POST /public_api/v1/endpoints/file_retrieval

Retrieve files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints.
- Response is concatenated using AND condition (OR is not supported).
- Offset is the zero-based number of incidents from the start of the result set.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
CURL

curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/file_retrieval" \
  -d '{
    "request_data" : {
      "incident_id" : "incident_id",
      "files" : {
        "linux" : [ "linux", "linux" ],
        "windows" : [ "windows", "windows" ],
        "macos" : [ "macos", "macos" ]
      },
      "filters" : [ {
        "field" : "endpoint_id_list",
        "value" : [ "value", "value" ],
        "operator" : "in"
      }, {
        "field" : "endpoint_id_list",
        "value" : [ "value", "value" ],
        "operator" : "in"
      } ]
    }
  }'
Request
Body (optional)

request_data (required)
  A dictionary containing the API request fields.

  filters (required, Array)
    An array of filter fields.

    field (required, String, Enum)
      Identifies the field the filter must match.
      Allowed values: endpoint_id_list

    operator (required, String, Enum)
      Identifies the comparison operator you want to use for this filter. The valid operator for 'endpoint_id_list' is in.
      Allowed values: in

    value (required, Array of strings)
      Value that this filter must match. For 'endpoint_id_list': a list of endpoint ID strings.

  files (required)
    One of the operating system types must be included.

    windows (optional, Array of strings)
    linux (optional, Array of strings)
    macos (optional, Array of strings)

  incident_id (optional, String)
    Incident ID. When included in the request, the Retrieve File action will appear in the Cortex XDR Incident View Timeline tab.
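The following is an added example, not Palo Alto Networks' own client code, showing how a script can assemble and validate the request body described above before sending it. It enforces the documented limits (at most 20 files, at most 10 endpoints, at least one operating system key) locally, so a malformed request is rejected before it reaches the API. The endpoint path, body keys, filter field and operator come from this reference; the authentication header names in send_request() and all IDs and paths in the sample input are assumptions and placeholders, not values from the page.

```python
"""Build and validate a Cortex XDR file-retrieval request body.

Added example; not Palo Alto Networks' own client code. The endpoint path
and body schema come from the reference above; the authentication header
names used in send_request() are an assumption and should be taken from
your tenant's API key documentation.
"""
import json
import urllib.request
from typing import Dict, List, Optional

# Limits stated in the endpoint description.
MAX_FILES = 20
MAX_ENDPOINTS = 10
OS_KEYS = ("windows", "linux", "macos")


def build_request(endpoint_ids: List[str],
                  files: Dict[str, List[str]],
                  incident_id: Optional[str] = None) -> dict:
    """Return the JSON body for POST /public_api/v1/endpoints/file_retrieval.

    Raises ValueError if the request violates the documented limits.
    """
    if not endpoint_ids:
        raise ValueError("at least one endpoint ID is required")
    if len(endpoint_ids) > MAX_ENDPOINTS:
        raise ValueError(f"no more than {MAX_ENDPOINTS} endpoints per request")

    unknown = set(files) - set(OS_KEYS)
    if unknown:
        raise ValueError(f"unknown OS key(s): {sorted(unknown)}")
    # "One of the operating system types must be included": keep only keys
    # with a non-empty path list and require at least one of them.
    paths = {os_name: list(p) for os_name, p in files.items() if p}
    if not paths:
        raise ValueError("files must contain at least one of windows/linux/macos")
    total = sum(len(p) for p in paths.values())
    if total > MAX_FILES:
        raise ValueError(f"no more than {MAX_FILES} files per request (got {total})")

    request_data = {
        # The only documented filter: field endpoint_id_list with operator in.
        "filters": [{"field": "endpoint_id_list",
                     "operator": "in",
                     "value": list(endpoint_ids)}],
        "files": paths,
    }
    if incident_id is not None:
        # Optional: ties the Retrieve File action to an incident timeline.
        request_data["incident_id"] = incident_id
    return {"request_data": request_data}


def send_request(fqdn: str, api_key_id: str, api_key: str, body: dict) -> dict:
    """POST the body to the tenant. Header names are assumed, not from the page."""
    url = f"https://{fqdn}/public_api/v1/endpoints/file_retrieval"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "x-xdr-auth-id": api_key_id,   # assumed header name
            "Authorization": api_key,      # assumed header name
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input: IDs and paths are placeholders, not real values.
    body = build_request(
        endpoint_ids=["endpoint-id-placeholder-1"],
        files={"windows": [r"C:\Users\Public\suspect.exe"], "linux": []},
        incident_id="incident-id-placeholder",
    )
    print(json.dumps(body, indent=2))
```

Empty OS lists are dropped rather than sent, since the reference requires at least one operating system key to carry files; the validation errors are raised client-side so an over-limit request never consumes an API call.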
Responses