first 31 days of storage are included with your license, the first 31 days are not included in the total_size_stored number.
Actual size of the data (in bytes) that is stored in the tenant. This number is dependent on the events stored in the hot storage. For the xdr_data dataset, where the first 31 days of storage are included with your license, the first 31 days are not included in the total_size_stored number.
average_daily_sizeintegerAverage daily amount stored (in bytes) in the tenant. This number is dependent on the events stored in the hot storage.
Average daily amount stored (in bytes) in the tenant. This number is dependent on the events stored in the hot storage.
total_eventsintegerNumber of total events/logs that are stored in the tenant. This number is dependent on the events stored in the hot storage.
Number of total events/logs that are stored in the tenant. This number is dependent on the events stored in the hot storage.
average_event_sizeintegerAverage size (in bytes) of a single event in the dataset (total_size_stored divided by the total_events). This number is dependent on the events stored in the hot storage.
Average size (in bytes) of a single event in the dataset (total_size_stored divided by the total_events). This number is dependent on the events stored in the hot storage.
ttlintegerTime to live. Defines when lookup entries expire and are removed automatically from the lookup dataset.
Time to live. Defines when lookup entries expire and are removed automatically from the lookup dataset.
default_query_targetbooleanwhether the dataset is configured to use as your default query target in XQL Search, so when you write your queries you do not need to define a dataset. Can be one of the following: True, False.
whether the dataset is configured to use as your default query target in XQL Search, so when you write your queries you do not need to define a dataset. Can be one of the following: True, False.
{
"reply": [
{
"Dataset Name": "xdr_data",
"Type": "SYSTEM",
"Log Update Type": "LOGS",
"Last Updated": null,
"Total Days Stored": null,
"Hot Range": {
"from": 1715299200000,
"to": 1716595200000
},
"Cold Range": {},
"Total Size Stored": null,
"Average Daily Size": null,
"Total Events": null,
"Average Event Size": null,
"TTL": null,
"Default Query Target": "FALSE"
},
{
"Dataset Name": "host_inventory",
"Type": "SYSTEM",
"Log Update Type": "LOGS",
"Last Updated": null,
"Total Days Stored": null,
"Hot Range": {},
"Cold Range": {},
"Total Size Stored": null,
"Average Daily Size": null,
"Total Events": null,
"Average Event Size": null,
"TTL": null,
"Default Query Target": "FALSE"
},
{
"Dataset Name": "host_users_to_groups",
"Type": "SYSTEM",
"Log Update Type": "LOGS",
"Last Updated": null,
"Total Days Stored": null,
"Hot Range": {},
"Cold Range": {},
"Total Size Stored": null,
"Average Daily Size": null,
"Total Events": null,
"Average Event Size": null,
"TTL": null,
"Default Query Target": "FALSE"
}
]
}ad Request. Got an invalid JSON.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. User does not have the required license type to run this API.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Internal server error. A unified status for API communication type errors.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}