Get endpoint security profiles

Cortex XDR REST API

post /public_api/v1/endpoints/get_profiles

Returns a list of endpoint security profiles of the requested type. Optionally filters by a list of profile IDs.

Required permission: profiles_view

Notes:

  • File-Integrity-Monitoring (FIM) extension profiles are omitted when FIM is disabled for the profile's OS type.
  • is_in_user_scope and at_risk are removed from every profile object before the response is returned.
Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
CLIENT REQUEST
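# Fetch endpoint security profiles of type "prevention", narrowed to profile ID 1.
# request_data.type is mandatory; an empty body is rejected with HTTP 400.
# The two header values are placeholders for the API key and the API key ID.
# Supplying them from an environment variable or secret store keeps them out
# of shell history and checked-in scripts.
# The trailing backslashes keep the options on one logical command line.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/endpoints/get_profiles' \
  -d '{"request_data":{"type":"prevention","profile_ids":[1]}}'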
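import http.client

# Placeholders: load the API key and key ID from the environment or a secret
# store at runtime instead of committing them to source.
headers = {
    'Authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'content-type': "application/json"
}

# "type" is mandatory ("prevention" or "extension"); "profile_ids" is an
# optional JSON array that narrows the result.
payload = "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}"

# HTTPSConnection validates the server certificate and hostname by default.
# The timeout stops a stalled connection from blocking the caller forever.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)
try:
    conn.request("POST", "/public_api/v1/endpoints/get_profiles", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # Error replies (400/401/403) also carry a JSON "reply" object, so the
    # body is printed whatever the status.
    print(data.decode("utf-8"))
finally:
    # Release the socket even when the request or the read raises.
    conn.close()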
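require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/endpoints/get_profiles")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate. This request carries the API key in its
# headers, so it must not be sent over a connection whose peer is unverified.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Placeholders: load the API key and key ID from the environment or a secret
# store at runtime instead of committing them to source.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# "type" is mandatory; "profile_ids" is an optional array that narrows the result.
request.body = "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}"

response = http.request(request)
puts response.read_body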
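// Request body: "type" is mandatory; "profile_ids" optionally narrows the result.
const data = JSON.stringify({
  "request_data": {
    "type": "prevention",
    "profile_ids": [1]
  }
});

const xhr = new XMLHttpRequest();
// Authentication is carried entirely by the Authorization and x-xdr-auth-id
// headers, so withCredentials is left at its default (false). No cookies or
// other ambient browser credentials are attached to this cross-origin call.

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/endpoints/get_profiles");
// Placeholders. A key embedded in script that is delivered to a browser can be
// read by anyone who loads the page, so issue this call from a trusted backend
// or inject the values at runtime from a protected store.
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");

xhr.send(data);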
// POST a get_profiles request and keep the raw JSON reply as a string.
// The header values are placeholders for the API key and the API key ID.
String endpoint = "https://api-yourfqdn/public_api/v1/endpoints/get_profiles";
// "type" is mandatory; "profile_ids" is an optional array that narrows the result.
String requestBody = "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}";

HttpResponse<String> response = Unirest.post(endpoint)
    .header("Authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .header("content-type", "application/json")
    .body(requestBody)
    .asString();
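import Foundation

// Placeholders: read the API key and key ID from protected storage at runtime
// instead of compiling them into the binary.
let headers = [
  "Authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "content-type": "application/json"
]

// "type" is mandatory; "profile_ids" is an optional array that narrows the result.
let requestData: [String: Any] = [
  "type": "prevention",
  "profile_ids": [1]
]
let parameters: [String: Any] = ["request_data": requestData]

// data(withJSONObject:options:) is a throwing call, so it must be marked with try.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/endpoints/get_profiles")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
  if let error = error {
    // Transport-level failure (DNS, TLS, timeout, ...).
    print(error)
  } else {
    // Only the response metadata (status, headers) is printed, as in the original sample.
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse as Any)
  }
})

dataTask.resume()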
<?php

// POST a get_profiles request and echo either the transport error or the raw reply.
$endpoint = "https://api-yourfqdn/public_api/v1/endpoints/get_profiles";

// "type" is mandatory; "profile_ids" is an optional array that narrows the result.
$body = "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}";

// Placeholders for the API key and the API key ID.
$requestHeaders = [
  "Authorization: SOME_STRING_VALUE",
  "content-type: application/json",
  "x-xdr-auth-id: SOME_STRING_VALUE"
];

$curl = curl_init();

curl_setopt($curl, CURLOPT_URL, $endpoint);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_ENCODING, "");
curl_setopt($curl, CURLOPT_MAXREDIRS, 10);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, $body);
curl_setopt($curl, CURLOPT_HTTPHEADER, $requestHeaders);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

// A non-empty error string means the transfer itself failed.
echo $err ? "cURL Error #:" . $err : $response;
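/* POST a get_profiles request with libcurl. */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/endpoints/get_profiles");

/* Placeholders for the API key and the API key ID. Load the real values at
 * runtime from protected storage rather than compiling them in. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

/* "type" is mandatory; "profile_ids" is an optional array that narrows the result. */
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}");

/* ret is CURLE_OK on a completed transfer; any other value is a transport error. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle once the transfer is done. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);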
// POST a get_profiles request through RestSharp and keep the response object.
string endpoint = "https://api-yourfqdn/public_api/v1/endpoints/get_profiles";
// "type" is mandatory; "profile_ids" is an optional array that narrows the result.
string jsonBody = "{\"request_data\":{\"type\":\"prevention\",\"profile_ids\":[1]}}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);

// Placeholders for the API key and the API key ID.
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");

request.AddParameter("application/json", jsonBody, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobjectrequired

Parameters for the get_profiles call

typestring (Enum)

The category of profiles to retrieve.

  • prevention – standard endpoint prevention profiles managed by ProfilesService (malware, exploit, restrictions, agent-settings, exceptions, etc.)
  • extension – device-control and host-firewall profiles managed by DeviceControlProfilesService
Example:"prevention"
Allowed values:"prevention""extension"
profile_idsarray[integer]

Optional list of profile IDs to filter by. When omitted or null, all profiles of the requested type are returned. When provided, only profiles whose id is in this list are returned. Must be a JSON array; passing a non-array value yields HTTP 400.

REQUEST
{ "request_data": { "type": "prevention" } }
{ "request_data": { "type": "extension", "profile_ids": [ 1, 42, 99 ] } }
Responses

OK. Profiles retrieved successfully

Body
application/json

Successful response envelope

replyarray

List of matching profile objects.

[
idintegerint64

Internal numeric profile ID

Example:1
uuidstring

Globally unique profile identifier (UUID v4)

Example:"a1b2c3d4-e5f6-7890-abcd-ef1234567890"
namestring

Human-readable profile name.

Example:"Default Malware Profile"
typestring (Enum)

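Target operating system. Note that the sample response below returns the AGENT_OS_* value in a separate platform field and uses type for the profile category (for example, "MALWARE"), so confirm against a live response which field carries the operating system before parsing on it.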

Example:"AGENT_OS_WINDOWS"
Allowed values:"AGENT_OS_WINDOWS""AGENT_OS_MAC""AGENT_OS_LINUX""AGENT_OS_ANDROID""AGENT_OS_IOS""AGENT_OS_CAAS_LINUX""AGENT_OS_SERVERLESS"
is_defaultboolean

Whether this is the system-managed default profile for its type and OS

Example:true
is_globalboolean

Whether this profile is a global (cross-tenant) profile

is_disabledboolean

Whether this profile is currently disabled

associated_targetsarray[string]

Human-readable list of policy rule targets (endpoint groups, tags, and so on) that reference this profile, rendered as UI-friendly strings. The value is null when the profile is not referenced by any policy rule.

usage_countintegerint32

Number of policy rules that reference this profile

Example:5
descriptionstring

Optional free-text description of the profile

Example:"Default anti-malware profile for Windows endpoints"
created_bystring

Internal identifier (email or system name) of the creator

Example:"admin@example.com"
created_by_prettystring

Display name of the creator

Example:"Admin User"
creation_timeintegerint64

Profile creation timestamp in Unix epoch milliseconds

Example:1700000000000
modified_bystring

Internal identifier of the last modifier

Example:"admin@example.com"
modified_by_prettystring

Display name of the last modifier

Example:"Admin User"
modification_timeintegerint64

Last modification timestamp in Unix epoch milliseconds

Example:1710000000000
modulesobject

JSON object containing the profile's security module configuration. The schema varies by type and platform. Common top-level keys are module names (for example, malware, exploit, agent_settings), each containing mode and sub-option settings.

]
RESPONSE
{ "reply": [ { "id": 1, "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "name": "Default Malware Profile", "type": "MALWARE", "platform": "AGENT_OS_WINDOWS", "is_default": true, "is_global": false, "is_disabled": false, "associated_targets": [ "All endpoints" ], "usage_count": 5, "description": "Default anti-malware profile for Windows", "created_by": "system", "created_by_pretty": "Palo Alto Networks", "creation_time": 1700000000000, "modified_by": "admin@example.com", "modified_by_pretty": "Admin User", "modification_time": 1710000000000, "modules": { "malware": { "mode": "prevent" } } }, { "id": 2, "uuid": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "name": "Custom Exploit Profile", "type": "EXPLOIT", "platform": "AGENT_OS_MAC", "is_default": false, "is_global": false, "is_disabled": false, "associated_targets": [ "macOS Servers" ], "usage_count": 2, "description": null, "created_by": "admin@example.com", "created_by_pretty": "Admin User", "creation_time": 1705000000000, "modified_by": "admin@example.com", "modified_by_pretty": "Admin User", "modification_time": 1705000000000, "modules": {} } ] }

Bad request. Possible causes:

  • type field is missing (TypeIsMandatory)
  • type value is not prevention or extension (TypeNotSupported)
  • profile_ids is provided but is not a list (ProfileIDsMustBeAList)
  • Any internal error during profile retrieval (GeneralError)

Body
application/json
replyobject
err_codeinteger

HTTP-equivalent error code

err_msgstring

Short error category string

err_extrastring

Human-readable detail explaining the specific error

RESPONSE
{ "reply": { "err_code": 400, "err_msg": "PROFILES_PUBLIC_API_ERROR", "err_extra": "type is mandatory" } }
{ "reply": { "err_code": 400, "err_msg": "PROFILES_PUBLIC_API_ERROR", "err_extra": "type 'unknown' is not supported. Valid types: ('prevention', 'extension')" } }
{ "reply": { "err_code": 400, "err_msg": "PROFILES_PUBLIC_API_ERROR", "err_extra": "profile_ids must be a list" } }
{ "reply": { "err_code": 400, "err_msg": "PROFILES_PUBLIC_API_ERROR", "err_extra": "General error" } }

Unauthorized – missing or invalid API-key headers

Body
application/json
replyobject
err_codeinteger

HTTP-equivalent error code

err_msgstring

Short error category string

err_extrastring

Human-readable detail explaining the specific error

RESPONSE
{ "reply": { "err_code": 0, "err_msg": "example", "err_extra": "example" } }

Forbidden. Possible causes:

  • The API key does not have the profiles_view permission
  • The feature flag ALPHAFEATURES_PUBLIC_API_GET_POLICIES is disabled
  • The tenant is a secondary HA replica

Body
application/json
replyobject
err_codeinteger

HTTP-equivalent error code

err_msgstring

Short error category string

err_extrastring

Human-readable detail explaining the specific error

RESPONSE
{ "reply": { "err_code": 0, "err_msg": "example", "err_extra": "example" } }

Internal Server Error