Get data from a lookup dataset

Cortex XDR REST API

post /public_api/v1/xql/lookups/get_data

Get data from a lookup dataset according to the specified filter fields. All lookup entries matching any of the filter blocks are returned. To match a filter block, a lookup entry must match all the specified fields as if there were an AND operator between them. If no filters are specified, return all lookup entries.

Note: The maximum number of entries returned is 10,000.

Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB

Request headers
Authorization
String
required
{api_key}
Example: authorization_example
x-xdr-auth-id
String
required
{api_key_id}
Example: xXdrAuthId_example
Body parameters
requestObjectrequired
dataset_nameString

Name of the dataset to query.

filtersArray

Key-value pairs of fields to query in a dataset. A lookup entry must match all the specified fields as if there were an AND operator between them. You can use one or more fields, up to the number of fields in the schema.

limitInteger

The maximum number of results to return. If this is not specified, return all lookup entries that match the filter criteria.

REQUEST BODY
{ "request": { "dataset_name": "users", "filters": [ { "uid": "123", "username": "john" }, { "department": "dev", "zipcode": "58674" } ], "limit": 20 } }
CURL
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/xql/lookups/get_data'
-d ''
Responses

OK

Body
dataObject
filter_countInteger

Number of entries that match the filter.

total_countInteger

Total number of entries.

RESPONSE
{ "reply": { "data": [ { "uid": "uid5", "salary": 5.1, "zipcode": 70005, "birthday": 386418165000, "is_admin": true, "username": "username5", "_insert_time": 1718807765000, "_update_time": 1718807765000, "_collector_name": "Console", "_collector_type": "Console" }, { "uid": "uid6", "salary": 6.1, "zipcode": 70006, "birthday": 386418165000, "is_admin": true, "username": "username6", "_insert_time": 1718807765000, "_update_time": 1718807765000, "_collector_name": "Console", "_collector_type": "Console" } ], "filter count": 2, "total count": 10 } }

ad Request. Got an invalid JSON.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Unauthorized access. User does not have the required license type to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }

Internal server error. A unified status for API communication type errors.

Body
err_codeString

HTTP response code.

err_msgString

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extraString

Additional information describing the error.

RESPONSE
{ "err_code": "err_code_example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "err_extra_example" }